Windows Xp SP2 z arcavir i pada

fitiusz · 25 Listopad 2007 13:28

Witam.

Zwracam się do was z wielką prośbą o pomoc w rozwiązaniu problemu z moim kompem. Mam windowsa XP, 256 RAM. Kilka dni temu postanowiłem zmienić antywirusa z “antivir” na “arcavir 2007”. Zrobiłem to, gdyż “arcavir” dostałem od tpsa wraz z neostradą. Aby zainstalować “arcavir” musiałem ściągnąc i zainstalować “servicepack2” i uczyniłem to. Gdy już miałem to gotowe zainstalowałem swego “arcavir 2007” … i wtedy zaczęły się problemy. Przeskanował cały system i komp zaczął świrować: Internet chodzi strasznie pomału, uruchamianie się kompa i jego zamykanie trwa do kilkunastu minut, gdy ma wykonać kilka operacji to się wiesza, nie można nic zainstalować bo instalator windowsa przygotowuje sie tak długo, że albo się wyłancza, albo wiesza. Nie mam pojęcia co to możebyć, skanowałem go jeszcze AdAware ale nic to ni dało, tak samo Spybot’em. Zrobiłem log’a hijack’iem i proszę o pomoc

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:26:44, on 2007-11-25 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe C:\Program Files\ArcaBit\ArcaUpdate\update.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe C:\Program Files\ArcaBit\Common\TaskScheduler.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe C:\WINDOWS\System32\imapi.exe C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe C:\WINDOWS\Temp\startdrv.exe C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe C:\WINDOWS\system32\dumprep.exe C:\WINDOWS\regedit.exe C:\Program Files\neostrada tp\neostradatp.exe C:\Program Files\neostrada tp\ComComp.exe C:\PROGRA~1\NEOSTR~1\Toaster.exe C:\PROGRA~1\NEOSTR~1\Inactivity.exe C:\PROGRA~1\NEOSTR~1\PollingModule.exe C:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE C:\Program Files\neostrada tp\Watch.exe C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\User\USTAWI~1\Temp\gmer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl/szukajneo.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - (no file) O2 - BHO: (no name) - {6D3D1890-95AF-4171-86EF-1E3BBCAF713A} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [Jet Detection] “C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe” O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [ABRegmon] C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe O4 - HKLM…\Run: [ArcaCheck] C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup O4 - HKLM…\Run: [AvMenu] C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Startup: PowerReg SchedulerV2.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Add to AMV Convert Tool… - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v … 9770061937 O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lob … ttings.cab O17 - HKLM\System\CCS\Services\Tcpip…{3912E8C2-26B7-4585-BB3B-CA712A0E18C9}: NameServer = 194.204.152.34 217.98.63.164 O18 - Filter hijack: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - (no file) O20 - Winlogon Notify: crehcjid - C:\WINDOWS\SYSTEM32\crehcjid.dll O20 - Winlogon Notify: TS_LogonListener - C:\WINDOWS\SYSTEM32\TS_LogonListener.dll O20 - Winlogon Notify: @ Ŕ - @ Ŕ (file missing) O20 - Winlogon Notify: ¸ - ¸ (file missing) O20 - Winlogon Notify: đ - đ (file missing) O20 - Winlogon Notify: Ŕ Ŕ - Ŕ Ŕ (file missing) O20 - Winlogon Notify: ŕ ¸ Ŕ - ŕ ¸ Ŕ (file missing) O20 - Winlogon Notify: ř Č Ŕ - ř Č Ŕ (file missing) O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - C:\Program Files\ArcaBit\Common\TaskScheduler.exe O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - C:\Program Files\ArcaBit\ArcaUpdate\update.exe O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/User/USTAWI~1/Temp/msoclip1/01/clip_image002.jpg – End of file - 8819 bytes

Gutek · 25 Listopad 2007 15:50

Najpierw automat:

Pobierz program SDFix

fitiusz · 26 Listopad 2007 08:29

Wykonałem wszystko krok po kroku, a oto co otrzymałem w SDFix’ie

SDFix: Version 1.115 Run by Administrator on 2007-11-26 at 08:19 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix\SDFix Safe Mode: Checking Services: Name: Distributed Allocated Memory Unit FCI MSN RAV runtime xpdx Distributed Allocated Memory Unit FCI MSN RAV runtime runtime2 xpdx Path: Distributed Allocated Memory Unit - Deleted FCI - Deleted MSN RAV - Deleted runtime - Deleted xpdx - Deleted Distributed Allocated Memory Unit - Deleted FCI - Deleted MSN RAV - Deleted runtime - Deleted runtime2 - Deleted xpdx - Deleted Infected ip6fw.sys Found! ip6fw.sys File Locations: “C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys” 29056 2004-08-03 23:00 “C:\WINDOWS\system32\dllcache\ip6fw.sys” 29056 2004-08-03 23:00 “C:\WINDOWS\system32\drivers\ip6fw.sys” 29056 2004-08-03 23:00 Infected File Listed Below: C:\WINDOWS\system32\drivers\ip6fw.sys Trojan File copied to Backups Folder Attempting to replace ip6fw.sys with original version… Original ip6fw.sys Restored Infected ip6fw.sys Found! ip6fw.sys File Locations: “C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys” 29056 2004-08-03 23:00 “C:\WINDOWS\system32\dllcache\ip6fw.sys” 29056 2004-08-03 23:00 “C:\WINDOWS\system32\drivers\ip6fw.sys” 29056 2004-08-03 23:00 “C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys” 29056 2004-08-03 23:00 “C:\WINDOWS\system32\dllcache\ip6fw.sys” 29056 2004-08-03 23:00 “C:\WINDOWS\system32\drivers\ip6fw.sys” 29056 2004-08-03 23:00 Infected File Listed Below: C:\WINDOWS\system32\drivers\ip6fw.sys Trojan File copied to Backups Folder Attempting to replace ip6fw.sys with original version… Original ip6fw.sys Restored Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Service asc3550o - Deleted after Reboot Normal Mode: Checking Files: Trojan Files Found: C:\410876~1 - Deleted C:\410876~1 - Deleted C:\410876~1 - Deleted C:\WINDOWS\system32\4.tmp - Deleted C:\WINDOWS\system32\5.tmp - Deleted C:\WINDOWS\system32\1E.tmp - Deleted C:\WINDOWS\system32\1_exception.nls - Deleted C:\WINDOWS\system32\Gothic.exe - Deleted C:\WINDOWS\system32\i - Deleted C:\WINDOWS\Temp\startdrv.exe - Deleted C:\WINDOWS\system32\xpdx.sys - Deleted C:\WINDOWS\system32\drivers\asc3550o.sys - Deleted C:\WINDOWS\system32\drivers\runtime2.sys - Deleted C:\WINDOWS\system32\drivers\runtime2.sy_ - Deleted Removing Temp Files… ADS Check: C:\WINDOWS No streams found. C:\WINDOWS\system32 No streams found. C:\WINDOWS\system32\svchost.exe No streams found. C:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-26 08:27:59 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s0”=dword:bd64c2ea “s1”=dword:3c2c5158 “s2”=dword:4d3d409b “h0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:78,33,5e,9c,f7,2f,2e,b9,cb,97,46,fe,e4,74,ae,fc,f3,d4,9c,5a,63,… scanning hidden registry entries … [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\21\1\t] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DLLName”="\x111\t\20\t\30\b\2\2" “Logon”=“WLEventLogon\0\0\0\0\0” “Logoff”="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\T\1\t] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DLLName”="\x154\t\xa0\t\x154\b\2\2" “Logon”=“WLEventLogon\0\0\0\0\0” “Logoff”="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\U\1\t] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DLLName”="\x155\t\xb8\t\x154\b\2\2" “Logon”=“WLEventLogon\0\0\0\0\0” “Logoff”="" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Y\1\t] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DLLName”="\x159\t\x10c\t\x154\b\2\2" “Logon”=“WLEventLogon\0\0\0\0\0” “Logoff”="" [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,5e,02,00,00,01,00,00,00,05,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] “%windir%\system32\sessmgr.exe”="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" Remaining Files: --------------- File Backups: - C:\SDFix\SDFix\backups\backups.zip Files with Hidden Attributes: Fri 2 Jul 2004 4,348 …SH. — “C:\Documents and Settings\All Users\DRM\DRMv1.bak” Fri 2 Jul 2004 401 …SH. — “C:\Documents and Settings\All Users\DRM\DRMv11.bak” Fri 22 Jul 2005 400 …SH. — “C:\Documents and Settings\All Users\DRM\v2ks.bla.bak” Fri 22 Jul 2005 48 …SH. — “C:\Documents and Settings\All Users\DRM\v2ks.sec.bak” Tue 21 Mar 2000 565,248 A…H. — “C:\Kuba\Mini Car Racing\Game\WCSUP.DLL” Thu 22 Mar 2007 46,592 …H. — “C:\Documents and Settings\User\Dane aplikacji\Microsoft\Word~WRL1665.tmp” Thu 22 Mar 2007 22,016 …H. — “C:\Documents and Settings\User\Dane aplikacji\Microsoft\Word~WRL3080.tmp” Fri 27 Jan 2006 444 …HR — “C:\Documents and Settings\User\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak” Finished!

Złączono Posta : 26.11.2007 (Pon) 9:34

Wykonałem także log Combofix i oto co otrzymałem

ComboFix 07-11-19.3 - User 2007-11-26 9:00:57.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.48 [GMT 1:00] Running from: C:\Documents and Settings\User\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 ))))))))))))))))))))))))))))))) . 2007-11-26 08:10 2007-11-25 13:24 2007-11-24 15:10 2007-11-20 23:44 2007-11-20 23:41 2007-11-20 23:41 2007-11-20 23:37 2007-11-20 11:18 56,536 --a------ C:\WINDOWS\system32\pghash.dat 2007-11-20 11:18 269 --a------ C:\WINDOWS\system32\spupdwxp.log 2007-11-20 09:45 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2007-11-20 09:43 2007-11-20 09:43 2007-11-20 09:43 164,352 --------- C:\WINDOWS\system32\wstpager.ax 2007-11-20 09:43 148,480 --------- C:\WINDOWS\system32\wscui.cpl 2007-11-20 09:43 108,032 --------- C:\WINDOWS\system32\wshbth.dll 2007-11-20 09:43 81,408 --------- C:\WINDOWS\system32\wscsvc.dll 2007-11-20 09:43 13,824 --------- C:\WINDOWS\system32\wscntfy.exe 2007-11-20 09:40 2007-11-20 09:11 2007-11-19 20:34 93,456 --a------ C:\WINDOWS\system32\pguard.dat 2007-11-19 20:31 2007-11-19 20:31 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys 2007-11-19 18:58 90,112 --a------ C:\WINDOWS\system32\crehcjid.dll 2007-11-03 18:27 2007-10-28 13:24 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-26 07:59 --------- d-----w C:\Program Files\neostrada tp 2007-11-25 10:04 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-20 23:46 --------- d-----w C:\Program Files\GocartMania 2007-11-20 22:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-20 10:17 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd9133.sys 2007-11-06 08:51 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Skype 2007-10-25 17:08 --------- d-----w C:\Program Files\WinX DVD Player 3.0 2007-10-19 16:11 --------- d-----w C:\Program Files\DK 2007-10-19 16:07 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-03 17:56 --------- d-----w C:\Program Files\F1 Challange KRC 2007 2006-11-14 15:43 4,608 ----a-w C:\Documents and Settings\User\gg.dll 2004-03-11 12:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2003-12-23 00:20 777 ----a-w C:\Program Files\trial_setup.ini 2003-12-23 00:20 40,448 ----a-w C:\Program Files\trial_setup.exe 2003-12-23 00:20 4,297,728 ----a-w C:\Program Files\trial_setup.msi 1999-05-17 10:58 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL 1998-12-08 23:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL 1998-12-08 23:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL 1998-12-08 23:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL 1998-12-08 23:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL 1998-12-08 23:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE~\Browser Helper Objects{5742F79A-1D91-42c4-990C-B46CF55A6478}] [HKEY_LOCAL_MACHINE~\Browser Helper Objects{6D3D1890-95AF-4171-86EF-1E3BBCAF713A}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-02-17 14:03] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe] “WheelMouse”=“C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [2003-07-18 00:53] “CTHelper”=“CTHELPER.EXE” [2003-08-28 09:45 C:\WINDOWS\system32\CTHELPER.EXE] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 00:00] “Jet Detection”=“C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” [2001-11-29 00:00] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe” [2006-10-12 03:10] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 12:49] “ABRegmon”=“C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe” [2007-07-12 09:40] “ArcaCheck”=“C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe” [2007-07-27 12:57] “AvMenu”=“C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe” [2007-10-22 14:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 00:44] C:\Documents and Settings\User\Menu Start\Programy\Autostart\ PowerReg SchedulerV2.exe [2005-03-26 12:26:39] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 13:44:06] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid] crehcjid.dll 2007-11-19 21:20 90112 C:\WINDOWS\system32\crehcjid.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener] TS_LogonListener.dll 2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2003-12-08 17:35 32768 --a------ C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez] C:\Program Files\Warez P2P Client\warez.exe -h [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “UserAccess7”=2 (0x2) “scagent”=2 (0x2) “NVSvc”=2 (0x2) “MSN RAV”=2 (0x2) “IDriverT”=3 (0x3) “FTRTSVC”=2 (0x2) “FCI”=2 (0x2) “Distributed Allocated Memory Unit”=2 (0x2) “DCSPGSRV”=2 (0x2) “Creative Service for CDROM Access”=2 (0x2) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\ArcaVir2007CDMenu.exe . Contents of the ‘Scheduled Tasks’ folder “2007-10-22 14:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - C:\Program Files\Apple Software Update\SoftwareUpdate.exe “2007-11-25 13:28:23 C:\WINDOWS\Tasks\Symantec NetDetect.job” - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-26 09:07:20 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … ************************************************************************** . Completion time: 2007-11-26 9:10:20 - machine was rebooted . — E O F —

Bardzo jestem ciekaw tego, co z tego wynika i oczekuję z niepokojem.

Dziękuję za to co już zrobiłeś dla mnie i proszę o dalszą pomoc

Gutek · 26 Listopad 2007 17:28

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

fitiusz · 26 Listopad 2007 19:17

Tak więc wykonałem co mi napisałeś i oto nowy log z Combo, wykonany już po usunięciu C:\Qoobox

ComboFix 07-11-19.3 - User 2007-11-26 20:03:01.3 - NTFSx86 Running from: C:\Documents and Settings\User\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 ))))))))))))))))))))))))))))))) . 2007-11-26 08:10 2007-11-25 13:24 2007-11-24 15:10 2007-11-20 23:44 2007-11-20 23:41 2007-11-20 23:41 2007-11-20 23:37 2007-11-20 09:43 2007-11-20 09:43 2007-11-20 09:43 32,866 --------- C:\WINDOWS\slrundll.exe 2007-11-20 09:40 2007-11-20 09:11 2007-11-19 20:34 93,456 --a------ C:\WINDOWS\system32\pguard.dat 2007-11-19 20:31 2007-11-19 20:31 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys 2007-11-19 18:58 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys 2007-11-03 18:27 2007-10-28 13:24 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-26 19:02 --------- d-----w C:\Program Files\neostrada tp 2007-11-25 10:04 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-20 23:46 --------- d-----w C:\Program Files\GocartMania 2007-11-20 22:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-20 10:17 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd9133.sys 2007-11-06 08:51 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Skype 2007-10-25 17:08 --------- d-----w C:\Program Files\WinX DVD Player 3.0 2007-10-19 16:11 --------- d-----w C:\Program Files\DK 2007-10-19 16:07 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-03 17:56 --------- d-----w C:\Program Files\F1 Challange KRC 2007 2006-11-14 15:43 4,608 ----a-w C:\Documents and Settings\User\gg.dll 2004-03-11 12:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2003-12-23 00:20 777 ----a-w C:\Program Files\trial_setup.ini 2003-12-23 00:20 40,448 ----a-w C:\Program Files\trial_setup.exe 2003-12-23 00:20 4,297,728 ----a-w C:\Program Files\trial_setup.msi 1999-05-17 10:58 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL 1998-12-08 23:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL 1998-12-08 23:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL 1998-12-08 23:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL 1998-12-08 23:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL 1998-12-08 23:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-02-17 14:03] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe] “WheelMouse”=“C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [2003-07-18 00:53] “CTHelper”=“CTHELPER.EXE” [2003-08-28 09:45 C:\WINDOWS\system32\CTHELPER.EXE] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 00:00] “Jet Detection”=“C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” [2001-11-29 00:00] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe” [2006-10-12 03:10] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 12:49] “ABRegmon”=“C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe” [2007-07-12 09:40] “ArcaCheck”=“C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe” [2007-07-27 12:57] “AvMenu”=“C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe” [2007-10-22 14:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 00:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 13:44:06] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crehcjid] crehcjid.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener] TS_LogonListener.dll 2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2003-12-08 17:35 32768 --a------ C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez] C:\Program Files\Warez P2P Client\warez.exe -h [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “UserAccess7”=2 (0x2) “scagent”=2 (0x2) “NVSvc”=2 (0x2) “MSN RAV”=2 (0x2) “IDriverT”=3 (0x3) “FTRTSVC”=2 (0x2) “FCI”=2 (0x2) “Distributed Allocated Memory Unit”=2 (0x2) “DCSPGSRV”=2 (0x2) “Creative Service for CDROM Access”=2 (0x2) R1 ABTDI;ABTDI;??\C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys R2 ABFileMon;ArcaBit FileMonitor;“C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe” R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe R2 procguard;procguard;??\C:\WINDOWS\System32\drivers\procguard.sys R3 ABFLT;ArcaBit File Monitor Driver;??\C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe” R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\system32\DRIVERS\torususb.sys S3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe” S3 ENW9503;ENW-950x RTL-based PCI Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ENW9503.sys S3 GDInterceptor;GDInterceptor;??\C:\WINDOWS\System32\interceptor.sys S3 ps_drv;ps_drv;??\C:\Documents and Settings\User\ps_drv.sys S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS S4 DCSPGSRV;DiamondCS Process Guard Service v3.000;“C:\Program Files\ProcessGuard\dcsuserprot.exe” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\ArcaVir2007CDMenu.exe . Contents of the ‘Scheduled Tasks’ folder “2007-10-22 14:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - C:\Program Files\Apple Software Update\SoftwareUpdate.exe “2007-11-25 13:28:23 C:\WINDOWS\Tasks\Symantec NetDetect.job” - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-26 20:06:31 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … ************************************************************************** . Completion time: 2007-11-26 20:08:45 C:\ComboFix2.txt … 2007-11-26 19:44 C:\ComboFix3.txt … 2007-11-26 09:10 . — E O F —

Gutek · 26 Listopad 2007 22:41

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

fitiusz · 27 Listopad 2007 08:58

Zanim przepiszę najnowszy log z Combo, to chcę powiedzieć, że z moim kompem jest już coraz lepiej i aby było super to przesyłam log i czekam na dalsze wskazówki

ComboFix 07-11-19.3 - User 2007-11-27 9:42:06.5 - NTFSx86 Running from: C:\Documents and Settings\User\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 ))))))))))))))))))))))))))))))) . 2007-11-26 08:10 2007-11-25 13:24 2007-11-24 15:10 2007-11-20 23:44 2007-11-20 23:41 2007-11-20 23:41 2007-11-20 23:37 2007-11-20 09:43 2007-11-20 09:43 2007-11-20 09:43 32,866 --------- C:\WINDOWS\slrundll.exe 2007-11-20 09:40 2007-11-20 09:11 2007-11-19 20:34 93,456 --a------ C:\WINDOWS\system32\pguard.dat 2007-11-19 20:31 2007-11-19 20:31 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys 2007-11-19 18:58 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys 2007-11-03 18:27 2007-10-28 13:24 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-27 08:44 --------- d-----w C:\Program Files\neostrada tp 2007-11-25 10:04 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-20 23:46 --------- d-----w C:\Program Files\GocartMania 2007-11-20 22:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-20 10:17 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd9133.sys 2007-11-06 08:51 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Skype 2007-10-25 17:08 --------- d-----w C:\Program Files\WinX DVD Player 3.0 2007-10-19 16:11 --------- d-----w C:\Program Files\DK 2007-10-19 16:07 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-03 17:56 --------- d-----w C:\Program Files\F1 Challange KRC 2007 2006-11-14 15:43 4,608 ----a-w C:\Documents and Settings\User\gg.dll 2004-03-11 12:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2003-12-23 00:20 777 ----a-w C:\Program Files\trial_setup.ini 2003-12-23 00:20 40,448 ----a-w C:\Program Files\trial_setup.exe 2003-12-23 00:20 4,297,728 ----a-w C:\Program Files\trial_setup.msi 1999-05-17 10:58 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL 1998-12-08 23:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL 1998-12-08 23:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL 1998-12-08 23:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL 1998-12-08 23:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL 1998-12-08 23:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-02-17 14:03] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe] “WheelMouse”=“C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [2003-07-18 00:53] “CTHelper”=“CTHELPER.EXE” [2003-08-28 09:45 C:\WINDOWS\system32\CTHELPER.EXE] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 00:00] “Jet Detection”=“C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” [2001-11-29 00:00] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe” [2006-10-12 03:10] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 12:49] “ABRegmon”=“C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe” [2007-07-12 09:40] “ArcaCheck”=“C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe” [2007-07-27 12:57] “AvMenu”=“C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe” [2007-10-22 14:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 00:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 13:44:06] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener] TS_LogonListener.dll 2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2003-12-08 17:35 32768 --a------ C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez] C:\Program Files\Warez P2P Client\warez.exe -h [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “UserAccess7”=2 (0x2) “scagent”=2 (0x2) “NVSvc”=2 (0x2) “MSN RAV”=2 (0x2) “IDriverT”=3 (0x3) “FTRTSVC”=2 (0x2) “FCI”=2 (0x2) “Distributed Allocated Memory Unit”=2 (0x2) “DCSPGSRV”=2 (0x2) “Creative Service for CDROM Access”=2 (0x2) R1 ABTDI;ABTDI;??\C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys R2 ABFileMon;ArcaBit FileMonitor;“C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe” R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe R2 procguard;procguard;??\C:\WINDOWS\System32\drivers\procguard.sys R3 ABFLT;ArcaBit File Monitor Driver;??\C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe” R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\system32\DRIVERS\torususb.sys S3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe” S3 ENW9503;ENW-950x RTL-based PCI Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ENW9503.sys S3 GDInterceptor;GDInterceptor;??\C:\WINDOWS\System32\interceptor.sys S3 ps_drv;ps_drv;??\C:\Documents and Settings\User\ps_drv.sys S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS S4 DCSPGSRV;DiamondCS Process Guard Service v3.000;“C:\Program Files\ProcessGuard\dcsuserprot.exe” S4 scagent;Security Agent;“C:\WINDOWS\system32\scagent.exe” start [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\ArcaVir2007CDMenu.exe . Contents of the ‘Scheduled Tasks’ folder “2007-10-22 14:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” “2007-11-25 13:28:23 C:\WINDOWS\Tasks\Symantec NetDetect.job” - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-27 09:45:49 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … ************************************************************************** . Completion time: 2007-11-27 9:47:39 C:\ComboFix2.txt … 2007-11-27 09:36 C:\ComboFix3.txt … 2007-11-26 20:08 . — E O F —

Gutek · 27 Listopad 2007 23:32

zastanawiałem się nad tym kiedyś ale gdy to usuwałem nic się nie działo

Wklej do Notatnika:

>>Plik>>Zapisz jako… >>> CFScript (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe (czyli ikonkę CFScript.txt na ikonkę ComboFix.exe )

– podobnie jak na tym obrazku –>

(jeśli pojawi się pytanie " 1 or 2" - to wpisz 1 i naciśnij ENTER) Ma się rozpocząć usuwanie. (i powstanie log)

Po restarcie usuń ręcznie folder C: ** Qoobox**.

Po tym nowy log z Combo

fitiusz · 28 Listopad 2007 09:10

Chyba za bardzo pochwaliłem wczoraj swojego kompa, bo lekko zamulał, ale dziś jest już lepiej.

Oto nowy log

ComboFix 07-11-19.3 - User 2007-11-28 9:53:25.7 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.69 [GMT 1:00] Running from: C:\Documents and Settings\User\Pulpit\ComboFix.exe . ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 ))))))))))))))))))))))))))))))) . 2007-11-26 08:10 2007-11-25 13:24 2007-11-24 15:10 2007-11-20 23:44 2007-11-20 23:41 2007-11-20 23:41 2007-11-20 23:37 2007-11-20 09:43 2007-11-20 09:43 2007-11-20 09:43 32,866 --------- C:\WINDOWS\slrundll.exe 2007-11-20 09:40 2007-11-20 09:11 2007-11-19 20:34 93,456 --a------ C:\WINDOWS\system32\pguard.dat 2007-11-19 20:31 2007-11-19 20:31 24,911 --a------ C:\WINDOWS\system32\drivers\procguard.sys 2007-11-19 18:58 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys 2007-11-03 18:27 2007-10-28 13:24 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-28 08:53 --------- d-----w C:\Program Files\neostrada tp 2007-11-25 10:04 --------- d–h--w C:\Program Files\InstallShield Installation Information 2007-11-20 23:46 --------- d-----w C:\Program Files\GocartMania 2007-11-20 22:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2007-11-20 10:17 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd9133.sys 2007-11-06 08:51 --------- d-----w C:\Documents and Settings\User\Dane aplikacji\Skype 2007-10-25 17:08 --------- d-----w C:\Program Files\WinX DVD Player 3.0 2007-10-19 16:11 --------- d-----w C:\Program Files\DK 2007-10-19 16:07 --------- d-----w C:\Program Files\Common Files\InstallShield 2007-10-03 17:56 --------- d-----w C:\Program Files\F1 Challange KRC 2007 2004-03-11 12:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe 2003-12-23 00:20 777 ----a-w C:\Program Files\trial_setup.ini 2003-12-23 00:20 40,448 ----a-w C:\Program Files\trial_setup.exe 2003-12-23 00:20 4,297,728 ----a-w C:\Program Files\trial_setup.msi 1999-05-17 10:58 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL 1998-12-08 23:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL 1998-12-08 23:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL 1998-12-08 23:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL 1998-12-08 23:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL 1998-12-08 23:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2006-02-17 14:03] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“RUNDLL32.exe” [2004-08-04 00:44 C:\WINDOWS\system32\rundll32.exe] “WheelMouse”=“C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe” [2003-07-18 00:53] “CTHelper”=“CTHELPER.EXE” [2003-08-28 09:45 C:\WINDOWS\system32\CTHELPER.EXE] “UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 00:00] “Jet Detection”=“C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe” [2001-11-29 00:00] “SunJavaUpdateSched”=“C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe” [2006-10-12 03:10] “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” [2004-08-23 12:49] “ABRegmon”=“C:\Program Files\ArcaBit\ArcaVir\ABregmon.exe” [2007-07-12 09:40] “ArcaCheck”=“C:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe” [2007-07-27 12:57] “AvMenu”=“C:\Program Files\ArcaBit\ArcaVir\AVMenu.exe” [2007-10-22 14:51] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [2004-08-04 00:44] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 13:44:06] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TS_LogonListener] TS_LogonListener.dll 2007-01-12 16:41 101376 C:\WINDOWS\system32\TS_LogonListener.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] 2001-07-09 09:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] nwiz.exe /install [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] C:\Program Files\QuickTime\qttask.exe -atboottime [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl] 2003-12-08 17:35 32768 --a------ C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez] C:\Program Files\Warez P2P Client\warez.exe -h [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “UserAccess7”=2 (0x2) “scagent”=2 (0x2) “NVSvc”=2 (0x2) “MSN RAV”=2 (0x2) “IDriverT”=3 (0x3) “FTRTSVC”=2 (0x2) “FCI”=2 (0x2) “Distributed Allocated Memory Unit”=2 (0x2) “DCSPGSRV”=2 (0x2) “Creative Service for CDROM Access”=2 (0x2) R1 ABTDI;ABTDI;??\C:\Program Files\ArcaBit\ArcaVir\ABTDI.sys R2 ABFileMon;ArcaBit FileMonitor;“C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe” R2 ArcaBit.TaskScheduler;ArcaBit.TaskScheduler;C:\Program Files\ArcaBit\Common\TaskScheduler.exe R2 AVUpdate;ArcaBit Update Service;C:\Program Files\ArcaBit\ArcaUpdate\update.exe R2 procguard;procguard;??\C:\WINDOWS\System32\drivers\procguard.sys R3 ABFLT;ArcaBit File Monitor Driver;??\C:\PROGRA~1\ArcaBit\ArcaVir\ABFLT.sys R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys R3 ArcaBit.Core.Configurator;ArcaBit.Core.Configurator;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe” R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\system32\DRIVERS\torususb.sys S3 ArcaBit.Core.LoggingService;ArcaBit.Core.LoggingService;“C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe” S3 ENW9503;ENW-950x RTL-based PCI Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\ENW9503.sys S3 GDInterceptor;GDInterceptor;??\C:\WINDOWS\System32\interceptor.sys S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys S3 usbscan;Sterownik skanera USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys S3 USBSTOR;Sterownik magazynu masowego USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS S4 DCSPGSRV;DiamondCS Process Guard Service v3.000;“C:\Program Files\ProcessGuard\dcsuserprot.exe” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\ArcaVir2007CDMenu.exe . Contents of the ‘Scheduled Tasks’ folder “2007-10-22 14:16:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - C:\Program Files\Apple Software Update\SoftwareUpdate.exe “2007-11-27 17:28:14 C:\WINDOWS\Tasks\Symantec NetDetect.job” - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-28 09:56:34 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … ************************************************************************** . Completion time: 2007-11-28 9:58:00 C:\ComboFix2.txt … 2007-11-28 09:51 C:\ComboFix3.txt … 2007-11-27 09:47 . — E O F —

Gutek · 28 Listopad 2007 16:09

Teraz już Ok

fitiusz · 28 Listopad 2007 17:44

Skoro tak twierdzisz to super. Wielkie DZIĘKI za pomoc, już bałem się że bez formatu się nie obejdzie. Czyli teraz mogę spokojnie czynić w ten sposób http://forum.dobreprogramy.pl/viewtopic.php?t=76580 tzn. optymalizacja i odchudzanie windowsa xp? Mam jeszcze jedno pytanie, jak uruchamiam neta, to pojawia mi się taka infromacja

Czy to nic groźnego?

Gutek · 28 Listopad 2007 22:04

Użyj programu HostsXpert i ustaw domyślne ustawienia plikowi hosts.

Tak możesz - http://forum.dobreprogramy.pl/viewtopic.php?t=76580