Computer runs slowly, not all pages open, and often

Hi, lately strange things have been happening with my computer. I'm a bit of a layman in these matters, so I'm asking for help. I noticed that most people post a scan from HijackThis, so I'm posting a similar one from my computer below. Please help with the problem in the subject!!!

Logfile of HijackThis v1.99.1
Scan saved at 16:36:18, on 2007-07-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\SYSTEM32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\NEOSTR~1\CnxMon.exe
D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
d:\progra~1\intern~1\iexplore.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\PROGRA~1\MICROS~4\rapimgr.exe
D:\Program Files\STK016_V2.01\STK016M.exe
C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\slawek_\Pulpit\HijackThis_v1.99.1.exe
D:\WINDOWS\system32\uWDF.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - D:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - D:\Program Files\Multi_Media\tbMult.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - D:\Program Files\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MSys32] "F:\GRY\Tetris 4000\morfitwebentrance.exe"
O4 - HKLM\..\Run: [WooCnxMon] D:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [statusClient] D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Picasa Media Detector] E:\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [FlagDupeWipeSoft] D:\Documents and Settings\All Users\Dane aplikacji\Debug ford flag dupe\BALMITCH.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Globe7] "D:\Program Files\Globe7\Globe7.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [waveobj] D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe
O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: STK016 PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - D:\Program Files\CDPoker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - D:\Program Files\CDPoker\casino.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_64.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{23B8A1FC-3122-4A2A-AD24-35C7A107C405}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA128D7-7C4C-497E-955B-DBE1B487FFD6}: NameServer = 194.204.159.1,192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{613EC58E-4B66-4A07-B061-DE12D2579902}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

Post merged: 20.07.2007 (Fri) 16:50

And I forgot that the computer often freezes and that pages take terribly long to open!!

There is an infection.

Use the FixWareOut.exe tool

Use the No Lop tool

Use the ComboFix tool

And be sure to come back with logs from HijackThis + SilentRunners and ComboFix
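The security-relevant part of the log above is the block of O17 lines: every NameServer value on the box, including the CS1/CS2/CS3 backup control sets, points at 85.255.115.58 and 85.255.112.116, while the one clean adapter entry shows the ISP resolver and the home router. That DNS-hijack pattern is what the FixWareOut recommendation is aimed at. The following is an added example, not code from the thread or from any of the tools named in it, that triages a HijackThis log for that condition and for two cheaper signals visible in the same log: autostarts launched from a user profile directory and ActiveX downloads served from a bare IP address. The allowlisted resolvers, the sample lines and the path markers are this example's assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample in HijackThis 1.99 format, modelled on a few entries
# from the thread (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FlagDupeWipeSoft] D:\Documents and Settings\All Users\Dane aplikacji\Debug ford flag dupe\BALMITCH.exe
O4 - HKCU\..\Run: [waveobj] D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_64.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA128D7-7C4C-497E-955B-DBE1B487FFD6}: NameServer = 194.204.159.1,192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{613EC58E-4B66-4A07-B061-DE12D2579902}: NameServer = 85.255.115.58,85.255.112.116
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
"""

# Assumption for this example: the resolvers this machine is supposed to use
# are the ISP server and the home router seen on the clean adapter entry.
# Anything else in an O17 line is reported as a hijack.
EXPECTED_DNS = (ip_network("194.204.159.1/32"), ip_network("192.168.1.0/24"))

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)$")

# Path fragments that mark a user profile; a machine-wide autostart living
# there deserves a second look (assumed markers for a Polish XP install).
PROFILE_MARKERS = ("documents and settings", "docume~1")


def rogue_dns(servers: str):
    """Return the resolvers in an O17 value that fall outside EXPECTED_DNS."""
    rogue = []
    for token in re.split(r"[,\s]+", servers.strip()):
        if not token:
            continue
        addr = ip_address(token)
        if not any(addr in net for net in EXPECTED_DNS):
            rogue.append(str(addr))
    return rogue


def runs_from_profile(cmd: str) -> bool:
    """True when an O4 autostart launches out of a user profile directory."""
    low = cmd.lower()
    return any(marker in low for marker in PROFILE_MARKERS)


def downloads_from_raw_ip(url: str) -> bool:
    """True when an O16 ActiveX download comes from a bare IP, not a hostname."""
    host = urlsplit(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text: str) -> dict:
    """Group the findings by kind; each hit keeps the fields from its log line."""
    findings = {"dns_hijack": [], "autostart_from_profile": [], "activex_from_raw_ip": []}
    for line in log_text.splitlines():
        line = line.strip()
        if m := O17_RE.match(line):
            bad = rogue_dns(m["servers"])
            if bad:
                findings["dns_hijack"].append((m["key"], bad))
        elif m := O4_RE.match(line):
            if runs_from_profile(m["cmd"]):
                findings["autostart_from_profile"].append((m["hive"], m["name"], m["cmd"]))
        elif m := O16_RE.match(line):
            if downloads_from_raw_ip(m["url"]):
                findings["activex_from_raw_ip"].append((m["desc"], m["url"]))
    return findings


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

Run against the full first log this reports every O17 line except the router/ISP one. Two things worth keeping in mind: the rogue pair is written to every ControlSet, so a fix that only touches CurrentControlSet leaves copies behind (the second HijackThis log in this thread still shows the CS2 entry after the first pass), and the other two checks are triage heuristics, not verdicts, since a per-user application installed under Application Data will trip the profile check just as readily.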

This is from HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 19:25:58, on 2007-07-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\SYSTEM32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
D:\WINDOWS\system32\svchost.exe
C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\PROGRA~1\NEOSTR~1\CnxMon.exe
D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
d:\progra~1\intern~1\iexplore.exe
D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
D:\Program Files\STK016_V2.01\STK016M.exe
D:\PROGRA~1\MICROS~4\rapimgr.exe
D:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\slawek_\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - D:\Program Files\Multi_Media\tbMult.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - D:\Program Files\Multi_Media\tbMult.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll (file missing)
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll (file missing)
O3 - Toolbar: Multi Media Toolbar - {b5146c40-189a-4311-bda9-fbae3e023187} - D:\Program Files\Multi_Media\tbMult.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MSys32] "F:\GRY\Tetris 4000\morfitwebentrance.exe"
O4 - HKLM\..\Run: [WooCnxMon] D:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [statusClient] D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Picasa Media Detector] E:\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [FlagDupeWipeSoft] D:\Documents and Settings\All Users\Dane aplikacji\Debug ford flag dupe\BALMITCH.exe
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Globe7] "D:\Program Files\Globe7\Globe7.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [spamihilator] "D:\Program Files\Spamihilator\spamihilator.exe"
O4 - HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [waveobj] D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe
O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: STK016 PNP Monitor.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - D:\Program Files\CDPoker\casino.exe (file missing)
O9 - Extra 'Tools' menuitem: CDPoker - {A68FC757-51CF-4f3c-B13A-BFB8CA69BB99} - D:\Program Files\CDPoker\casino.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_64.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA128D7-7C4C-497E-955B-DBE1B487FFD6}: NameServer = 194.204.159.1,192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.116
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NETWOR~1\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NETWOR~1\bin\nSvcLog.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

And from SilentRunners

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spamihilator" = ""D:\Program Files\Spamihilator\spamihilator.exe"" [file not found]
"Komunikator" = "D:\Program Files\Tlen.pl\tlen.exe" [file not found]
"H/PC Connection Agent" = ""D:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]
"ctfmon.exe" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"waveobj" = "D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe" [null data]
"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ATICCC" = ""D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"RemoteControl" = ""D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"CloneCDTray" = ""D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"MSys32" = ""F:\GRY\Tetris 4000\morfitwebentrance.exe"" [file not found]
"WooCnxMon" = "D:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "D:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"(Default)" = "(empty string)" [file not found]
"StatusClient" = "D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto" ["Hewlett-Packard"]
"TomcatStartup" = "D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" ["Hewlett-Packard"]
"Easy-PrintToolBox" = "D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" [file not found]
"SpeedTouch USB Diagnostics" = ""D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"Picasa Media Detector" = "E:\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"FlagDupeWipeSoft" = "D:\Documents and Settings\All Users\Dane aplikacji\Debug ford flag dupe\BALMITCH.exe" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"Globe7" = ""D:\Program Files\Globe7\Globe7.exe" /hide" [file not found]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"avast!" = "D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "D:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "D:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
-> {HKLM...CLSID} = "Skype add-on (mastermind)"
\InProcServer32\(Default) = "D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]
{b5146c40-189a-4311-bda9-fbae3e023187}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Multi Media Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Multi_Media\tbMult.dll" ["Conduit Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" [file not found]

Waiting for further instructions!!

Post merged: 20.07.2007 (Fri) 19:32

Oh, and ComboFix

"slawek_" - 2007-07-20 19:16:11 - ComboFix 07-07-14.6 - Dodatek Service Pack 2 FAT32

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\autorun.inf
d:\autorun.inf
D:\DOCUME~1\slawek_\DANEAP~1\.\macromedia\Flash Player#SharedObjects\ZRRJXV5B\www.broadcaster.com
D:\DOCUME~1\slawek_\DANEAP~1\.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#www.broadcaster.com
D:\DOCUME~1\slawek_\DANEAP~1\.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys#www.broadcaster.com\settings.sol
D:\WINDOWS\hosts
e:\autorun.inf
f:\autorun.inf

((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))
2007-07-20 19:09
2007-07-20 19:02 8,731 --a------ D:\dnsbak.reg
2007-07-19 12:08
2007-07-18 20:35
2007-07-18 18:02 95,872 --a------ D:\WINDOWS\system32\AvastSS.scr
2007-07-18 18:02 94,552 --a------ D:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-18 18:02 85,952 --a------ D:\WINDOWS\system32\drivers\aswmon.sys
2007-07-18 18:02 745,600 --a------ D:\WINDOWS\system32\aswBoot.exe
2007-07-18 18:02 43,176 --a------ D:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-18 18:02 26,888 --a------ D:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-18 18:02 23,416 --a------ D:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-18 18:02
2007-07-12 22:40
2007-07-12 17:46 51,200 --a------ D:\WINDOWS\nircmd.exe
2007-07-12 00:13
2007-07-11 22:13 29,568 --a------ D:\WINDOWS\FVProtect.exe
2007-07-11 22:13 26,624 --a------ D:\WINDOWS\userconfig9x.dll
2007-07-11 15:20
2007-07-09 23:31
2007-07-09 23:26
2007-07-09 00:06
2007-06-22 21:58

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-09 20:54:22 67,078 ----a-w D:\WINDOWS\system32\perfc015.dat
2007-07-09 20:54:22 435,978 ----a-w D:\WINDOWS\system32\perfh015.dat
2007-06-15 19:01:16 -------- d-----w D:\Program Files\SmartSound Software
2007-06-15 19:00:44 -------- d-----w D:\Program Files\Windows Media Components
2007-06-09 22:05:30 -------- d-----w D:\Program Files\QuickTime
2007-06-09 20:45:00 -------- d-----w D:\DOCUME~1\slawek_\DANEAP~1\Ulead Systems
2007-06-09 20:44:48 74 ---ha-w D:\WINDOWS\syslife.dat
2007-06-09 19:49:42 86,016 ----a-w D:\WINDOWS\system32\OpenAL32.dll
2007-06-09 19:49:42 262,144 ----a-w D:\WINDOWS\system32\wrap_oal.dll
2007-06-08 15:02:06 -------- d-----w D:\Program Files\Common Files\ACD Systems
2007-05-10 21:43:06 7,136 ----a-w D:\WINDOWS\mozver.dat
2007-05-01 18:52:42 13,824 ----a-w D:\WINDOWS\_g6uninst.exe
2006-03-05 08:19:52 1,682 --sha-w D:\WINDOWS\system32\KGyGaAvL.sys
2006-03-05 08:19:52 56 --sh--r D:\WINDOWS\system32\0D2FA2D32D.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-04-16 16:39 37808 --------- D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
2007-02-19 16:10 751144 --a------ D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b5146c40-189a-4311-bda9-fbae3e023187}]
2007-02-01 15:14 1285144 --a------ D:\Program Files\Multi_Media\tbMult.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 07:15]
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2004-09-29 10:37]
"RemoteControl"="D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 19:42]
"CloneCDTray"="D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" [2004-06-28 04:33]
"MSys32"="F:\GRY\Tetris 4000\morfitwebentrance.exe" []
"WooCnxMon"="D:\PROGRA~1\NEOSTR~1\CnxMon.exe" [2003-10-16 19:07]
"WOOWATCH"="D:\PROGRA~1\NEOSTR~1\Watch.exe" [2003-10-16 19:07]
"WOOTASKBARICON"="D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" [2003-10-16 19:07]
"@"="" []
"StatusClient"="D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 16:51]
"TomcatStartup"="D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe" [2003-03-31 19:28]
"Easy-PrintToolBox"="D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" []
"SpeedTouch USB Diagnostics"="D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"Picasa Media Detector"="E:\Picasa2\PicasaMediaDetector.exe" [2007-02-01 03:52]
"FlagDupeWipeSoft"="D:\Documents and Settings\All Users\Dane aplikacji\Debug ford flag dupe\BALMITCH.exe" [2007-03-02 17:38]
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 12:23 D:\WINDOWS\SOUNDMAN.EXE]
"Globe7"="D:\Program Files\Globe7\Globe7.exe" []
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-06-10 00:06]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 17:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spamihilator"="D:\Program Files\Spamihilator\spamihilator.exe" []
"Komunikator"="D:\Program Files\Tlen.pl\tlen.exe" []
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-27 01:54]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]
"waveobj"="D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe" [2007-03-02 17:34]
"Skype"="D:\Program Files\Skype\Phone\Skype.exe" [2007-02-19 16:27]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe" [2007-04-19 17:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
""=
"ATICCC"="D:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\atisetup.exe
launch\command- G:\atisetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ffc882-f8ed-11db-a883-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f7a4286-1755-11dc-a8c9-000e504b0c29}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7c661c5-e674-11d8-b827-806d6172696f}]
AutoRun\command- G:\AUTORUN\AUTORUN.EXE

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-20 19:18:36
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-20 19:19:01
D:\ComboFix-quarantined-files.txt ... 2007-07-20 19:19
D:\ComboFix2.txt ... 2007-07-12 17:53

--- E O F ---

Te w/w wpisy sfiksuj w Hijacku:

>>Hijack>>scan(Do a system scan only)>>zaznacz je >> Fix checked.

Just be careful not to make a mistake with the “017” entries!

As you can see, among other things you have the dangerous “Email-Worm.Win32.NetSky.q” virus (http://wirusy.antivirenkit.pl/pl/opis/Email-Worm.Win32.NetSky.q.html) and an infection on the pendrive.

Removal:

If you have some kind of “remover”, use it to do the removal.

If you don't have a “remover”, then:

Paste into Notepad:

File::

D:\Documents and Settings\All Users\Dane aplikacji\Debug ford flag dupe\BALMITCH.exe

D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe

D:\WINDOWS\FVProtect.exe 

D:\WINDOWS\userconfig9x.dll

D:\WINDOWS\_g6uninst.exe


Folder::

D:\Documents and Settings\All Users\Dane aplikacji\Debug ford flag dupe

D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1


Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ffc882-f8ed-11db-a883-806d6172696f}]


[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f7a4286-1755-11dc-a8c9-000e504b0c29}]

>>File>>Save as… >>> ComboFix-Do (it will be most convenient if you save it in a location where the ComboFix-Do icon ends up next to the ComboFix.exe icon)

Drag and drop the ComboFix-Do.txt file onto the ComboFix.exe file

(that is, the ComboFix-Do.txt icon onto the ComboFix.exe icon)

– just like in this picture -->http://i12.tinypic.com/4l761r5.gif

After the restart, manually delete the C:\Qoobox folder.

Manually delete all D:\FOUND.058 and similar.

Then post a new ComboFix log.

.

I did everything as above, here is the result:

“slawek_” - 2007-07-20 21:43:25 - ComboFix 07-07-14.6 - Dodatek Service Pack 2 FAT32

((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))

2007-07-20 21:41

2007-07-20 19:09

2007-07-20 19:02 8,731 --a------ D:\dnsbak.reg

2007-07-19 12:08

2007-07-18 20:35

2007-07-18 18:02 95,872 --a------ D:\WINDOWS\system32\AvastSS.scr

2007-07-18 18:02 94,552 --a------ D:\WINDOWS\system32\drivers\aswmon2.sys

2007-07-18 18:02 85,952 --a------ D:\WINDOWS\system32\drivers\aswmon.sys

2007-07-18 18:02 745,600 --a------ D:\WINDOWS\system32\aswBoot.exe

2007-07-18 18:02 43,176 --a------ D:\WINDOWS\system32\drivers\aswTdi.sys

2007-07-18 18:02 26,888 --a------ D:\WINDOWS\system32\drivers\aavmker4.sys

2007-07-18 18:02 23,416 --a------ D:\WINDOWS\system32\drivers\aswRdr.sys

2007-07-18 18:02

2007-07-12 22:40

2007-07-12 17:46 51,200 --a------ D:\WINDOWS\nircmd.exe

2007-07-12 00:13

2007-07-11 15:20

2007-07-09 23:31

2007-07-09 23:26

2007-07-09 00:06

2007-06-22 21:58

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 20:54:22 67,078 ----a-w D:\WINDOWS\system32\perfc015.dat

2007-07-09 20:54:22 435,978 ----a-w D:\WINDOWS\system32\perfh015.dat

2007-06-15 19:01:16 -------- d-----w D:\Program Files\SmartSound Software

2007-06-15 19:00:44 -------- d-----w D:\Program Files\Windows Media Components

2007-06-09 22:05:30 -------- d-----w D:\Program Files\QuickTime

2007-06-09 20:45:00 -------- d-----w D:\DOCUME~1\slawek_\DANEAP~1\Ulead Systems

2007-06-09 20:44:48 74 ---ha-w D:\WINDOWS\syslife.dat

2007-06-09 19:49:42 86,016 ----a-w D:\WINDOWS\system32\OpenAL32.dll

2007-06-09 19:49:42 262,144 ----a-w D:\WINDOWS\system32\wrap_oal.dll

2007-06-08 15:02:06 -------- d-----w D:\Program Files\Common Files\ACD Systems

2007-05-10 21:43:06 7,136 ----a-w D:\WINDOWS\mozver.dat

2006-03-05 08:19:52 1,682 --sha-w D:\WINDOWS\system32\KGyGaAvL.sys

2006-03-05 08:19:52 56 --sh--r D:\WINDOWS\system32\0D2FA2D32D.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2001-04-16 16:39 37808 --------- D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]

2007-02-19 16:10 751144 --a------ D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b5146c40-189a-4311-bda9-fbae3e023187}]

2007-02-01 15:14 1285144 --a------ D:\Program Files\Multi_Media\tbMult.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATIPTA”=“D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-09-29 07:15]

“ATICCC”=“D:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2004-09-29 10:37]

“RemoteControl”=“D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 19:42]

“CloneCDTray”=“D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” [2004-06-28 04:33]

“WooCnxMon”=“D:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 19:07]

“WOOWATCH”=“D:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 19:07]

“WOOTASKBARICON”=“D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 19:07]

“@”="" []

“StatusClient”=“D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe” [2002-12-16 16:51]

“TomcatStartup”=“D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe” [2003-03-31 19:28]

“Easy-PrintToolBox”=“D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe” []

“SpeedTouch USB Diagnostics”=“D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 11:38]

“Picasa Media Detector”=“E:\Picasa2\PicasaMediaDetector.exe” [2007-02-01 03:52]

“SoundMan”=“SOUNDMAN.EXE” [2004-07-01 12:23 D:\WINDOWS\SOUNDMAN.EXE]

“Globe7”=“D:\Program Files\Globe7\Globe7.exe” []

“QuickTime Task”=“D:\Program Files\QuickTime\qttask.exe” [2007-06-10 00:06]

“avast!”=“D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Spamihilator”=“D:\Program Files\Spamihilator\spamihilator.exe” []

“Komunikator”=“D:\Program Files\Tlen.pl\tlen.exe” []

“H/PC Connection Agent”=“D:\Program Files\Microsoft ActiveSync\wcescomm.exe” [2006-06-27 01:54]

“ctfmon.exe”=“D:\WINDOWS\system32\ctfmon.exe” [2004-08-03 22:44]

“Skype”=“D:\Program Files\Skype\Phone\Skype.exe” [2007-02-19 16:27]

“Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe” [2007-04-19 17:43]

“waveobj”=“D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe” []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

“”=

“ATICCC”=“D:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

AutoRun\command- G:\atisetup.exe

launch\command- G:\atisetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7c661c5-e674-11d8-b827-806d6172696f}]

AutoRun\command- G:\AUTORUN\AUTORUN.EXE

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-20 21:44:49

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-20 21:45:09

D:\ComboFix-quarantined-files.txt … 2007-07-20 21:34

D:\ComboFix3.txt … 2007-07-20 19:19

D:\ComboFix2.txt … 2007-07-20 21:34

--- E O F ---

Oh, and instead of C:\Qoobox I had D:\Qoobox, I don't know whether that makes any difference because I don't know much about this, but I deleted it, and I didn't have any files of the D:\FOUND.058 type, nothing like that came up in the search and I didn't find anything like that on drive D either!!

Open Notepad and paste into it:

File>>Save as>>change the file type from TXT to All files and save it under the name FIX.REG, double-click that Fix and confirm adding it to the registry.

Scan this file

D:\WINDOWS\syslife.dat

at http://www.virustotal.com

throw out these files

D:\FOUND.063

D:\FOUND.062

D:\FOUND.061

D:\FOUND.060

D:\FOUND.059

D:\FOUND.058

D:\FOUND.057

Give Jessi a kiss, because she helped you a lot :stuck_out_tongue:

Paste into Notepad:

Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"waveobj"=-

From the Notepad menu >>> File >>> Save as >>> set the file type to “All files” >>> save as FIX.REG >>> run the file (double-click and OK).

Restart the computer.

Delete the ones listed above manually, but because the “found” files have protective attributes, you have to change those attributes first:

>>Start>>Control Panel>>Folder Options>>View>>uncheck “Hide protected operating system files”>>check “Show hidden files”>>Apply>>OK.

Only now search for those files and delete them manually.

You can post a ComboFix log once more to check whether that key left over from the “LOP” infection is gone.

.

EDIT:

I see that while I was writing, @ Kuba1 already gave an answer.

Oh well - I was too late. :slight_smile:

But my post may still be useful, because it shows how to remove the protective attributes.

.

This is the ComboFix log:

“slawek_” - 2007-07-20 23:21:50 - ComboFix 07-07-14.6 - Dodatek Service Pack 2 FAT32

((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))

2007-07-18 18:02 95,872 --a------ D:\WINDOWS\system32\AvastSS.scr

2007-07-18 18:02 94,552 --a------ D:\WINDOWS\system32\drivers\aswmon2.sys

2007-07-18 18:02 85,952 --a------ D:\WINDOWS\system32\drivers\aswmon.sys

2007-07-18 18:02 745,600 --a------ D:\WINDOWS\system32\aswBoot.exe

2007-07-18 18:02 43,176 --a------ D:\WINDOWS\system32\drivers\aswTdi.sys

2007-07-18 18:02 26,888 --a------ D:\WINDOWS\system32\drivers\aavmker4.sys

2007-07-18 18:02 23,416 --a------ D:\WINDOWS\system32\drivers\aswRdr.sys

2007-07-18 18:02

2007-07-12 17:46 51,200 --a------ D:\WINDOWS\nircmd.exe

2007-07-09 23:31

2007-07-09 23:26

2007-07-09 00:06

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 20:54:22 67,078 ----a-w D:\WINDOWS\system32\perfc015.dat

2007-07-09 20:54:22 435,978 ----a-w D:\WINDOWS\system32\perfh015.dat

2007-06-15 19:01:16 -------- d-----w D:\Program Files\SmartSound Software

2007-06-15 19:00:44 -------- d-----w D:\Program Files\Windows Media Components

2007-06-09 22:05:30 -------- d-----w D:\Program Files\QuickTime

2007-06-09 20:45:00 -------- d-----w D:\DOCUME~1\slawek_\DANEAP~1\Ulead Systems

2007-06-09 20:44:48 74 ---ha-w D:\WINDOWS\syslife.dat

2007-06-09 19:49:42 86,016 ----a-w D:\WINDOWS\system32\OpenAL32.dll

2007-06-09 19:49:42 262,144 ----a-w D:\WINDOWS\system32\wrap_oal.dll

2007-06-08 15:02:06 -------- d-----w D:\Program Files\Common Files\ACD Systems

2007-05-10 21:43:06 7,136 ----a-w D:\WINDOWS\mozver.dat

2006-03-05 08:19:52 1,682 --sha-w D:\WINDOWS\system32\KGyGaAvL.sys

2006-03-05 08:19:52 56 --sh--r D:\WINDOWS\system32\0D2FA2D32D.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

2001-04-16 16:39 37808 --------- D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]

2007-02-19 16:10 751144 --a------ D:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b5146c40-189a-4311-bda9-fbae3e023187}]

2007-02-01 15:14 1285144 --a------ D:\Program Files\Multi_Media\tbMult.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“ATIPTA”=“D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [2004-09-29 07:15]

“ATICCC”=“D:\Program Files\ATI Technologies\ATI.ACE\cli.exe” [2004-09-29 10:37]

“RemoteControl”=“D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” [2003-10-31 19:42]

“CloneCDTray”=“D:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” [2004-06-28 04:33]

“WooCnxMon”=“D:\PROGRA~1\NEOSTR~1\CnxMon.exe” [2003-10-16 19:07]

“WOOWATCH”=“D:\PROGRA~1\NEOSTR~1\Watch.exe” [2003-10-16 19:07]

“WOOTASKBARICON”=“D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [2003-10-16 19:07]

“@”="" []

“StatusClient”=“D:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe” [2002-12-16 16:51]

“TomcatStartup”=“D:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe” [2003-03-31 19:28]

“Easy-PrintToolBox”=“D:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe” []

“SpeedTouch USB Diagnostics”=“D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” [2004-01-26 11:38]

“Picasa Media Detector”=“E:\Picasa2\PicasaMediaDetector.exe” [2007-02-01 03:52]

“SoundMan”=“SOUNDMAN.EXE” [2004-07-01 12:23 D:\WINDOWS\SOUNDMAN.EXE]

“Globe7”=“D:\Program Files\Globe7\Globe7.exe” []

“QuickTime Task”=“D:\Program Files\QuickTime\qttask.exe” [2007-06-10 00:06]

“avast!”=“D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-04-30 17:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Spamihilator”=“D:\Program Files\Spamihilator\spamihilator.exe” []

“Komunikator”=“D:\Program Files\Tlen.pl\tlen.exe” []

“H/PC Connection Agent”=“D:\Program Files\Microsoft ActiveSync\wcescomm.exe” [2006-06-27 01:54]

“ctfmon.exe”=“D:\WINDOWS\system32\ctfmon.exe” [2004-08-03 22:44]

“Skype”=“D:\Program Files\Skype\Phone\Skype.exe” [2007-02-19 16:27]

“Gadu-Gadu”=“D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe” [2007-04-19 17:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

“”=

“ATICCC”=“D:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

AutoRun\command- G:\atisetup.exe

launch\command- G:\atisetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e7c661c5-e674-11d8-b827-806d6172696f}]

AutoRun\command- G:\AUTORUN\AUTORUN.EXE

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-20 23:23:31

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

Completion time: 2007-07-20 23:23:52

D:\ComboFix-quarantined-files.txt … 2007-07-20 21:34

D:\ComboFix2.txt … 2007-07-20 21:45

D:\ComboFix3.txt … 2007-07-20 21:34

--- E O F ---

And I deleted these files

D:\FOUND.063

D:\NoLopBackups

D:\dnsbak.reg

D:\FOUND.062

D:\FOUND.061

D:\FOUND.060

D:\FOUND.059

D:\FOUND.058

D:\FOUND.057

Only there are many more files of this type, FOUND.000 to FOUND.056 on drive C, and there are a few on drives E and D as well, so I don't know whether I should delete those too or only the ones listed above!

and VirusTotal didn't detect anything, only additional information:

File size: 74 bytes

MD5: 768ef41c1b9ff016dd745912677d73b5

SHA1: aff5eb19d7a1b199a496a37839e6473d840b5ff5

Waiting for further information!!

I suspected there were more of those “found” files - delete all of them, of course!

And as for “D:\WINDOWS\syslife.dat”, I already knew it was harmless, because I had come across it elsewhere - that's why I didn't even mention it.

Oh well - @ Kuba1 preferred to check it.

I don't see anything else suspicious in the log.

Take care. :slight_smile:

In that case, thanks for the help!!!

But that wasn't being removed. The log shows it is still on the disk - if it weren't on the disk, there would be empty brackets [] instead of the installation date.

If that message keeps appearing, you have three options:

  1. ignore it

  2. reinstall Neostrada

  3. *********

And some pages probably don't open simply because there is temporarily no connection to them.

.

===============

Point three has been removed, because following it could have made an even bigger mess.

Please check more carefully.

Monczkin.
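The replies in this thread read the ComboFix "Reg Loading Points" section by a few simple rules: a Run value living under a user's Application Data folder (the “waveobj” entry) is a persistence location worth removing, a mountpoints2 AutoRun\command that goes through RunDLL32/ShellExec_RunDLL or wscript.exe is the pendrive autorun infection, and, as explained in the post just above, a value followed by empty brackets [] points at a file that is no longer on the disk. The script below is an added example that applies those three rules to log lines; it is not part of this thread, nor code from ComboFix or HijackThis, and its sample input is a constructed, cut-down copy of the entries quoted above.

```python
"""Triage of ComboFix "Reg Loading Points" lines (added example, not ComboFix code)."""
import re

# Constructed sample: a cut-down copy of the entries quoted in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Komunikator"="D:\Program Files\Tlen.pl\tlen.exe" []
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:44]
"waveobj"="D:\DOCUME~1\slawek_\DANEAP~1\COALLO~1\LIVE BAGS WAIT.exe" [2007-03-02 17:34]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu\Gadu-Gadu\Gadu-Gadu\gg.exe" [2007-04-19 17:43]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
AutoRun\command- G:\atisetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41ffc882-f8ed-11db-a883-806d6172696f}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4f7a4286-1755-11dc-a8c9-000e504b0c29}]
AutoRun\command- D:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
'''

# A registry key header: [HKEY_...\...]
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# A Run value as ComboFix prints it: "name"="path" [timestamp-or-empty]
# (accepts both straight and the curly quotes a forum paste may carry)
RUN_VALUE_RE = re.compile(
    r'^[“"](?P<name>[^”"]*)[”"]=[“"](?P<path>[^”"]*)[”"]\s*\[(?P<stamp>[^\]]*)\]')
# A mountpoints2 autorun line: AutoRun\command- <command>
AUTORUN_RE = re.compile(r'^AutoRun\\command-\s*(?P<cmd>.+)$', re.IGNORECASE)

# User-writable profile locations (Polish XP: "Dane aplikacji" / DANEAP~1)
# where a Run entry is rarely legitimate.
PROFILE_DATA_RE = re.compile(r'\\(DANEAP~1|Dane aplikacji|Application Data)\\',
                             re.IGNORECASE)
# Script hosts and the rundll32 shell-exec trampoline seen in the pendrive autorun.
SCRIPT_LAUNCHER_RE = re.compile(r'(wscript\.exe|cscript\.exe|ShellExec_RunDLL)',
                                re.IGNORECASE)


def triage(log_text):
    """Return (rule, key, detail) tuples for the lines that deserve a closer look."""
    findings = []
    current_key = ''
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                      # remember which key the following values belong to
            current_key = m.group('key')
            continue
        m = RUN_VALUE_RE.match(line)
        if m and current_key.lower().endswith(r'\currentversion\run'):
            name, path, stamp = m.group('name'), m.group('path'), m.group('stamp')
            if stamp == '':        # empty [] : ComboFix found no such file on disk
                findings.append(('missing-file', current_key, name))
            if PROFILE_DATA_RE.search(path):
                findings.append(('profile-data-run', current_key, name))
            continue
        m = AUTORUN_RE.match(line)
        if m and 'mountpoints2' in current_key.lower():
            cmd = m.group('cmd')
            if SCRIPT_LAUNCHER_RE.search(cmd):
                findings.append(('autorun-script', current_key, cmd))
    return findings


def rules_hit(log_text):
    """Sorted names of the rules that fired, for a one-line summary."""
    return sorted({rule for rule, _, _ in triage(log_text)})


if __name__ == '__main__':
    for rule, key, detail in triage(SAMPLE_LOG):
        print(f'{rule:18} {detail}')
```

On the constructed sample the script flags “Komunikator” as a stale reference (empty brackets), “waveobj” as a Run entry under the user's Application Data, and both GUID mountpoints2 keys whose AutoRun\command goes through ShellExec_RunDLL, while ctfmon.exe, Gadu-Gadu and the G: drive's atisetup.exe pass. The rules are deliberately narrow: they encode only what the thread itself says about these entries, so a hit is a prompt to look, not a verdict.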

pytak, fix your posts and wrap the logs in tags :!:

http://forum.dobreprogramy.pl/viewtopic.php?t=36654

@ Monczkin - I think you're slightly exaggerating, :slight_smile: because:

So, in “plain Polish”:

“Not dangerous, but unnecessary. Wanadoo ISP software, not needed/required.”

But I'm not going to argue about it - it isn't worth it, it's a trifle. :slight_smile: