kacprosz
(kacprosz)
6 December 2007 15:26
#1
Hello,
The problem appeared yesterday evening. The problem is that web pages load very slowly.
Here is the log from Silent Runners:
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"AutoConnect" = "e:\Program Files\AutoConnect\AutoConnect.exe" ["http://autoconnect.prv.pl "]
"DAEMON Tools" = ""e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"Network Security XP" = "C:\WINDOWS\System32\nvsvc86.exe" [null data]
"WMI Standard Event Consumer - hosting" = "C:\WINDOWS\System32\wbem\scrcs.exe" [null data]
"Microsoft Oftice" = "C:\WINDOWS\System32\msmsgs.exe" [null data]
"systemscroot" = "systembin.exe" [null data]
"Microsoft Windows Driver" = "C:\WINDOWS\rundll32.exe" [null data]
"MicroSoft Legal Syst3m32" = "Syst3m32.exe" [null data]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"MicroSoft Legal Syst3m32" = "Syst3m32.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [null data]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [null data]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"mmsass" = "mmdmm.exe" [null data]
"AVGCtrl" = "E:\Program Files\AVPersonal\AVGNT.EXE /min" ["H+BEDV Datentechnik GmbH"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"AdslTaskBar" = "rundll32.exe stmctrl.dll,TaskBar" [null data]
"HakerzyNET MAV" = "E:\Program Files\HakerzyNET AntiVirus\HakerzyNET_MAV.exe" ["Hakerzy.NET © 2006 - 2008"]
"Network Security XP" = "C:\WINDOWS\System32\nvsvc86.exe" [null data]
"WMI Standard Event Consumer - hosting" = "C:\WINDOWS\System32\wbem\scrcs.exe" [null data]
"Microsoft Oftice" = "C:\WINDOWS\System32\msmsgs.exe" [null data]
"systemscroot" = "systembin.exe" [null data]
"MicroSoft Legal Syst3m32" = "Syst3m32.exe" [null data]
"WinDLL (Wseclayer.exe)" = "rundll32.exe C:\WINDOWS\System32\Wseclayer.exe,start" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"MicroSoft Legal Syst3m32" = "Syst3m32.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
  \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"
  -> {HKLM...CLSID} = "BitComet Helper"
     \InProcServer32\(Default) = "E:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll" ["BitComet"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{4EFE464B-3D0B-4800-A5DE-2321283A3256}" = "QCD IconHandler"
  -> {HKLM...CLSID} = "QIconHandler Class"
     \InProcServer32\(Default) = "e:\Program Files\Quintessential Player\QCDIcons.dll" [empty string]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "e:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "E:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "e:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "E:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "e:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "E:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kacper Patryk Damian\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}\(Default) = "BitComet Button"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Program Files\BitComet\tools\BitCometBHO_1.1.9.24.dll" ["BitComet"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\
"ButtonText" = "BitComet Search"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir Service, AntiVirService, ""E:\Program Files\AVPersonal\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]
AntiVir Update, AVWUpSrv, ""E:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]
MicroSoft Legal Syst3m32, System.microsoft.com , ""C:\WINDOWS\System32\Syst3m32.exe" -netsvcs" [null data]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 57 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars took 162 seconds.
---------- (total run time: 485 seconds)
Unfortunately I can't provide a HijackThis log because it won't start.
Big thanks for all replies.
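Added example, not part of this thread or of Silent Runners: a small Python triage script over lines in the Silent Runners "Startup items buried in registry" format, using a handful of entries copied from the log above as constructed sample input. It flags the traits that separate the suspicious values in this log from the legitimate ones (no publisher/version info, a name that claims Microsoft without a Microsoft publisher, digit-for-letter substitution, a bare filename resolved through the search path, the same value planted under several autostart keys); the function names and the rule set are my own.

```python
import re
from collections import Counter

# Constructed sample in the Silent Runners "Startup items buried in registry"
# format; the entries are copied from the log posted above.
SAMPLE_LOG = r'''
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DAEMON Tools" = ""e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"Network Security XP" = "C:\WINDOWS\System32\nvsvc86.exe" [null data]
"Microsoft Oftice" = "C:\WINDOWS\System32\msmsgs.exe" [null data]
"systemscroot" = "systembin.exe" [null data]
"MicroSoft Legal Syst3m32" = "Syst3m32.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"MicroSoft Legal Syst3m32" = "Syst3m32.exe" [null data]
'''

ENTRY_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"\s*\[([^\]]*)\]\s*$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")   # strip GUIDs before the leet check


def parse_entries(text):
    """One dict per autostart value: hive (key path), name, command, publisher."""
    entries, hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("HK"):                  # registry key header line
            hive = line.replace("{++}", "").strip()
            continue
        m = ENTRY_RE.match(line)
        if m and hive:
            name, command, publisher = m.groups()
            entries.append({"hive": hive, "name": name, "command": command,
                            "publisher": publisher.strip('"')})
    return entries


def first_token(command):
    """Executable part of a command line, surrounding quotes removed."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def triage(entries):
    """Flag entries showing the traits the malicious values in this log share."""
    per_name = Counter(e["name"] for e in entries)
    flagged = []
    for e in entries:
        name, pub, exe = e["name"], e["publisher"], first_token(e["command"])
        no_pub = pub == "null data"                # no version resource/company
        reasons = []
        if no_pub:
            reasons.append("binary carries no publisher/version info")
        if "microsoft" in name.lower() and pub != "MS" and "Microsoft" not in pub:
            reasons.append("name claims Microsoft, publisher does not")
        if re.search(r"[a-z]\d[a-z]", GUID_RE.sub("", name), re.I):
            reasons.append("digit-for-letter substitution in name")
        if no_pub and "\\" not in exe:
            reasons.append("bare filename resolved through the search path")
        if per_name[name] > 1:
            reasons.append("same value in %d autostart keys" % per_name[name])
        if reasons:
            flagged.append({"hive": e["hive"], "name": name, "exe": exe,
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print(*triage(parse_entries(SAMPLE_LOG)), sep="\n")
```

On the sample, the DAEMON Tools and RTHDCPL values pass and the other five are flagged; the Syst3m32 value collects every reason, including its presence under both HKCU and HKLM.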
kacprosz
(kacprosz)
6 December 2007 20:32
#3
Gutek2222, I did as you said:
here is what came out after the SDFix scan:
SDFix: Version 1.110
Run by Kacper Patryk Damian on 2007-12-06 at 21:22

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\combofix\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\GHHGJ.EXE - Deleted
C:\WINDOWS\SYSTEM32\MPDEMO.EXE - Deleted
C:\WINDOWS\rundll32.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\mmdmm.exe - Deleted
C:\WINDOWS\system32\msmsgs.exe - Deleted
C:\WINDOWS\system32\systembin.exe - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\System32\wbem\scrcs.exe"="C:\WINDOWS\System32\wbem\scrcs.exe:*:Enabled:WMI Standard Event Consumer - hosting"

Remaining Files:
---------------

File Backups: - C:\combofix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed  5 Dec 2007        34,418 ..SH. --- "C:\infs.exe"
Wed  5 Dec 2007        68,608 ..SH. --- "C:\WINDOWS\system32\a.exe"
Wed  5 Dec 2007       458,752 ..SH. --- "C:\WINDOWS\system32\Wseclayer.exe"
Fri 20 Sep 2002        58,820 ..SHR --- "C:\WINDOWS\system32\wbem\scrcs.exe"

Finished!
and here is the ComboFix log:
ComboFix 07-12-02.7 - Kacper Patryk Damian 2007-12-06 21:25:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.628 [GMT 1:00]
Running from: E:\Pobrane z internetu\ComboFix.exe
 * Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\a.exe

.
((((((((((((((((((((((((( Files Created from 2007-11-06 to 2007-12-06 )))))))))))))))))))))))))))))))
.

2007-12-06 21:22 . 2007-12-06 21:22
2007-12-06 17:34 . 2007-12-06 17:36        8,374  --a------  C:\WINDOWS\system32\sfsfsdfscxzcz.exe
2007-12-06 09:49 . 2007-12-06 09:49
2007-12-06 09:19 . 2007-12-06 20:52        6,656  --a------  C:\Documents and Settings\Kacper Patryk Damian\mssysroot.sys
2007-12-06 09:19 . 2007-12-06 21:24            0  --a------  C:\adware.exe
2007-12-05 22:41 . 2007-12-05 22:42       34,418  ---hs----  C:\infs.exe
2007-12-05 21:45 . 2007-12-05 21:46       14,160  --a------  C:\WINDOWS\system32\dfsdfds.exe
2007-12-05 21:19 . 2007-12-05 21:22        6,910  --a------  C:\WINDOWS\system32\ghhgjhjdfg.exe
2007-12-05 19:58 . 2007-12-05 21:09      458,752  ---------  C:\WINDOWS\system32\nope.dll
2007-12-05 19:32 . 2007-12-05 21:09      458,752  ---hs----  C:\WINDOWS\system32\Wseclayer.exe
2007-12-05 19:32 . 2007-12-05 21:17       14,160  --a------  C:\WINDOWS\system32\ghhgjhj.exe
2007-12-05 19:32 . 2007-12-05 20:14           27  --a------  C:\WINDOWS\system32\kuki.bat
2007-12-05 18:59 . 2007-12-05 18:59      548,864  --a------  C:\WINDOWS\system32\Syst3m32.exe
2007-12-05 13:50 . 2007-12-05 15:29      851,968  --a------  C:\WINDOWS\system32\Srb0ty.exe
2007-12-05 12:36 . 2007-12-05 12:36       55,808  ---hs----  C:\ntlds
2007-12-04 16:13 . 2007-12-04 16:13
2007-12-04 16:13 . 2007-12-04 16:13      107,888  --a------  C:\WINDOWS\system32\CmdLineExt.dll
2007-12-04 15:48 . 2007-12-04 15:48      685,816  --a------  C:\WINDOWS\system32\drivers\sptd.sys
2007-12-04 00:47 . 2007-12-04 00:47
2007-12-03 19:51 . 2007-12-03 19:51
2007-12-03 13:14 . 2007-12-03 13:14
2007-12-03 00:24 . 2007-12-03 00:24
2007-12-03 00:14 . 2002-08-29 01:32       21,760  --a--c---  C:\WINDOWS\system32\dllcache\usbstor.sys
2007-12-03 00:13 . 2003-08-25 18:06      182,880  --a------  C:\WINDOWS\system32\iuengine.dll
2007-12-03 00:13 . 2003-08-25 18:06      182,880  --a--c---  C:\WINDOWS\system32\dllcache\iuengine.dll
2007-12-03 00:10 . 2004-04-12 17:27    1,081,616  --a------  C:\WINDOWS\system32\mscomctl.ocx
2007-12-03 00:10 . 2004-04-12 17:27      609,584  --a------  C:\WINDOWS\system32\comctl32.ocx
2007-12-03 00:10 . 2004-04-12 17:27      152,848  --a------  C:\WINDOWS\system32\comdlg32.ocx
2007-12-02 18:55 . 2007-12-02 18:55        2,560  --a------  C:\WINDOWS\system32\bitcometres.dll
2007-12-02 16:57 . 2007-12-05 22:39       68,123  --a------  C:\WINDOWS\system32\msv.exe
2007-12-02 13:51 . 2007-12-02 13:51
2007-12-02 13:12 . 2007-12-05 11:17           49  --a------  C:\WINDOWS\NeroDigital.ini
2007-12-02 13:01 . 2007-12-02 13:01
2007-12-02 12:55 . 2007-12-02 12:56
2007-12-02 12:54 . 2007-12-02 12:54
2007-12-02 12:54 . 2007-12-02 13:54
2007-12-02 12:54 . 2007-09-24 23:31       69,632  --a------  C:\WINDOWS\system32\javacpl.cpl
2007-12-02 12:51 . 2007-12-02 12:51
2007-12-02 12:51 . 2007-12-02 12:54          659  --a------  C:\WINDOWS\mozver.dat
2007-12-02 12:49 . 2007-12-02 12:49
2007-12-02 12:47 . 2007-12-02 10:51
2007-12-02 12:47 . 2007-12-02 12:47
2007-12-02 12:47 . 2007-12-02 10:54
2007-12-02 12:47 . 2007-12-02 12:49
2007-12-02 12:47 . 2007-12-02 12:47
2007-12-02 12:47 . 2007-12-02 10:51
2007-12-02 12:47 . 2007-12-02 13:51
2007-12-02 12:23 . 2007-12-02 12:23
2007-12-02 12:14 . 2007-12-02 12:14
2007-12-02 12:12 . 2007-12-02 16:31

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-03 13:52  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2007-12-02 11:54  ---------  d-----w  C:\Program Files\Java
2007-12-02 11:40  ---------  d-----w  C:\Program Files\Common Files\Panda Software
2007-12-02 10:31  ---------  d-----w  C:\Program Files\Common Files\Ahead
2007-12-02 10:30  ---------  d-----w  C:\Program Files\Nero
2007-12-02 10:30  ---------  d-----w  C:\Documents and Settings\All Users\Dane aplikacji\Nero
2007-12-02 10:20  ---------  d-----w  C:\Documents and Settings\Kacper Patryk Damian\Dane aplikacji\Talkback
2007-12-02 10:12  ---------  d-----w  C:\Program Files\Common Files\InstallShield
2007-12-02 10:04    315,392  ----a-w  C:\WINDOWS\HideWin.exe
2007-12-02 10:04  ---------  d-----w  C:\Program Files\Realtek
2007-12-02 09:56    558,142  ----a-w  C:\WINDOWS\java\Packages\LVZFTBDR.ZIP
2007-12-02 09:56    155,995  ----a-w  C:\WINDOWS\java\Packages\OWHVJRXR.ZIP
2007-12-02 09:56  ---------  d-----w  C:\Program Files\microsoft frontpage
2007-12-02 09:54  ---------  d-----w  C:\Program Files\Usługi online
2002-09-20 17:05     58,820  --sh--r  C:\WINDOWS\system32\wbem\scrcs.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-01 10:21]
"DAEMON Tools"="e:\Program Files\DAEMON Tools\daemon.exe" [2007-08-22 13:06]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2002-09-20 18:05]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" []
"MicroSoft Legal Syst3m32"="Syst3m32.exe" [2007-12-05 18:59 C:\WINDOWS\system32\Syst3m32.exe]
"AutoConnect"="E:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 19:27]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MicroSoft Legal Syst3m32"="Syst3m32.exe" [2007-12-05 18:59 C:\WINDOWS\system32\Syst3m32.exe]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2002-09-20 18:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-19 04:12 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
"NvCplDaemon"="RUNDLL32.exe" [2001-10-26 18:30 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-16 08:35 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2001-10-26 18:30 C:\WINDOWS\system32\rundll32.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"AVGCtrl"="E:\Program Files\AVPersonal\AVGNT.exe" [2004-11-08 08:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"AdslTaskBar"="stmctrl.dll" [2006-06-02 10:01 C:\WINDOWS\system32\stmctrl.dll]
"HakerzyNET MAV"="E:\Program Files\HakerzyNET AntiVirus\HakerzyNET_MAV.exe" [2007-12-01 20:57]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2002-09-20 18:05]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" []
"MicroSoft Legal Syst3m32"="Syst3m32.exe" [2007-12-05 18:59 C:\WINDOWS\system32\Syst3m32.exe]
"WinDLL (Wseclayer.exe)"="C:\WINDOWS\System32\Wseclayer.exe" [2007-12-05 21:09]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MicroSoft Legal Syst3m32"="Syst3m32.exe" [2007-12-05 18:59 C:\WINDOWS\system32\Syst3m32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2002-09-20 18:05]
"MicroSoft Legal Syst3m32"="Syst3m32.exe" [2007-12-05 18:59 C:\WINDOWS\system32\Syst3m32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 18:05]
"Network Security XP"="C:\WINDOWS\System32\nvsvc86.exe" []
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2002-09-20 18:05]
"Microsoft Oftice"="C:\WINDOWS\System32\msmsgs.exe" []
"Microsoft Windows Driver"="C:\WINDOWS\rundll32.exe" []
"systemscroot"="systembin.exe" []
"MicroSoft Legal Syst3m32"="Syst3m32.exe" [2007-12-05 18:59 C:\WINDOWS\system32\Syst3m32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MicroSoft Legal Syst3m32"="Syst3m32.exe" [2007-12-05 18:59 C:\WINDOWS\system32\Syst3m32.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WMI Standard Event Consumer - hosting"="C:\WINDOWS\System32\wbem\scrcs.exe" [2002-09-20 18:05]
"systemscroot"="systembin.exe" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
WMI Standard Event Consumer - hosting  REG_SZ  C:\WINDOWS\System32\wbem\scrcs.exe

R2 AVWUpSrv;AntiVir Update;"E:\Program Files\AVPersonal\AVWUPSRV.EXE"
R3 avgntdd;avgntdd;\??\E:\Program Files\AVPersonal\AVGNTDD.SYS
R3 axsaki;axsaki;C:\WINDOWS\System32\DRIVERS\axsaki.sys
R3 axskbus;axskbus;C:\WINDOWS\System32\DRIVERS\axskbus.sys
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\System32\DRIVERS\stmatm.sys
R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\System32\DRIVERS\torususb.sys
R4 System.microsoft.com ;MicroSoft Legal Syst3m32;"C:\WINDOWS\System32\Syst3m32.exe" -netsvcs
S3 mssysroot;mssysroot;\??\C:\Documents and Settings\Kacper Patryk Damian\mssysroot.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-06 21:26:06
Windows 5.1.2600 Dodatek Service Pack. 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-06 21:26:20
.
--- E O F ---
Gutek
(Gutek)
6 December 2007 20:57
#4
Paste into Notepad:
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– just like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER). The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log.
Gutek
(Gutek)
6 December 2007 21:16
#6
Paste into Notepad:
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– just like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER). The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log.
Gutek
(Gutek)
6 December 2007 21:34
#8
delete the folder in Safe Mode
finally - a scan with AVG Anti-Spyware 7.5 after updating + the report
kacprosz
(kacprosz)
6 December 2007 21:51
#9
I don't have such a folder on drive C.
I also tried the "show hidden files and folders" option and nothing.
Gutek
(Gutek)
6 December 2007 21:55
#10
Paste into Notepad:
>>File>>Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)
– just like in this picture –>
(if the question " 1 or 2 " appears, type 1 and press ENTER). The removal should start (and a log will be created).
After the restart, manually delete the folder C:\Qoobox.
After that, a new ComboFix log.