Zamulony komputer

Zelek · 6 Wrzesień 2006 13:33

Komputer chodzi strasznie wolno. Wszystko się włącza po kilkanaście sekund. Taki explorer włącza się ok. nawet 1min!! Proszę o sprawdzenie loga:

Logfile of HijackThis v1.99.1

Scan saved at 15:31:38, on 2006-09-06

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\ArcaVir\Bin\NetMonSv.exe

C:\Program Files\ArcaVir\Bin\avmonsv.exe

C:\WINDOWS\sql-smss.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Winamp\Winampa.exe

C:\WINDOWS\System32\update.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\ArcaVir\Bin\arcascan.exe

C:\WINDOWS\System32\devldr32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Karol\Pulpit\hijackthis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll/space.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll/space.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)

O2 - BHO: (no name) - {F3ABB3D0-F610-4543-B656-E31363DC15B1} - C:\WINDOWS\System32\jegl.dll (file missing)

O2 - BHO: (no name) - {F3F4F0C0-13C2-4E3F-AE54-04B70A3E85F2} - C:\WINDOWS\System32\jegl.dll (file missing)

O2 - BHO: (no name) - {F8D5E7C4-5159-44AE-A65B-207B5133A2C4} - C:\WINDOWS\System32\jegl.dll (file missing)

O2 - BHO: (no name) - {FF3DF00E-DD2C-492B-92EE-365016B3BBA8} - C:\WINDOWS\System32\jegl.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [Microsoft Windows Update] update.exe

O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll,DllInstall

O4 - HKLM\..\Run: [Microsoftf smss Control] smss.pif

O4 - HKLM\..\Run: [ABmenu] C:\Program Files\ArcaVir\Bin\ABmenu.exe

O4 - HKLM\..\RunServices: [Microsoft Windows Update] update.exe

O4 - HKLM\..\RunServices: [Microsoftf smss Control] smss.pif

O4 - HKCU\..\Run: [Microsoft Windows Update] update.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe"

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Startup: PowerGG.lnk = C:\Program Files\Gadu-Gadu\PowerGG.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: *.coolwebsearch.com

O15 - Trusted Zone: *.searchmeup.com

O16 - DPF: Cdm.Sdig - https://www.cdm.net.pl/cdm2/sdig/aplet/SdigApplet.cab

O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C4} (GameDesire Pool Training) - http://67.15.101.3/g_bin/pl/billardt_2_0_0_24.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_24.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8775F43E-73EB-4003-B022-F9F8488AF212}: NameServer = 212.182.66.21,212.182.66.23

O18 - Filter: text/html - {A3A59E7D-6EAC-4E32-B9D5-1DA968ED9486} - C:\WINDOWS\System32\jegl.dll

O18 - Filter: text/plain - {A3A59E7D-6EAC-4E32-B9D5-1DA968ED9486} - C:\WINDOWS\System32\jegl.dll

O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle3.dll (file missing)

O21 - SSODL: Azureus - {36605959-8A8D-C66E-122B-8A76787A27FC} - c:\program files\azureus\whhmhz32.dll (file missing)

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program Files\ArcaVir\Bin\NetMonSv.exe

O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - C:\Program Files\ArcaVir\Bin\avmonsv.exe

O23 - Service: ArcaScan - ArcaBit - C:\Program Files\ArcaVir\Bin\arcascan.exe

O23 - Service: arcaserv - ArcaBit Sp. z o. o. - C:\Program Files\ArcaVir\bin\arcaserv.exe

O23 - Service: sql-smss - Unknown owner - C:\WINDOWS\sql-smss.exe

Bieniol · 6 Wrzesień 2006 14:12

Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługe sql-smss

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll/space.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll/space.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank F2 - REG:system.ini: Shell=explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe” O2 - BHO: (no name) - {F3ABB3D0-F610-4543-B656-E31363DC15B1} - C:\WINDOWS\System32\jegl.dll (file missing) O2 - BHO: (no name) - {F3F4F0C0-13C2-4E3F-AE54-04B70A3E85F2} - C:\WINDOWS\System32\jegl.dll (file missing) O2 - BHO: (no name) - {F8D5E7C4-5159-44AE-A65B-207B5133A2C4} - C:\WINDOWS\System32\jegl.dll (file missing) O2 - BHO: (no name) - {FF3DF00E-DD2C-492B-92EE-365016B3BBA8} - C:\WINDOWS\System32\jegl.dll (file missing) O4 - HKLM…\Run: [Microsoft Windows Update] update.exe O4 - HKLM…\Run: [sp] rundll32 C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll,DllInstall O4 - HKLM…\Run: [Microsoftf smss Control] smss.pif O4 - HKLM…\RunServices: [Microsoft Windows Update] update.exe O4 - HKLM…\RunServices: [Microsoftf smss Control] smss.pif O4 - HKCU…\Run: [Microsoft Windows Update] update.exe O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe” O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O15 - Trusted Zone: *.coolwebsearch.com O15 - Trusted Zone: *.searchmeup.com O18 - Filter: text/html - {A3A59E7D-6EAC-4E32-B9D5-1DA968ED9486} - C:\WINDOWS\System32\jegl.dll O18 - Filter: text/plain - {A3A59E7D-6EAC-4E32-B9D5-1DA968ED9486} - C:\WINDOWS\System32\jegl.dll O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle3.dll (file missing) O23 - Service: sql-smss - Unknown owner - C:\WINDOWS\sql-smss.exe

Wyczyść folder TEMP (w trybie awaryjnym), czyli Start --> uruchom --> cmd i wpisujesz:

Po zabiegach nowy log z Hijacka + log z Silent Runners

Zelek · 6 Wrzesień 2006 16:40

Kurde trudne to wszystko do zrobienia Musze poczytac jak to pokasowac.

Bieniol · 6 Wrzesień 2006 16:43

Opisze Ci to bardziej szczegółowo

Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługe sql-smss

Wyłączasz przywracanie systemu:

Włączasz tryb awaryjny:

Odpalasz Hijacka --> do a system scan only i zaznaczasz wpisy:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll/space.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll/space.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank F2 - REG:system.ini: Shell=explorer.exe “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe” O2 - BHO: (no name) - {F3ABB3D0-F610-4543-B656-E31363DC15B1} - C:\WINDOWS\System32\jegl.dll (file missing) O2 - BHO: (no name) - {F3F4F0C0-13C2-4E3F-AE54-04B70A3E85F2} - C:\WINDOWS\System32\jegl.dll (file missing) O2 - BHO: (no name) - {F8D5E7C4-5159-44AE-A65B-207B5133A2C4} - C:\WINDOWS\System32\jegl.dll (file missing) O2 - BHO: (no name) - {FF3DF00E-DD2C-492B-92EE-365016B3BBA8} - C:\WINDOWS\System32\jegl.dll (file missing) O4 - HKLM…\Run: [Microsoft Windows Update] update.exe O4 - HKLM…\Run: [sp] rundll32 C:\DOCUME~1\Karol\USTAWI~1\Temp\se.dll,DllInstall O4 - HKLM…\Run: [Microsoftf smss Control] smss.pif O4 - HKLM…\RunServices: [Microsoft Windows Update] update.exe O4 - HKLM…\RunServices: [Microsoftf smss Control] smss.pif O4 - HKCU…\Run: [Microsoft Windows Update] update.exe O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe” O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O15 - Trusted Zone: *.coolwebsearch.com O15 - Trusted Zone: *.searchmeup.com O18 - Filter: text/html - {A3A59E7D-6EAC-4E32-B9D5-1DA968ED9486} - C:\WINDOWS\System32\jegl.dll O18 - Filter: text/plain - {A3A59E7D-6EAC-4E32-B9D5-1DA968ED9486} - C:\WINDOWS\System32\jegl.dll O20 - Winlogon Notify: style2 - C:\WINDOWS\system32\winstyle3.dll (file missing) O23 - Service: sql-smss - Unknown owner - C:\WINDOWS\sql-smss.exe

I klikasz na dole “fix checked”

Uruchamiasz narzędzie KillBox, zaznaczasz Delete on reboot i All Files , w polu full path of file wklej ścieżkę:

C:\WINDOWS\sql-smss.exe

C:\WINDOWS\system32\winstyle3.dll

C:\WINDOWS\System32\jegl.dll

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00003.exe

C:\WINDOWS\System32\update.exe

C:\WINDOWS\System32\smss.pif

Klikasz X i restart kompa (restart po usunięciu ostatniego pliku)

Wyczyść folder TEMP (w trybie awaryjnym), czyli Start --> uruchom --> cmd i wpisujesz:

Ten wpis z kreseczką “_” usuniesz edytorem rejestru Registrar Lite

Uruchom edytor w pole Address wklej ścieżke

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go poczym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} wszystkie inne wpisy z taką samą kreseczką także kasujesz i z prawokliku kasujesz wpisy.

Po zabiegach nowy log z Hijacka + log z Silent Runners

Zelek · 6 Wrzesień 2006 18:24

Dzięx. Rozjaśniłeś mi z deka