x-kom hosting

[Solved] You have a security problem...

Zamotasupuany

Hello. For two days now I have been getting a message that says: You have a security problem. Strange windows pop up and the computer is unbearably slow. That clearly points to an infection, except that no program detects anything. Please help.

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:05, on 2008-08-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00e0a6b8] rundll32.exe "C:\WINDOWS\system32\qkmugvjy.dll",b
O4 - HKLM\..\Run: [bM03d39524] Rundll32.exe "C:\WINDOWS\system32\hylirdvu.dll",s
O4 - HKCU\..\Run: [somefox] C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mks.com.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CEEC803-D0D4-46BE-A085-260EA30F4448}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3628 bytes

Mateusz J.

Download ComboFix.

Paste the following into Notepad:

File::
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\WINDOWS\system32\hylirdvu.dll
C:\WINDOWS\system32\qkmugvjy.dll
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00e0a6b8"=-
"BM03d39524"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Somefox"=-

In Notepad, go to File ==> Save As ==> save it under the name CFScript.txt, in the same directory where ComboFix was downloaded and saved.

Boot into Safe Mode. Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture:

82650GIF.gif

The removal will start and a log will be produced; post it on the forum.

I'd also like a fresh HijackThis log, please :)
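As an added example (not code from this thread, HijackThis or ComboFix), the script below does by machine what the reply above did by eye: it parses the O4 autostart lines of a HijackThis log, flags entries that run from a Temp directory or load a random-named DLL via rundll32, and drafts the File::/Registry:: sections of a CFScript from the hits. The sample lines are copied from the log posted above; the flagging heuristics and the script layout are my own assumptions, not rules from either tool.

```python
"""Triage the O4 (autostart) lines of a HijackThis log and draft a ComboFix
CFScript from the hits. Added example: not code from the thread, HijackThis or
ComboFix; the heuristics and the File::/Registry:: layout are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 lines copied from the first HijackThis log above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00e0a6b8] rundll32.exe "C:\WINDOWS\system32\qkmugvjy.dll",b
O4 - HKLM\..\Run: [bM03d39524] Rundll32.exe "C:\WINDOWS\system32\hylirdvu.dll",s
O4 - HKCU\..\Run: [somefox] C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
"""

# HijackThis hive abbreviation -> full Run key, in the form a Registry:: section takes.
RUN_KEYS = {
    "HKLM": r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    "HKCU": r"[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
}

O4_LINE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?', re.IGNORECASE)
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)$")


@dataclass
class Autostart:
    hive: str
    name: str
    cmd: str
    target: str            # module that actually executes
    via_rundll32: bool
    reasons: list = field(default_factory=list)


def parse_o4(log: str) -> list:
    """Extract every O4 Run entry from a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        cmd = USER_SUFFIX.sub("", m.group("cmd"))   # drop the "(User '...')" suffix
        dll = RUNDLL.match(cmd)
        if dll:                       # rundll32 is only the host: the DLL is what runs
            target, via = dll.group(1), True
        elif cmd.startswith('"'):
            target, via = cmd[1:].split('"', 1)[0], False
        else:
            target, via = cmd.split(" ", 1)[0], False
        entries.append(Autostart(m.group("hive"), m.group("name"), cmd, target, via))
    return entries


def triage(entries: list) -> list:
    """Flag entries with the traits the reply above acted on (heuristics, not tool rules)."""
    flagged = []
    for e in entries:
        path = e.target.lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "\\temp\\" in path:
            e.reasons.append("executes from a Temp directory")
        if e.via_rundll32 and "\\system32\\" in path and re.fullmatch(r"[a-z]{8}", stem):
            e.reasons.append("rundll32 loads a random-looking 8-letter DLL from system32")
        if re.fullmatch(r"(?:[a-z]{2})?[0-9a-f]{8}", e.name.lower()):
            e.reasons.append("value name looks machine-generated")
        if e.reasons:
            flagged.append(e)
    return flagged


def build_cfscript(flagged: list) -> str:
    """Draft File:: and Registry:: sections in the layout the reply above used."""
    lines = ["File::", *(e.target for e in flagged), "Registry::"]
    for hive, key in RUN_KEYS.items():
        names = [e.name for e in flagged if e.hive == hive]
        if names:
            lines.append(key)
            lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(parse_o4(HJT_LOG))
    for e in hits:
        print(f"{e.hive} [{e.name}] {e.target}: {'; '.join(e.reasons)}")
    print(build_cfscript(hits))
```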

Zamotasupuany

ComboFix log:

ComboFix 08-08-06.01 - Jowitka 2008-08-07 20:25:05.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.19 [GMT 2:00]
Running from: C:\Documents and Settings\Jowitka\Pulpit\Nowe\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jowitka\Pulpit\Nowe\CFScript.txt
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]

FILE ::
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
C:\WINDOWS\system32\hylirdvu.dll
C:\WINDOWS\system32\qkmugvjy.dll
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
C:\WINDOWS\BM03d39524.txt
C:\WINDOWS\BM03d39524.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\efcYsppm.dll
C:\WINDOWS\system32\eLTuDfhk.ini
C:\WINDOWS\system32\eLTuDfhk.ini2
C:\WINDOWS\system32\gupdpgvv.ini
C:\WINDOWS\system32\hthwcepl.ini
C:\WINDOWS\system32\hylirdvu.dll
C:\WINDOWS\system32\khfDuTLe.dll
C:\WINDOWS\system32\lvwusvsr.ini
C:\WINDOWS\system32\tuvTmKDU.dll
C:\WINDOWS\system32\winzzd32.dll
C:\WINDOWS\system32\yjvgumkq.ini
.
(((((((((((((((((((((((((   Files Created from 2008-07-07 to 2008-08-07  )))))))))))))))))))))))))))))))
.
2008-08-06 21:55 . 2008-08-06 21:55	2,048	--a------	C:\WINDOWS\system32\acgjfbmi.exe
2008-08-06 21:52 . 2008-08-06 21:52	80,896	--a------	C:\WINDOWS\system32\lpecwhth.dll
2008-08-05 22:33 . 2008-08-05 22:33	<DIR>	d--------	C:\Program Files\Trend Micro
2008-08-05 20:46 . 2008-08-05 20:46	2,048	--a------	C:\WINDOWS\system32\hwgvfjng.exe
2008-08-03 17:08 . 2008-08-03 17:08	95	--a------	C:\WINDOWS\wininit.ini
2008-08-03 15:48 . 2008-08-03 15:50	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-08-03 15:48 . 2008-08-03 17:17	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-03 13:44 . 2008-08-03 15:32	<DIR>	d-a------	C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-03 13:38 . 2008-08-03 15:41	<DIR>	d--------	C:\Program Files\PC Tools AntiVirus
2008-08-03 13:38 . 2008-08-03 13:38	<DIR>	d--------	C:\Program Files\Common Files\PC Tools
2008-08-03 11:05 . 2008-08-03 11:05	<DIR>	d--------	C:\Program Files\MSXML 4.0
2008-08-03 10:52 . 2008-08-03 10:52	78,340	--a------	C:\WINDOWS\system32\msxml71.dll
2008-08-03 10:40 . 2008-08-03 11:28	<DIR>	d--------	C:\Program Files\PConPoint
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 18:12	---------	d-----w	C:\Program Files\Wanadoo
2008-08-03 15:13	19,728	----a-w	C:\WINDOWS\system32\pgdfgsvc.exe
2008-08-03 09:22	---------	d-----w	C:\Program Files\FlashGet
2008-08-03 08:01	---------	d-----w	C:\Program Files\Lavasoft
2008-08-03 07:33	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-03 07:33	---------	d-----w	C:\Program Files\MUSICMATCH
2008-08-03 07:26	---------	d-----w	C:\Program Files\Browser Hijack Recover
2008-08-03 07:21	---------	d-----w	C:\Program Files\Common Files\Acronis
2008-07-27 10:25	---------	d-----w	C:\Program Files\MKS
2008-07-12 09:13	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-06-20 17:42	246,784	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 12:19	---------	d-----w	C:\Documents and Settings\Jowitka\Dane aplikacji\HPAppData
2008-06-15 16:57	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\pdf995
2008-06-15 16:54	51,716	----a-w	C:\WINDOWS\system32\pdf995mon.dll
2008-06-15 16:54	249,856	----a-w	C:\WINDOWS\system32\pdfmona.dll
2008-06-08 11:39	---------	d-----w	C:\Documents and Settings\Jowitka\Dane aplikacji\HP
2008-06-08 11:39	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\WEBREG
2008-06-08 11:32	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Hewlett-Packard
2008-06-08 11:28	---------	d-----w	C:\Program Files\HP
2008-06-08 11:28	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\HPSSUPPLY
2008-06-08 11:25	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\HP
2008-06-08 11:24	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\HP Product Assistant
2008-06-08 11:23	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-06-08 11:23	---------	d-----w	C:\Program Files\Common Files\HP
2008-06-08 11:22	---------	d-----w	C:\Program Files\Common Files\Hewlett-Packard
2007-04-18 07:41	0	----a-w	C:\Documents and Settings\Jowitka\WebExcl.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"VIDC.AP41"= APmpg4v1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jowitka^Menu Start^Programy^Autostart^Cleanup.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2005-10-19 08:46 1712128 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2002-09-07 06:07 4190208 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPTMOUSEMOUSE]
--a------ 2001-06-26 03:05 40960 C:\WINDOWS\system32\Optmouse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 23:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 20:29 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
--------- 2002-12-09 18:24 45056 C:\PROGRA~1\Wanadoo\TaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
--------- 2002-12-09 18:24 20480 C:\PROGRA~1\Wanadoo\Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2002-05-29 01:59 520192 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-09-07 06:07 442368 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2002-02-05 08:05 46592 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PSIMSVC"=2 (0x2)
"PREVSRV"=2 (0x2)
"PAVSRV"=2 (0x2)
"PavPrSrv"=2 (0x2)
"PavProt"=2 (0x2)
"PAVFNSVR"=2 (0x2)
"MkS_Scan"=3 (0x3)
"MksVirMonSvc"=2 (0x2)
"MkSUpdateInt"=3 (0x3)
"ABNetMon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R3 optmoupf;Samsung OptMouse PS2 Filter Driver;C:\WINDOWS\system32\DRIVERS\optmoupf.sys [2001-06-26 03:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
Notify-winzzd32 - winzzd32.dll
MSConfigStartUp-ABREGMON - C:\Program Files\MKS\Bin\ABregmon.exe
MSConfigStartUp-Acronis Schedule - C:\Program Files\Common Files\Acronis\Schedule\schedule.exe
MSConfigStartUp-MKS_MENU - C:\Program Files\MKS\Bin\mks_menu.exe
MSConfigStartUp-mmtask - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 20:30:20
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-07 20:37:26 - machine was rebooted
ComboFix-quarantined-files.txt  2008-08-07 18:37:14

Pre-Run: 8,834,695,168 bajtów wolnych
Post-Run: 8,686,759,936 bajtów wolnych

193	--- E O F ---	2008-08-03 09:16:14

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44:23, on 2008-08-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mks.com.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CEEC803-D0D4-46BE-A085-260EA30F4448}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3924 bytes

The message no longer appears, and on top of that the computer runs far better. Many thanks.

snip91

Still to be removed:

File::
C:\WINDOWS\system32\acgjfbmi.exe
C:\WINDOWS\system32\lpecwhth.dll
C:\WINDOWS\system32\hwgvfjng.exe

In Notepad, go to File --> Save As --> save it under the name CFScript.txt in the same directory as ComboFix.

Boot into Safe Mode (F8 while the system is loading). Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture:

82650GIF.gif

The removal will start and a log will be produced; post it on the forum.

After the reboot, delete the folder C:\Qoobox manually.

Zamotasupuany

ComboFix 08-08-06.01 - Jowitka 2008-08-08 11:29:27.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.21 [GMT 2:00]
Running from: C:\Documents and Settings\Jowitka\Pulpit\Zbyszek\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jowitka\Pulpit\Zbyszek\CFScript.txt
[b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b]

FILE ::
C:\WINDOWS\system32\acgjfbmi.exe
C:\WINDOWS\system32\hwgvfjng.exe
C:\WINDOWS\system32\lpecwhth.dll
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\acgjfbmi.exe
C:\WINDOWS\system32\hwgvfjng.exe
C:\WINDOWS\system32\lpecwhth.dll
.
(((((((((((((((((((((((((   Files Created from 2008-07-08 to 2008-08-08  )))))))))))))))))))))))))))))))
.
2008-08-07 21:24 . 2008-08-07 21:24	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Raxco
2008-08-07 21:24 . 2008-05-15 09:45	71,184	-ra------	C:\WINDOWS\system32\drivers\DefragFS.sys
2008-08-07 21:22 . 2008-08-07 21:24	<DIR>	d--------	C:\Program Files\Raxco
2008-08-05 22:33 . 2008-08-05 22:33	<DIR>	d--------	C:\Program Files\Trend Micro
2008-08-03 17:08 . 2008-08-03 17:08	95	--a------	C:\WINDOWS\wininit.ini
2008-08-03 15:48 . 2008-08-03 15:50	<DIR>	d--------	C:\Program Files\Spybot - Search & Destroy
2008-08-03 15:48 . 2008-08-07 21:22	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-03 13:44 . 2008-08-03 15:32	<DIR>	d-a------	C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-03 13:38 . 2008-08-03 15:41	<DIR>	d--------	C:\Program Files\PC Tools AntiVirus
2008-08-03 13:38 . 2008-08-03 13:38	<DIR>	d--------	C:\Program Files\Common Files\PC Tools
2008-08-03 11:05 . 2008-08-03 11:05	<DIR>	d--------	C:\Program Files\MSXML 4.0
2008-08-03 10:52 . 2008-08-03 10:52	78,340	--a------	C:\WINDOWS\system32\msxml71.dll
2008-08-03 10:40 . 2008-08-03 11:28	<DIR>	d--------	C:\Program Files\PConPoint
2008-07-18 15:02 . 2008-07-18 15:02	230,664	--a------	C:\WINDOWS\system32\PDBoot.exe
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 09:26	---------	d-----w	C:\Program Files\Wanadoo
2008-08-03 09:22	---------	d-----w	C:\Program Files\FlashGet
2008-08-03 08:01	---------	d-----w	C:\Program Files\Lavasoft
2008-08-03 07:33	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-08-03 07:33	---------	d-----w	C:\Program Files\MUSICMATCH
2008-08-03 07:26	---------	d-----w	C:\Program Files\Browser Hijack Recover
2008-08-03 07:21	---------	d-----w	C:\Program Files\Common Files\Acronis
2008-07-27 10:25	---------	d-----w	C:\Program Files\MKS
2008-07-12 09:13	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-06-20 10:45	360,320	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44	138,368	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52	225,920	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 12:19	---------	d-----w	C:\Documents and Settings\Jowitka\Dane aplikacji\HPAppData
2008-06-15 16:57	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\pdf995
2008-06-08 11:39	---------	d-----w	C:\Documents and Settings\Jowitka\Dane aplikacji\HP
2008-06-08 11:39	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\WEBREG
2008-06-08 11:32	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\Hewlett-Packard
2008-06-08 11:28	---------	d-----w	C:\Program Files\HP
2008-06-08 11:28	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\HPSSUPPLY
2008-06-08 11:25	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\HP
2008-06-08 11:24	---------	d-----w	C:\Documents and Settings\All Users\Dane aplikacji\HP Product Assistant
2008-06-08 11:23	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-06-08 11:23	---------	d-----w	C:\Program Files\Common Files\HP
2008-06-08 11:22	---------	d-----w	C:\Program Files\Common Files\Hewlett-Packard
2007-04-18 07:41	0	----a-w	C:\Documents and Settings\Jowitka\WebExcl.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"VIDC.AP41"= APmpg4v1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jowitka^Menu Start^Programy^Autostart^Cleanup.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2005-10-19 08:46 1712128 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2002-09-07 06:07 4190208 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPTMOUSEMOUSE]
--a------ 2001-06-26 03:05 40960 C:\WINDOWS\system32\Optmouse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 23:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 20:29 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
--------- 2002-12-09 18:24 45056 C:\PROGRA~1\Wanadoo\TaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
--------- 2002-12-09 18:24 20480 C:\PROGRA~1\Wanadoo\Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2002-05-29 01:59 520192 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-09-07 06:07 442368 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2002-02-05 08:05 46592 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PSIMSVC"=2 (0x2)
"PREVSRV"=2 (0x2)
"PAVSRV"=2 (0x2)
"PavPrSrv"=2 (0x2)
"PavProt"=2 (0x2)
"PAVFNSVR"=2 (0x2)
"MkS_Scan"=3 (0x3)
"MksVirMonSvc"=2 (0x2)
"MkSUpdateInt"=3 (0x3)
"ABNetMon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R3 optmoupf;Samsung OptMouse PS2 Filter Driver;C:\WINDOWS\system32\DRIVERS\optmoupf.sys [2001-06-26 03:05]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
S2 PD91Agent;PD91Agent;C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-07-18 15:02]
S3 PD91Engine;PD91Engine;C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-07-18 15:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ   	Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ   	hpqcxs08 hpqddsvc

*Newly Created Service* - ADILOADER
*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 11:31:38
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-08 11:33:10
ComboFix-quarantined-files.txt  2008-08-08 09:33:07
ComboFix2.txt  2008-08-07 18:37:30

Pre-Run: 9,423,966,208 bajtów wolnych
Post-Run: 9,413,918,720 bajtów wolnych

157	--- E O F ---	2008-08-03 09:16:14

I have the impression that the computer is somehow running slower after this change; it was better before. But maybe I'm just imagining it... Either way, thank you.

Mateusz J.

Log is clean.

I have the impression that the computer is somehow running slower after this change; it was better before.

Do the following: http://www.forumpc.pl/index.php?showtopic=17478

Zamotasupuany

Everything is fine now, thank you very much for the help

the topic can be closed
