Zamotasupuany, created 6 August 2008

Hello. For the past two days I have been getting a message that reads: You have a security problem. Strange windows pop up and the computer is unbearably slow. This clearly points to an infection, except that no program detects anything. I'm asking for help.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:05, on 2008-08-05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [00e0a6b8] rundll32.exe "C:\WINDOWS\system32\qkmugvjy.dll",b
O4 - HKLM\..\Run: [bM03d39524] Rundll32.exe "C:\WINDOWS\system32\hylirdvu.dll",s
O4 - HKCU\..\Run: [somefox] C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mks.com.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CEEC803-D0D4-46BE-A085-260EA30F4448}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3628 bytes
Mateusz J., comment, 6 August 2008

Download ComboFix. Paste the following into Notepad:

File::
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\WINDOWS\system32\hylirdvu.dll
C:\WINDOWS\system32\qkmugvjy.dll
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00e0a6b8"=-
"BM03d39524"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Somefox"=-

In Notepad go to File ==> Save as ==> save it under the name CFScript.txt, in the same directory where ComboFix was downloaded and saved. Boot into safe mode. Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture: The removal will start and a log will be produced, which you post on the forum. I'd also like a new HijackThis log.
Zamotasupuany (author), comment, 7 August 2008

ComboFix log:

ComboFix 08-08-06.01 - Jowitka 2008-08-07 20:25:05.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.19 [GMT 2:00]
Running from: C:\Documents and Settings\Jowitka\Pulpit\Nowe\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jowitka\Pulpit\Nowe\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
C:\WINDOWS\system32\hylirdvu.dll
C:\WINDOWS\system32\qkmugvjy.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\3B.tmp
C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe
C:\WINDOWS\BM03d39524.txt
C:\WINDOWS\BM03d39524.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\efcYsppm.dll
C:\WINDOWS\system32\eLTuDfhk.ini
C:\WINDOWS\system32\eLTuDfhk.ini2
C:\WINDOWS\system32\gupdpgvv.ini
C:\WINDOWS\system32\hthwcepl.ini
C:\WINDOWS\system32\hylirdvu.dll
C:\WINDOWS\system32\khfDuTLe.dll
C:\WINDOWS\system32\lvwusvsr.ini
C:\WINDOWS\system32\tuvTmKDU.dll
C:\WINDOWS\system32\winzzd32.dll
C:\WINDOWS\system32\yjvgumkq.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.
2008-08-06 21:55 . 2008-08-06 21:55 2,048 --a------ C:\WINDOWS\system32\acgjfbmi.exe
2008-08-06 21:52 . 2008-08-06 21:52 80,896 --a------ C:\WINDOWS\system32\lpecwhth.dll
2008-08-05 22:33 . 2008-08-05 22:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 20:46 . 2008-08-05 20:46 2,048 --a------ C:\WINDOWS\system32\hwgvfjng.exe
2008-08-03 17:08 . 2008-08-03 17:08 95 --a------ C:\WINDOWS\wininit.ini
2008-08-03 15:48 . 2008-08-03 15:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 15:48 . 2008-08-03 17:17 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-03 13:44 . 2008-08-03 15:32 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-03 13:38 . 2008-08-03 15:41 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-08-03 13:38 . 2008-08-03 13:38 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-03 11:05 . 2008-08-03 11:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-03 10:52 . 2008-08-03 10:52 78,340 --a------ C:\WINDOWS\system32\msxml71.dll
2008-08-03 10:40 . 2008-08-03 11:28 <DIR> d-------- C:\Program Files\PConPoint
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-07 18:12 --------- d-----w C:\Program Files\Wanadoo
2008-08-03 15:13 19,728 ----a-w C:\WINDOWS\system32\pgdfgsvc.exe
2008-08-03 09:22 --------- d-----w C:\Program Files\FlashGet
2008-08-03 08:01 --------- d-----w C:\Program Files\Lavasoft
2008-08-03 07:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 07:33 --------- d-----w C:\Program Files\MUSICMATCH
2008-08-03 07:26 --------- d-----w C:\Program Files\Browser Hijack Recover
2008-08-03 07:21 --------- d-----w C:\Program Files\Common Files\Acronis
2008-07-27 10:25 --------- d-----w C:\Program Files\MKS
2008-07-12 09:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-06-20 17:42 246,784 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 12:19 --------- d-----w C:\Documents and Settings\Jowitka\Dane aplikacji\HPAppData
2008-06-15 16:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\pdf995
2008-06-15 16:54 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2008-06-15 16:54 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2008-06-08 11:39 --------- d-----w C:\Documents and Settings\Jowitka\Dane aplikacji\HP
2008-06-08 11:39 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\WEBREG
2008-06-08 11:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Hewlett-Packard
2008-06-08 11:28 --------- d-----w C:\Program Files\HP
2008-06-08 11:28 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HPSSUPPLY
2008-06-08 11:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP
2008-06-08 11:24 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP Product Assistant
2008-06-08 11:23 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-08 11:23 --------- d-----w C:\Program Files\Common Files\HP
2008-06-08 11:22 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-04-18 07:41 0 ----a-w C:\Documents and Settings\Jowitka\WebExcl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"VIDC.AP41"= APmpg4v1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jowitka^Menu Start^Programy^Autostart^Cleanup.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2005-10-19 08:46 1712128 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2002-09-07 06:07 4190208 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPTMOUSEMOUSE]
--a------ 2001-06-26 03:05 40960 C:\WINDOWS\system32\Optmouse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 23:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 20:29 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
--------- 2002-12-09 18:24 45056 C:\PROGRA~1\Wanadoo\TaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
--------- 2002-12-09 18:24 20480 C:\PROGRA~1\Wanadoo\Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2002-05-29 01:59 520192 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-09-07 06:07 442368 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2002-02-05 08:05 46592 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PSIMSVC"=2 (0x2)
"PREVSRV"=2 (0x2)
"PAVSRV"=2 (0x2)
"PavPrSrv"=2 (0x2)
"PavProt"=2 (0x2)
"PAVFNSVR"=2 (0x2)
"MkS_Scan"=3 (0x3)
"MksVirMonSvc"=2 (0x2)
"MkSUpdateInt"=3 (0x3)
"ABNetMon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
R3 optmoupf;Samsung OptMouse PS2 Filter Driver;C:\WINDOWS\system32\DRIVERS\optmoupf.sys [2001-06-26 03:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)
Notify-winzzd32 - winzzd32.dll
MSConfigStartUp-ABREGMON - C:\Program Files\MKS\Bin\ABregmon.exe
MSConfigStartUp-Acronis Schedule - C:\Program Files\Common Files\Acronis\Schedule\schedule.exe
MSConfigStartUp-MKS_MENU - C:\Program Files\MKS\Bin\mks_menu.exe
MSConfigStartUp-mmtask - C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 20:30:20
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-08-07 20:37:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 18:37:14

Pre-Run: 8,834,695,168 bajtów wolnych
Post-Run: 8,686,759,936 bajtów wolnych

193 --- E O F --- 2008-08-03 09:16:14

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44:23, on 2008-08-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mks.com.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{5CEEC803-D0D4-46BE-A085-260EA30F4448}: NameServer = 194.204.159.1 217.98.63.164
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 3924 bytes

The message no longer appears, and the computer runs heaps better. Many thanks.
snip91, comment, 7 August 2008

Still to be removed:

File::
C:\WINDOWS\system32\acgjfbmi.exe
C:\WINDOWS\system32\lpecwhth.dll
C:\WINDOWS\system32\hwgvfjng.exe

In Notepad go to File --> Save as --> save it under the name CFScript.txt, in the same directory that ComboFix is in. Boot into safe mode (F8 while the system is loading). Drag the CFScript.txt file you made onto the ComboFix icon, as in the picture: The removal will start and a log will be produced, which you post on the forum. After the reboot, delete the C:\Qoobox folder manually.
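The two helpers above picked their targets the same way a defender triages such logs by hand: the first from the HijackThis O4 entries (rundll32 loading system32 DLLs with random eight-letter names and single-letter exports, an executable autostarting from the Temp folder, Run value names that look like hex ids), the second from the ComboFix "Files Created" section (random-named files, including two 2,048-byte executables, newly dropped into system32). The script below is an added example, not code from this thread, HijackThis or ComboFix. The sample lines it embeds are copied from the logs posted above; the scoring rules and their thresholds are my own assumptions and will give false positives on their own, which is why the output is a review list for a human, not an automatic removal list.

```python
"""Heuristic triage of HijackThis O4 entries and the ComboFix 'Files Created'
section.  Added example for this thread, not part of HijackThis or ComboFix;
the scoring rules are my own assumptions based on what the posted logs show."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample input: O4 lines copied from the first HijackThis log in the thread.
HJT_O4_LINES = [
    r"O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r'O4 - HKLM\..\Run: [00e0a6b8] rundll32.exe "C:\WINDOWS\system32\qkmugvjy.dll",b',
    r'O4 - HKLM\..\Run: [bM03d39524] Rundll32.exe "C:\WINDOWS\system32\hylirdvu.dll",s',
    r"O4 - HKCU\..\Run: [somefox] C:\DOCUME~1\Jowitka\USTAWI~1\Temp\setup1018.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')",
]

# Constructed sample input: lines copied from the 'Files Created' section of the first ComboFix log.
COMBOFIX_CREATED_LINES = [
    r"2008-08-06 21:55 . 2008-08-06 21:55 2,048 --a------ C:\WINDOWS\system32\acgjfbmi.exe",
    r"2008-08-06 21:52 . 2008-08-06 21:52 80,896 --a------ C:\WINDOWS\system32\lpecwhth.dll",
    r"2008-08-05 22:33 . 2008-08-05 22:33 <DIR> d-------- C:\Program Files\Trend Micro",
    r"2008-08-05 20:46 . 2008-08-05 20:46 2,048 --a------ C:\WINDOWS\system32\hwgvfjng.exe",
    r"2008-08-03 17:08 . 2008-08-03 17:08 95 --a------ C:\WINDOWS\wininit.ini",
]

O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+)$")


@dataclass
class Finding:
    source: str    # which log section produced it
    target: str    # the file the entry points at
    reasons: list  # human-readable reasons, one per matched heuristic


def looks_random(stem: str) -> bool:
    """Eight lowercase letters containing a run of three or more consonants: the
    naming pattern of every file dropped in this thread.  On its own this is a
    weak signal ('explorer' matches too), so callers combine it with where the
    file lives or what loads it before flagging."""
    return bool(re.fullmatch(r"[a-z]{8}", stem)) and re.search(r"[^aeiou]{3}", stem) is not None


def triage_hjt_o4(lines):
    """Flag HijackThis O4 (Run key) entries that show the signals from the first log."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m["name"], re.sub(r"\s+\(User '[^']*'\)$", "", m["cmd"])
        r = RUNDLL_RE.match(cmd)
        target = r["dll"] if r else cmd
        stem = ntpath.splitext(ntpath.basename(target))[0]
        reasons = []
        if r and looks_random(stem):
            reasons.append("rundll32 loads a DLL with a random-looking name")
        if r and len(r["export"]) == 1:
            reasons.append(f"single-letter export '{r['export']}', typical of dropped loader DLLs")
        if re.search(r"\\temp\\", target, re.I):
            reasons.append("autostart runs an executable from a Temp folder")
        if re.search(r"[0-9a-f]{8,}", name, re.I):
            reasons.append(f"Run value name '{name}' looks like a generated hex id")
        if reasons:
            findings.append(Finding("hjt-o4", target, reasons))
    return findings


def triage_combofix_created(lines):
    """Flag recently created files that a dropper would leave in system32."""
    findings = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m or m["size"] == "<DIR>":
            continue
        path, size = m["path"], int(m["size"].replace(",", ""))
        stem, ext = ntpath.splitext(ntpath.basename(path))
        in_system32 = "\\system32\\" in path.lower()
        reasons = []
        if in_system32 and looks_random(stem):
            reasons.append("random-looking file name newly created in system32")
        if in_system32 and ext.lower() == ".exe" and size <= 4096:  # 4 KiB threshold is an assumption
            reasons.append(f"tiny executable ({size} bytes) in system32")
        if reasons:
            findings.append(Finding("combofix-created", path, reasons))
    return findings


def suspicious_paths(findings):
    """Deduplicated, sorted targets: the list a human reviews before acting on it."""
    return sorted({f.target for f in findings})


if __name__ == "__main__":
    for f in triage_hjt_o4(HJT_O4_LINES) + triage_combofix_created(COMBOFIX_CREATED_LINES):
        print(f"[{f.source}] {f.target}")
        for why in f.reasons:
            print(f"    - {why}")
```

Run against the embedded sample, the O4 pass reports exactly the three entries the first CFScript removed and the "Files Created" pass reports the three files the second one removed, while AGRSMMSG.exe, avast, CTFMON.EXE, the Trend Micro directory and wininit.ini stay unflagged. Every finding carries its reasons so that a reviewer can see which heuristic fired and discount a weak one (a lone random-looking name) against a strong one (rundll32 with a single-letter export from a hex-named Run value).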
Zamotasupuany (author), comment, 8 August 2008

ComboFix 08-08-06.01 - Jowitka 2008-08-08 11:29:27.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.21 [GMT 2:00]
Running from: C:\Documents and Settings\Jowitka\Pulpit\Zbyszek\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jowitka\Pulpit\Zbyszek\CFScript.txt
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\acgjfbmi.exe
C:\WINDOWS\system32\hwgvfjng.exe
C:\WINDOWS\system32\lpecwhth.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\acgjfbmi.exe
C:\WINDOWS\system32\hwgvfjng.exe
C:\WINDOWS\system32\lpecwhth.dll
.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.
2008-08-07 21:24 . 2008-08-07 21:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Raxco
2008-08-07 21:24 . 2008-05-15 09:45 71,184 -ra------ C:\WINDOWS\system32\drivers\DefragFS.sys
2008-08-07 21:22 . 2008-08-07 21:24 <DIR> d-------- C:\Program Files\Raxco
2008-08-05 22:33 . 2008-08-05 22:33 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-03 17:08 . 2008-08-03 17:08 95 --a------ C:\WINDOWS\wininit.ini
2008-08-03 15:48 . 2008-08-03 15:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-03 15:48 . 2008-08-07 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-08-03 13:44 . 2008-08-03 15:32 <DIR> d-a------ C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-08-03 13:38 . 2008-08-03 15:41 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2008-08-03 13:38 . 2008-08-03 13:38 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-08-03 11:05 . 2008-08-03 11:05 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-08-03 10:52 . 2008-08-03 10:52 78,340 --a------ C:\WINDOWS\system32\msxml71.dll
2008-08-03 10:40 . 2008-08-03 11:28 <DIR> d-------- C:\Program Files\PConPoint
2008-07-18 15:02 . 2008-07-18 15:02 230,664 --a------ C:\WINDOWS\system32\PDBoot.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-08 09:26 --------- d-----w C:\Program Files\Wanadoo
2008-08-03 09:22 --------- d-----w C:\Program Files\FlashGet
2008-08-03 08:01 --------- d-----w C:\Program Files\Lavasoft
2008-08-03 07:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-03 07:33 --------- d-----w C:\Program Files\MUSICMATCH
2008-08-03 07:26 --------- d-----w C:\Program Files\Browser Hijack Recover
2008-08-03 07:21 --------- d-----w C:\Program Files\Common Files\Acronis
2008-07-27 10:25 --------- d-----w C:\Program Files\MKS
2008-07-12 09:13 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 12:19 --------- d-----w C:\Documents and Settings\Jowitka\Dane aplikacji\HPAppData
2008-06-15 16:57 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\pdf995
2008-06-08 11:39 --------- d-----w C:\Documents and Settings\Jowitka\Dane aplikacji\HP
2008-06-08 11:39 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\WEBREG
2008-06-08 11:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Hewlett-Packard
2008-06-08 11:28 --------- d-----w C:\Program Files\HP
2008-06-08 11:28 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HPSSUPPLY
2008-06-08 11:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP
2008-06-08 11:24 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\HP Product Assistant
2008-06-08 11:23 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-08 11:23 --------- d-----w C:\Program Files\Common Files\HP
2008-06-08 11:22 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-04-18 07:41 0 ----a-w C:\Documents and Settings\Jowitka\WebExcl.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 09:06 88363 C:\WINDOWS\AGRSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll
"VIDC.AP41"= APmpg4v1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DSLMON.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^GStartup.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jowitka^Menu Start^Programy^Autostart^Cleanup.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:44 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
--a------ 2005-10-19 08:46 1712128 C:\Program Files\Gadu-Gadu\gg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-03-11 21:34 49152 C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 18:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2002-09-07 06:07 4190208 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPTMOUSEMOUSE]
--a------ 2001-06-26 03:05 40960 C:\WINDOWS\system32\Optmouse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-06-03 23:05 32881 C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 20:29 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
--------- 2002-12-09 18:24 45056 C:\PROGRA~1\Wanadoo\TaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
--------- 2002-12-09 18:24 20480 C:\PROGRA~1\Wanadoo\Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2002-05-29 01:59 520192 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-09-07 06:07 442368 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2002-02-05 08:05 46592 C:\WINDOWS\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PSIMSVC"=2 (0x2)
"PREVSRV"=2 (0x2)
"PAVSRV"=2 (0x2)
"PavPrSrv"=2 (0x2)
"PavProt"=2 (0x2)
"PAVFNSVR"=2 (0x2)
"MkS_Scan"=3 (0x3)
"MksVirMonSvc"=2 (0x2)
"MkSUpdateInt"=3 (0x3)
"ABNetMon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

R3 optmoupf;Samsung OptMouse PS2 Filter Driver;C:\WINDOWS\system32\DRIVERS\optmoupf.sys [2001-06-26 03:05]
S1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 16:35]
S2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
S2 PD91Agent;PD91Agent;C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe [2008-07-18 15:02]
S3 PD91Engine;PD91Engine;C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe [2008-07-18 15:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

*Newly Created Service* - ADILOADER
*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 11:31:38
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-08 11:33:10
ComboFix-quarantined-files.txt 2008-08-08 09:33:07
ComboFix2.txt 2008-08-07 18:37:30

Pre-Run: 9,423,966,208 bajtów wolnych
Post-Run: 9,413,918,720 bajtów wolnych

157 --- E O F --- 2008-08-03 09:16:14

I get the impression the computer runs somewhat slower after this change; it was better before. But maybe I'm just imagining it...
Either way, thank you.
Mateusz J., comment, 8 August 2008

Log is clean.

"I get the impression the computer runs somewhat slower after this change; it was better before."

Do the following: http://www.forumpc.pl/index.php?showtopic=17478
Zamotasupuany (author), comment, 8 August 2008

Everything is fine now, thank you very much for the help. Topic can be closed.