Please check the log and help if anyone has time.
chomiki

Well, I downloaded a trojan.... I scanned the whole computer and removed everything except one file, which kept recreating itself! I went into its location, because the antivirus pop-ups were getting on my nerves, and it turned out I had over 900 folders there with a copy of the WoW launcher! I deleted them, but when I went into that folder again a moment later they were there again... So I deleted the proper launcher hoping it would help, but it did nothing... I typed my problem into Google and found you... So here is my log....

Logfile of HijackThis v1.99.1
Scan saved at 16:57:04, on 2009-09-13
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
D:\gry\steam\steam.exe
C:\Windows\System\hpc.exe
c:\dos32.pif
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WebServ\WebServ.exe
C:\Program Files\WebServ\apache2\bin\WebServ(apache).exe
C:\Program Files\WebServ\mysql\bin\WebServ(mysqld).exe
C:\Program Files\WebServ\apache2\bin\WebServ(apache).exe
C:\Program Files\WebServ\domain\no-ip\No-IP DUC20.exe
C:\WINDOWS\svchost.exe
E:\ze starego kompa\cały dysk D\Film,Piosenki i Rysunki Marcina\Tibia\OTS\Darkness Otserv 0.5.3\Darkness Otserv 0.5.3\Darkness Otserv 0.5.3 - Gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marcin\Pulpit\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13928&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Marcin\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll (file missing)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [1] c:\dos32.pif
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [Steam] "d:\gry\steam\steam.exe" -silent
O4 - HKCU\..\Run: [HP Service] C:\Windows\System\hpc.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB2F32A-A6CB-4166-81A2-3074C3A3C16C}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: ,C:\DOCUME~1\Marcin\USTAWI~1\Temp\20746500853mxx.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - c:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Please help! Regards! Zdzis!

1. Best to boot the computer into Safe Mode.
2. Delete C:\WINDOWS\svchost.exe
3. Suspicious file: c:\dos32.pif - delete it if you did not create it
4. C:\Windows\System\hpc.exe - supposedly safe, but you never know
6. Remove the entry: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page
7. Remove: O2 - BHO: My Global Search Bar BHO and the related entries (My Global Search Bar)
8. Remove: O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
9. Remove: O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D}
10. O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98}
11. Remove: O4 - HKLM\..\Run: [1] c:\dos32.pif
12. Optionally remove: O8 - Extra context menu item: &Winamp Search
13. Suspicious entry: O20 - AppInit_DLLs: ,C:\DOCUME~1\Marcin\USTAWI~1\Temp\20746500853mxx.dll
14. O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing) - the file is missing - can be removed
Then run a scan with an antivirus and an anti-spyware program, e.g. SpyBot.
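The reply above triages the log by eye: an svchost.exe outside System32, a .pif in the drive root started from a Run key, an AppInit_DLLs value loading a DLL out of a Temp folder, and entries marked "(file missing)". The script below is an added example, not code from this thread or from HijackThis; it encodes those same checks as rules and runs them over a constructed sample of lines copied from the logs posted here, so the flags the helpers raised can be reproduced mechanically. The rule names, the helper functions and the assumption that %SystemRoot% / %windir% expand to C:\WINDOWS (a default XP install) are this example's own.

```python
"""Rule-based triage of HijackThis-style log lines (added example).

Not code from the thread or from HijackThis. It encodes the checks the replies
apply by hand: svchost.exe outside System32, autostart targets in a drive root
or with a .pif extension, an AppInit_DLLs value pointing into a Temp folder,
and entries whose target is reported "(file missing)".
"""
import re

# Assumption: default Windows XP install, so %SystemRoot% / %windir% is c:\windows.
WINDIR = r"c:\windows"
SYSTEM32 = WINDIR + r"\system32"

# Constructed sample: a handful of lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
c:\dos32.pif
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [1] c:\dos32.pif
O4 - HKLM\..\Run: [menustart] c:\loader.exe
O20 - AppInit_DLLs: ,C:\DOCUME~1\Marcin\USTAWI~1\Temp\20746500853mxx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# A drive-letter or %VAR%-rooted path with no spaces (used for O20-style entries).
PATH_RE = re.compile(r'(?:[a-z]:|%[a-z]+%)\\[^\s,"]+', re.IGNORECASE)


def _normalize(path):
    """Lower-case a path and expand the two environment variables HJT prints."""
    path = path.strip().strip('"').lower()
    return path.replace("%systemroot%", WINDIR).replace("%windir%", WINDIR)


def parse_entry(line):
    """Split one log line into (section, target path); None if it is not an entry.

    Bare paths (the "Running processes" block) get the pseudo-section "PROC".
    """
    line = line.strip()
    if re.match(r"^[a-z]:\\", line, re.IGNORECASE):
        return "PROC", _normalize(line)
    m = re.match(r"^(O\d+|R\d)\s+-\s+(.*)$", line)
    if not m:
        return None
    section, body = m.groups()
    body = body.replace("(file missing)", "").strip()
    if section == "O4":
        # O4 - <hive>\..\Run: [name] "target with spaces" /args   or   target /args
        m4 = re.search(r'\]\s+(?:"([^"]+)"|(\S+))', body)
        target = (m4.group(1) or m4.group(2)) if m4 else ""
    elif section == "O23":
        # O23 - Service: <name> - <owner> - <path> [args]
        tail = body.rsplit(" - ", 1)[-1].strip().lstrip('"')
        m23 = re.match(r"(.+?\.(?:exe|dll|sys))", tail, re.IGNORECASE)
        target = m23.group(1) if m23 else tail
    else:
        mp = PATH_RE.search(body)
        target = mp.group(0) if mp else ""
    return section, _normalize(target)


def triage_line(line):
    """Return [(rule, detail), ...] for one log line; empty if nothing is suspicious."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    section, target = parsed
    findings = []
    if "(file missing)" in line:
        findings.append(("stale-entry", "target reported missing; orphaned entry can be removed"))
    if not target:
        return findings
    directory, _, name = target.rpartition("\\")
    # The genuine svchost.exe lives only in System32; any other copy is a red flag.
    if name == "svchost.exe" and directory != SYSTEM32:
        findings.append(("svchost-outside-system32", target))
    # A .pif, or a binary sitting directly in a drive root, is not how software installs itself.
    if section in ("O4", "PROC") and (name.endswith(".pif") or re.fullmatch(r"[a-z]:", directory)):
        findings.append(("drive-root-or-pif", target))
    # AppInit_DLLs is loaded into every GUI process; a DLL from Temp there is a classic hijack.
    if section == "O20" and "\\temp\\" in target:
        findings.append(("appinit-dll-in-temp", target))
    return findings


def triage_log(text):
    """Run every line of a log through triage_line; return [(line, rule, detail), ...]."""
    report = []
    for raw in text.splitlines():
        for rule, detail in triage_line(raw):
            report.append((raw.strip(), rule, detail))
    return report


if __name__ == "__main__":
    for entry, rule, detail in triage_log(SAMPLE_LOG):
        print(f"[{rule}] {detail}\n    {entry}")
```

On the sample above the rules flag exactly the items the reply lists (the second svchost.exe, c:\dos32.pif in both the process list and the Run key, c:\loader.exe, the Temp DLL in AppInit_DLLs, and the two orphaned entries) and leave the Avira and System32 lines alone. The rules are deliberately narrow heuristics; a hit means "look at this", not a verdict, which is the same caution the reply applies to hpc.exe.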
Details: http://hijackthis.de

Uninstall Winamp Toolbar and DAEMON Tools Toolbar.

Run HijackThis, choose "Do a system scan only", the log will appear in the program window; tick the boxes next to the entries listed below and click "Fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13928&l=dis
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Marcin\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll (file missing)
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [1] c:\dos32.pif
O20 - AppInit_DLLs: ,C:\DOCUME~1\Marcin\USTAWI~1\Temp\20746500853mxx.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

Download The Avenger and select the text below:

Files to delete:
c:\dos32.pif
C:\WINDOWS\svchost.exe
C:\DOCUME~1\Marcin\USTAWI~1\Temp\20746500853mxx.dll

Folders to delete:
C:\Program Files\AskBarDis
C:\Program Files\MyGlobalSearch

Drivers to delete:
ASKUpgrade

Copy it, click "Paste Script from Clipboard", then "Execute". Confirm and agree to the restart by clicking OK. Afterwards paste the report C:\avenger.txt on the forum.
After that, post a log from RSIT.

Unfortunately I am forced to post logs again... I did it the first user's way...
Thank you for both posts.

Logfile of HijackThis v1.99.1
Scan saved at 16:08:10, on 2009-09-23
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\gry\steam\steam.exe
C:\Windows\System\hpc.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\TibiaBot NG\TibiaBot NG\loader.exe
C:\Program Files\TibiaBot NG\TibiaBot NG\loader.exe
D:\GRY\Tibia\Tibia.exe
C:\xampp\xampp-control.exe
C:\Program Files\Remere's Map Editor\RME.exe
E:\ze starego kompa\cały dysk D\Film,Piosenki i Rysunki Marcina\Tibia\OTS\theforgottenserver-v0.2.5-win32gui\Mystic Spirit\The Forgotten Server.exe
E:\ze starego kompa\cały dysk D\Film,Piosenki i Rysunki Marcina\Tibia\OTS\loader\apps\tibia85\Tibia.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Marcin\Pulpit\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Marcin\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [1] c:\dos32.pif
O4 - HKLM\..\Run: [menustart] c:\loader.exe
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\gry\steam\steam.exe" -silent
O4 - HKCU\..\Run: [HP Service] C:\Windows\System\hpc.exe
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB2F32A-A6CB-4166-81A2-3074C3A3C16C}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Documents and Settings\Marcin\Pulpit\xampp\service.exe

Unfortunately, this looks like Jeffo. In that case:
Turn off System Restore on all drives (Instructions).
Then download Dr.Web CureIt and run a full scan; cure what can be cured, delete the rest. Scan several times, until the scanner finds nothing.
Then download ComboFix, scan the system and post the log on the forum.

Are you sure? svchost is in c:/windows/system 32, not in c:/windows! Last time it really could have been Jeefo, but this time I think it is something else... Note the file loader.exe: the antivirus (Avira) keeps finding it on drive C even though I delete it...

Everything points to it, but maybe it is only the early stage for now. Look, the previous log had:
C:\WINDOWS\svchost.exe
In the new log this was added as well:
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
Now look here http://helpc.eu/usuwanie-jeffo-t31.html and you can see how one relates to the other, so do what I asked for in my previous post. A few other pieces of junk are visible here too, but that is less important for now.

Well, I had a few serious problems... I have fixed them already, but one more appeared: ComboFix complains that System Restore is not turned on... Should I turn it on now, when Dr.Web finds nothing after a full scan of the computer???

Yes, turn it on.

So it finally worked...

ComboFix 09-09-23.02 - Marcin 2009-09-24 21:41.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3327.2580 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Marcin\Pulpit\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Marcin\Dane aplikacji\Microsoft\Clip Organizer\mstore10.mgc c:\documents and settings\Marcin\Dane aplikacji\Microsoft\Clip Organizer\Offic10.MGC c:\documents and settings\Marcin\Moje dokumenty\cc_20090824_111105.reg c:\documents and settings\Marcin\Moje dokumenty\cc_20090824_111159.reg c:\program files\myglobalsearch c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.JAR c:\program files\myglobalsearch\bar\1.bin\M9FFXTBR.MANIFEST c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.JAR c:\program files\myglobalsearch\bar\1.bin\M9NTSTBR.MANIFEST c:\program files\myglobalsearch\bar\1.bin\M9PLUGIN.DLL c:\program files\myglobalsearch\bar\Cache\00271F23 c:\program files\myglobalsearch\bar\Cache\006C6AF1 c:\program files\myglobalsearch\bar\Cache\00CD0BD2.bin c:\program files\myglobalsearch\bar\Cache\00D33D83.bin c:\program files\myglobalsearch\bar\Cache\00D342E2.bin c:\program files\myglobalsearch\bar\Cache\010AB7E8 c:\program files\myglobalsearch\bar\Cache\files.ini c:\program files\myglobalsearch\bar\History\search c:\program files\myglobalsearch\bar\Settings\prevcfg.htm c:\windows\Installer\238cb5.msp c:\windows\Installer\238cb6.msp c:\windows\Installer\238cb7.msp c:\windows\Installer\238cb8.msp c:\windows\Installer\238cb9.msp c:\windows\Installer\238cba.msp c:\windows\Installer\238cbb.msp c:\windows\Installer\238cbc.msp c:\windows\Installer\238cbd.msp c:\windows\Installer\252208e.msi c:\windows\Installer\252208f.msp c:\windows\Installer\2522090.msp c:\windows\Installer\2522091.msp c:\windows\Installer\2522092.msp c:\windows\Installer\2522093.msp c:\windows\Installer\2522094.msp c:\windows\Installer\2522095.msp c:\windows\Installer\2522096.msp c:\windows\Installer\2522097.msp c:\windows\Installer\2522098.msp c:\windows\Installer\25220b9.msi c:\windows\Installer\25220ba.msp c:\windows\Installer\25220bb.msp c:\windows\Installer\25220bc.msp c:\windows\Installer\25220bd.msp c:\windows\Installer\25220be.msp c:\windows\Installer\25220bf.msp 
c:\windows\Installer\25220c0.msp c:\windows\Installer\25220c1.msp c:\windows\Installer\25220c2.msp c:\windows\Installer\25220c3.msp c:\windows\Installer\256bc7.msp c:\windows\Installer\256bc8.msp c:\windows\Installer\256bc9.msp c:\windows\Installer\256bca.msp c:\windows\Installer\256bcb.msp c:\windows\Installer\256bcc.msp c:\windows\Installer\256bcd.msp c:\windows\Installer\256bce.msp c:\windows\Installer\256bcf.msp c:\windows\Installer\256bd0.msp c:\windows\Installer\2602de.msp c:\windows\Installer\2602ea.msp c:\windows\Installer\2602f7.msp c:\windows\Installer\548a1c2.msi c:\windows\system32\setup.ini c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job . ((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_POWERMANAGER -------\Service_PowerManager ((((((((((((((((((((((((( Pliki utworzone od 2009-08-24 do 2009-09-24 ))))))))))))))))))))))))))))))) . 2009-09-23 16:32 . 2009-09-23 16:38 -------- d-----w- c:\documents and settings\Marcin\DoctorWeb 2009-09-21 15:39 . 2009-09-21 15:40 -------- d-----w- C:\xampp 2009-09-16 20:08 . 2009-09-16 20:08 -------- d-----w- c:\windows\system32\wbem\Repository 2009-09-16 18:15 . 2009-09-16 18:15 -------- d-----w- c:\program files\Runtime Software 2009-09-16 17:52 . 2009-09-16 20:06 -------- d-----w- c:\program files\PC Inspector File Recovery 2009-09-16 14:05 . 2009-09-16 20:06 -------- d-----w- c:\program files\SQLite Analyzer 2009-09-15 15:35 . 2009-09-15 15:35 -------- d-----w- c:\program files\SQL Maestro Group 2009-09-15 14:32 . 2009-09-16 20:07 -------- d-----w- c:\program files\Sqliteman 2009-09-15 13:56 . 2009-09-15 14:04 -------- d-----w- c:\program files\DBConvert 2009-09-13 20:23 . 2009-09-13 20:24 -------- d-----w- c:\program files\Nowe Gadu-Gadu 2009-09-13 17:57 . 2009-09-13 17:57 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache 2009-09-13 13:11 . 
2009-09-13 13:11 -------- d-----r- c:\documents and settings\LocalService\Ulubione 2009-09-12 12:43 . 2009-09-13 07:30 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\sqlitestudio 2009-09-12 11:35 . 2009-09-12 11:35 -------- d-----w- c:\program files\No-IP 2009-09-03 15:43 . 2009-09-03 15:43 -------- d-----w- c:\documents and settings\Marcin\Ustawienia lokalne\Dane aplikacji\cache . (((((((((((((((((((((((((((((((((((((((( Sekcja Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-09-24 19:46 . 2008-09-11 18:50 -------- d-----w- c:\program files\AutoConnect 2009-09-24 17:19 . 2009-01-05 16:47 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\Skype 2009-09-24 16:59 . 2009-03-26 15:46 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\HLSW 2009-09-24 15:54 . 2009-08-24 09:30 -------- d---a-w- c:\documents and settings\All Users\Dane aplikacji\TEMP 2009-09-24 15:30 . 2007-10-29 12:00 563540 ----a-w- c:\windows\system32\perfh015.dat 2009-09-24 15:30 . 2007-10-29 12:00 109936 ----a-w- c:\windows\system32\perfc015.dat 2009-09-24 15:28 . 2009-01-05 16:51 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\skypePM 2009-09-24 04:46 . 2009-01-12 20:37 -------- d-----w- c:\program files\BearShare 2009-09-23 17:22 . 2008-08-18 17:59 -------- d-----w- c:\program files\neostrada tp 2009-09-23 17:22 . 2009-08-17 07:30 -------- d-----w- c:\program files\NeoKwinto 2009-09-19 12:39 . 2009-01-28 10:01 -------- d-----w- c:\program files\Remere's Map Editor 2009-09-16 17:52 . 2008-08-14 13:35 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-09-13 21:04 . 2008-09-14 11:19 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\Winamp 2009-09-13 20:22 . 2008-09-14 11:19 -------- d-----w- c:\program files\Winamp 2009-09-13 17:17 . 2009-04-11 16:45 -------- d-----w- c:\program files\XS++ centrumse edition 2009-09-13 17:16 . 
2009-08-16 10:38 -------- d-----w- c:\program files\WinHex 2009-09-13 17:14 . 2008-09-14 11:22 -------- d-----w- c:\program files\Winamp Toolbar 2009-09-13 17:11 . 2009-02-12 17:54 -------- d-----w- c:\program files\WebServ 2009-09-13 17:10 . 2008-12-09 17:59 -------- d-----w- c:\program files\VirtualDJ 2009-09-13 17:09 . 2008-10-12 15:12 -------- d-----w- c:\program files\VentriloMIX 2009-09-13 17:06 . 2009-07-18 09:29 -------- d-----w- c:\program files\uTorrent 2009-09-13 17:05 . 2009-06-19 09:57 -------- d-----w- c:\program files\Tibia Auto 2009-09-13 17:04 . 2008-10-12 14:23 -------- d-----w- c:\program files\Teamspeak2_RC2 2009-09-13 16:47 . 2009-05-01 12:13 -------- d-----w- c:\program files\SCAR 3.15 2009-09-13 16:46 . 2008-08-14 13:14 -------- d-----w- c:\program files\RegCleaner 2009-09-13 16:24 . 2009-06-12 06:36 -------- d-----w- c:\program files\NAPI-PROJEKT 2009-09-13 16:08 . 2008-08-17 15:13 -------- d-----w- c:\program files\K-Lite Codec Pack 2009-09-13 16:08 . 2009-08-15 19:48 -------- d-----w- c:\program files\JestemHardcorem 2009-09-13 16:02 . 2008-10-15 14:04 -------- d-----w- c:\program files\ipla 2009-09-13 15:47 . 2009-06-12 07:11 -------- d-----w- c:\program files\Hamachi 2009-09-13 15:38 . 2008-11-16 16:00 -------- d-----w- c:\program files\GIMP-2.0 2009-09-13 15:36 . 2009-03-21 11:23 -------- d-----w- c:\program files\ezHTML 2009-09-13 15:35 . 2009-08-24 18:23 -------- d-----w- c:\program files\ElfBot NG 2009-09-13 15:34 . 2009-05-09 14:59 -------- d-----w- c:\program files\DNA 2009-09-13 15:33 . 2008-08-16 13:08 -------- d-----w- c:\program files\DAEMON Tools Toolbar 2009-09-13 15:33 . 2009-06-14 15:48 -------- d-----w- c:\program files\DAEMON Tools Lite 2009-09-13 15:30 . 2008-08-18 15:56 -------- d-----w- c:\program files\Common Files\Teleca Shared 2009-09-13 15:17 . 2009-08-24 09:10 -------- d-----w- c:\program files\CCleaner 2009-09-13 15:11 . 2009-07-18 09:29 -------- d-----w- c:\program files\AskBarDis 2009-09-13 15:08 . 
2009-07-18 11:56 -------- d-----w- c:\program files\AMX Mod X 2009-09-05 07:06 . 2009-03-21 15:27 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\gtk-2.0 2009-09-04 15:52 . 2008-10-12 14:24 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\teamspeak2 2009-08-27 11:20 . 2008-08-14 13:21 20808 ----a-w- c:\documents and settings\Marcin\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT 2009-08-26 10:43 . 2009-08-24 09:30 -------- d-----w- c:\program files\TibiaBot NG 2009-08-25 06:53 . 2009-08-25 06:53 129536 ----a-w- c:\windows\inout2.dll 2009-08-24 18:23 . 2008-08-29 13:31 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\Tibia 2009-08-23 20:01 . 2009-08-23 20:01 -------- d-----w- c:\program files\TalyaSoft 2009-08-23 19:50 . 2009-08-23 19:50 -------- d-----w- c:\program files\AceLogix 2009-08-23 12:25 . 2009-08-23 12:25 -------- d-----w- c:\program files\MSBuild 2009-08-23 12:25 . 2009-08-23 12:25 -------- d-----w- c:\program files\Reference Assemblies 2009-08-05 19:02 . 2009-05-03 20:38 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-05 09:01 . 2007-10-29 12:00 205312 ----a-w- c:\windows\system32\mswebdvd.dll 2009-07-28 10:10 . 2008-08-16 14:31 -------- d-----w- c:\documents and settings\Marcin\Dane aplikacji\uTorrent 2009-07-17 19:04 . 2007-10-29 12:00 58880 ----a-w- c:\windows\system32\atl.dll 2009-07-15 16:01 . 2008-08-16 13:17 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys 2009-07-15 16:01 . 2008-08-16 13:16 183112 ----a-w- c:\windows\system32\PnkBstrB.exe 2009-07-12 10:21 . 2007-10-29 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll 2009-07-03 16:59 . 2007-10-29 12:00 915456 ----a-w- c:\windows\system32\wininet.dll . ((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks] "{57BCA5FA-5DBB-45a2-B558-1755C3F6253B}"= "c:\program files\Winamp Toolbar\winamptb.dll" [2008-07-16 1266992] [HKEY_CLASSES_ROOT\clsid\{57bca5fa-5dbb-45a2-b558-1755c3f6253b}] [HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch.1] [HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}] [HKEY_CLASSES_ROOT\WINAMPTB.AOLTBSearch] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}] 2009-04-02 10:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser] "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192] [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}] [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AutoConnect"="c:\program files\AutoConnect\AutoConnect.exe" [2006-12-02 310784] "Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-18 21633320] "Steam"="d:\gry\steam\steam.exe" [2009-06-12 1217784] "Nowe Gadu-Gadu"="c:\program files\Nowe Gadu-Gadu\gg.exe" [2009-08-31 11391592] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WOOWATCH"="c:\progra~1\NEOSTR~1\Watch.exe" [2004-08-23 20480] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-03-26 16859136] "AdslTaskBar"="stmctrl.dll" - c:\windows\system32\stmctrl.dll [2006-06-02 151552] 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\GRY\\crysis\\Bin32\\Crysis.exe"=
"d:\\GRY\\crysis\\Bin32\\CrysisDedicatedServer.exe"=
"c:\\Program Files\\BearShare\\BearShare.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"d:\\GRY\\cl4\\Civilization4.exe"=
"d:\\GRY\\Metin2\\metin2.bin"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\RecWar\\RecWar.exe"=
"d:\\GRY\\cl4\\Warlords\\Civ4Warlords.exe"=
"d:\\GRY\\cl4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"d:\\GRY\\Setlersi\\bin\\settlershok.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\counter-strike\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\half-life\\hl.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\day of defeat\\hl.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\opposing force\\hl.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\team fortress classic\\hl.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\ricochet\\hl.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\deathmatch classic\\hl.exe"=
"d:\\GRY\\steam\\Steam.exe"=
"d:\\GRY\\wow\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"=
"d:\\HLSW\\hlsw.exe"=
"d:\\GRY\\nonsteam\\hl.exe"=
"d:\\GRY\\CS S\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe"=
"c:\\Program Files\\WebServ\\WebServ.exe"=
"d:\\GRY\\steam\\steamapps\\zdzisieq\\half-life blue shift\\hl.exe"=
"c:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe"=
"c:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe"=
"e:\\ze starego kompa\\cały dysk D\\Film,Piosenki i Rysunki Marcina\\Tibia\\OTS\\TFS\\theforgottenserver-v0.2-win32gui\\The Forgotten Server.exe"=
"c:\\Program Files\\NAPI-PROJEKT\\napisy.exe"=
"d:\\GRY\\wow\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enGB-downloader.exe"=
"d:\\GRY\\Metin Chinski\\metin_longjuyt2_server2.exe"=
"d:\\Total comm\\TC PowerPack\\TOTALCMD.EXE"=
"c:\\Documents and Settings\\Marcin\\Pulpit\\NTSD2.4\\NTSD2.4\\NTSD.exe"=
"e:\\ze starego kompa\\cały dysk D\\Film,Piosenki i Rysunki Marcina\\Tibia\\OTS\\Darkness Otserv 0.5.3\\Darkness Otserv 0.5.3\\Darkness Otserv 0.5.3 - Gui.exe"=
"d:\\GRY\\wow\\World of Warcraft\\WoW-3.2.0-enGB-downloader.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"e:\\ze starego kompa\\cały dysk D\\Film,Piosenki i Rysunki Marcina\\Tibia\\OTS\\backup\\cryingdamson5-console\\Crying Damson.exe"=
"e:\\ze starego kompa\\cały dysk D\\Film,Piosenki i Rysunki Marcina\\Tibia\\OTS\\cryingdamson5console\\cryingdamson5-console\\Crying Damson.exe"=
"e:\\ze starego kompa\\cały dysk D\\Film,Piosenki i Rysunki Marcina\\Tibia\\OTS\\cryingdamson5-gui\\Crying Damson.exe"=
"e:\\ze starego kompa\\cały dysk D\\Film,Piosenki i Rysunki Marcina\\Tibia\\OTS\\theforgottenserver-v0.2.5-win32gui\\Mystic Spirit\\The Forgotten Server.exe"=
"c:\\xampp\\apache\\bin\\apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 mv61xx;mv61xx;c:\windows\system32\drivers\mv61xx.sys [2008-08-14 150568]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-03 108289]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-01-18 24635]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-08-15 84992]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-08-14 36864]
R3 Stmatm;ATM/ADSL miniport;c:\windows\system32\drivers\stmatm.sys [2008-08-18 60255]
R3 TaurusUsb;ADSL Modem USB Service;c:\windows\system32\drivers\torususb.sys [2008-08-18 684265]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2009-07-18 234888]
S2 XAMPP;XAMPP Service;c:\documents and settings\Marcin\Pulpit\xampp\service.exe [2009-09-20 60928]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-20 10976]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [2008-08-27 61536]
S3 se46mdfl;Sony Ericsson Device 070 USB WMC Modem Filter;c:\windows\system32\drivers\se46mdfl.sys [2008-08-27 9360]
S3 se46mdm;Sony Ericsson Device 070 USB WMC Modem Driver;c:\windows\system32\drivers\se46mdm.sys [2008-08-27 97088]
S3 se46mgmt;Sony Ericsson Device 070 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\se46mgmt.sys [2008-08-27 88624]
S3 se46nd5;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se46nd5.sys [2008-08-27 18704]
S3 se46obex;Sony Ericsson Device 070 USB WMC OBEX Interface;c:\windows\system32\drivers\se46obex.sys [2008-08-27 86432]
S3 se46unic;Sony Ericsson Device 070 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se46unic.sys [2008-08-27 90800]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: { - c:\program files\Messenger\msmsgs.exe
TCP: {EFB2F32A-A6CB-4166-81A2-3074C3A3C16C} = 194.204.159.1 217.98.63.164
FF - ProfilePath - c:\documents and settings\Marcin\Dane aplikacji\Mozilla\Firefox\Profiles\8v8pxpyb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.pl
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
FF - component: c:\documents and settings\Marcin\Dane aplikacji\Mozilla\Firefox\Profiles\8v8pxpyb.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Marcin\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKLM-Run-Sony Ericsson PC Suite - c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
HKLM-Run-menustart - c:\loader.exe
AddRemove-All ATI Software - c:\program files\ATI Technologies\UninstallAll\AtiCimUn.exe
AddRemove-ALLPlayer V3.3_is1 - c:\program files\MarBit\ALLPlayer\unins000.exe
AddRemove-Ask Toolbar_is1 - c:\program files\AskBarDis\unins000.exe
AddRemove-BearShare - c:\progra~1\BEARSH~1\UNWISE.EXE
AddRemove-CCleaner - c:\program files\CCleaner\uninst.exe
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe
AddRemove-ElfBot NG_is1 - c:\program files\ElfBot NG\unins000.exe
AddRemove-Fox Magic Audio Recorder_is1 - c:\program files\Fox Magic\AudioRecorder\unins000.exe
AddRemove-Hamachi - c:\program files\Hamachi\uninstall.exe
AddRemove-InstallShield_{6BE2A4A4-99FB-48ED-AE1E-4E850389F804} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
AddRemove-ipla - c:\program files\ipla\uninst.exe
AddRemove-KLiteCodecPack_is1 - c:\program files\K-Lite Codec Pack\unins000.exe
AddRemove-Mozilla Firefox (3.5.3) - c:\program files\Mozilla Firefox\uninstall\helper.exe
AddRemove-NAPIPROJEKT_is1 - c:\program files\NAPI-PROJEKT\unins000.exe
AddRemove-Nero - Burning Rom!UninstallKey - c:\program files\Ahead\nero\uninstall\UNNERO.exe
AddRemove-NeroMultiInstaller!UninstallKey - c:\program files\Common Files\Nero\Uninstall\Setupx.exe
AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe
AddRemove-NMPUninstallKey - c:\windows\UNNMP.exe
AddRemove-SCAR Divi 3.15b_is1 - c:\program files\SCAR 3.15\unins000.exe
AddRemove-Virtual DJ - Atomix Productions - c:\progra~1\VIRTUA~1\UNWISE.EXE
AddRemove-WebServ_is1 - c:\program files\WebServ\unins000.exe
AddRemove-Winamp Toolbar for Firefox - c:\documents and settings\Marcin\Dane aplikacji\Mozilla\Firefox\Profiles\8v8pxpyb.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\uninstall.exe
AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
AddRemove-WinGimp-2.0_is1 - c:\program files\GIMP-2.0\unins000.exe
AddRemove-WinGTK-2_is1 - c:\program files\Common Files\GTK\2.0\setup\unins000.exe
AddRemove-WinHex - c:\documents and settings\Marcin\Pulpit\winhex\WinHex.exe
AddRemove-World of Warcraft - c:\program files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
AddRemove-{762D26FE-71E8-4A52-B42B-CF85E4ACC049}_is1 - c:\program files\JestemHardcorem\unins000.exe
AddRemove-{8A4D41F3-3EDA-4DAC-9403-839708EA0667} - c:\program files\InstallShield Installation Information\{8A4D41F3-3EDA-4DAC-9403-839708EA0667}\setup.exe
AddRemove-{8AF5EA22-17DC-46E0-ABA3-F30A7D288DD0} - c:\program files\InstallShield Installation Information\{8AF5EA22-17DC-46E0-ABA3-F30A7D288DD0}\setup.exe
AddRemove-{B62C4D82-8130-44CE-9D7F-4A76DC8FDFDA}_is1 - c:\program files\XS++ centrumse edition\unins000.exe
AddRemove-{BEE64C14-BEF1-4610-8A68-A16EAA47B882} - c:\program files\InstallShield Installation Information\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}\setup.exe
AddRemove-{C05D8CDB-417D-4335-A38C-A0659EDFD6B8} - c:\program files\InstallShield Installation Information\{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}\Sims3Setup.exe
AddRemove-{F138762F-5A1F-4CF0-A5E1-1588EF6088A4} - c:\program files\InstallShield Installation Information\{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}\setup.exe
AddRemove-BitTorrent DNA - c:\program files\DNA\btdna.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-24 21:46
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3632)
c:\windows\system32\WININET.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\FTRTSVC.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\No-IP\DUC20.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Czas ukończenia: 2009-09-24 21:48 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2009-09-24 19:48

Przed: 9 465 622 528 bajtów wolnych
Po: 9 724 903 424 bajtów wolnych

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

370 --- E O F --- 2009-09-09 18:21

I hope everything is fine this time... btw, don't I happen to have some keyloggers? Is everything running smoothly?

Uninstall Winamp Toolbar.
Download The Avenger and paste the following text into the "Input script here" box:

Folders to delete:
c:\documents and settings\Marcin\DoctorWeb
c:\program files\AskBarDis

Files to delete:
c:\windows\inout2.dll

Drivers to delete:
ASKUpgrade

Click Execute. Confirm and agree to the restart by clicking OK.
After it finishes, paste the report C:\avenger.txt on the forum.

Paste into Notepad:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=-

[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=-

File > Save as. Change the file type from TXT to All files and save it under the name FIX.REG. Run the created file and confirm.

The Avenger log, of course from before creating the fix.reg file, although from what I noticed it doesn't matter...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Folder "c:\documents and settings\Marcin\DoctorWeb" deleted successfully.
Folder "c:\program files\AskBarDis" deleted successfully.
File "c:\windows\inout2.dll" deleted successfully.
Driver "ASKUpgrade" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

I've already created that file... It has been added to the registry... Is everything clean now? Should I post HijackThis logs as well? Please check whether I have a keylogger too...

There's nothing more in the log.
Just the final steps left:
Download OTC, run it and click CleanUp.
Clean the disk and the registry with CCleaner.
Turn System Restore off and back on on all drives (Instructions).

Thanks a lot, I think that's everything... I'll still give you a HijackThis log just in case... Please pay attention to keyloggers...

Logfile of HijackThis v1.99.1
Scan saved at 11:02:46, on 2009-09-26
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\ctfmon.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\GRY\steam\Steam.exe
C:\Documents and Settings\Marcin\Pulpit\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Marcin\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\gry\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB2F32A-A6CB-4166-81A2-3074C3A3C16C}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Documents and Settings\Marcin\Pulpit\xampp\service.exe

Cosmetically, Fix in HijackThis:

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

Nothing more there, clean.

So as not to open new threads, I'll write here. First I'd like to thank you for the help I received recently; I hope you'll help me this time too. The thing is, my internet is terribly sluggish. When uploading files to an FTP server the normal speed was always around 15 kb/s!
Now it sometimes jumps to 8 kb/s, but very rarely; it often shows 300 b/s... The same happens with some online games! My internet is Neostrada; I doubt it's a virus, but here's the log for you:

Logfile of HijackThis v1.99.1
Scan saved at 09:35:41, on 2009-10-17
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\loader.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\gry\steam\steam.exe
C:\Program Files\Nowe Gadu-Gadu\gg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Marcin\Menu Start\Programy\Autostart\lsasz.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\FTRTSVC.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Total comm\TC PowerPack\totalcmd.exe
C:\Documents and Settings\Marcin\Pulpit\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\Marcin\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [menustart] c:\loader.exe
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Steam] "d:\gry\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Nowe Gadu-Gadu] "C:\Program Files\Nowe Gadu-Gadu\gg.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: lsasz.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFB2F32A-A6CB-4166-81A2-3074C3A3C16C}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - C:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Documents and Settings\Marcin\Pulpit\xampp\service.exe

Download The Avenger and paste the following text into the "Input script here" box:

Files to delete:
C:\Documents and Settings\Marcin\Menu Start\Programy\Autostart\lsasz.exe
C:\loader.exe

Click Execute. Confirm and agree to the restart by clicking OK.
After it finishes, paste the report C:\avenger.txt on the forum.
Then post a log from OTL http://www.instalki.pl/pr...spyware/OTL.php

That loader and lsasz come from the Tibia Bot NG bot; it's original and well known. Do you think my internet is sluggish because of it?

Possibly; remove it and we'll see. Also post the log I asked for.