28 Kwi 2008, 23:05
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sony Ericsson PC Suite" = ""C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon" ["Sony Ericsson Mobile Communications AB"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"Adobe Photo Downloader" = ""C:\Programy niesystemowe\AdobePhotoAlbumStarter\3.0\Apps\apdproxy.exe"" ["Adobe Systems Incorporated"]
"BearFlix" = ""C:\Program Files\BearFlix\BearFlix.exe" /pause" [file not found]
"avgnt" = ""C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"UDC Integration" = (empty string)
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"iTunesHelper" = ""C:\Programy niesystemowe\i\iTunesHelper.exe"" ["Apple Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
{HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3049C3E9-B461-4BC5-8870-4C09146192CA}\(Default) = (no title provided)
{HKLM...CLSID} = "RealPlayer Download and Record Plugin for Internet Explorer"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll" ["RealPlayer"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
{HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{176d6597-26d3-11d1-b350-080036a75b03}" = "Zarządzanie skanerem ICM"
{HKLM...CLSID} = "Zarządzanie skanerem ICM"
\InProcServer32\(Default) = "icmui.dll" [MS]
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}" = "Strona właściwości OLE Docfile"
{HKLM...CLSID} = "Strona właściwości OLE Docfile"
\InProcServer32\(Default) = "docprop.dll" [MS]
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}" = "Rozszerzenia powłoki dla udostępniania zasobów"
{HKLM...CLSID} = "Rozszerzenia powłoki dla udostępniania zasobów"
\InProcServer32\(Default) = "ntshrui.dll" [MS]
"{41E300E0-78B6-11ce-849B-444553540000}" = "PlusPack CPL Extension"
{HKLM...CLSID} = "Rozszerzenie CPL pakietu PlusPack"
\InProcServer32\(Default) = "C:\WINDOWS\system32\themeui.dll" [MS]
"{42071712-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL karty graficznej"
{HKLM...CLSID} = "Rozszerzenie CPL karty graficznej"
\InProcServer32\(Default) = "deskadp.dll" [MS]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{4E40F770-369C-11d0-8922-00A024AB2DBB}" = "Strona zabezpieczeń usługi DS"
{HKLM...CLSID} = "Rozszerzenie powłoki zabezpieczeń"
\InProcServer32\(Default) = "dssec.dll" [MS]
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}" = "Strona zgodności"
{HKLM...CLSID} = "Strona zgodności"
\InProcServer32\(Default) = "SlayerXP.dll" [MS]
"{59099400-57FF-11CE-BD94-0020AF85B590}" = "Rozszerzenie Disc Copy"
{HKLM...CLSID} = "Rozszerzenie Disc Copy"
\InProcServer32\(Default) = "diskcopy.dll" [MS]
"{77597368-7b15-11d0-a0c2-080036af3f03}" = "Rozszerzenie powłoki drukarek sieci Web"
{HKLM...CLSID} = "Rozszerzenie powłoki drukarek sieci Web"
\InProcServer32\(Default) = "printui.dll" [MS]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}" = "Display TroubleShoot CPL Extension"
{HKLM...CLSID} = "Display TroubleShoot CPL Extension"
\InProcServer32\(Default) = "deskperf.dll" [MS]
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}" = "Połączenia sieciowe"
{HKLM...CLSID} = "Połączenia sieciowe"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{992CFFA0-F557-101A-88EC-00DD010CCC48}" = "Połączenia sieciowe"
{HKLM...CLSID} = "Połączenia sieciowe"
\InProcServer32\(Default) = "C:\WINDOWS\system32\NETSHELL.dll" [MS]
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" = "Microsoft Data Link"
{HKLM...CLSID} = "Microsoft OLE DB Service Component Data Links"
\InProcServer32\(Default) = "C:\Program Files\Common Files\System\Ole DB\oledb32.dll" [MS]
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}" = "Tasks Folder Icon Handler"
{HKLM...CLSID} = "Scheduling UI icon handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\mstask.dll" [MS]
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}" = "Auto Update Property Sheet Extension"
{HKLM...CLSID} = "Auto Update Property Sheet Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wuaucpl.cpl" [MS]
"{596AB062-B4D2-4215-9F74-E9109B0A8153}" = "Strona właściwości Poprzednie wersje"
{HKLM...CLSID} = "Strona właściwości Poprzednie wersje"
\InProcServer32\(Default) = "C:\WINDOWS\system32\twext.dll" [MS]
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}" = "Audio Media Properties Handler"
{HKLM...CLSID} = "Audio Media Properties Handler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shmedia.dll" [MS]
"{7e653215-fa25-46bd-a339-34a2790f3cb7}" = "Dostępny"
{HKLM...CLSID} = "Dostępny"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{88C6C381-2E85-11D0-94DE-444553540000}" = "Folder pamięci podręcznej ActiveX"
{HKLM...CLSID} = "Folder pamięci podręcznej ActiveX"
\InProcServer32\(Default) = "C:\WINDOWS\system32\occache.dll" [MS]
"{08165EA0-E946-11CF-9C87-00AA005127ED}" = "WebCheckWebCrawler"
{HKLM...CLSID} = "WebCheckWebCrawler"
\InProcServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"{E88DCCE0-B7B3-11d1-A9F0-00AA0060FA31}" = "Folder skompresowany (zip)"
{HKLM...CLSID} = "CompressedFolder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\zipfldr.dll" [MS]
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}" = "Extensions Manager Folder"
{HKLM...CLSID} = "Extensions Manager Folder"
\InProcServer32\(Default) = "C:\WINDOWS\system32\extmgr.dll" [MS]
"{883373C3-BF89-11D1-BE35-080036B11A03}" = "Microsoft DocProp Shell Ext"
{HKLM...CLSID} = "Microsoft DocProp Shell Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{6A205B57-2567-4A2C-B881-F787FAB579A3}" = "Microsoft DocProp Inplace Calendar Control"
{HKLM...CLSID} = "Microsoft DocProp Inplace Calendar Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\docprop2.dll" [MS]
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}" = "Directory Query UI"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsquery.dll" [MS]
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}" = "Directory Property UI"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\dsuiext.dll" [MS]
"{ECF03A33-103D-11d2-854D-006008059367}" = "MyDocs Copy Hook"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\mydocs.dll" [MS]
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}" = "DfsShell"
{HKLM...CLSID} = "DfsShell Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfsshlex.dll" [MS]
"{60fd46de-f830-4894-a628-6fa81bc0190d}" = "%DESC_PublishDropTarget%"
{HKLM...CLSID} = "Obiekt DropTarget dla Kreatora drukowania fotografii"
\InProcServer32\(Default) = "C:\WINDOWS\system32\photowiz.dll" [MS]
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}" = "MMC Icon Handler"
{HKLM...CLSID} = "ExtractIcon Class"
\InProcServer32\(Default) = "C:\WINDOWS\System32\mmcshext.dll" [MS]
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}" = ".CAB file viewer"
{HKLM...CLSID} = "Plik cabinet"
\InProcServer32\(Default) = "cabview.dll" [MS]
"{8DD448E6-C188-4aed-AF92-44956194EB1F}" = "Windows Media Player Play as Playlist Context Menu Handler"
{HKLM...CLSID} = "WMP Burn Audio CD Launcher"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wmpshell.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
{HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
{HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
{HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"
{HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
{HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Programy niesystemowe\i\iTunesMiniPlayer.dll" ["Apple Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
{HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
{HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "c:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
{HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "c:\WINDOWS\system32\dfshim.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
{HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
{HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
{HKLM...CLSID} = "SysTray"
\InProcServer32\(Default) = "C:\WINDOWS\system32\stobject.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
{HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
{HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
{HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
{HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kasia i Maciek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\scrnsave.scr" [null data]
Logfile of HijackThis v1.99.1
Scan saved at 22:40:32, on 2008-04-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Programy niesystemowe\i\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Programy niesystemowe\eMule\emule.exe
C:\WINDOWS\system32\sndvol32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\regedit.exe
C:\ComboFix\nircmd.com
C:\Programy niesystemowe\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gazetawyborcza.pl/0,0.html?p=4
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programy niesystemowe\AdobePhotoAlbumStarter\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BearFlix] "C:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programy niesystemowe\i\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - Startup: Registration THE SETTLERS - Dziedzictwo królów - Legendy.LNK = D:\SetlersV\Support\Register\RegistrationReminder.exe
O4 - Startup: Registration THE SETTLERS - Dziedzictwo Królów - Misje Dodatkowe.LNK = D:\SetlersV\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{78DDFB36-31C9-4457-86FA-721787357789}: NameServer = 194.204.159.1,194.204.152.34
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Urządzenie mobilne Apple (Apple Mobile Device) - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
Avira AntiVir Personal
Report file date: 28 kwietnia 2008 22:10
Scanning for 1243285 virus strains and unwanted programs.
Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Dodatek Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: KASIA-MACIEK
Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 2008-04-09 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 2008-04-17 19:47:42
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2008-04-17 19:47:42
LUKE.DLL : 8.1.2.9 151809 Bytes 2008-04-17 19:47:44
LUKERES.DLL : 8.1.2.1 12033 Bytes 2008-04-17 19:47:44
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 14:27:15
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 2008-03-07 14:57:10
ANTIVIR2.VDF : 7.0.3.197 1260032 Bytes 2008-04-22 19:44:48
ANTIVIR3.VDF : 7.0.3.224 212992 Bytes 2008-04-28 19:41:38
Engineversion : 8.1.0.35
AEVDF.DLL : 8.1.0.5 102772 Bytes 2008-04-17 19:47:49
AESCRIPT.DLL : 8.1.0.27 233851 Bytes 2008-04-25 19:44:33
AESCN.DLL : 8.1.0.14 119156 Bytes 2008-04-20 19:41:52
AERDL.DLL : 8.1.0.20 418165 Bytes 2008-04-25 19:44:30
AEPACK.DLL : 8.1.1.2 364917 Bytes 2008-04-20 19:41:50
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 2008-04-20 19:41:48
AEHEUR.DLL : 8.1.0.20 1196406 Bytes 2008-04-25 19:44:25
AEHELP.DLL : 8.1.0.14 115063 Bytes 2008-04-20 19:41:47
AEGEN.DLL : 8.1.0.18 299381 Bytes 2008-04-25 19:44:11
AEEMU.DLL : 8.1.0.5 430450 Bytes 2008-04-17 19:47:47
AECORE.DLL : 8.1.0.27 168310 Bytes 2008-04-20 19:41:45
AVWINLL.DLL : 1.0.0.7 14593 Bytes 2008-04-17 19:47:42
AVPREF.DLL : 8.0.0.1 25857 Bytes 2008-04-17 19:47:42
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 13:16:24
AVREG.DLL : 8.0.0.0 30977 Bytes 2008-04-17 19:47:42
AVARKT.DLL : 1.0.0.23 307457 Bytes 2008-04-17 19:47:41
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2008-04-17 19:47:41
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2008-04-17 19:47:45
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 2008-04-17 19:47:45
NETNT.DLL : 8.0.0.1 7937 Bytes 2008-04-17 19:47:44
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 2008-04-17 19:47:34
RCTEXT.DLL : 8.0.32.0 86273 Bytes 2008-04-17 19:47:34
Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium
Start of the scan: 28 kwietnia 2008 22:10
The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sndvol32.exe' - '1' Module(s) have been scanned
Scan process 'gg.exe' - '1' Module(s) have been scanned
Scan process 'emule.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'realsched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned
Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Starting to scan the registry.
The registry was scanned ( '22' files ).
Starting the file scan:
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Programy niesystemowe\instalki\84.43_forceware_winxp2k_english.exe
[WARNING] No further files can be extracted from this archive. The archive will be closed
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP61\A0004865.tlb
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP61\A0004868.exe
[DETECTION] Is the Trojan horse TR/Zlob.AF
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP61\A0004900.tlb
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP61\A0004941.tlb
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP61\A0004958.tlb
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0004972.exe
[DETECTION] Is the Trojan horse TR/Drop.Zlob.RE.2
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0004975.tlb
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005000.tlb
[DETECTION] Is the Trojan horse TR/Drop.Zlob.RE.1
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005005.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.RB.2
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005011.tlb
[DETECTION] Is the Trojan horse TR/Drop.Zlob.RE.1
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005020.tlb
[DETECTION] Is the Trojan horse TR/Drop.Zlob.RE.1
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005030.exe
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.RB.1
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005031.exe
[DETECTION] Is the Trojan horse TR/Drop.Zlob.RE.2
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005034.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Zlob.KA.2
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0005035.tlb
[DETECTION] Is the Trojan horse TR/Drop.Zlob.RE.1
[NOTE] The file was deleted!
C:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0071269.exe
[DETECTION] Contains detection pattern of the dropper DR/Agent.DD.1
[NOTE] The file was deleted!
Begin scan in 'D:\'
D:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0109370.ini
[DETECTION] Is the Trojan horse TR/Agent.BCF
[NOTE] The file was deleted!
D:\System Volume Information\_restore{BEA5AD53-C7F6-484C-8D41-7AB9510824E1}\RP62\A0109371.ini
[DETECTION] Is the Trojan horse TR/Agent.BCF
[NOTE] The file was deleted!
D:\Zdjęcia\Sanok-grudzień2004\Temp.Htt
[DETECTION] Is the Trojan horse TR/Jscript.Blackmal.F
[NOTE] The file was deleted!
End of the scan: 28 kwietnia 2008 23:40
Used time: 1:30:58 min
The scan has been done completely.
7322 Scanning directories
221836 Files were scanned
19 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
19 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
221817 Files not concerned
1044 Archives were scanned
2 Warnings
19 Notes
29 Kwi 2008, 00:08
ComboFix 08-04-27.3 - Kasia i Maciek 2008-04-28 23:55:01.1 - NTFSx86
Running from: C:\Documents and Settings\Kasia i Maciek\Pulpit\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.
2008-06-25 03:14 . 2008-06-25 03:14 <DIR> d-------- C:\Documents and Settings\Kasia\Dane aplikacji\vlc
2008-04-19 09:47 . 2008-04-19 09:47 <DIR> d-------- C:\Muzyka
2008-04-16 08:31 . 2008-04-28 10:57 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-16 08:31 . 2008-04-16 08:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-01 15:06 . 2008-04-01 15:06 <DIR> d-------- C:\Documents and Settings\Kasia\Dane aplikacji\Talkback
2008-04-01 15:04 . 2008-04-01 15:04 <DIR> d-------- C:\Documents and Settings\Kasia\Dane aplikacji\Thunderbird
2008-03-29 00:37 . 2008-03-29 00:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-29 00:37 . 2008-03-29 00:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 17:35 . 2007-07-30 20:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-03-28 17:35 . 2007-07-30 20:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-03-28 17:35 . 2007-07-30 20:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-03-28 17:18 . 2008-03-28 17:18 <DIR> d-------- C:\Program Files\Microsoft Works
2008-03-28 17:16 . 2008-03-28 17:16 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-28 17:11 . 2008-04-09 08:46 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-03-28 17:08 . 2008-03-28 17:08 <DIR> dr-h----- C:\MSOCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 17:30 --------- d-----w C:\Documents and Settings\Kasia i Maciek\Dane aplikacji\uTorrent
2008-04-21 16:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-11 22:53 --------- d-----w C:\Documents and Settings\Kasia\Dane aplikacji\Skype
2008-04-01 21:15 --------- d-----w C:\Documents and Settings\Kasia i Maciek\Dane aplikacji\Skype
2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-16 10:08 --------- d-----w C:\Documents and Settings\Kasia i Maciek\Dane aplikacji\Thunderbird
2008-03-15 14:38 --------- d-----w C:\Documents and Settings\Kasia i Maciek\Dane aplikacji\Talkback
2008-03-11 09:59 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-11 09:59 --------- d-----w C:\Program Files\Common Files\Real
2008-03-11 09:58 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-11 09:58 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-11 09:58 --------- d-----w C:\Program Files\Real
2008-03-06 19:36 --------- d-----w C:\Program Files\uTorrent
2008-03-03 17:26 --------- d-----w C:\Program Files\iPod
2008-03-03 17:23 --------- d-----w C:\Program Files\Bonjour
2008-03-03 17:22 --------- d-----w C:\Program Files\QuickTime
2008-03-03 17:21 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2008-03-03 17:17 --------- d-----w C:\Program Files\Apple Software Update
2008-03-03 17:16 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-03 17:15 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple
2008-03-03 11:11 --------- d-----w C:\Program Files\PITy2007
2008-03-03 10:47 --------- d-----w C:\Program Files\PITy
2008-02-28 16:44 --------- d-----w C:\Documents and Settings\Kasia i Maciek\Dane aplikacji\Sony Setup
2008-02-28 16:43 --------- d-----w C:\Program Files\Sony Setup
2008-02-28 16:23 --------- d-----w C:\Program Files\Avanquest update
2008-02-28 16:23 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\BVRP Software
2008-02-28 16:22 --------- d-----w C:\Program Files\Sony Ericsson
2008-02-28 16:22 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson
2008-02-28 16:21 --------- d-----w C:\Documents and Settings\Kasia i Maciek\Dane aplikacji\InstallShield
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 09:05 662,016 ----a-w C:\WINDOWS\system32\wininet.dll
2008-01-29 11:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2003-03-21 12:45 250,544 ----a-w C:\Program Files\Common Files\keyhelp.ocx
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2007-11-20 16:29 356352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2003-10-02 14:37 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2003-10-02 14:19 118784]
"Adobe Photo Downloader"="C:\Programy niesystemowe\AdobePhotoAlbumStarter\3.0\Apps\apdproxy.exe" [2005-06-07 00:46 57344]
"BearFlix"="C:\Program Files\BearFlix\BearFlix.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 21:47 262401]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-11 11:58 185896]
"UDC Integration"="" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-29 00:37 413696]
"iTunesHelper"="C:\Programy niesystemowe\i\iTunesHelper.exe" [2008-03-30 11:36 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:44 15360]
C:\Documents and Settings\Kasia i Maciek\Menu Start\Programy\Autostart\
Registration THE SETTLERS - Dziedzictwo królów - Legendy.LNK - D:\SetlersV\Support\Register\RegistrationReminder.exe [2008-04-21 18:14:16 864256]
Registration THE SETTLERS - Dziedzictwo Królów - Misje Dodatkowe.LNK - D:\SetlersV\Support\Register\RegistrationReminder.exe [2008-04-21 18:14:16 864256]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.l3acm"= l3codecp.acm
"vidc.XVID"= xvid.dll
"vidc.3ivx"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.i263"= i263_32.drv
"msacm.imc"= imc32.acm
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programy niesystemowe\\Gadu-Gadu\\gg.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Programy niesystemowe\\Phone\\Skype.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Programy niesystemowe\\eMule\\emule.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Programy niesystemowe\\i\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2006-02-17 21:34]
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 10:50:11 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 00:00:27
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-04-29 0:06:47
ComboFix-quarantined-files.txt 2008-04-28 22:06:40
Pre-Run: 1,696,612,352 bajtów wolnych
Post-Run: 2,727,706,624 bajtów wolnych
123 --- E O F --- 2008-04-11 23:03:02