całkowite zmulenie kompa, kłopoty z ie i ffoxem

**Posty:** 19 · przez **Bart_72** 19 Lip 2008, 19:27

Witam,

Komputer działa potwornie wolno, a poza tym są problemy przy przeglądarkach IE oraz Fire Fox - komputer łączy się dopiero po którymś odpaleniu dowolnego z tych programów.

Odpaliłem 2 x Combo Fixa oraz HJT. Poniżej logi, dzięki za sprawdzenie.

ComboFix wcześniejszy

Kod: Zaznacz wszystko: ComboFix 08-07-18.5 - Pikor 2008-07-19 18:32:05.1 - NTFSx86 Running from: C:\ComboFix.exe * Resident AV is active [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\ijkkj.bak1 C:\WINDOWS\system32\ijkkj.bak2 C:\WINDOWS\system32\ijkkj.ini2 C:\WINDOWS\system32\ijkkj.tmp C:\WINDOWS\system32\MSINET.oca C:\WINDOWS\system32\rpcc.dll C:\WINDOWS\system32\wsnpoem . ((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 ))))))))))))))))))))))))))))))) . 2008-07-19 18:30 . 2008-07-19 18:14 2,654,479 --a------ C:\ComboFix.exe 2008-07-19 18:30 . 2008-07-19 18:15 812,344 --a------ C:\HJTInstall.exe 2008-07-19 18:30 . 2008-07-19 18:17 103,992 --a------ C:\Flash_Disinfector.exe 2008-07-19 18:30 . 2008-07-19 18:18 51,232 --a------ C:\wwdc.exe 2008-06-30 01:32 . 2008-06-30 01:32 71 --a------ C:\WINDOWS\pex.INI . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-18 13:58 --------- d-----w C:\Program Files\Minilyrics 2008-07-17 19:54 --------- d-----w C:\Program Files\emule 2008-07-13 16:16 --------- d-----w C:\Program Files\3DO 2008-07-13 16:12 --------- d-----w C:\Program Files\mIrc 2008-06-29 23:31 --------- d-----w C:\Documents and Settings\Pikor\Dane aplikacji\Ulead Systems 2008-05-26 08:53 --------- d-----w C:\Documents and Settings\Pikor\Dane aplikacji\AdobeUM 2008-01-05 13:48 34,992 ----a-w C:\Documents and Settings\Pikor\Dane aplikacji\GDIPFONTCACHEV1.DAT 2007-07-09 12:44 109 --sha-w C:\WINDOWS\system32\2027219537.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-02-17 15:03 2396160] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Gadu-Gadu\\gg.exe"= "C:\\Program Files\\emule\\emule.exe"= "C:\\WINDOWS\\system32\\dplaysvr.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11] R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 17:22] S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys [] S3 arcaen;ArcaVir Monitor Kernel Engine Driver;C:\Program Files\ArcaMicroScanPro\arcaen.sys [] S3 arcaev;ArcaVir Monitor Kernel Events Driver;C:\Program Files\ArcaMicroScanPro\arcaev.sys [] S3 arcafd;ArcaVir Monitor Kernel Filter Driver;C:\Program Files\ArcaMicroScanPro\arcafd.sys [] *Newly Created Service* - CATCHME *Newly Created Service* - PROCEXP90 . Contents of the 'Scheduled Tasks' folder "2008-07-19 15:00:01 C:\WINDOWS\Tasks\AF249C52918F1412.job" - c:\docume~1\pikor\daneap~1\platfo~1\ItchOozeSlow.exe . - - - - ORPHANS REMOVED - - - - Notify-rpcc - C:\WINDOWS\system32\rpcc.dll ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-19 18:40:57 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-07-19 18:45:00 ComboFix-quarantined-files.txt 2008-07-19 16:44:55 Pre-Run: 14,386,270,208 bajtów wolnych Post-Run: 14,770,237,440 bajtów wolnych 85

ComboFix późniejszy

Kod: Zaznacz wszystko: ComboFix 08-07-18.5 - Pikor 2008-07-19 19:03:00.2 - NTFSx86 Running from: C:\ComboFix.exe * Resident AV is active [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 ))))))))))))))))))))))))))))))) . 2008-07-19 18:46 . 2008-07-19 18:46 <DIR> d-------- C:\Program Files\Trend Micro 2008-07-19 18:45 . 2008-07-19 18:47 <DIR> d-------- C:\LOGI 2008-07-19 18:30 . 2008-07-19 18:14 2,654,479 --a------ C:\ComboFix.exe 2008-07-19 18:30 . 2008-07-19 18:15 812,344 --a------ C:\HJTInstall.exe 2008-07-19 18:30 . 2008-07-19 18:17 103,992 --a------ C:\Flash_Disinfector.exe 2008-07-19 18:30 . 2008-07-19 18:18 51,232 --a------ C:\wwdc.exe 2008-06-30 01:32 . 2008-06-30 01:32 71 --a------ C:\WINDOWS\pex.INI . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-18 13:58 --------- d-----w C:\Program Files\Minilyrics 2008-07-17 19:54 --------- d-----w C:\Program Files\emule 2008-07-13 16:16 --------- d-----w C:\Program Files\3DO 2008-07-13 16:12 --------- d-----w C:\Program Files\mIrc 2008-06-29 23:31 --------- d-----w C:\Documents and Settings\Pikor\Dane aplikacji\Ulead Systems 2008-05-26 08:53 --------- d-----w C:\Documents and Settings\Pikor\Dane aplikacji\AdobeUM 2008-01-05 13:48 34,992 ----a-w C:\Documents and Settings\Pikor\Dane aplikacji\GDIPFONTCACHEV1.DAT 2007-07-09 12:44 109 --sha-w C:\WINDOWS\system32\2027219537.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-02-17 15:03 2396160] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Gadu-Gadu\\gg.exe"= "C:\\Program Files\\emule\\emule.exe"= "C:\\WINDOWS\\system32\\dplaysvr.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11] R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 17:22] S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys [] S3 arcaen;ArcaVir Monitor Kernel Engine Driver;C:\Program Files\ArcaMicroScanPro\arcaen.sys [] S3 arcaev;ArcaVir Monitor Kernel Events Driver;C:\Program Files\ArcaMicroScanPro\arcaev.sys [] S3 arcafd;ArcaVir Monitor Kernel Filter Driver;C:\Program Files\ArcaMicroScanPro\arcafd.sys [] . Contents of the 'Scheduled Tasks' folder "2008-07-19 17:00:00 C:\WINDOWS\Tasks\AF249C52918F1412.job" - c:\docume~1\pikor\daneap~1\platfo~1\ItchOozeSlow.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-19 19:07:42 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-07-19 19:11:24 ComboFix-quarantined-files.txt 2008-07-19 17:11:15 ComboFix2.txt 2008-07-19 16:45:03 Pre-Run: 14,778,568,704 bajtów wolnych Post-Run: 14,767,620,096 bajtów wolnych 72

HJT

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:46:43, on 2008-07-19 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\tlntsvr.exe C:\Program Files\Gadu-Gadu\gg.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll O12 - Plugin for .3gp: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll O17 - HKLM\System\CCS\Services\Tcpip\..\{1D9D5920-DDD9-4CCB-8107-EB2CE6407331}: NameServer = 194.204.152.34,217.98.63.164 O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing) O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe -- End of file - 5634 bytes

**Posty:** 84 · przez **gloni** 19 Lip 2008, 20:01

To na fix w HJT :

Kod: Zaznacz wszystko: O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

mozesz jeszcze zrobic tym programem

SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt

przeskanuj tym programem http://download.grisoft.cz/softw/70/filedir/inst/avgas-setup-7.5.1.43-3339.exe

i wydaje mi sie że bedzie czysto . Podaj logi z SDFix'a i Combofix'a

Autor postu otrzymał pochwałę

**Posty:** 19 · przez **Bart_72** 19 Lip 2008, 21:51

Po zastosowaniu wszystkich programów oto wynikowe logi

SDFix

Kod: Zaznacz wszystko: [b]SDFix: Version 1.206 [/b] Run by Pikor on 2008-07-19 at 20:18 Microsoft Windows XP [Wersja 5.1.2600] Running From: C:\SDFix [b]Checking Services [/b]: Restoring Default Security Values Restoring Default Hosts File Rebooting [b]Checking Files [/b]: Trojan Files Found: [color=red]Note - Files associated with the MBR Rootkit have been found on this system, to check the PC use the [url=http://www2.gmer.net/mbr/mbr.exe]MBR Rootkit Detector[/url] by Gmer or [url=http://www.freedrweb.com/cureit]CureIt[/url] by Dr.Web[/color] Could Not Remove C:\WINDOWS\Temp\bca4e2da.$$$ Could Not Remove C:\WINDOWS\Temp\fa56d7ec.$$$ Removing Temp Files [b]ADS Check [/b]: [b]Final Check [/b]: catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-19 20:28:46 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher] "TracesProcessed"=dword:0000003a "TracesSuccessful"=dword:00000002 scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 [b]Remaining Services [/b]: Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program glowny" "C:\\Program Files\\emule\\emule.exe"="C:\\Program Files\\emule\\emule.exe:*:Enabled:eMule" "C:\\WINDOWS\\system32\\dplaysvr.exe"="C:\\WINDOWS\\system32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper" "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019" [b]Remaining Files [/b]: C:\WINDOWS\Temp\bca4e2da.$$$ Found C:\WINDOWS\Temp\fa56d7ec.$$$ Found File Backups: - C:\SDFix\backups\backups.zip [b]Files with Hidden Attributes [/b]: Wed 13 Sep 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Wed 13 Sep 2006 4,348 A..H. --- "C:\Documents and Settings\Pikor\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak" Mon 23 Jul 2007 20 A..H. --- "C:\Documents and Settings\Pikor\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak" Wed 13 Sep 2006 312 A..H. --- "C:\Documents and Settings\Pikor\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak" Mon 23 Jul 2007 1,536 A..H. --- "C:\Documents and Settings\Pikor\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2lic.bak" [b]Finished![/b]

ComboFix

Kod: Zaznacz wszystko: ComboFix 08-07-18.5 - Pikor 2008-07-19 21:36:52.3 - NTFSx86 Running from: C:\ComboFix.exe * Resident AV is active [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 ))))))))))))))))))))))))))))))) . 2008-07-19 20:35 . 2008-07-19 20:35 <DIR> d-------- C:\Documents and Settings\Pikor\Dane aplikacji\Grisoft 2008-07-19 20:35 . 2008-07-19 20:35 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Grisoft 2008-07-19 20:35 . 2007-05-30 14:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2008-07-19 20:14 . 2008-07-19 20:14 <DIR> d-------- C:\WINDOWS\ERUNT 2008-07-19 20:10 . 2008-07-19 20:33 <DIR> d-------- C:\SDFix 2008-07-19 20:08 . 2008-07-19 20:08 14,113,576 --a------ C:\avgas-setup-7.5.1.43-3339.exe 2008-07-19 20:07 . 2008-07-19 20:07 1,442,142 --a------ C:\SDFix.exe 2008-07-19 18:46 . 2008-07-19 18:46 <DIR> d-------- C:\Program Files\Trend Micro 2008-07-19 18:45 . 2008-07-19 20:34 <DIR> d-------- C:\LOGI 2008-07-19 18:30 . 2008-07-19 18:14 2,654,479 --a------ C:\ComboFix.exe 2008-07-19 18:30 . 2008-07-19 18:15 812,344 --a------ C:\HJTInstall.exe 2008-07-19 18:30 . 2008-07-19 18:17 103,992 --a------ C:\Flash_Disinfector.exe 2008-07-19 18:30 . 2008-07-19 18:18 51,232 --a------ C:\wwdc.exe 2008-06-30 01:32 . 2008-06-30 01:32 71 --a------ C:\WINDOWS\pex.INI . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-18 13:58 --------- d-----w C:\Program Files\Minilyrics 2008-07-17 19:54 --------- d-----w C:\Program Files\emule 2008-07-13 16:16 --------- d-----w C:\Program Files\3DO 2008-07-13 16:12 --------- d-----w C:\Program Files\mIrc 2008-06-29 23:31 --------- d-----w C:\Documents and Settings\Pikor\Dane aplikacji\Ulead Systems 2008-05-26 08:53 --------- d-----w C:\Documents and Settings\Pikor\Dane aplikacji\AdobeUM 2008-01-05 13:48 34,992 ----a-w C:\Documents and Settings\Pikor\Dane aplikacji\GDIPFONTCACHEV1.DAT 2007-07-09 12:44 109 --sha-w C:\WINDOWS\system32\2027219537.dat . ((((((((((((((((((((((((((((( snapshot@2008-07-19_18.44.38.48 ))))))))))))))))))))))))))))))))))))))))) . + 2008-07-17 10:57:07 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE + 2008-07-19 18:14:43 6,750,208 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-07-19 18:14:43 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\[u]0[/u]0000002\UsrClass.dat + 2008-07-17 10:57:07 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2008-07-19 18:14:31 6,750,208 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000001\NTUSER.DAT + 2008-07-19 18:14:31 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\[u]0[/u]0000002\UsrClass.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-02-17 15:03 2396160] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Gadu-Gadu\\gg.exe"= "C:\\Program Files\\emule\\emule.exe"= "C:\\WINDOWS\\system32\\dplaysvr.exe"= "C:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009 R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11] R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 17:22] S2 FILESpy;FILESpy;C:\Program Files\Softwin\BitDefender9\filespy.sys [] S3 arcaen;ArcaVir Monitor Kernel Engine Driver;C:\Program Files\ArcaMicroScanPro\arcaen.sys [] S3 arcaev;ArcaVir Monitor Kernel Events Driver;C:\Program Files\ArcaMicroScanPro\arcaev.sys [] S3 arcafd;ArcaVir Monitor Kernel Filter Driver;C:\Program Files\ArcaMicroScanPro\arcafd.sys [] *Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER *Newly Created Service* - AVG_ANTI-SPYWARE_GUARD . Contents of the 'Scheduled Tasks' folder "2008-07-19 19:00:04 C:\WINDOWS\Tasks\AF249C52918F1412.job" - c:\docume~1\pikor\daneap~1\platfo~1\ItchOozeSlow.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-19 21:42:18 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2008-07-19 21:46:25 ComboFix-quarantined-files.txt 2008-07-19 19:46:17 ComboFix2.txt 2008-07-19 17:11:26 ComboFix3.txt 2008-07-19 16:45:03 Pre-Run: 14,640,226,304 bajtów wolnych Post-Run: 14,646,366,208 bajtów wolnych 93

**Posty:** 7956 · przez **Magik** 19 Lip 2008, 21:55

cos siedzi w mbr..w logach nic szczegolnego

sciagnij

http://www2.gmer.net/mbr/mbr.exe

sofcik stworzy plik tekstowy mbr.log :arrow:

i wklej ten log na forum :arrow:

nastepnie w lini komend

start :arrow:

uruchom "cmd"

wpisujesz

Kod: Zaznacz wszystko: C:\mbr.exe -f

Autor postu otrzymał pochwałę

**Posty:** 19 · przez **Bart_72** 19 Lip 2008, 22:22

Oto log z mbr.exe

Kod: Zaznacz wszystko: Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully MBR rootkit code detected ! malicious code @ sector 0x4a8143f size 0x1fd ! copy of MBR has been found in sector 62 ! MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

Machnąłem już tę komendę...

**Posty:** 7956 · przez **Magik** 19 Lip 2008, 22:28

Bart_72 napisał(a):Oto log z mbr.exe

Bart_72 napisał(a):Machnąłem już tę komendę...

spoko bo siedzial rootkit w mbr :arrow:

zrob jeszcze to
http://forum.programosy.pl/program-szukajacy-trojanow-i-malware-vt97108.html

i slcuhaj jakas optymalizacja systemu na ta zamule bo poza tym virem w mbr nic raczej wiecej nie bedzie

**Posty:** 19 · przez **Bart_72** 20 Lip 2008, 00:47

Dużo lepiej! Bardzo dziękuję wszystkim

**Posty:** 18165 · przez **wojtas** 20 Lip 2008, 11:58

pokaz na wszelki wypadek log z mbr...

**Posty:** 19 · przez **Bart_72** 20 Lip 2008, 20:08

Bardzo proszę, oto log z mbr

Kod: Zaznacz wszystko: Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK

**Posty:** 84 · przez **gloni** 20 Lip 2008, 20:47

Bart_72 napisał(a):Bardzo proszę, oto log z mbr

Kod: Zaznacz wszystko
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net device: opened successfully user: MBR read successfully kernel: MBR read successfully user & kernel MBR OK

log czysty jescze to zastosuj
Modlitwe by Mario

Wykonaj to co jest podane w tym temacie

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp

2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem

całkowite zmulenie kompa, kłopoty z ie i ffoxem

Całkowite zmulenie kompa, kłopoty z IE i FFoxem

Kto jest na forum