bardzo proszę o sprawdzenie :
ComboFix 10-04-19.08 - Bartek 2010-04-20 20:16:56.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.48.1045.18.1023.560 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Bartek\Pulpit\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\AutoRun.inf
.
((((((((((((((((((((((((( Pliki utworzone od 2010-03-20 do 2010-04-20 )))))))))))))))))))))))))))))))
.
2010-04-18 20:06 . 2010-04-18 20:13 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Comodo
2010-04-18 20:06 . 2010-04-18 20:06 171552 ----a-w- c:\windows\system32\guard32.dll
2010-04-18 20:06 . 2010-04-18 20:06 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-04-18 20:06 . 2010-04-18 20:06 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-18 20:06 . 2010-04-18 20:06 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-04-18 16:01 . 2010-04-18 16:01 -------- d-----w- c:\windows\l2schemas
2010-04-18 16:01 . 2010-04-18 16:01 -------- d-----w- c:\windows\system32\pl
2010-04-18 16:01 . 2010-04-18 16:01 -------- d-----w- c:\windows\system32\bits
2010-04-18 15:42 . 2010-04-18 15:42 -------- d-----w- c:\windows\EHome
2010-04-18 14:51 . 2004-08-03 20:29 73216 ------w- c:\windows\system32\drivers\atintuxx.sys
2010-04-17 10:08 . 2010-04-17 10:08 932368 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-04-17 10:08 . 2010-04-17 10:08 678416 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-04-17 10:08 . 2010-04-17 10:08 604688 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-04-17 10:08 . 2010-04-17 10:08 1096208 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-04-17 10:08 . 2010-04-17 10:08 522768 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-04-17 10:07 . 2010-04-17 10:07 397328 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-04-17 10:07 . 2010-04-17 10:07 19472 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-04-17 09:35 . 2010-04-17 09:35 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2010-04-17 09:29 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-04-16 21:21 . 2010-04-16 21:22 -------- d-----w- c:\program files\SkanerOnline
2010-04-16 20:21 . 2010-04-18 20:04 -------- d-----w- c:\documents and settings\Bartek\Dane aplikacji\QuickScan
2010-04-16 20:21 . 2010-04-13 13:58 670696 ----a-w- c:\documents and settings\Bartek\Dane aplikacji\Mozilla\Firefox\Profiles\ry5isy6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
2010-04-16 20:21 . 2010-04-13 13:58 833960 ----a-w- c:\documents and settings\Bartek\Dane aplikacji\Mozilla\Firefox\Profiles\ry5isy6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
2010-04-16 20:02 . 2010-04-18 20:06 -------- d-----w- c:\program files\COMODO
2010-04-16 19:58 . 2010-04-16 19:58 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Alwil Software
2010-04-16 19:45 . 2009-11-21 16:03 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-20 18:25 . 2008-04-09 18:17 -------- d-----w- c:\documents and settings\Bartek\Dane aplikacji\Skype
2010-04-20 18:24 . 2010-04-17 09:45 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2010-04-18 18:24 . 2004-08-04 12:00 68554 ----a-w- c:\windows\system32\perfc015.dat
2010-04-18 18:24 . 2004-08-04 12:00 439538 ----a-w- c:\windows\system32\perfh015.dat
2010-04-18 18:23 . 2008-04-09 18:42 23768 ----a-w- c:\documents and settings\Bartek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2010-04-18 16:05 . 2008-04-09 17:33 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-17 10:07 . 2010-04-17 10:07 109072 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-04-17 10:07 . 2010-04-17 10:07 80400 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-17 10:07 . 2010-04-17 10:07 315408 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-04-17 10:07 . 2010-04-17 10:07 397328 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-04-17 10:07 . 2010-04-17 10:07 17936 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-04-17 10:07 . 2010-04-17 10:07 109072 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-04-17 10:07 . 2010-04-17 10:07 80400 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-04-17 10:06 . 2010-04-17 10:06 315408 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-04-17 09:46 . 2010-04-17 09:46 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2010-04-17 09:46 . 2010-04-17 09:46 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2010-04-17 09:45 . 2010-04-17 09:45 -------- d-----w- c:\program files\Kaspersky Lab
2010-04-16 20:47 . 2009-09-03 09:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-16 19:58 . 2009-09-03 09:28 -------- d-----w- c:\program files\Alwil Software
2010-03-11 12:35 . 2004-08-04 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:35 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:35 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:11 . 2004-08-04 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-24 13:11 . 2004-08-04 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 12:09 . 2004-08-04 12:00 2191232 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:09 . 2004-08-04 00:38 2068096 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:34 . 2004-08-04 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-04 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2008-04-09 18:16 . 2008-04-09 18:16 14290 ----a-w- c:\program files\settings.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2006-10-13 20058152]
"Gadu-Gadu"="c:\program files\Gadu-Gadu\gg.exe" [2006-02-17 2396160]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-11 49152]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-20 340456]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-04-18 1800464]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Bartek\Menu Start\Programy\Autostart\
AutoBackup Launcher.lnk - c:\program files\Memeo\AutoBackup\MemeoLauncher.exe [2007-2-8 211992]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8461:TCP"= 8461:TCP:GoD High Port
"8462:TCP"= 8462:TCP:GoD Low Port
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2010-04-18 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-04-18 25160]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-09-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-02 19472]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.onet.pl/
IE: Dodaj do blokowanych banerów - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {5D593FCE-A6FE-4F6B-9965-9ADEB84528DD} = 89.108.195.184 217.17.34.10
FF - ProfilePath - c:\documents and settings\Bartek\Dane aplikacji\Mozilla\Firefox\Profiles\ry5isy6b.default\
FF - component: c:\documents and settings\Bartek\Dane aplikacji\Mozilla\Firefox\Profiles\ry5isy6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Bartek\Dane aplikacji\Mozilla\Firefox\Profiles\ry5isy6b.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKLM-Run-Cmaudio - cmicnfg.cpl
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 20:24
Windows 5.1.2600 Dodatek Service Pack 3 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'explorer.exe'(3712)
c:\windows\system32\WININET.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files\Memeo\AutoBackup\MemeoService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\RunDll32.exe
c:\program files\Memeo\AutoBackup\MemeoBackup.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2010-04-20 20:32:23 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2010-04-20 18:32
Przed: 23 761 760 256 bajtów wolnych
Po: 23 756 328 960 bajtów wolnych
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
- - End Of File - - D532176F22FC4B17AA7B68E253F4B8CE
mam też drugie pytanie / prośbę:
po naprawie zawirusowanego kompa ( innego niż ten z którego są logi ) jest kłopot ze startem, mianowicie wszystko się fajnie włącza ale przez długi okres nie działa pasek na dole ( po najechaniu widzę klepsydrę ) i nie da sie włączyć żadnego programu aż do momentu aż komputer zaskoczy ( trwa do około 5 minut). pisze to tutaj bo zauważyłem ze był skanowany combofixem i ze np nie ma usuniętego folderu Qoobox co jak piszecie po skanowaniu należy zrobić ?
co moze byc problemem ?
dowiedziałem sie przed chwilą od serwisu w którym naprawiałem kompa ze jest to standardowy objaw po "tak ciężkim odwirusowaniu" jak ja miałem ( tak twierdzi serwis ) i ze musze sformatować kompa
B
Użytkownik BartoszM edytował ten post 21 04 2010 - 10:55