bardzo wolny internet

[Rafael]

Logfile of HijackThis v1.99.1
Scan saved at 23:48:11, on 2007-04-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\SAGEM WiFi manager\WLANUTL.exe
G:\Programy\Konnekt\konnekt.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Steam\Steam.exe
G:\Programy\Opera\Opera.exe
G:\Programy\The Bat\thebat.exe
G:\Programy\Winamp\winamp.exe
G:\Programy\Total Commander\TOTALCMD.EXE
D:\abc\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [AVP] "G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Program sieciowy dla SAGEM Wi-Fi 11g USB adapter.lnk = ?
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

Mianowicie, nie moge wyslac nic ze swojego kompa, na net, transfer przy laczu 2 megowym wynosi okolo 1kb/s co jest poprostu niemozliwe... To jest od jakis 3 tygodni, nie wiem dlaczego ale, powoli mnie to irytuje. Nie moge centralnie nic wyslac od siebie z kompa na net, chociaz odbieranie chodzi na poziomie 200/250 kb/s.

Czekam na jakies rady, tudziez pomysly jak to wyplewic.
Wstawiam jeszcze link z netstata

TCP raf:1029 localhost:1070 USTANOWIONO
TCP raf:1030 localhost:1034 USTANOWIONO
TCP raf:1030 localhost:1043 USTANOWIONO
TCP raf:1030 localhost:1064 USTANOWIONO
TCP raf:1030 localhost:1067 USTANOWIONO
TCP raf:1031 localhost:1068 USTANOWIONO
TCP raf:1032 localhost:1069 USTANOWIONO
TCP raf:1034 localhost:1030 USTANOWIONO
TCP raf:1043 localhost:1030 USTANOWIONO
TCP raf:1064 localhost:1030 USTANOWIONO
TCP raf:1067 localhost:1030 USTANOWIONO
TCP raf:1068 localhost:1031 USTANOWIONO
TCP raf:1069 localhost:1032 USTANOWIONO
TCP raf:1070 localhost:1029 USTANOWIONO
TCP raf:1110 localhost:4438 CZAS_OCZEKIWANIA
TCP raf:1110 localhost:4440 CZAS_OCZEKIWANIA
TCP raf:1110 localhost:4446 CZAS_OCZEKIWANIA
TCP raf:1110 localhost:4460 USTANOWIONO
TCP raf:1110 localhost:4462 USTANOWIONO
TCP raf:1993 localhost:1110 OCZEKIWANIE_ZAMKN
TCP raf:4442 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4444 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4448 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4450 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4452 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4454 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4456 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4458 localhost:1110 CZAS_OCZEKIWANIA
TCP raf:4460 localhost:1110 USTANOWIONO
TCP raf:4462 localhost:1110 USTANOWIONO

Zastanawia mnie dlaczego przy ilosci wpisow z adresem www jest ich kolo 5, samego localhost jak widac kilka razy wiecej.

Pozdrawiam
Rafal.

[wojtas]

daj loga z silent runners i comboscan


http://forum.programosy.pl/hijackthis-amp-silent-runners-gtobsuga-i-umieszczanie-vt9452.html
http://forum.programosy.pl/dodatkowe-narzedzia-do-usuwania-i-ochrony-vt42021.html

[Rafael]

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTSyncU.exe" = ""C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"" [empty string]
"Steam" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe" [empty string]
"CTStartup" = "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run" ["Creative Technology Ltd."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"(Default)" = "(empty string)" [file not found]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"AVP" = ""G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{24849E2F-0A86-40CD-A62A-B12F161882DB}" = "ZEN V Series Media Explorer"
-> {HKLM...CLSID} = "ZEN V Series Media Explorer"
\InProcServer32\(Default) = "C:\Program Files\Creative\SBLive\ZEN V Series Media Explorer\SHCTMTP.dll" ["Creative Technology Ltd"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"
-> {HKLM...CLSID} = "Web Anti-Virus statistics"
\InProcServer32\(Default) = "G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Rafal\Dane aplikacji\Opera\Opera\profile\skin\1198218.bmp"


Startup items in "Rafal" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"Program sieciowy dla SAGEM Wi-Fi 11g USB adapter" -> shortcut to: "C:\Program Files\SAGEM WiFi manager\WLANUTL.exe" [" "]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Web Anti-Virus statistics"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
Kaspersky Anti-Virus 6.0, AVP, ""G:\Programy\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r" ["Kaspersky Lab"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 465 seconds, including 4 seconds for message boxes)

Rafał.

[wojtas]

daj loga z comboscana tu nic nie ma

[Precel]

wojtas19162 nech sprawdzi loga ale mi to wyglada na problem po stronie twojego isp czyli neozdrady proponuje po upewnieniu sie ze nei ma wirusow -zazdzonic na blue lane-9393 i zapytaniu sie o co kaman

[Gerwazy]

Rafael masz internet z NETI? Tzn "Net24"? bo mam ten sam problem.

[Rafael]

Okazuje sie ze problem zostal wykryty, tzn. problem lezy po stronie TPSA. Ww calym wojewodzctwie padlo UDP, nie dziala kompletnie chociaz odbior idzie sliczniutko. Zostalem dzisiaj poinformowany o tym fakcie na 800102102 gdzie gosc zostal lekko zaskoczony podsumowaniem ktore uslyszal z mojej strony, delikatnie mnie informujac ze rozmowa ta jest nagrywana :>. Ta firma jest kompletnie niepowazna, a udp u nich nie dziala od 4 tygodni i oni nie widza kiedy sie naprawi (wkoncu moze jakies cuda sie zdarza)...

Pomijajac juz reszte, komp zostal kompletnie przeskanowany, brak jakichkolwiek trojanow, spamu, czegokolwiek co mogloby spowodowac taki a nie inny skutek.

Serdeczne dzieki za chec pomocy
Pozdrawiam Panowie
Rafal