explorer.exe error

I have this problem: when I press the right mouse button I get an explorer.exe application error.
I don't know what to do about it, please help.

Replies: 10

Hi, I also have a problem with Explorer, but a slightly different one.
Mine "freezes" after a while (sometimes 5 minutes, sometimes tens of minutes). I can't click on any desktop icons, the Start menu doesn't work, etc. What could it be? Please help.

Here are the logs:


Logfile of HijackThis v1.99.1
Scan saved at 01:58:10, on 2005-09-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
c:\usr\MYSQL\bin\mysqld.exe
D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CD-DVD Lock\CDVAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\PROGRA~1\SECURE~1\sseagent.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\@Stabio\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.com/btbroadbandstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 209.8.233.15:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-781cd0e19f00} - c:\program files\steganos internet anonym pro 7\siapro7iep.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CDVAgent] C:\Program Files\CD-DVD Lock\CDVAgent.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O8 - Extra context menu item: &Search - http://kn.bar.need2find.com/KN/menusearch.html?p=KN
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra 'Tools' menuitem: VisualRoute Trace - {04849C74-016E-4a43-8AA5-1F01DE57F4A1} - C:\Program Files\VisualRoute\vrie.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (HKCU)
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O18 - Protocol: vskype - (no CLSID) - (no file)
O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gene6 FTP Server (G6FTPServer) - Gene6 - C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE
O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
O23 - Service: InterBase Guardian (InterBaseGuardian) - Unknown owner - d:\Program Files\Borland\InterBase\bin\ibguard.exe (file missing)
O23 - Service: InterBase Server (InterBaseServer) - Unknown owner - d:\Program Files\Borland\InterBase\bin\ibserver.exe (file missing)
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - D:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe





"Silent Runners.vbs", revision RED (R28) (Echo output), launched at: 02:08
Operating System: Windows XP SP2


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Active Desktop Calendar" = "C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" ["XemiComputers ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"LaunchAp" = "C:\Program Files\Launch Manager\LaunchAp.exe" [empty string]
"PowerKey" = ""C:\Program Files\Launch Manager\PowerKey.exe"" [empty string]
"LManager" = "C:\Program Files\Launch Manager\HotkeyApp.exe" ["Wistron"]
"CtrlVol" = "C:\Program Files\Launch Manager\CtrlVol.exe" ["Wistron"]
"LMgrOSD" = "C:\Program Files\Launch Manager\OSDCtrl.exe" [empty string]
"Wbutton" = ""C:\Program Files\Launch Manager\Wbutton.exe"" [empty string]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"DU Meter" = "C:\Program Files\DU Meter\DUMeter.exe" ["Hagel Technologies"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"CDVAgent" = "C:\Program Files\CD-DVD Lock\CDVAgent.exe" ["Soft Stile Co."]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "C:\WINDOWS\inf\unregmp2.exe /ShowWMP" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4D1C4E81-A32A-416b-BCDB-33B3EF3617D3}\(Default) = "Need2Find Bar BHO"
-> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found]
{59879FA4-4790-461c-A1CC-4EC4DE4CA483}\(Default) = (no title provided)
-> resolves to: {CLSID}\InprocServer32\(Default) = "(no data)" [file not found]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\FLASHGET\jccatch.dll" ["Amaze Soft"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> resolves to: {CLSID}\InprocServer32\(Default) = "D:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = "FlashFXP Helper for Internet Explorer"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"PostBootReminder" = "{7849596a-48ea-486e-8937-a2a3009f31a9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"CDBurn" = "{fbeb8a05-beee-4442-804e-409d6c4515e9}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
"WebCheck" = "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\webcheck.dll" [MS]
"SysTray" = "{35CEC8A3-2BE6-11D2-8773-92E220524153}"
-> resolves to: {CLSID}\InprocServer32\(Default) = "C:\WINDOWS\system32\stobject.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! "AtiExtEvent\DLLName" = "Ati2evxx.dll" ["ATI Technologies Inc."]


Startup items in "@Stabio" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"D-Link AirPlus" -> shortcut to: "C:\Program Files\D-Link AirPlus\AirPlus.exe" ["D-Link"]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - @Stabio" -> launches: "D:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Aktualizacje automatyczne, wuauserv, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wuauserv.dll" [MS]}
Apache2, Apache2, ""C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice" ["Apache Software Foundation"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Bufor wydruku, Spooler, "C:\WINDOWS\system32\spoolsv.exe" [MS]
Centrum zabezpieczeń, wscsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wscsvc.dll" [MS]}
Dziennik zdarzeń, Eventlog, "C:\WINDOWS\system32\services.exe" [MS]
Gene6 FTP Server, G6FTPServer, ""C:\Program Files\Gene6 FTP Server\G6FTPSERVER.EXE"" ["Gene6"]
GFI LANguard N.S.S. 5.0 attendant service, GFI LANguard N.S.S. 5.0 attendant service, ""C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service" ["GFI Software Ltd."]
Harmonogram zadań, Schedule, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\schedsvc.dll" [MS]}
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
Instrumentacja zarządzania Windows, winmgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\wbem\WMIsvc.dll" [MS]}
ISSvc, ISSVC, ""D:\Program Files\Norton Internet Security\ISSVC.exe"" ["Symantec Corporation"]
Klient DHCP, Dhcp, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dhcpcsvc.dll" [MS]}
Klient DNS, Dnscache, "C:\WINDOWS\system32\svchost.exe -k NetworkService" {"C:\WINDOWS\System32\dnsrslvr.dll" [MS]}
Klient śledzenia łączy rozproszonych, TrkWks, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\trkwks.dll" [MS]}
Kompozycje, Themes, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Konfiguracja zerowej sieci bezprzewodowej, WZCSVC, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wzcsvc.dll" [MS]}
Logowanie pomocnicze, seclogon, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\seclogon.dll" [MS]}
Magazyn chroniony, ProtectedStorage, "C:\WINDOWS\system32\lsass.exe" [MS]
Menedżer dysków logicznych, dmserver, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\dmserver.dll" ["Microsoft Corp."]}
Menedżer kont zabezpieczeń, SamSs, "C:\WINDOWS\system32\lsass.exe" [MS]
Menedżer połączeń usługi Dostęp zdalny, RasMan, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\rasmans.dll" [MS]}
Monitor podczerwieni, Irmon, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\irmon.dll" [MS]}
MySql, MySql, "c:\usr/MYSQL/bin/mysqld.exe" [null data]
Norton AntiVirus Auto-Protect Service, navapsvc, ""D:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Plug and Play, PlugPlay, "C:\WINDOWS\system32\services.exe" [MS]
Pomoc i obsługa techniczna, helpsvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll" [MS]}
Pomoc TCP/IP NetBIOS, LmHosts, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\lmhsvc.dll" [MS]}
Połączenia sieciowe, Netman, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\netman.dll" [MS]}
Program uruchamiający proces serwera DCOM, DcomLaunch, "C:\WINDOWS\system32\svchost -k DcomLaunch" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Przeglądarka komputera, Browser, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\browser.dll" [MS]}
Rejestr zdalny, RemoteRegistry, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\system32\regsvc.dll" [MS]}
Rozpoznawanie lokalizacji w sieci (NLA), Nla, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mswsock.dll" [MS]}
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\system32\UAService7.exe" [null data]
Serwer, lanmanserver, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\srvsvc.dll" [MS]}
Stacja robocza, lanmanworkstation, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\wkssvc.dll" [MS]}
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Symantec Core LC, Symantec Core LC, ""C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
System zdarzeń COM+, EventSystem, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\es.dll" [MS]}
Telefonia, TapiSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\tapisrv.dll" [MS]}
Urządzenie alarmowe, Alerter, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\system32\alrsvc.dll" [MS]}
Usługa bramy warstwy aplikacji, ALG, "C:\WINDOWS\System32\alg.exe" [MS]
Usługa Czas systemu Windows, W32Time, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\w32time.dll" [MS]}
Usługa odnajdywania SSDP, SSDPSRV, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\ssdpsrv.dll" [MS]}
Usługa raportowania błędów, ERSvc, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ersvc.dll" [MS]}
Usługi IPSEC, PolicyAgent, "C:\WINDOWS\system32\lsass.exe" [MS]
Usługi kryptograficzne, CryptSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\cryptsvc.dll" [MS]}
Usługi terminalowe, TermService, "C:\WINDOWS\System32\svchost -k DComLaunch" {"C:\WINDOWS\System32\termsrv.dll" [MS]}
WebClient, WebClient, "C:\WINDOWS\system32\svchost.exe -k LocalService" {"C:\WINDOWS\System32\webclnt.dll" [MS]}
Windows Audio, AudioSrv, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\audiosrv.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\WINDOWS\system32\svchost.exe -k imgsvc" {"C:\WINDOWS\system32\wiaservc.dll" [MS]}
Wykrywanie sprzętu powłoki, ShellHWDetection, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}
Zapora systemu Windows/Udostępnianie połączenia internetowego, SharedAccess, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\ipnathlp.dll" [MS]}
Zawiadomienie o zdarzeniu systemowym, SENS, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\sens.dll" [MS]}
Zdalne wywoływanie procedur (RPC), RpcSs, "C:\WINDOWS\system32\svchost -k rpcss" {"C:\WINDOWS\system32\rpcss.dll" [MS]}
Zgodność szybkiego przełączania użytkowników, FastUserSwitchingCompatibility, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\shsvcs.dll" [MS]}

olexy
Posted
18.09.2005 05:10:15
I don't have another system on the computer.
I have 2 computers at home; one is still under warranty and I can't open it up (warranty seals), and the other has Windows 98 or 95 on it, for the life of me I can't remember because it hasn't been used in ages, but I'd bet on 98. Can it be done with that?
Damn, I'm green at this and wouldn't want to break anything, so maybe just reinstall the system??
Or can it somehow be repaired by booting from the CD in repair mode??
If you could give me a link to what Amon-Ra wrote about it, that would be great.
Martaa
Posted
16.09.2005 19:18:52
Userinit has gone to pieces... Did you fix the F2 entry in HijackThis before you logged off?
I gave that last fix specifically so that Userinit would be corrected just in case. It was all supposed to be done in one go.
After you tick and fix that entry, HJT should automatically rewrite it to its default form, i.e.: C:\WINDOWS\system32\userinit.exe,
Evidently it didn't do that.
Do you have some other system installed on the disk? Or maybe you know someone nearby; the disk would have to be hooked up to their machine so your registry can be loaded and modified the way Amon-Ra describes in the pinned FAQ.
Bobi
Posted
16.09.2005 18:03:17
Oh, uphill again. I wanted to start Safe Mode and something surprised me: I log on to the Administrator account, "loading your personal settings" appears, the desktop shows for a second and then it immediately starts logging off, and the same thing happens when I try to log on normally.
Is it only a format now??
Martaa
Posted
16.09.2005 17:50:09
LSP is clean; uninstalling New.Net removed the library from there as well.
Since the entries keep coming back, some junk is still sitting on the disk.
- Start the system in Safe Mode
- Open a command prompt and unregister the winacpi.dll library with the command: regsvr32 /u winacpi.dll
- Delete the rest of the junk files from the disk, including winacpi.dll
- Download the fix: repsamo_fix and merge it into the registry
- Also paste the following into Notepad, save it with a .reg extension, and merge that into the registry too:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PayTime"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E8EADB3-665B-4CFB-2D73-34B60048F5BB}]


If it helps, okay; if not, I'd like to see new logs.
Bobi
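Before merging a fix like the one in the post above, it is worth seeing exactly what it will do. The following is an added example, not part of the thread and not the repsamo_fix download: it parses a .reg file in "Windows Registry Editor Version 5.00" syntax and reports the keys it deletes ([-KEY]), the values it removes ("name"=-) and the values it sets, and warns about string values whose backslashes are not doubled, since regedit writes them doubled on export. The sample file is constructed here from the key and value names in the post; the RegPlan structure and the warning texts are my own.

```python
"""Dry-run a .reg fix: report what it deletes and what it sets before importing it."""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Userinit fix posted in this thread; key paths
# and value names come from that post, the text itself is assembled here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PayTime"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4E8EADB3-665B-4CFB-2D73-34B60048F5BB}]
'''


@dataclass
class RegPlan:
    deleted_keys: list = field(default_factory=list)    # key paths
    set_values: list = field(default_factory=list)      # (key, name, data)
    deleted_values: list = field(default_factory=list)  # (key, name)
    warnings: list = field(default_factory=list)


# "name"=data or @=data (the key's default value); the name may contain \" escapes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str, where: str, warnings: list) -> str:
    """Decode the two .reg string escapes (doubled backslash, escaped quote).
    A backslash that escapes nothing is kept but reported: regedit writes
    backslashes doubled on export, so a lone one is a hand-edit smell."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '\\"':
            out.append(s[i + 1])
            i += 2
            continue
        if s[i] == "\\":
            warnings.append(f"{where}: lone backslash in string, double it before importing")
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_reg(text: str) -> RegPlan:
    plan = RegPlan()
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("Windows Registry Editor Version 5.00", "REGEDIT4"):
        plan.warnings.append("line 1: missing .reg header")
    key = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):          # [-KEY] deletes the whole key
                plan.deleted_keys.append(path[1:])
                key = None
            else:
                key = path
            continue
        m = _VALUE_RE.match(line)
        if not m:
            plan.warnings.append(f"line {n}: unrecognised syntax: {line}")
            continue
        if key is None:
            plan.warnings.append(f"line {n}: value outside a key (or under a deleted key)")
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1], f"line {n}", plan.warnings)
        data = m.group(2).strip()
        if data == "-":                        # "name"=- deletes that value
            plan.deleted_values.append((key, name))
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            plan.set_values.append((key, name, _unescape(data[1:-1], f"line {n}", plan.warnings)))
        else:                                  # dword:, hex:, hex(7): ... reported raw
            plan.set_values.append((key, name, data))
    return plan


def describe(plan: RegPlan) -> list:
    """One line per action the import would perform, plus any warnings."""
    out = [f"DELETE KEY   {k}" for k in plan.deleted_keys]
    out += [f"DELETE VALUE {k}\\{n}" for k, n in plan.deleted_values]
    out += [f"SET          {k}\\{n} = {d!r}" for k, n, d in plan.set_values]
    out += [f"WARNING      {w}" for w in plan.warnings]
    return out


if __name__ == "__main__":
    print("\n".join(describe(parse_reg(SAMPLE_REG))))
```

Run it against any fix you are handed before double-clicking it; a fix that only touches the keys the helper named (Winlogon, a Run entry, an Active Setup stub and one BHO CLSID) is what you expect to see, and a lone-backslash warning means the Userinit string may not land on disk as written.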
Posted
16.09.2005 16:48:37
What does "bolded" mean?
I removed the junk with HijackThis.
What do I need the LSP-Fix program for?
How do I get rid of this from the registry?
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}" -> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
The value comes back every time.
Martaa
Posted
15.09.2005 21:54:19
This is what I expected, namely Repsamo adding its library to the context menu.

1. Disable System Restore
2. Download the LSP-Fix program
3. Boot the system into Safe Mode
4. Uninstall New.Net (NewDotNet) in Add/Remove Programs
5. Get rid of these entries in HijackThis:

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [Arwa] C:\Program Files\reco\ecbw.exe

O4 - HKCU\..\Run: [Hdemecy] C:\WINDOWS\System32\??rvices.exe
The file will look identical to services.exe; the difference is that the legitimate one is signed by Microsoft. Delete the fake one.

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/lca.chm::/bridge-c46.cab


6. Delete the bolded files/folders from the disk
7. Silent Runners additionally showed the following:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"PayTime" = "C:\WINDOWS\System32\paytime.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4E8EADB3-665B-4CFB-2D73-34B60048F5BB}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\zqdfbehw.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServ32\(Default) = "C:\windows\system32\winacpi.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]


"{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]


What's marked in red is your main symptom: Explorer crashing on right-click.
The bolded strings disappear from the registry keys given, and the files as well.
BTW: Not much has changed since then, it's a repeat of history. Are you sure you applied that fix back then? If not, do it now.

Update: Link corrected.
Bobi
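To see which of the entries in the post above can be caught mechanically rather than by eye, here is an added example (my own code, not a HijackThis or Silent Runners feature and not something posted in the thread) that triages HijackThis log lines for the patterns the helper acted on: a non-default Winlogon Userinit, an unnamed BHO, a Run entry whose file name imitates a system binary through characters the log renders as "?", an ms-its:/mhtml: ActiveX downloader, and orphaned entries whose file is already gone. The sample lines are copied from the logs in this thread plus one clean control entry; the severity labels, the SYSTEM_NAMES list and the rule thresholds are my assumptions.

```python
"""Triage HijackThis log lines for the entry patterns acted on in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# plus one clean Run entry (jusched) as a control that must not be flagged.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe",
    r"O2 - BHO: (no name) - {4E8EADB3-665B-4CFB-2D73-34B60048F5BB} - C:\WINDOWS\System32\zqdfbehw.dll",
    r"O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - (no file)",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe",
    r"O4 - HKCU\..\Run: [Hdemecy] C:\WINDOWS\System32\??rvices.exe",
    r"O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/lca.chm::/bridge-c46.cab",
    r'O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)',
]

# The XP default, trailing comma included; HijackThis prints an F2 line only when
# the value differs from it.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"
# Names malware likes to imitate and that Windows never starts from a Run key (assumed list).
SYSTEM_NAMES = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "smss.exe"}


@dataclass
class Finding:
    section: str    # HJT section, e.g. "O4"
    severity: str   # "info", "suspicious" or "malicious"
    reason: str
    line: str


def userinit_is_default(value: str) -> bool:
    return value.strip().lower() == DEFAULT_USERINIT


def _exe_of(command: str) -> str:
    """Basename of the first .exe/.dll/.cpl/.scr in a Run command, quoted or not."""
    m = re.match(r'^"?(.*?\.(?:exe|dll|cpl|scr))(?=["\s,]|$)', command, re.I)
    if m:
        target = m.group(1)
    else:
        target = command.split()[0] if command.split() else command
    return target.replace("/", "\\").rsplit("\\", 1)[-1]


def _masqueraded(name: str) -> bool:
    # HJT renders glyphs outside the console code page as '?'; a file name that
    # needs them is imitating a system binary (??rvices.exe next to services.exe).
    return "?" in name or any(ord(c) > 127 for c in name)


def triage(lines) -> list:
    findings = []
    for raw in lines:
        line = raw.strip()
        m = re.match(r"^([FOR]\d+)\s*-\s*(.*)$", line)
        if not m:
            continue
        sec, body = m.groups()
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(Finding(sec, "info", "orphaned entry, target file missing", line))
            continue
        if sec == "F2" and body.lower().startswith("reg:system.ini: userinit="):
            if not userinit_is_default(body.split("=", 1)[1]):
                findings.append(Finding(sec, "suspicious", "non-default Winlogon Userinit", line))
        elif sec == "O2":
            parts = [p.strip() for p in body.split(" - ")]     # BHO: <name> - {CLSID} - <path>
            if len(parts) == 3:
                name, _clsid, path = parts
                exe = _exe_of(path)
                if name.endswith("(no name)") or _masqueraded(exe):
                    findings.append(Finding(sec, "suspicious", f"unnamed BHO loading {exe}", line))
        elif sec == "O4":
            mm = re.match(r"^.*?\\Run: \[[^\]]*\] (.*)$", body)  # HKxx\..\Run: [name] command
            if mm:
                exe = _exe_of(mm.group(1))
                if _masqueraded(exe):
                    findings.append(Finding(sec, "malicious", f"Run entry imitating a system binary: {exe}", line))
                elif exe.lower() in SYSTEM_NAMES:
                    findings.append(Finding(sec, "suspicious", f"system binary name started from a Run key: {exe}", line))
        elif sec == "O16" and re.search(r"\bms-its:|\bmhtml:", body, re.I):
            findings.append(Finding(sec, "malicious", "ActiveX downloader via ms-its:/mhtml: CHM chain", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:10}] {f.section}: {f.reason}")
```

The heuristics only cover what a log shows; the random-named ecbw.exe in the post above is the kind of entry that still needs a human (or a signature check on the file itself, which is exactly the test the helper gives for the fake services.exe).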
Posted
15.09.2005 18:37:03
Logfile of HijackThis v1.99.1
Scan saved at 15:27:41, on 2005-09-15
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\MultiRes\MultiRes.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\windows\system32\mdms.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\reco\ecbw.exe
C:\WINDOWS\System32\??rvices.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\MYIE2\MyIE.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\martus\USTAWI~1\Temp\Rar$EX00.578\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O2 - BHO: (no name) - {4E8EADB3-665B-4CFB-2D73-34B60048F5BB} - C:\WINDOWS\System32\zqdfbehw.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CleanRegPath] C:\PROGRA~1\ADSLUT~1\CleanReg.exe
O4 - HKLM\..\Run: [wpkontakt] C:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe -autostart
O4 - HKLM\..\Run: [MultiRes] C:\Program Files\MultiRes\MultiRes.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Skrót do strony właściwości High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [CnxTrApp] rundll32.exe "C:\Program Files\ADSL USB Router\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Arwa] C:\Program Files\reco\ecbw.exe
O4 - HKCU\..\Run: [Hdemecy] C:\WINDOWS\System32\??rvices.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\adsuntdt.mht!http://adextension.com/ext2/lca.chm::/bridge-c46.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe




"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Arwa" = "C:\Program Files\reco\ecbw.exe" [null data]
"Hdemecy" = (value not set)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CleanRegPath" = "C:\PROGRA~1\ADSLUT~1\CleanReg.exe" [file not found]
"wpkontakt" = "C:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe -autostart" [null data]
"MultiRes" = "C:\Program Files\MultiRes\MultiRes.exe" ["EnTech Taiwan"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]
"ATIPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"Skrót do strony właściwości High Definition Audio" = "HDAudPropShortcut.exe" ["Windows (R) Server 2003 DDK provider"]
"PayTime" = "C:\WINDOWS\System32\paytime.exe" [file not found]
"SysMemory manager" = "c:\windows\system32\mdms.exe" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"New.net Startup" = "rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s" [MS]
"CnxTrApp" = "rundll32.exe "C:\Program Files\ADSL USB Router\CnxTrApp.dll",AppEntry -REG "Conexant\Conexant USB Network"" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4E8EADB3-665B-4CFB-2D73-34B60048F5BB}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\zqdfbehw.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
sysacpildap\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WPKontakt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\martus\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "martus" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\NewDotNet\newdotnet6_38.dll" ["New.net, Inc."]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\NewDotNet\newdotnet6_38.dll ["New.net, Inc."], 01 - 02, 09 - 10
%SystemRoot%\system32\mswsock.dll [MS], 03 - 06, 11 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08
Martaa
Added
15.09.2005 17:30:28
I think you've got some junk in your system.
Post the logs from HijackThis and Silent Runners, and look through the Event Viewer logs.
Bobi
Added
15.09.2005 17:14:44
I looked through the FAQ before writing this post; unfortunately there is nothing there about this error.
Martaa
Added
15.09.2005 16:31:04
Martaa
Added:
15.09.2005 14:52:44
Comments:
10