Virus!?
The computer runs very slowly; while browsing the net, after a while a message pops up: "iexplore.exe has encountered a problem and needs to close. We are sorry for the inconvenience." (if I don't close it I can keep surfing), and I also can't open movies in WMPlayer.
This is my HijackThis logfile:
(O17 looks suspicious, but I don't know what it is?) :(
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Uźytki\Phone\Skype.exe
C:\Uźytki\eMule\emule.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
F:\HijackThis.exe
C:\WINDOWS\system32\dwwin.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 – REG:system.ini: Shell=explorer.exe
O2 – BHO: (no name) – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: (no name) – {761497BB–D6F0–462C–B6EB–D4DAF1D92D43} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 – HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 – HKCU\..\Run: [Skype] "C:\Uźytki\Phone\Skype.exe" /nosplash /minimized
O4 – HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
O4 – HKCU\..\Run: [eMuleAutoStart] C:\Uźytki\eMule\emule.exe –AutoStart
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 – Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 – Extra button: Messenger (HKLM)
O9 – Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 – DPF: {33564D57–0000–0010–8000–00AA00389B71} – http://download.microsoft.com/download/F/6/E/F6E491A6–77E1–4E20–9F5F–94901338C922/wmv9VCM.CAB
O16 – DPF: {6E32070A–766D–4EE6–879C–DC1FA91D2FC3} (MUWebControl Class) – http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135791835733
O16 – DPF: {D27CDB6E–AE6D–11CF–96B8–444553540000} (Shockwave Flash Object) – http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS1\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS2\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS3\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
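As an added example (not code from the thread or from HijackThis itself), the script below applies to HijackThis-style log lines the three checks this thread ends up doing by eye: an O4 autostart entry whose executable name imitates a core Windows binary (the thread's winlog.exe beside the real winlogon.exe), O17 NameServer values outside the resolvers you expect from your ISP, and O18/O23 entries reported as "(file missing)". The protected-name list, the expected DNS set and the sample log lines are assumptions constructed for this example.

```python
"""Triage of HijackThis-style log entries (added example, not from the thread
or from HijackThis).  The protected-name list, the expected resolver set and
SAMPLE_LOG are constructed assumptions, not data from a real scan."""
import re

# Names malware commonly imitates (assumption; extend for your environment).
PROTECTED_NAMES = sorted({
    "winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
    "services.exe", "explorer.exe", "smss.exe", "spoolsv.exe",
})

# HijackThis writes "O4 - ..."; forum copies often turn the hyphen into a dash.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2})\s[-\u2013]\s(?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Constructed sample in the thread's log format; 203.0.113.53 is a
# documentation-range address standing in for an unknown resolver.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Uzytki\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{GUID}: NameServer = 203.0.113.53,194.204.152.34
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
"""


def levenshtein(a, b):
    """Plain dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_hjt(text):
    """Return (code, body) pairs for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def exe_basename(cmd):
    """Lower-cased basename of the first .exe in a Run command line, or None."""
    m = EXE_RE.search(cmd.strip().strip('"'))
    return m.group(1).lower() if m else None


def lookalike_of(name):
    """Protected binary that `name` imitates (edit distance <= 2), or None."""
    if name in PROTECTED_NAMES:
        return None
    for real in PROTECTED_NAMES:
        if levenshtein(name, real) <= 2:
            return real
    return None


def triage(entries, expected_dns):
    """Return (code, message) findings for the three checks."""
    findings = []
    for code, body in entries:
        if code == "O4":
            m = O4_RE.search(body)
            name = exe_basename(m.group("cmd")) if m else None
            real = lookalike_of(name) if name else None
            if real:
                findings.append((code, f"[{m.group('name')}] runs {name}, a look-alike of {real}"))
        elif code == "O17":
            m = O17_RE.search(body)
            if m:
                servers = {s.strip() for s in m.group("servers").split(",") if s.strip()}
                unexpected = sorted(servers - set(expected_dns))
                if unexpected:
                    findings.append((code, "unexpected DNS: " + ",".join(unexpected)))
        elif code in ("O18", "O23") and "(file missing)" in body:
            findings.append((code, "references a missing file: " + body))
    return findings


def triage_sample():
    """Run the checks over SAMPLE_LOG, treating its first two resolvers as expected."""
    return triage(parse_hjt(SAMPLE_LOG), {"194.204.159.1", "194.204.152.34"})


if __name__ == "__main__":
    for code, msg in triage_sample():
        print(code, msg)
```

The O17 check only tells you the resolvers differ from the set you passed in; whether a given address is legitimate is something to confirm with the ISP's published DNS servers.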
Replies: 20
THANKS EVERYONE FOR THE HELP!!!!
I couldn't take it any more. I decided to ask Uncle FORMAT for help :wink:
If I understood correctly, you no longer have problems with Internet Explorer, but there are still problems with Windows Media Player?
Does the problem recur with other players (BSplayer, Media Player Classic, VLC Media Player)?
Which codecs and filters do you have installed?
Have you tried uninstalling and reinstalling WMP?
I opened Event Viewer and there are quite a few errors and warnings in the System log, e.g. source: most often atapi, cdrom, but judging by the day they appeared it will probably be sr, DCOM and Service Control Manager.
Logfile of HijackThis v1.99.1
Scan saved at 11:11:07, on 2006–03–05
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Uźytki\eMule\emule.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\GHOST\Nowy folder\ngserver.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\GHOST\Nowy folder\bin\dbserv.exe
E:\GHOST\Nowy folder\bin\rteng6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\abc\Pulpit\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: SSVHelper Class – {761497BB–D6F0–462C–B6EB–D4DAF1D92D43} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 – HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 – HKLM\..\Run: [NGServer] E:\GHOST\Nowy folder\ngserver.exe
O4 – HKLM\..\Run: [Odkurzacz–MCD] C:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe
O4 – HKCU\..\Run: [Skype] "C:\Uźytki\Phone\Skype.exe" /nosplash /minimized
O4 – HKCU\..\Run: [eMuleAutoStart] C:\Uźytki\eMule\emule.exe –AutoStart
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O16 – DPF: {6E32070A–766D–4EE6–879C–DC1FA91D2FC3} (MUWebControl Class) – http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135791835733
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS1\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS2\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS3\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O18 – Protocol: bt2 – {1730B77B–F429–498F–9B15–4514D83C8294} – C:\UYTKI~1\BT2Net\BT2Net\BT2PLU~1.DLL (file missing)
O18 – Filter: application/x–bt2 – {6E1DDCE8–76BC–4390–9488–806E8FB1AD77} – C:\UYTKI~1\BT2Net\BT2Net\BT2PLU~1.DLL
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: ATI Smart – Unknown owner – C:\WINDOWS\system32\ati2sgag.exe
O23 – Service: avast! Antivirus – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: InstallDriver Table Manager (IDriverT) – Macrovision Corporation – C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 – Service: LightScribeService Direct Disc Labeling Service (LightScribeService) – Hewlett–Packard Company – C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 – Service: Distributed Transaction Coordinator (MSDTC) – Unknown owner – C:\WINDOWS\System32\msdtc.exe (file missing)
O23 – Service: Symantec Ghost Database Service (ngdbserv) – Symantec New Zealand Limited – E:\GHOST\Nowy folder\bin\dbserv.exe
O23 – Service: Symantec Ghost Configuration Server (NGServer) – Symantec New Zealand Limited – E:\GHOST\Nowy folder\ngserver.exe
I have two remarks.
Download a newer version of HijackThis:
http://www.merijn.org/downloads.html
Check the error information:
Control Panel / Administrative Tools / Event Viewer
HELLO!
Is anybody here? :wink:
wiewia, I DID EVERYTHING AS YOU WROTE
For now there are no problems with the net, but the problem starts when I open WMP :( That winlog.exe was not in System32.
New log:
Logfile of HijackThis v1.97.7
Scan saved at 16:48:00, on 2006–03–04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Uźytki\Phone\Skype.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
E:\GHOST\Nowy folder\ngserver.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
E:\GHOST\Nowy folder\bin\dbserv.exe
E:\GHOST\Nowy folder\bin\rteng6.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
F:\HijackThis.exe
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: (no name) – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 – BHO: (no name) – {761497BB–D6F0–462C–B6EB–D4DAF1D92D43} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 – HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 – HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot
O4 – HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 – HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 – HKLM\..\Run: [NGServer] E:\GHOST\Nowy folder\ngserver.exe
O4 – HKLM\..\Run: [Odkurzacz–MCD] C:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe
O4 – HKCU\..\Run: [Skype] "C:\Uźytki\Phone\Skype.exe" /nosplash /minimized
O4 – HKCU\..\Run: [eMuleAutoStart] C:\Uźytki\eMule\emule.exe –AutoStart
O4 – Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 – Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 – Extra button: Messenger (HKLM)
O9 – Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 – DPF: {33564D57–0000–0010–8000–00AA00389B71} – http://download.microsoft.com/download/F/6/E/F6E491A6–77E1–4E20–9F5F–94901338C922/wmv9VCM.CAB
O16 – DPF: {6E32070A–766D–4EE6–879C–DC1FA91D2FC3} (MUWebControl Class) – http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135791835733
O16 – DPF: {D27CDB6E–AE6D–11CF–96B8–444553540000} (Shockwave Flash Object) – http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 – HKLM\System\CCS\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS1\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS2\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
O17 – HKLM\System\CS3\Services\Tcpip\..\{1241A49D–EE86–4EB9–9638–3CB110439132}: NameServer = 194.204.159.1,194.204.152.34
You have to boot into Safe Mode and double-click the fix you made. And remember to search the disk for the files I wrote to you about, and delete them if they are there. In Folder Options, check "Show hidden and system files".
Wiewia: Open Notepad and paste this into it:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"key2"=-
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ldr64]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mloader32]
File >>> Save As >>> change the file type from TXT to All Files >>> save it as FIX.REG, then boot into Safe Mode and run FIX.REG.
Search the disk for the files mloader32 and ldr64; if they are there, delete them.
Everything is clear up to the point "then boot into Safe Mode ..."
THIS I REMOVED FROM THE REGISTRY:
Whereas this:
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * aswBoot.exe /A:"*" /L:"Polish"" [file not found], [MS], [file not found], [null data], [file not found], [file not found]
Start >>> Run >>> regedit and go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. There, double-click the BootExecute value and remove everything from the box except autocheck autochk *
w84u: In Run type SERVICES.MSC and disable the Indexing Service. Clean the disk, e.g. with the free Odkurzacz, each partition separately (download from http://franmo.marsoft.com.pl/index.htm ), and defragment the disks; the system defragmenter will do, but Diskeeper and Perfect Disk are worth recommending.
So I understand that afterwards I should turn the INDEXING SERVICE back on?
On WIEWIA's advice I ran HijackThis once more and I no longer have the F2 entry, and O4....winlog.exe does not exist in system32, there is only winlogon (the NT logon application).
PS: It is blocking SP2 for me and crashing my AVAST.
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non–default values, except where indicated by "{++}"
Startup items buried in registry:
–––––––––––––––––––––––––––––––––
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skype" = ""C:\Uźytki\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"key2" = "C:\WINDOWS\system32\winlog.exe" [file not found]
"eMuleAutoStart" = "C:\Uźytki\eMule\emule.exe –AutoStart" ["http://www.emule–project.net"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" –osboot" ["RealNetworks, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"NGServer" = "E:\GHOST\Nowy folder\ngserver.exe" ["Symantec New Zealand Limited"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 –k" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43–4d38–484f–9b9e–de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F–C8D7–4D59–B87D–784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{761497BB–D6F0–462C–B6EB–D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045–0000–0000–C000–000000000046}" = "Microsoft Outlook Custom Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{472083B0–C522–11CF–8763–00608CC02F24}" = "avast"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD–5A07–4D91–97F5–A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{4CCEFB41–18FA–11D3–9EF3–00A0C9E897FD}" = "Skladnik rozszerzenia powloki CorelDRAW"
–> {CLSID}\InProcServer32\(Default) = "C:\Uźytki\Corel\DRAW\CDRVIEWER\CrlShell110.dll" [null data]
"{21569614–B795–46b1–85F4–E737A8DC09AD}" = "Shell Search Band"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{640167b4–59b0–47a6–b335–a6b3c0695aea}" = "Portable Media Devices"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a–b60a–48e6–996b–41d25ed39a1e}" = "Portable Media Devices Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{57C51AF9–DEF7–11D3–A801–00C04F163490}" = "Ghost Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "E:\GHOST\Nowy folder\GhoShExt.dll" ["Symantec Corporation"]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * aswBoot.exe /A:"*" /L:"Polish"" [file not found], [MS], [file not found], [null data], [file not found], [file not found]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! ldr64\DLLName = "ldr64.dll" [null data]
INFECTION WARNING! mloader32\DLLName = "mloader32.dll" [null data]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! application/x–bt2\CLSID = "{6E1DDCE8–76BC–4390–9488–806E8FB1AD77}"
–> {CLSID}\InProcServer32\(Default) = "C:\UYTKI~1\BT2Net\BT2Net\BT2PLU~1.DLL" [file not found]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\abc\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Startup items in "abc" & "All Users" startup folders:
–––––––––––––––––––––––––––––––––––––––––––––––––––––
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" –> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE –b –l" [MS]
Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05
Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0–4FCB–11CF–AAA5–00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC–0015–0000–0006–ABCDEFFEDCBC}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]
{FB5F1910–F110–11D2–BB9E–00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett–Packard Company"]
Symantec Ghost Configuration Server, NGServer, "E:\GHOST\Nowy folder\ngserver.exe" ["Symantec New Zealand Limited"]
Symantec Ghost Database Service, ngdbserv, "E:\GHOST\Nowy folder\bin\dbserv.exe" ["Symantec New Zealand Limited"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
––––––––––
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the –supp parameter or answer "No" at the first message box.
–––––––––– (total run time: 35 seconds, including 7 seconds for message boxes)
"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
"I checked with ad_aware"
What I meant was not to rely on one program alone, because it may not catch everything. The same goes for HijackThis, so do what Wiewia wrote.
http://www.silentrunners.org/Silent%20Runners.vbs
"it's probably not beagle, because when it showed up I got rid of it with AVAST, unless it is in the registry, and that's a hard one for me"
Read Wiewia's post!
Placio74: Do what w84u wrote, but besides that...
Disable the unnecessary processes, e.g. ctfmon.exe, dwwin.exe, realsched.exe, jusched.exe, OSA.EXE.
Reinstall Adobe Acrobat Reader, Java, Shockwave Flash and RealOne Player (though maybe install RealAlternative instead of it).
Try reinstalling Internet Explorer.
Check whether the problem repeats in other browsers (Opera, Firefox).
It also won't hurt to check the system with Ad-aware, a-squared and Spybot S&D.
Do you have WinXP? SP2 installed and current patches?
I checked with ad_aware, I have Service Pack 2
it's probably not beagle, because when it showed up I got rid of it with AVAST, unless it is in the registry, and that's a hard one for me
:oops:
Yes, I admit, not O17 but O10.
The O17 entries are OK, leave them, they are your DNS. You'll end up losing your internet.
Placio74, since when is LSPfix for removing O17 entries :shock:
F2 - REG:system.ini: Shell=explorer.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
Delete the entries with the Fix checked command, and the file marked in red manually from the disk.
Post a Silent Runners log, it is in the stickies.
Do what w84u wrote, but besides that...
Disable the unnecessary processes, e.g. ctfmon.exe, dwwin.exe, realsched.exe, jusched.exe, OSA.EXE.
Reinstall Adobe Acrobat Reader, Java, Shockwave Flash and RealOne Player (though maybe install RealAlternative instead of it).
Try reinstalling Internet Explorer.
Check whether the problem repeats in other browsers (Opera, Firefox).
It also won't hurt to check the system with Ad-aware, a-squared and Spybot S&D.
Do you have WinXP? SP2 installed and current patches?
In Run type SERVICES.MSC and disable the Indexing Service. Clean the disk, e.g. with the free Odkurzacz, each partition separately (download from http://franmo.marsoft.com.pl/index.htm ), and defragment the disks; the system defragmenter will do, but Diskeeper and Perfect Disk are worth recommending.
As for the O17 entries, there should only be:
mswsock.dll - TCPIP
winrnr.dll - NTDS
rsvpsp.dll - (Protocol handler)
mswsock.dll - TCPIP
winrnr.dll - NTDS
rsvpsp.dll - (Protocol handler)
there are only those, so it's OK :cry: