jak czegoś nie jestem pewien albo nie wiem co to jest to się pytam i nic nie wywalam na ślepo.

Screena niestety nie mogę wkleić. Jest to okienko
"Zamykanie systemu"
"Trwa zamykanie systemu. Zapisz wszystkie rozposczęte prace i wyloguj się. Wszystkie niezapisane zmiany zostaną utracone. Zamknięcie zostało zainicjowane przez ZARZĄDZANIE NT/SYSTEM
CZAS DO ZAMKNIĘCIA 00:OO:59

Wiadomość
Proces systemowy
C:WINDOWS/SYSTEM32/SERVICES.EXE
został nieoczekiwanie zakończony z kodem stanu 1073741674
system zostanie zamknięty i uruchomiony ponownie"

Teraz zblokowałem sobie avasta i wgrałem kaspersky – znalazł mi dwa pliki w system32 jedem to "ii" drugi to "scmt16.exe" Podał źe to jest Trojan downloader.Bat.Ftp.ab

markoswawa:

O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

To jest od twojej karty graficznej nie wywalaj tego.

Tamta reszta teź jest potrzebna. Zlikwidujesz sobie w końcu skanowanie poczty mail.

Logi masz czyste. Nie mam pojęcia co się u ciebie dzieje. Moźe cos źle robisz usuwasz co popadnie. Raz coś masz pózniej nie masz. Ten komunikat o wyłanczaniu kompa jak wygląda. Daj moźe sreena. Moze to jest wina sprzętowa. Nie wirusów bo w tych logach naprawde nic nie ma

Log z Hijack This jest ok.
Ale o logu z Silent Runners niemam pojencia.


P.S. Jest jakaś strona na której moźna sprawdzić log z Silent Runners???????

No i wszedłem do internetu i bez zmian zaczeło się zamykanie systemu. Wklejone logi z silent i hijack są zrobione juź po ataku

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
–––––––––––––––––––––––––––––––––

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962–6F74–2D53–2644–206D7942484F}\(Default) = (no title provided)
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045–0000–0000–C000–000000000046}" = "Microsoft Outlook Custom Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{472083B0–C522–11CF–8763–00608CC02F24}" = "avast"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{A70C977A–BF00–412C–90B7–034C51DA2439}" = "NvCpl DesktopContext Class"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0–306A–11d3–8BD1–00104B6F7516}" = "Play on my TV helper"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949–8F65–4355–8456–263E7C208A5D}" = "Desktop Explorer"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A47}" = "Desktop Explorer Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A48}" = "nView Desktop Context Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4–59b0–47a6–b335–a6b3c0695aea}" = "Portable Media Devices"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a–b60a–48e6–996b–41d25ed39a1e}" = "Portable Media Devices Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{40950107–FEA6–4d53–A65F–B2DCBA57DD58}" = "Nokia Phone Browser"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864–D495–41f0–B7DC–4BB601CC295E}" = "Contact View"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A–5B72–4efe–929D–3B848C3A1E91}" = "Message View"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{21569614–B795–46b1–85F4–E737A8DC09AD}" = "Shell Search Band"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B–CF93–414F–8984–8CE7FDE0D391}" = "ewido shell guard"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\shellhook.dll" ["TODO: "]
INFECTION WARNING! "{9EF34FF2–3396–4527–9D27–04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7–CE32–4600–9B1C–1A0C47EFC02E}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7–CE32–4600–9B1C–1A0C47EFC02E}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
–––––––––––––––––––––

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\DOLPHI~1.SCR" [file not found]


Startup items in "dom" & "All Users" startup folders:
–––––––––––––––––––––––––––––––––––––––––––––––––––––

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" –> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe /W" [empty string]
INFECTION WARNING! "Microsoft Office.lnk.disabled" [null data]


Enabled Scheduled Tasks:
––––––––––––––––––––––––

"Spybot – Search & Destroy – Scheduled Task" –> launches: "D:\Program Files\Spybot – Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]


Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05


Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910–F110–11D2–BB9E–00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

avast! Antivirus, avast! Antivirus, ""d:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti–malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti–malware\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
–––––––––––––––

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S200\Driver = "CNMLM3w.DLL" ["CANON INC."]


––––––––––
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the –supp parameter or answer "No" at the first message box.
–––––––––– (total run time: 44 seconds, including 6 seconds for message boxes)

Logfile of HijackThis v1.99.1
Scan saved at 17:30:18, on 2006–01–26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti–malware\ewidoctrl.exe
C:\Program Files\ewido anti–malware\ewidoguard.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\dom\Pulpit\HijackThis.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
O4 – Global Startup: Microsoft Office.lnk.disabled
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: avast! Antivirus – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: ewido security suite control – ewido networks – C:\Program Files\ewido anti–malware\ewidoctrl.exe
O23 – Service: ewido security suite guard – ewido networks – C:\Program Files\ewido anti–malware\ewidoguard.exe
O23 – Service: InterBase Guardian (InterBaseGuardian) – Unknown owner – C:\program files\Interbase\bin\ibguard.exe (file missing)
O23 – Service: InterBase Server (InterBaseServer) – Unknown owner – C:\program files\Interbase\bin\ibserver.exe (file missing)
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe


To co mi się nie podoba – wiem źe pisaliście źeby tego nie wywalać (nie dotyczy avast)
O23 – Service: avast! Mail Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: InterBase Guardian (InterBaseGuardian) – Unknown owner – C:\program files\Interbase\bin\ibguard.exe (file missing)

O23 – Service: InterBase Server (InterBaseServer) – Unknown owner – C:\program files\Interbase\bin\ibserver.exe (file missing)

To to jest napewno jakieś g... i wraca non stop z uporem maniaka:
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

Moźe odinstalować antywirusa i wgrać na nowo (co prawdabędzie bez aktualizacji)

jak źyje to takiego problemu jeszcze nie miałem

Prosze o nowy Log z Hijacka!!!

Więc nie wiem co robiłes moze jakiś skaner ci to usunał ale tych wpisów z przecinkiem juź nie ma. I reszta logów wyglada ok.

Jeśli twiedzisz źe komp dalej zamulony. Zrób moźe defragmentacje dysków. Wyczysc rejestr jakims programem np :RegCleaner jest dobry do tego. Wyczysc w trybie awaryjnym katalogi temp.

Te strony startowe Peter_l ma racje nie potrzebnie usuwałes bo tam jest pusto ni nie ma. Ale przywrócenie ich tez nie zmieni twojego problemu.

Nie ma problemu mogę z tym zrobić come back ale co jest nie tak z tym kompem ?

Nie trzeba było tego wywalać, ale co tam.

Szczerze Ci powiem źe nie usówałem go.

wywaliłem tylko to
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

Czyli co? moźna powiedzieć źe jest ok? do netu go jeszcze nie podłanczałem bo wydaje mi się źe jeszcze coś w nim siedzi – jest strasznie zamulony

markoswawa:

Jest tak:



Wiewa – w tych kluczach jest faktycznie pare skarbów:
(Domyślna), AppInt_DLLs, DeviceNotSelectedTimeout, GDIProcessHandleQuota, Spooler, swapdisk, TransmissionRetryTimeout, UserProcessHandleQuota – rozumiem, źe je ot tak zaznaczyć i delete ?

Nie reszte zostaw. Nie wolno tego usuwać :!: Myślałem tylko o tym przecinku. Ale widze źe go usunołeś. Bo nie ma wpisu. Jest juź ok :)

Jest tak:

Szzzzz – usunołem niestety miałem wyłączone przywracanie systemu – po czasie przeczytałem – nowy log jest pod logiem Silent.

Wiewa – w tych kluczach jest faktycznie pare skarbów:
(Domyślna), AppInt_DLLs, DeviceNotSelectedTimeout, GDIProcessHandleQuota, Spooler, swapdisk, TransmissionRetryTimeout, UserProcessHandleQuota – rozumiem, źe je ot tak zaznaczyć i delete ? Mam nadzieje źe ten log z silent jest teraz kompletny

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
–––––––––––––––––––––––––––––––––

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962–6F74–2D53–2644–206D7942484F}\(Default) = (no title provided)
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045–0000–0000–C000–000000000046}" = "Microsoft Outlook Custom Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{472083B0–C522–11CF–8763–00608CC02F24}" = "avast"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{A70C977A–BF00–412C–90B7–034C51DA2439}" = "NvCpl DesktopContext Class"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0–306A–11d3–8BD1–00104B6F7516}" = "Play on my TV helper"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949–8F65–4355–8456–263E7C208A5D}" = "Desktop Explorer"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A47}" = "Desktop Explorer Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A48}" = "nView Desktop Context Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4–59b0–47a6–b335–a6b3c0695aea}" = "Portable Media Devices"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a–b60a–48e6–996b–41d25ed39a1e}" = "Portable Media Devices Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{40950107–FEA6–4d53–A65F–B2DCBA57DD58}" = "Nokia Phone Browser"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864–D495–41f0–B7DC–4BB601CC295E}" = "Contact View"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A–5B72–4efe–929D–3B848C3A1E91}" = "Message View"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{21569614–B795–46b1–85F4–E737A8DC09AD}" = "Shell Search Band"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B–CF93–414F–8984–8CE7FDE0D391}" = "ewido shell guard"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\shellhook.dll" ["TODO: "]
INFECTION WARNING! "{9EF34FF2–3396–4527–9D27–04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7–CE32–4600–9B1C–1A0C47EFC02E}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7–CE32–4600–9B1C–1A0C47EFC02E}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
–––––––––––––––––––––

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\DOLPHI~1.SCR" [file not found]


Startup items in "dom" & "All Users" startup folders:
–––––––––––––––––––––––––––––––––––––––––––––––––––––

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"DSLMON" –> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe /W" [empty string]
INFECTION WARNING! "Microsoft Office.lnk.disabled" [null data]


Enabled Scheduled Tasks:
––––––––––––––––––––––––

"Spybot – Search & Destroy – Scheduled Task" –> launches: "D:\Program Files\Spybot – Search & Destroy\SpybotSD.exe /AUTOCHECK" ["Safer Networking Limited"]


Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 03, 06 – 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 – 05


Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910–F110–11D2–BB9E–00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

avast! Antivirus, avast! Antivirus, ""d:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti–malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti–malware\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
–––––––––––––––

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S200\Driver = "CNMLM3w.DLL" ["CANON INC."]


––––––––––
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the –supp parameter or answer "No" at the first message box.
–––––––––– (total run time: 90 seconds, including 10 seconds for message boxes)


Logfile of HijackThis v1.99.1
Scan saved at 12:59:10, on 2006–01–26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti–malware\ewidoctrl.exe
C:\Program Files\ewido anti–malware\ewidoguard.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\dom\Pulpit\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
O4 – Global Startup: Microsoft Office.lnk.disabled
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: avast! Antivirus – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: ewido security suite control – ewido networks – C:\Program Files\ewido anti–malware\ewidoctrl.exe
O23 – Service: ewido security suite guard – ewido networks – C:\Program Files\ewido anti–malware\ewidoguard.exe
O23 – Service: InterBase Guardian (InterBaseGuardian) – Unknown owner – C:\program files\Interbase\bin\ibguard.exe (file missing)
O23 – Service: InterBase Server (InterBaseServer) – Unknown owner – C:\program files\Interbase\bin\ibserver.exe (file missing)
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe

Usuwaj z przywracaniem systemu.!!

Log z silenta nie kompletny musisz poczakać az skonczy da ci znać. moźe potrwac to chwile.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "," [file not found]

Ale Jest cos tutaj nie tak

Zrób tak. Wpisz w uruchom regedit i ok. I przejdz do klucza HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ i napisz co tam jest dokładnie. Jak będzie ",". To usuwaj ale podaj najpierw co jest dokładnie.

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

Pisalem juz w poprzednich postach co masz usunać. :!: pu usunieciu Nowy Log

To co jest nie tak???
teraz robiłem kolejny log i to co mi się nie spodobało to pojawiła się coś takiego
020–AllInt_DLLs
zresztą wklejam całego loga

Logfile of HijackThis v1.99.1
Scan saved at 10:40:42, on 2006–01–26
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti–malware\ewidoctrl.exe
C:\Program Files\ewido anti–malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\dom\Pulpit\HijackThis.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 – HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 – HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 – Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800–840\dslmon.exe
O4 – Global Startup: Microsoft Office.lnk.disabled
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 – Extra context menu item: E&ksport do programu Microsoft Excel – res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 – Extra button: Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O9 – Extra 'Tools' menuitem: Windows Messenger – {FB5F1910–F110–11d2–BB9E–00C04F795683} – C:\Program Files\Messenger\msmsgs.exe
O20 – AppInit_DLLs: ,
O23 – Service: avast! iAVS4 Control Service (aswUpdSv) – Unknown owner – d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 – Service: avast! Antivirus – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 – Service: avast! Mail Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 – Service: avast! Web Scanner – Unknown owner – d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 – Service: ewido security suite control – ewido networks – C:\Program Files\ewido anti–malware\ewidoctrl.exe
O23 – Service: ewido security suite guard – ewido networks – C:\Program Files\ewido anti–malware\ewidoguard.exe
O23 – Service: InterBase Guardian (InterBaseGuardian) – Unknown owner – C:\program files\Interbase\bin\ibguard.exe (file missing)
O23 – Service: InterBase Server (InterBaseServer) – Unknown owner – C:\program files\Interbase\bin\ibserver.exe (file missing)
O23 – Service: NVIDIA Display Driver Service (NVSvc) – NVIDIA Corporation – C:\WINDOWS\system32\nvsvc32.exe

w międzyczasie w "czystym" kompie zmieniła się strona startowa (nie podłączałem do netu)
w spaboocie z uporem maniaka wyłanczam NvCplDeamon (typowo niewymagany) a on non stop się dołancza do uruchamianych programów

damiancore ma racje nie usówaj tego.!!
O23 – Usługi niestandardowe Windows NT/2000/XP/2003

Proszę zaglądnąć http://www.searchengines.pl/phpbb203/index.php?showtopic=7723a wszystko stanie się jasne. Temat do którego kieruję analizuje natywne usługi Windows XP (bez obaw: inne Windowsy typu NT mają usługi nieomal identyczne). W HijackThis ukaźą się tylko usługi, które nie są standardowe = dodane wtórnie przez dodatkowy soft. Metodą usług posługują się teź gnojki róźnego kalibru – głównie robaki sieciowe. W związku z zawiłościami nazewnictwa baz danych róźnych narzędzi czyszczących postaram się w miarę moźliwości częstować stosownymi linkami....

ibguard.exe
ibserver.exe

zaraz pousuwam ale zastanawiałem się jeszcze nad
O23 – Service: InterBase Guardian (InterBaseGuardian) – Inprise Corporation – C:\program files\Interbase\bin\ibguard.exe
O23 – Service: InterBase Server (InterBaseServer) – Inprise Corporation – C:\program files\Interbase\bin\ibserver.exe

nie wiem co to jest – coś mi one jakieś takie niewyraźne tym bardziej źe hijack nie moźe tego usunąć

Wydaje mi sie ze trzeba te wpisy uciac.!

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 – HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
–––––––––––––––––––––––––––––––––

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962–6F74–2D53–2644–206D7942484F}\(Default) = (no title provided)
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045–0000–0000–C000–000000000046}" = "Microsoft Outlook Custom Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{472083B0–C522–11CF–8763–00608CC02F24}" = "avast"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{A70C977A–BF00–412C–90B7–034C51DA2439}" = "NvCpl DesktopContext Class"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0–306A–11d3–8BD1–00104B6F7516}" = "Play on my TV helper"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949–8F65–4355–8456–263E7C208A5D}" = "Desktop Explorer"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A47}" = "Desktop Explorer Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB–F9E5–4718–997B–B8DA88302A48}" = "nView Desktop Context Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307–84BE–11CE–9641–444553540000}" = "WinZip"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4–59b0–47a6–b335–a6b3c0695aea}" = "Portable Media Devices"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a–b60a–48e6–996b–41d25ed39a1e}" = "Portable Media Devices Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{40950107–FEA6–4d53–A65F–B2DCBA57DD58}" = "Nokia Phone Browser"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{FBFE7864–D495–41f0–B7DC–4BB601CC295E}" = "Contact View"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]
"{C0C4375A–5B72–4efe–929D–3B848C3A1E91}" = "Message View"
–> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]
"{21569614–B795–46b1–85F4–E737A8DC09AD}" = "Shell Search Band"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B–CF93–414F–8984–8CE7FDE0D391}" = "ewido shell guard"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\shellhook.dll" ["TODO: "]
INFECTION WARNING! "{9EF34FF2–3396–4527–9D27–04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "," [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7–CE32–4600–9B1C–1A0C47EFC02E}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7–CE32–4600–9B1C–1A0C47EFC02E}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti–malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0–C522–11CF–8763–00608CC02F24}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304–84BE–11CE–9641–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
–––––––––––––––––––––

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\DOLPHI~1.SCR" [file not found]

Hijack This nie był uźywany wcześniej wgrałem go wczoraj. Problem jest tego typu źe to jest coś co sie uaktywnia w momencie podłączenia do netu. Komputer daje się potem oczyścić programami typu ad aware, spyboot, ewido, miałem otwarte porty i je uszczelniłem wwdc, wyłączyłem przywracanie systemu, i w momencie podłączenia do netu pojawia cię komunikat źe trwa zamykanie systemu proces c:/windows/system32/services.exe – powolne odliczanie 60 sekund i cały komputer zawirusowany. Co to qrcze za dziadostwo?? nie mówcie mi tylko źe frmat C: jest idealnym rozwiązaniem bo się zawziołem na dziada i musze go powalić.