Attack of worms and intruders


(Momayday) #1

I'm pasting my log here because I can't hold back the growing wave of attacks on my computer :frowning:

Logfile of HijackThis v1.99.1

Scan saved at 10:40:42, on 2005-10-02

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\??anregw.exe

D:\NortonSystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

D:\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\System32\nvsvc32.exe

D:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

D:\Opera\Opera.exe

D:\eMule\emule.exe

D:\Hijack\HijackThis1991.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat5\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {424BB5C9-085F-05F1-20B5-0895CAF4DFC9} - C:\WINDOWS\System32\eeemlgb.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\NortonSystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\NortonSystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [o0bl6ggc] C:\WINDOWS\System32\o0bl6ggc.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe

O4 - HKCU\..\Run: [Fjeqpyj] C:\WINDOWS\System32\??anregw.exe

O4 - HKCU\..\Run: [AWMON] "D:\Ad-AwareSEPro\Ad-Watch.exe"

O4 - HKCU\..\Run: [Icsc] C:\Program Files\sale\ennd.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Office2000\Office\OSA9.EXE

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\flashget.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: kavsvc - Kaspersky Lab - D:\Kaspersky\kavsvc.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\NortonSystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\NortonSystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - D:\NortonSystemWorks\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - D:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Post merged: 02.10.2005 (Sun) 10:56

I scan with MS AntiSpyware, it finds the "bugs" and removes them, but when I scan again two minutes after rebooting the computer it finds the same "bugs" again :frowning:

What should I do?
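The log above is what the replies in this thread read by eye. As an added example (mine, not HijackThis code and not from the original post), here is a small Python triage script that applies the same checks to lines in that format: a BHO with no name or no file, a Run entry whose name is one of the two the thread calls adware, a file name that HijackThis prints with "?" (characters outside the Windows-1250 code page of this Polish XP), and random-looking entry or executable names. The heuristics, the two-name denylist and the Cyrillic look-alike file name used to reproduce the "??anregw.exe" display are assumptions; the thread does not say which characters the real file used.

```python
"""Triage helper for HijackThis 1.99-style log lines.

Added example for this thread, not part of HijackThis or of the original post.
The heuristics below are assumptions tuned by eye on the log quoted above.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log quoted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\??anregw.exe
D:\eMule\emule.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\Acrobat5\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {424BB5C9-085F-05F1-20B5-0895CAF4DFC9} - C:\WINDOWS\System32\eeemlgb.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [o0bl6ggc] C:\WINDOWS\System32\o0bl6ggc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Fjeqpyj] C:\WINDOWS\System32\??anregw.exe
O4 - HKCU\..\Run: [Icsc] C:\Program Files\sale\ennd.exe
"""

# Run-key names the replies in this thread identified as adware (denylist built from the thread only).
ADWARE_RUN_NAMES = {"internet optimizer", "media gateway"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
PROC_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def file_stem(cmd: str) -> str:
    """Base name without extension of the program a Run command or process line launches.
    For rundll32 commands the DLL being loaded is used instead of rundll32 itself."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        path = cmd[1:close] if close > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    name = path.rsplit("\\", 1)[-1]
    if name.lower().startswith("rundll32"):
        args = cmd[cmd.find(path) + len(path):].lstrip('" ')
        dll = args.split(",", 1)[0].strip().strip('"')
        name = dll.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(token: str) -> bool:
    """Heuristic for machine-generated names: a digit followed by a letter, or a longer
    name with almost no vowels. Assumption: tuned on this log; terse vendor names such
    as NVRTCLK in the same log also trip it, so hits are review candidates, not verdicts."""
    t = re.sub(r"[^a-z0-9]", "", token.lower())
    if re.search(r"\d[a-z]", t):
        return True
    vowels = sum(c in "aeiou" for c in t)
    return len(t) >= 6 and vowels / len(t) < 0.2


def triage(log: str) -> list[Finding]:
    """Return the lines a human should look at first, with the rule that fired."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m2 = O2_RE.match(line)
        if m2:
            if m2["path"].lower() == "(no file)":
                findings.append(Finding(line, "orphaned BHO: CLSID registered but DLL missing"))
            elif m2["name"] == "(no name)":
                findings.append(Finding(line, "BHO with no registered name"))
            continue
        m4 = O4_RE.match(line)
        if m4:
            stem = file_stem(m4["cmd"])
            if m4["name"].lower() in ADWARE_RUN_NAMES:
                findings.append(Finding(line, "Run entry named in the thread as adware"))
            if "?" in stem:
                findings.append(Finding(line, "file name has characters outside the ANSI code page (shown as '?')"))
            if looks_random(m4["name"]) or looks_random(stem):
                findings.append(Finding(line, "random-looking Run entry or executable name"))
            continue
        if PROC_RE.match(line) and "?" in file_stem(line):
            findings.append(Finding(line, "running process whose name has characters shown as '?'"))
    return findings


def flagged_lines(log: str) -> set[str]:
    return {f.line for f in triage(log)}


def ansi_display(name: str, codepage: str = "cp1250") -> str:
    """What an ANSI-only tool on a Polish Windows XP (code page 1250) shows for a Unicode
    file name: every character the code page cannot represent becomes '?'."""
    return name.encode(codepage, "replace").decode(codepage)


# Assumption: the real file's first two letters are unknown; Cyrillic dze and es are used
# here only to show why a Unicode-aware Explorer lists such a name after every Latin name.
HOMOGLYPH_NAME = "\u0455\u0441anregw.exe"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.line}")
    print(ansi_display(HOMOGLYPH_NAME), sorted(["scanregw.exe", "zzz.exe", HOMOGLYPH_NAME]))
```

The "?" check explains post #6 of this thread: the name sorts after "z" because its first code points are not Latin letters at all, and it only reads as scanregw.exe in a Unicode-aware listing.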


(Przemoxmx) #2

turn off System Restore and scan in Safe Mode; in any case, scan with Spybot too


(Kuz5) #3

In Add/Remove Programs uninstall Internet Optimizer and Media Gateway

Delete: (you do all of this, of course, in Safe Mode with System Restore turned off)

If you have trouble finding the file with the question marks, i.e. this one:

then in C:\WINDOWS\System32 right-click and sort by name

that ??anregw.exe will then be at the very bottom

Delete the files and folders marked in red from the disk manually


(Momayday) #4

Thanks a lot for the advice. Unfortunately the following items are not in the locations given (neither in Safe Mode nor in normal mode)

C:\WINDOWS\System32\ ??anregw.exe - I checked the way you told me and also with Search

O4 - HKLM..\Run: [internet Optimizer] "C:\Program Files\ Internet Optimizer \optimize.exe" - there is no Internet Optimizer folder (I even checked whether it was hidden)

O4 - HKLM..\Run: [Media Gateway] C:\Program Files\ Media Gateway \MediaGateway.exe - same as above

O4 - HKCU..\Run: [icsc] C:\Program Files\ sale \ennd.exe - same as above

It's a bit strange that they aren't there (other anti-spyware programs detect them too). So what do I do next?

Maybe delete those entries from the registry??


(Gutek) #5

Maybe: My Computer >>> Tools >>> Folder Options >>> View

Tick "Show hidden files and folders" + untick "Hide protected operating system files..."


(Momayday) #6

That way I found this C:\WINDOWS\System32\ ??anregw.exe

...except that instead of being named ??anregw.exe it was named scanregw.exe and it was at the very end of the list (strange, because 's' isn't at the end after all). I deleted it, of course.

As for these...

C:\Program Files\ Internet Optimizer \optimize.exe

C:\Program Files\ Media Gateway \MediaGateway.exe

...those folders don't exist. So in theory there shouldn't be any problem.

But when I scan with, e.g., MS AntiSpyware it shows me this:

aaa.jpg

And the most interesting thing is that when I go to Start--msconfig--Startup, the items I deleted earlier, i.e. ??anregw.exe and o0bl6ggc.exe, are CHECKED on that list.

Unchecking them and rebooting again does nothing; they can't be removed from that list.

To be honest, the situation seems hopeless :cry:


(Gutek) #7

Safe Mode, and you delete the keys: Start\Run\regedit, then HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Media Gateway and Internet Optimizer :smiley:


(Kuz5) #8

Why hopeless? Did you uninstall those two applications, Media Gateway and Internet Optimizer? Post a new log.


(Momayday) #9

Uninstall from C:\Program Files? Can't be done, because they aren't there. I wrote about that above (they are neither in Add/Remove nor visible after ticking "show hidden folders..." as Gutek2222 told me)

Uninstall from the registry, as Gutek 2222 advised me? Can't be done, because after I delete them, reboot the computer back into normal mode and run MS AntiSpyware again (I also look in the registry), they are there again!!


(Gutek) #10

OK, post a log from Silent Runners

Post merged: 03.10.2005 (Mon) 16:58

Log analysis:

to be removed in Safe Mode.

Pocket Killbox: tick the Delete on Reboot option and in the Full Path of File to Delete field paste

the path C:\WINDOWS\System32\ eeemlgb.dll. The program will ask to reset the computer... so you reset.

Post a screenshot of C:\Program Files and of Add/Remove

Having 2 antiviruses is a mistake: Kaspersky and Norton AntiVirus


(Momayday) #11

Log from Silent Runners. As for that Killbox, it probably didn't delete that file because I had already deleted it earlier as you told me (that's probably why, next to the HijackThis log, it says "file missing" beside it).

I'll post the screenshot of C:\Program Files and Add/Remove in a moment.

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"NVRTCLK" = "C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe" [empty string]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "d:\Acrobat5\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"

  -> {CLSID}\InProcServer32\(Default) = "D:\NortonSystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\OFFICE~1\Office\OLKFSTUB.DLL" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]

"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 DragDrop Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.6 Property Sheet Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "D:\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

  -> {CLSID}\InProcServer32\(Default) = "D:\MSAntiSpyware\shellextension.dll" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Kaspersky\shellex.dll" ["Kaspersky Lab"]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {CLSID}\InProcServer32\(Default) = "D:\NortonSystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Kaspersky\shellex.dll" ["Kaspersky Lab"]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {CLSID}\InProcServer32\(Default) = "D:\NortonSystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "d:\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Paweł" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "D:\Office2000\Office\OSA9.EXE -b -l" [MS]



Enabled Scheduled Tasks:

------------------------


"Funkcja One Button Checkup pakietu Norton SystemWorks" -> launches: "D:\NortonSystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO" ["Symantec Corporation"]

"Norton AntiVirus - Skanuj komputer - Paweł" -> launches: "D:\NORTON~1\NORTON~3\Navw32.exe /task:"C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]

"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\NortonSystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"

  -> {CLSID}\InProcServer32\(Default) = "D:\NortonSystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "D:\FlashGet\flashget.exe" ["Amaze Soft"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Norton AntiVirus Firewall Monitor Service, NPFMntor, "D:\NortonSystemWorks\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]

Norton Unerase Protection, NProtectService, "D:\NORTON~1\NORTON~1\NPROTECT.EXE" ["Symantec Corporation"]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Speed Disk service, Speed Disk service, "D:\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE" ["Symantec Corporation"]

Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]

Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]

Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 20 seconds, including 10 seconds for message boxes)

(Gutek) #12

Damn, those entries aren't there anymore. Hm........ but "file missing" doesn't prove anything. Use Pocket Killbox once more.


(Momayday) #13

Screenshot of C:\Program Files with "show hidden files and folders" and "show protected operating system files" enabled.

pfiles.jpg

Screenshots of Add/Remove.

dodaj1.jpg

dodaj2.jpg

dodaj3.jpg

Post merged: 03.10.2005 (Mon) 17:26

As for that Killbox: I did as you wrote and a window pops up:

"pending file rename operations registry data has been removed by external process"
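Killbox's "Delete on Reboot" and the "pending file rename operations registry data has been removed by external process" message above refer to one mechanism: the PendingFileRenameOperations REG_MULTI_SZ value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager processes at the next boot. The following is an added example, not Killbox's code; it assumes that Killbox queues the delete through that value (as MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT does) and re-reads it afterwards to verify, which is what the message suggests. It builds and decodes the value offline so the format and the check can be seen without touching a registry.

```python
"""Encode and decode the PendingFileRenameOperations value used by delete-on-reboot tools.

Added example for this thread, not Pocket Killbox's own code. Assumption: Killbox schedules
the deletion through MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which appends to this value,
and its error message means a re-read of the value no longer contained the queued entry.
"""

# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, value PendingFileRenameOperations
NT_PREFIX = "\\??\\"   # Win32 paths are stored in NT object-manager form
REPLACE_MARK = "!"      # destination prefix meaning "overwrite the destination if it exists"


def build_pending_ops(deletes, renames=()):
    """Build the raw REG_MULTI_SZ bytes: pairs of (source, destination); an empty
    destination means delete. The value ends with an extra NUL like any MULTI_SZ."""
    entries = []
    for path in deletes:
        entries += [NT_PREFIX + path, ""]
    for src, dst in renames:
        entries += [NT_PREFIX + src, REPLACE_MARK + NT_PREFIX + dst]
    return ("".join(e + "\0" for e in entries) + "\0").encode("utf-16-le")


def _strip_nt(path):
    if path.startswith(REPLACE_MARK):
        path = path[len(REPLACE_MARK):]
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(raw):
    """Decode pairwise. The value cannot be split naively on NUL because a delete entry
    has an empty destination, which looks exactly like the MULTI_SZ terminator."""
    text = raw.decode("utf-16-le")
    ops, pos = [], 0
    while pos < len(text):
        end = text.find("\0", pos)
        if end < 0:
            break
        src, pos = text[pos:end], end + 1
        if src == "":          # the terminating empty string
            break
        end = text.find("\0", pos)
        if end < 0:
            end = len(text)
        dst, pos = text[pos:end], end + 1
        ops.append((_strip_nt(src), None if dst == "" else _strip_nt(dst)))
    return ops


def is_delete_scheduled(raw, path):
    """The check a tool can make before rebooting: is our delete still queued? If another
    process rewrote the value meanwhile, the entry is gone and the reboot will do nothing."""
    return any(src.lower() == path.lower() and dst is None
               for src, dst in parse_pending_ops(raw))


if __name__ == "__main__":
    # Constructed input: the DLL named in this thread's Killbox instructions.
    raw = build_pending_ops(["C:\\WINDOWS\\System32\\eeemlgb.dll"])
    print(raw)
    print(parse_pending_ops(raw))
    print(is_delete_scheduled(raw, "c:\\windows\\system32\\eeemlgb.dll"))
```

A value that decodes to an empty list after the tool wrote to it is exactly the situation the Killbox message describes; on a live system the same check is a read of that registry value before rebooting.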


(Gutek) #14

Do you have System Restore turned off?


(Momayday) #15

It's turned on now. Maybe I slipped up somewhere with turning it on/off? Should I repeat some test to be sure?


(Gutek) #16

There you go: do you have Spybot - Search & Destroy, or do you use the Resident in that program??? If so, it restores the entries.


(Momayday) #17

I'm just looking and that program does have a "Recovery" option, but I've never used it. Additionally, I removed all the "bugs" found earlier from the Recovery list. And that option isn't really automatic, so those various entries couldn't have added themselves back on their own.

Or maybe there's some program for cleaning unnecessary entries out of the registry?