Witam…
Chciałbym się dowiedzieć czy plik ‘commserv.exe’, znajdujący się tu: C:\WINDOWS\system32\commserv.exe to jest jakiś trojan? Antivir co chwile wyskakiwał z komunikatem że to wirus… ale nie mógł nic z nim zrobić. W końcu usunąłem ten plik w trybie awaryjnym… ale może mi ktoś powie co to dokładnie jest i skąd się bierze…?
pozdrawiam 8)
Bieniol
(Bbieniol)
16 Wrzesień 2006 16:33
#2
Logfile of HijackThis v1.99.1 Scan saved at 18:42:01, on 2006-09-16 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\SYSTEM32\GEARSEC.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BitComet\BitComet.exe C:\Program Files\CiDial\CiDial.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe C:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [Ashampoo FireWall] “C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe” -TRAY O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [bitComet] “C:\Program Files\BitComet\BitComet.exe” O4 - Startup: CiDial.lnk = C:\Program Files\CiDial\CiDial.exe O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms … b31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi … b31267.cab O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 5407166203 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me … b31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So … b31267.cab O17 - HKLM\System\CCS\Services\Tcpip…{601F6CBE-19F6-41F2-A39F-E91043229052}: NameServer = 194.204.152.34 217.98.63.164 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: Active Common Service - Unknown owner - C:\WINDOWS\system32\commserv.exe (file missing) O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\Zonelabs\vsmon.exe (file missing)
Złączono Posta : 16.09.2006 (Sob) 18:44
Przy okazji mam pytanie jak pozbyć się tej ostatniej pozycji…? nie mam już zone alarm’a a nie można tego usunąć ani w hijack this ani w trybie awaryjnym…
Złączono Posta : 16.09.2006 (Sob) 18:52
“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Steam” = (empty string) “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “BitComet” = ““C:\Program Files\BitComet\BitComet.exe”” [“www.BitComet.com ”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTHelper” = “CTHELPER.EXE” [“Creative Technology Ltd”] “UpdReg” = “C:\WINDOWS\UpdReg.EXE” [“Creative Technology Ltd.”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” [MS] “Ashampoo FireWall” = ““C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe” -TRAY” [null data] “avgnt” = ““C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{e82a2d71-5b2f-43a0-97b8-81be15854de8}” = “ShellLink for Application References” -> {HKLM…CLSID} = “ShellLink for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}” = “Shell Icon Handler for Application References” -> {HKLM…CLSID} = “Shell Icon Handler for Application References” \InProcServer32(Default) = “C:\WINDOWS\system32\dfshim.dll” [MS] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] “{F802F260-519B-11D1-BB5D-0060974C6013}” = “ICQ Shell Extension” -> {HKLM…CLSID} = “ICQ Shell Extension” \InProcServer32(Default) = “C:\Program Files\ICQ\ICQShExt.dll” [“ICQ”] “{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}” = “Messenger Sharing Folders” -> {HKLM…CLSID} = “My Sharing Folders” \InProcServer32(Default) = “C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll” [MS] “{0561EC90-CE54-4f0c-9C55-E226110A740C}” = “Haali Column Provider” -> {HKLM…CLSID} = “Haali Column Provider” \InProcServer32(Default) = “C:\Program Files\Matroska Pack\haali\mmfinfo.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {0561EC90-CE54-4f0c-9C55-E226110A740C}(Default) = “Haali Column Provider” -> {HKLM…CLSID} = “Haali Column Provider” \InProcServer32(Default) = “C:\Program Files\Matroska Pack\haali\mmfinfo.dll” [null data] {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.ux.pl 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ICQMenu(Default) = “{f802f260-519b-11d1-bb5d-0060974c6013}” -> {HKLM…CLSID} = “ICQ Shell Extension” \InProcServer32(Default) = “C:\Program Files\ICQ\ICQShExt.dll” [“ICQ”] Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ICQMenu(Default) = “{f802f260-519b-11d1-bb5d-0060974c6013}” -> {HKLM…CLSID} = “ICQ Shell Extension” \InProcServer32(Default) = “C:\Program Files\ICQ\ICQShExt.dll” [“ICQ”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\wojtek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “wojtek” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\wojtek\Menu Start\Programy\Autostart “CiDial” -> shortcut to: “C:\Program Files\CiDial\CiDial.exe” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll [null data], 01 - 10, 23 - 24 %SystemRoot%\system32\mswsock.dll [MS], 11 - 22, 30 - 32 C:\Program Files\NetLimiter\nl_lsp.dll [null data], 25 - 29, 35 %SystemRoot%\system32\rsvpsp.dll [MS], 33 - 34 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided) -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, “C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”] AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, “C:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] GEARSecurity, GEARSecurity, “SYSTEM32\GEARSEC.EXE” [“GEAR Software”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 66 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 21 seconds. ---------- (total run time: 123 seconds)
Bieniol
(Bbieniol)
16 Wrzesień 2006 16:56
#4
Start --> uruchom --> services.msc --> zatrzymaj i wyłącz usługe Active Common Service oraz TrueVector Internet Monitor
Otwórz hijackthis --> open misc tools section --> delete a NT service --> wpisz vsmon i ok
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
Po zabiegach daj nowy log z Hijacka
Jeśli chodzi o ‘TrueVector Internet Monitor’ to gdy daję na tryb uruchomienia ‘wyłączony’ to wyskakuje komunikat ‘odmowa dostępu’
Bieniol
(Bbieniol)
16 Wrzesień 2006 17:27
#6
Otwórz notatnik i wklej w nim to:
Plik --> zapisz jako --> zmień rozszerzenie na wszystkie pliki --> zapisz pod nazwą FIX.BAT
W trybie awaryjnym odpalasz plik: FIX.BAT
udało mi się już wyłączyć ten ‘TrueVector Internet Monitor’ w trybie awaryjnym moglem odrazu tak zrobic, sorry :? także pominąć ten krok z odpalaniem fix.bat ??
Nowy log:
Logfile of HijackThis v1.99.1 Scan saved at 19:34:07, on 2006-09-16 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\SYSTEM32\GEARSEC.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\CTHELPER.EXE C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\BitComet\BitComet.exe C:\Program Files\CiDial\CiDial.exe C:\Program Files\Mozilla Thunderbird\thunderbird.exe C:\PROGRA~1\MOZILL~3\FIREFOX.EXE C:\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [CTHelper] CTHELPER.EXE O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [Ashampoo FireWall] “C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe” -TRAY O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [bitComet] “C:\Program Files\BitComet\BitComet.exe” O4 - Startup: CiDial.lnk = C:\Program Files\CiDial\CiDial.exe O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms … b31267.cab O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi … b31267.cab O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 5407166203 O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me … b31267.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So … b31267.cab O17 - HKLM\System\CCS\Services\Tcpip…{601F6CBE-19F6-41F2-A39F-E91043229052}: NameServer = 194.204.152.34 217.98.63.164 O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
aha… i to mam już tak zostawić wyłączone na zawsze? i jesli chodzi o te wpisy powtarzające się: ‘O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll’ to powywalać je i zostawić tylko jeden?
Bieniol
(Bbieniol)
16 Wrzesień 2006 17:39
#10
Nic już nie wywalasz - te wpisy są od ashampoo firewall i wszystkie mają zostać :!:
Zostawiasz wyłączone
OK… Bardzo Ci dziękuje za Twój czas i pomoc!