Drwatson32.exe


(Keriz) #1

mam kompa od niedawna wiec wybaczcie jakies niedociaglosci z mojej strony. ale wracajac do temat, jest tak, mialem (mam) wirusika. wiem o tym bo przeskanowalem system antywirusem (mks skaner on-line)i wykrylo mi wiele zainfekowanych plikow, same trojany i na moje nieszczescie wykasowalem kilka z tych plikow. jednym z nich byl drwatson32.exe. no i sie zaczelo. okazuje sie ze ten plik sluzy do uruchamiania "Aplikacji". i teraz wogole nic nie moge uruchomic.

mam pytanie czy moge jakos naprawic swoj blad? czy da sie to naprawic bez reinstalacji systemu? pomozcie prosze

ps zalaczyl bym moj log ale hijacka tez nie moge odpalic


(Gutek) #2

Co ty wypisujesz http://wirusy.antivirenkit.pl/pl/opis/T ... er.do.html


(Keriz) #3

sam sie tym dziwie bo wszyscy pisza ze drwatson32.exe to wirus ale jak usunalem taki plik to od razu przestaly mi chodzic wszystkie programy. jak sie uruchamial komputer to od razu pojawialo sie okienko"nie mozna znalezc pliku" a w ramce pisalo ze nie ma tego pliku a jest on potzrebny do uruchomienia "aplikacji" i system kazal mi tego szukac na dysku C

Złączono Posta : 19.10.2005 (Sro) 21:57

jakos udalo mi sie cofnac ten blad teraz znowu wszystko dziala (szkoda ze razem z wirusami) wysylam moj log

Logfile of HijackThis v1.99.1

Scan saved at 21:59:18, on 05-10-19

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 (5.00.2919.6304)


Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\WINL0GON.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\PROGRAM FILES\GADU-GADU\GG.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\DOWNLOADS\HIJACKTHIS.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wirtualnemedia.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\Run: [WindowsDebug] drwatson32.exe

O4 - HKLM\..\Run: [ms_anti_spywarebxp] C:\WINDOWS\mwfirebpx.exe

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKLM\..\RunOnce: [ms_anti_spywarebxp] C:\WINDOWS\mwfirebpx.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray

O4 - HKCU\..\Run: [ms_anti_spywarebxp] C:\WINDOWS\mwfirebpx.exe

O4 - HKCU\..\RunOnce: [ms_anti_spywarebxp] C:\WINDOWS\mwfirebpx.exe

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\PROGRAM FILES\FLASHGET\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRAM FILES\FLASHGET\jc_all.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/OnetInstalator012s.ocx

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

da sie cos tu naprawic?

====================================

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Proponuje poczytać TEN temat i zobacz jaka jest prośba do userów wklejających loga.

Pozdrawiam kuz5


(Gutek) #4

W trybie awaryjnym usuwasz ręcznie pliki. Hijackiem wpisy :smiley:

W systemie WIN98 SE nie ma programu drwatson32.exe, tylko drwatson.exe

A teraz przydatny link - http://www.searchengines.pl/phpbb203/in ... =dr+watson


(Keriz) #5

oki zrobilem co mi doradziles. teraz zostal mi jeszcze jeden problem. uruchamiajac kompa pojawia mi sie komunikat ze system nie potrafi znalezc pliku "ibm00002.exe" (albo jego czesci). jak sie tego pozbyc? jakby co to wklejam log

Logfile of HijackThis v1.99.1

Scan saved at 16:16:39, on 05-10-22

Platform: Windows 98 SE (Win9x 4.10.2222A)

MSIE: Internet Explorer v5.00 (5.00.2919.6304)


Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL

C:\WINDOWS\SYSTEM\MSGSRV32.EXE

C:\WINDOWS\SYSTEM\MPREXE.EXE

C:\WINDOWS\SYSTEM\mmtask.tsk

C:\WINDOWS\SYSTEM\MSTASK.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE

C:\WINDOWS\EXPLORER.EXE

C:\WINDOWS\TASKMON.EXE

C:\WINDOWS\SYSTEM\SYSTRAY.EXE

C:\PROGRAM FILES\WINAMP\WINAMPA.EXE

C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE

C:\PROGRAM FILES\GADU-GADU\GG.EXE

C:\WINDOWS\SYSTEM\WMIEXE.EXE

C:\WINDOWS\SYSTEM\RNAAPP.EXE

C:\WINDOWS\SYSTEM\TAPISRV.EXE

C:\WINDOWS\SYSTEM\PSTORES.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

C:\WINDOWS\SYSTEM\DDHELP.EXE

C:\DOWNLOADS\HIJACKTHIS.EXE


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wirtualnemedia.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: @msdxmLC.dll,-1@1045,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun

O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe

O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

O4 - HKLM\..\Run: [Zasobnik systemowy] SysTray.Exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer

O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe

O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\PROGRAM FILES\FLASHGET\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\PROGRAM FILES\FLASHGET\jc_all.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O14 - IERESET.INF: SEARCH_PAGE_URL=

O14 - IERESET.INF: START_PAGE_URL=

O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/OnetInstalator012s.ocx

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

(Gutek) #6

LOG OK, czy ty aby na pewno na pewno usunołeś C:\WINDOWS\SYSTEM**** ibm00002.exe? :stuck_out_tongue:


(Keriz) #7

usunalem plik na bank. sprawdzilem nawet czy nie jest nigdzie ukryty i tez go nie znalazlo.szukalem go na calym dysku C i ciagle go brak.


(Gutek) #8

Ściagnij program Spybot - Search & Destroy oraz RegCleaner i przeleć kompa


(Keriz) #9

przebadalem kompa tymi programami i nic nie znalazlo. a ostrzezenie ze nie ma tego pliku ciagle sie pojawia, wiec nie wiem co jest nie tak


(Gutek) #10

Daj LOG z Silent Runners


(Keriz) #11

kurde chyba cos nie tak, sciagam ten program i pojawia mi sie ikonka (biala karteczka z literka S) ktorej nie potrafie otworzyc. a za to moj norton mnie ostrzega przed tym skryptem. a nie moge znalezc tego programu na google aby go sciagnac z innej lokalizacji


(Gutek) #12

http://www.silentrunners.org/Silent%20Runners.vbs albo wejdź i kliknij prawym na 2 niebieski link i zapisz na pulpicie.

Silent Runners NIE JEST SZKODLIWY i proszę w Nortonie autoryzować skrypt:

silent44ow.gif


(Keriz) #13

cholera ciagle cos nie tak. jak autoryzowalem skrypt to przy otwieraniu pojawia sie okienko ze "WMI not installed". ja chyba nigdy nie dojde do ladu z tym kompem


(Gutek) #14

Przeczytaj na dole http://www.searchengines.pl/phpbb203/in ... opic=15989


(Keriz) #15

no udalo sie. wklejam log z silent runners

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows 98

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray" ["Gadu-Gadu Sp. z oo"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]

"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]

"SystemTray" = "SysTray.Exe" [MS]

"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

"WinampAgent" = ""C:\PROGRAM FILES\WINAMP\WINAMPa.exe"" [null data]

"Zasobnik systemowy" = "SysTray.Exe" [MS]

"ccApp" = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" ["Symantec Corporation"]

"ccRegVfy" = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" ["Symantec Corporation"]

"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer" ["Symantec Corporation"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}

"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]

"SchedulingAgent" = "mstask.exe" [MS]

"ccEvtMgr" = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" ["Symantec Corporation"]

"ScriptBlocking" = ""C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg" ["Symantec Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL" ["Amaze Soft"]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0 CE\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [null data]

{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINACE\arcext.dll" [file not found]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINACE\arcext.dll" [file not found]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



WIN.INI & SYSTEM.INI launch points:

-----------------------------------


SYSTEM.INI

[boot]

INFECTION WARNING! "shell=explorer.exe ibm00002.exe" [MS], [file not found]



Startup items in "Startup" & "All Users...Startup" folders:

-----------------------------------------------------------


C:\WINDOWS\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]



Enabled Scheduled Tasks:

------------------------


"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]

"Symantec NetDetect" -> launches: "C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE" ["Symantec Corporation"]

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\WINDOWS\ALLUSE~1\DANEAP~1\SYMANTEC\NORTON~1\TASKS\MYCOMP.SCA" ["Symantec Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:

C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1

C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4

C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL" ["Amaze Soft"]


"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRAM FILES\FLASHGET\FLASHGET.EXE" ["Amaze Soft"]


{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\

"ButtonText" = "eBay - Homepage"

"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\SHDOCVW.DLL" [MS]

"Exec" = "C:\Program Files\IrfanView\Ebay\Ebay.htm" [null data]



Miscellaneous IE Hijack Points

------------------------------


HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)

The Internet Explorer version cannot be found!


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

The contents of IERESET.INF cannot be reliably checked!


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL = "http://www.eu.microsoft.com/poland/"

[Strings]: SEARCH_PAGE_URL = "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[Strings]: SAFESITE_VALUE = "ie.search.msn.com"

[Strings]: MS_START_PAGE_URL = "http://www.eu.microsoft.com/poland/"


Missing lines (compared with English-language version):

[DeleteAutosearch.reg]: 1 line

[Strings]: 4 lines



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 11 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 24 seconds.

---------- (total run time: 59 seconds)

(Gutek) #16

No jest

zedytowąć musisz: Start>>>Uruchom>>> w okienku wpisz poleceniem sysedit i zedytuj ten wpis, jak się nie pokaże.

Mój komputer >>> Narzędzia >>> Opcje folderów >>> Widok

Zaznaczone Pokaż ukryte pliki i foldery + odznaczone Ukryj chronione pliki systemu operacyjnego...

Jak zedytować, w sekcji [boot] jest po shell = explorer.exe ibm00002.exe" [MS], usunąć stamtąd ibm00002.exe (ma zostać shhell=explorer.exe)


(Keriz) #17

faktycznie udalo sie. wielkie dziekuje. Gutek2222 jestes wielki. temat uwazam za zamkniety. pa

Złączono Posta : 25.10.2005 (Wto) 18:54

ps. jeszcze jedno. jak mam wystawic tobie note pochwalna. bardzo chcialbym to zrobic