nera
(Nera5)
6 May 2007 10:43
#1
On the second computer connected to the network, problems with the internet have appeared: you can, for example, run Gadu-Gadu, Konnekt and online games, but web browsers don't work (neither FF nor IE), and programs such as TeamSpeak and Hamachi won't connect. I don't think it's a port problem (on the computer I'm writing from everything works; besides, I've tried resets and various combinations [I have a router]). Additionally, while shutting down, the computer shows a blue screen reporting a critical Windows error (I can copy it out here if needed).
EDIT: Just so it's said, I scanned with Ad-Aware and AntiVir Guard (the one with the umbrella ;P)
Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:05:21, on 2007-05-06
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\razertra.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Razer\razerhid.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Konnekt\konnekt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Hamachi\hamachi.exe
D:\Program Files\Rainlendar\Rainlendar.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.30gigs.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 213.21.215.158 www.halifax-online.co.uk
O1 - Hosts: 213.21.215.158 ibank.barclays.co.uk
O1 - Hosts: 213.21.215.158 online.lloydstsb.co.uk
O1 - Hosts: 213.21.215.158 online-business.lloydstsb.co.uk
O1 - Hosts: 213.21.215.158 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 213.21.215.158 banesnet.banesto.es
O1 - Hosts: 213.21.215.158 extranet.banesto.es
O1 - Hosts: 213.21.215.158 ebanking.bccbrescia.it
O1 - Hosts: 213.21.215.158 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 213.21.215.158 oi.cajamadrid.es
O1 - Hosts: 213.21.215.158 bancae.caixapenedes.com
O1 - Hosts: 213.21.215.158 banking.postbank.de
O1 - Hosts: 213.21.215.158 meine.deutsche-bank.de
O1 - Hosts: 213.21.215.158 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 213.21.215.158 ibank.cahoot.com
O1 - Hosts: 213.21.215.158 webbank.openplan.co.uk
O1 - Hosts: 213.21.215.158 bancopostaonline.poste.it
O1 - Hosts: 213.21.215.158 mybank.bybank.it
O1 - Hosts: 213.21.215.158 ibank.internationalbanking.barclays.com
O1 - Hosts: 213.21.215.158 welcome7.co-operativebank.co.uk
O1 - Hosts: 213.21.215.158 welcome11.co-operativebankonline.co.uk
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [Konnekt] "d:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC40298F-60E5-403F-876B-1C5E4A29FB5C}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0C88AB2-1813-4E21-83B6-F1F2075C89E0}: NameServer = 10.89.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3096A57-5A6E-4414-BBFE-AE65011A49A9}: NameServer = 10.89.0.2
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) MO (RPCSE) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - SigmaTel, Inc. - (no file)
I'd be very grateful for help.
Joan
(Joan Sunshine)
6 May 2007 11:06
#2
Go to Start --> Run --> services.msc --> stop and disable the services StarWind iSCSI Service and Remote Procedure Call (RPC) MO
Open HijackThis --> Open Misc Tools Section --> Delete a NT service --> enter StarWindService, then RPCSE, and OK
Delete what is marked in red from the disk in Safe Mode, fix the entries in HijackThis, and post new HijackThis + SilentRunners logs
Read this: CLICK, and paste in the contents of the minidump files
Change the title to something specific and use Polish characters when writing - use the button
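The services Joan singles out are the O23 lines whose binary no longer exists ("(file missing)" / "(no file)"). As an added example, not code from this thread or from HijackThis, here is a small triage of O23 lines that applies that rule and produces the quoted `sc` commands; the sample lines are copied from the log above, the "(no owner) means review" heuristic and the " - " splitting assumption are mine.

```python
import re

# Sample input: five O23 lines copied from the HijackThis log in this thread.
SAMPLE_O23 = r"""O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) MO (RPCSE) - Unknown owner - C:\Program.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - SigmaTel, Inc. - (no file)
"""

O23_PREFIX = "O23 - Service: "
# HijackThis appends the short service name in parentheses when it differs
# from the display name: "<display> (<short>)". Match only a trailing group.
SHORT_NAME_RE = re.compile(r"\((\S+)\)$")


def parse_o23(line):
    """Split one O23 line into display name, service (short) name, owner and path.

    Format: O23 - Service: <display> (<short>) - <owner> - <path>
    The display name may contain parentheses (see the RPCSE line), so the
    short name is taken from the last group, and the line is split from the
    right on " - ", assuming (as in this log) that owner and path contain none.
    """
    line = line.strip()
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    m = SHORT_NAME_RE.search(display)
    # No "(short)" suffix: the service name equals the display name.
    service = m.group(1) if m else display
    return {"display": display, "service": service, "owner": owner, "path": path}


def triage_o23(log_text):
    """Return the parsed services that deserve attention, with severity and reasons.

    severity "remove": the service points at a binary that no longer exists,
                       i.e. a leftover of removed malware or a broken install;
    severity "review": HijackThis found no vendor information for the binary.
    """
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["path"].endswith("(file missing)") or svc["path"] == "(no file)":
            reasons.append("service binary missing")
        if svc["owner"] == "Unknown owner":
            reasons.append("no vendor information, verify the file")
        if reasons:
            severity = "remove" if "service binary missing" in reasons else "review"
            findings.append({**svc, "severity": severity, "reasons": reasons})
    return findings


def sc_commands(service):
    """The stop/delete pair used later in the thread, quoted so that a service
    name containing spaces (e.g. "Network Monitor") is passed as one argument."""
    return [f'sc stop "{service}"', f'sc delete "{service}"']


if __name__ == "__main__":
    for f in triage_o23(SAMPLE_O23):
        print(f'{f["severity"]:7} {f["service"]:16} {"; ".join(f["reasons"])}')
        if f["severity"] == "remove":
            print("        " + "  ".join(sc_commands(f["service"])))
```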
nera
(Nera5)
6 May 2007 11:48
#3
Heh, and I thought this would be quick and simple to do :mrgreen:. Thanks for the help, I'll post the new logs in a moment
Post merged: 06.05.2007 (Sun) 14:17
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"DesktopX" = ""C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"" [file not found]
"Konnekt" = ""d:\Program Files\Konnekt\konnekt.exe" /autostart" ["Stamina"]
"H/PC Connection Agent" = ""D:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"razertra" = "C:\Program Files\Razer\razertra.exe" ["Razer Inc."]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"DAEMON Tools" = ""D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"PWRISOVM.EXE" = "D:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{04079851-5845-4dea-848C-3ECD647AA554}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "MySearch Search Assistant BHO"
                   \InProcServer32\(Default) = "C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL" [file not found]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IeCatch2 Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"
  -> {HKCU...CLSID} = "QuickLoad.QuickLoadContextMenu"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\mscoree.DLL" [MS]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
  -> {HKLM...CLSID} = "Urządzenie przenośne"
                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~3\Wcesview.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"
  -> {HKLM...CLSID} = "Studio.Project"
                   \InProcServer32\(Default) = "D:\Program Files\Pinnacle\Studio 10\programs\BlueShellExt.dll" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 91 domain names to IP addresses,
      21 of the IP addresses are *not* localhost!
Post merged: 06.05.2007 (Sun) 14:27
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {b0, 2, 0, 804d71af}

ANALYSIS: Kernel with unknown size. Will force reload symbols with known size.
ANALYSIS: Force reload command: .reload /f ntoskrnl.exe=FFFFFFFF804D4000,1F2700,3D6DE35C
***** Kernel symbols are WRONG. Please fix symbols to do analysis.

Probably caused by : ntoskrnl.exe ( nt+31af )

Followup: MachineOwner
Logfile of HijackThis v1.99.1
Scan saved at 14:32:20, on 2007-05-06
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Razer\razertra.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Razer\razerofa.exe
C:\Program Files\Razer\razerhid.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Konnekt\konnekt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hamachi\hamachi.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
D:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.30gigs.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O1 - Hosts: 213.21.215.158 www.halifax-online.co.uk
O1 - Hosts: 213.21.215.158 ibank.barclays.co.uk
O1 - Hosts: 213.21.215.158 online.lloydstsb.co.uk
O1 - Hosts: 213.21.215.158 online-business.lloydstsb.co.uk
O1 - Hosts: 213.21.215.158 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 213.21.215.158 banesnet.banesto.es
O1 - Hosts: 213.21.215.158 extranet.banesto.es
O1 - Hosts: 213.21.215.158 ebanking.bccbrescia.it
O1 - Hosts: 213.21.215.158 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 213.21.215.158 oi.cajamadrid.es
O1 - Hosts: 213.21.215.158 bancae.caixapenedes.com
O1 - Hosts: 213.21.215.158 banking.postbank.de
O1 - Hosts: 213.21.215.158 meine.deutsche-bank.de
O1 - Hosts: 213.21.215.158 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 213.21.215.158 ibank.cahoot.com
O1 - Hosts: 213.21.215.158 webbank.openplan.co.uk
O1 - Hosts: 213.21.215.158 bancopostaonline.poste.it
O1 - Hosts: 213.21.215.158 mybank.bybank.it
O1 - Hosts: 213.21.215.158 ibank.internationalbanking.barclays.com
O1 - Hosts: 213.21.215.158 welcome7.co-operativebank.co.uk
O1 - Hosts: 213.21.215.158 welcome11.co-operativebankonline.co.uk
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MySearch Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MySearch\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DesktopX] "C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe"
O4 - HKCU\..\Run: [Konnekt] "d:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC40298F-60E5-403F-876B-1C5E4A29FB5C}: NameServer = 194.204.159.1,194.204.152.34
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
OK, I think that's everything
Start > Run > cmd and type:
sc stop "Network Monitor"
sc delete "Network Monitor"
Delete the folder marked in red from the disk by hand, and the entries in HJT
Paste into Notepad:
File > Save As > change the file type from .txt to All Files > save it under the name Fix.reg, e.g. on the
desktop > double-click Fix.reg > confirm > restart.
Edit the hosts file - C:\WINDOWS\System32\drivers\etc\HOSTS
only the line 127.0.0.1 localhost should be in there
So, more or less like this:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP
# for Windows.
#
# This file contains the mappings of IP addresses to host names.
# Each entry should be kept on an individual line.
# The IP address should be placed in the first column, followed by
# the corresponding host name. The address and the name should be
# separated by at least one space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the host name, denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
Post new HJT and Silent Runners logs (wait until it finishes its work and a message pops up).
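The Silent Runners summary above ("91 domain names ... 21 of the IP addresses are *not* localhost") and the clean-up Joan describes can be checked mechanically. The following is an added example, not code from this thread, Silent Runners or HijackThis: it parses a HOSTS file, groups every non-loopback mapping by target address (many unrelated names pointing at one address is the pattern seen in the O1 lines), and writes the cleaned file with only loopback entries left. The sample file, its placeholder address 198.51.100.10 and the bank-like names are constructed.

```python
from ipaddress import ip_address

# Constructed sample HOSTS file: legitimate header, loopback lines, then
# injected redirects in the three spellings a file can use (spaces, several
# names on one line, a tab). The address and host names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
::1             localhost
198.51.100.10   ibank.example-bank.test      # injected mapping (constructed)
198.51.100.10   online.other-bank.test www.other-bank.test
198.51.100.10\tbanking.third-bank.test
"""

LOCALHOST_LINE = "127.0.0.1       localhost"


def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping in a HOSTS file.

    Comments (whole-line or trailing '# ...') and blank lines are skipped,
    whitespace may be spaces or tabs, and one line may carry several names.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                    # malformed: address without a name
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                    # not an address at all; Windows ignores it too
        for host in fields[1:]:
            yield ip, host


def audit_hosts(text):
    """Group non-loopback mappings by target: {'ip': [hostnames...]}."""
    by_ip = {}
    for ip, host in parse_hosts(text):
        if ip.is_loopback:
            continue
        by_ip.setdefault(str(ip), []).append(host)
    return by_ip


def summarize(text):
    """The two numbers Silent Runners reports: (mapped names, names not on localhost)."""
    entries = list(parse_hosts(text))
    return len(entries), sum(1 for ip, _ in entries if not ip.is_loopback)


def clean_hosts(text):
    """Return the file with every non-loopback mapping removed.

    Comment and blank lines are preserved so the Microsoft header survives;
    if no '127.0.0.1 localhost' line is left, one is appended.
    """
    kept = []
    has_localhost = False
    for raw in text.splitlines():
        data = raw.split("#", 1)[0].strip()
        if not data:
            kept.append(raw)            # comment or blank line: keep verbatim
            continue
        fields = data.split()
        try:
            ip = ip_address(fields[0])
        except ValueError:
            continue                    # junk line: drop it
        if len(fields) < 2 or not ip.is_loopback:
            continue                    # the redirects go
        kept.append(raw)
        if ip == ip_address("127.0.0.1") and "localhost" in fields[1:]:
            has_localhost = True
    if not has_localhost:
        kept.append(LOCALHOST_LINE)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    names, redirected = summarize(SAMPLE_HOSTS)
    print(f"maps: {names} domain names, {redirected} not localhost")
    for ip, hosts in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{ip}: {', '.join(hosts)}")
    print(clean_hosts(SAMPLE_HOSTS))
```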
nera
(Nera5)
6 May 2007 14:33
#5
Thanks a lot, the internet works normally again
Logs, logs...
Logfile of HijackThis v1.99.1
Scan saved at 16:21:24, on 2007-05-06
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\LxrSII1s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Razer\razertra.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\DAEMON Tools\daemon.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
D:\Program Files\Winamp\winampa.exe
C:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Konnekt\konnekt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Hamachi\hamachi.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Rainlendar\Rainlendar.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.30gigs.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [razertra] C:\Program Files\Razer\razertra.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Konnekt] "d:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Rainlendar.lnk = D:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Utwórz łącze Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC40298F-60E5-403F-876B-1C5E4A29FB5C}: NameServer = 194.204.159.1,194.204.152.34
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Konnekt" = ""d:\Program Files\Konnekt\konnekt.exe" /autostart" ["Stamina"]
"H/PC Connection Agent" = ""D:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"razertra" = "C:\Program Files\Razer\razertra.exe" ["Razer Inc."]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"DAEMON Tools" = ""D:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"PWRISOVM.EXE" = "D:\Program Files\PowerISO\PWRISOVM.EXE" ["PowerISO Computing, Inc."]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
  \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "IeCatch2 Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"
  -> {HKCU...CLSID} = "QuickLoad.QuickLoadContextMenu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\mscoree.DLL" [MS]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
  -> {HKLM...CLSID} = "Urządzenie przenośne"
     \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~3\Wcesview.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "D:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Nera\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nera\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Startup items in "Nera" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\Nera\Menu Start\Programy\Autostart
"hamachi" -> shortcut to: "C:\Program Files\Hamachi\hamachi.exe" ["LogMeIn Inc."]
"Rainlendar" -> shortcut to: "D:\Program Files\Rainlendar\Rainlendar.exe" ["Rainy"]


Enabled Scheduled Tasks:
------------------------

"B08C733B9713E3BF" -> launches: "c:\docume~1\nera\daneap~1\eachst~1\SecondDentFirst.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
  -> {HKLM...CLSID} = "FlashGet Bar"
     \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{014DA6CE-189F-421A-88CD-07CFE51CFF10}\(Default) = "My Search Bar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
     \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Utwórz łącze Ulubione dla urządzenia przenośnego..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
     \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Lexar Secure II, LxrSII1s, "LxrSII1s.exe" [null data]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 492 seconds, including 8 seconds for message boxes)
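Reading a Silent Runners report by hand means scanning every launch point for two tags: "[file not found]" (the launch point survives but its target is gone, like the scheduled task above that points at SecondDentFirst.exe under the user profile) and "[null data]" (the file carries no CompanyName in its version resource). The bracketed name is read from the file's version information, not from an Authenticode signature, so a plausible vendor string proves nothing on its own. The script below is an added example, not part of this thread or of Silent Runners itself; it runs that triage over a few constructed lines copied from the report above (not the full report) and additionally flags binaries that live in user-writable profile directories (long and 8.3 short names, as on this Polish install) or are referenced by bare filename and therefore resolved through the search path.

```python
"""Triage launch points in a Silent Runners report.

Added example: not part of the forum thread or of Silent Runners itself.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: a handful of lines in the format Silent Runners
# prints, copied from the report posted above (not the full report).
SAMPLE_REPORT = r'''
"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"B08C733B9713E3BF" -> launches: "c:\docume~1\nera\daneap~1\eachst~1\SecondDentFirst.exe" [file not found]
Lexar Secure II, LxrSII1s, "LxrSII1s.exe" [null data]
"{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\mscoree.DLL" [MS]
'''

# Trailing "[...]" tag: Silent Runners prints the CompanyName from the file's
# version resource (or [MS], [null data], [file not found]) after each path.
TAG_RE = re.compile(r'\[([^\]]*)\]\s*$')
# First quoted token ending in an executable/DLL extension; the drive prefix
# is optional so bare filenames such as "deskpan.dll" are caught too.
PATH_RE = re.compile(
    r'"((?:[A-Za-z]:\\)?[^"]*?\.(?:exe|dll|vbs|bat|cmd|scr|com|pif))"', re.I)
# User-writable locations on a Polish XP install, long and 8.3 short forms.
USER_DIRS = ('docume~1', 'documents and settings', 'dane aplikacji', 'daneap~1',
             'ustawienia lokalne', 'application data', 'local settings', '\\temp\\')


class Finding(NamedTuple):
    path: str
    tag: str
    reasons: Tuple[str, ...]


def parse_launch_point(line: str) -> Optional[Tuple[str, str]]:
    """Return (path, tag) for a line naming a binary and a tag, else None."""
    tag_m = TAG_RE.search(line)
    if not tag_m:
        return None
    path_m = PATH_RE.search(line[:tag_m.start()])
    if not path_m:
        return None
    return path_m.group(1), tag_m.group(1).strip('"')


def assess(path: str, tag: str) -> Tuple[str, ...]:
    """Reasons a launch point deserves a closer look; empty tuple if none."""
    reasons = []
    if tag.lower() == 'file not found':
        reasons.append('orphaned launch point: target file is missing')
    elif tag.lower() == 'null data':
        reasons.append('no CompanyName in version info')
    low = path.lower()
    if any(d in low for d in USER_DIRS):
        reasons.append('runs from a user-writable profile directory')
    if not re.match(r'[a-z]:\\|%', low):
        reasons.append('bare filename, resolved through the search path')
    return tuple(reasons)


def triage(report: str) -> List[Finding]:
    """Flag every launch point in the report that has at least one reason."""
    findings = []
    for raw in report.splitlines():
        parsed = parse_launch_point(raw.strip())
        if parsed is None:
            continue
        path, tag = parsed
        reasons = assess(path, tag)
        if reasons:
            findings.append(Finding(path, tag, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_REPORT):
        print(f'{f.path} [{f.tag}]')
        for r in f.reasons:
            print(f'    - {r}')
```

On the sample it flags four entries (the orphaned scheduled task and deskpan.dll, plus the two binaries with no CompanyName) and leaves the vendor-tagged avgnt.exe and mscoree.DLL alone. A flag is a prompt to check the file's hash and its actual signature, not a verdict; WinRAR and Winamp components legitimately ship without a CompanyName field.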
Logs OK
Start > Run > cmd > type
Cosmetics:
Start > Run > msconfig > Startup > you can untick the above-mentioned.
If it doesn't need to start with the system, untick "run at startup" in the messenger.
And that's it.
nera
(Nera5)
6 May 2007 14:59
#7
Hm, unfortunately the schtasks command is not recognized.
Thanks for everything.
Joan
(Joan Sunshine)
6 May 2007 15:28
#8
nera, for the last time I am asking you to change the title of this thread to a specific one that describes the problem > use the button
Paste a new log from SilentRunners, use the NoLop tool.