FF otwiera mi dziwne strony, pojawil sie spysheriff etc

Dla specjalistów Bezpieczeństwo
#1

otwiera mi jakies dziwne strony, pojawil sie na pulpicie jakis spysheriff

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

F2 - REG:system.ini: Shell=Explorer.exe WunosJava.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,WunosJava.exe

O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmff_11.exe

O4 - HKLM\..\Run: [defender] C:\\dfndrff_11a.exe

O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_11a.exe

O4 - HKLM\..\Run: [djk4937e] RUNDLL32.EXE w02f3033.dll,n 0034937b0000000a02f3033

O4 - HKLM\..\RunServices: [Ms Java for Windows NT] WunosJava.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [mssp3] C:\WINNT\system32\mshost32.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [wqwm] C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - HKCU\..\RunServices: [Ms Java for Windows NT] WunosJava.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O20 - Winlogon Notify: Dynamic Directory - C:\WINNT\system32\gp46l3hs1.dll

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINNT\system32\msc.cpl

O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - C:\WINNT\system32\msp.cpl

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
#2

Użyj SmitFraudFix – tu masz opis.

Potem wklejasz z niego raport + nowe logi Hijack (cały !) + Daj log z Silent Runners – tu masz opis.

Zastosuj narzędzie Look2Me-Destroyer(ściągnij i włącz w trybie awaryjnym), po użyciu tego narzędzia daj log z L2MFix (instalujesz --> odpalasz --> wybierasz opcje tworzenia loga (nr 1). - nie restartuj kompa.

#3 
Logfile of HijackThis v1.99.1

Scan saved at 10:32:34, on 2006-08-22

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\hidserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\system32\WunosJava.exe

C:\WINNT\Explorer.exe

C:\WINNT\SOUNDMAN.EXE

C:\WINNT\VdCap03C\BisonCom.exe

C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\WINNT\system32\RUNDLL32.EXE

C:\Program Files\Skype\Phone\Skype.exe

C:\WINNT\system32\mshost32.exe

C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\PROGRA~1\COMMON~1\wqwm\wqwma.exe

C:\Documents and Settings\Administrator\Pulpit\HijackThis.exe

C:\PROGRA~1\COMMON~1\wqwm\wqwml.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

F2 - REG:system.ini: Shell=Explorer.exe WunosJava.exe

F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,WunosJava.exe

O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [djk4937e] RUNDLL32.EXE w02f3033.dll,n 0034937b0000000a02f3033

O4 - HKLM\..\RunServices: [Ms Java for Windows NT] WunosJava.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [mssp3] C:\WINNT\system32\mshost32.exe

O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

O4 - HKCU\..\Run: [wqwm] C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe

O4 - HKCU\..\RunServices: [Ms Java for Windows NT] WunosJava.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINNT\system32\j2p00c7mef.dll

O21 - SSODL: SysTray - {E61B5E20-DE35-11CF-9C87-1579005127ED} - C:\WINNT\system32\msc.cpl

O21 - SSODL: msp.cpl - {E21B5E20-DE35-11CF-9C87-157900512701} - C:\WINNT\system32\msp.cpl

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

SmitFraudFix v2.81


Scan done at 10:20:13,53, Wt 2006-08-22

Run from C:\Documents and Settings\Administrator\Pulpit\SmitfraudFix

OS: Microsoft Windows 2000 [Wersja 5.00.2195] - Windows_NT

Fix ran in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


C:\defender??.exe Deleted

C:\drsmartload?.exe Deleted

C:\drsmartload????.exe Deleted

C:\keyboard??.exe Deleted

C:\MTE3NDI6ODoxNg.exe Deleted

C:\newname??.exe Deleted

C:\stub_113_4_0_4_0.exe Deleted

C:\uniq Deleted

C:\winstall.exe Deleted

C:\WINNT\icont.exe Deleted

C:\DOCUME~1\ADMINI~1\Pulpit\SpySheriff.lnk Deleted

C:\DOCUME~1\ADMINI~1\MENUST~1\Programy\SpySheriff Deleted

C:\Program Files\SpySheriff\ Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End


[/code]

[code]L2MFIX find log 032106 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 “Logoff”=“ChainWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Logoff”=“CryptnetWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] “DLLName”=“cscdll.dll” “Logon”=“WinlogonLogonEvent” “Logoff”=“WinlogonLogoffEvent” “ScreenSaver”=“WinlogonScreenSaverEvent” “Startup”=“WinlogonStartupEvent” “Shutdown”=“WinlogonShutdownEvent” “StartShell”=“WinlogonStartShellEvent” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] “Logoff”=“WLEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 “DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] “DLLName”=“WlNotify.dll” “Lock”=“SensLockEvent” “Logon”=“SensLogonEvent” “Logoff”=“SensLogoffEvent” “Safe”=dword:00000001 “MaxWait”=dword:00000258 “StartScreenSaver”=“SensStartScreenSaverEvent” “StopScreenSaver”=“SensStopScreenSaverEvent” “Startup”=“SensStartupEvent” “Shutdown”=“SensShutdownEvent” “StartShell”=“SensStartShellEvent” “Unlock”=“SensUnlockEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck] “Asynchronous”=dword:00000000 “DllName”=“C:\WINNT\system32\j2p00c7mef.dll” “Impersonate”=dword:00000000 “Logon”=“WinLogon” “Logoff”=“WinLogoff” “Shutdown”=“WinShutdown” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif] “DLLName”=“wzcdlg.dll” “Logon”=“WZCEventLogon” “Logoff”=“WZCEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000000 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] “{CB22BEFC-3660-D38A-BD9B-02AC6703EE03}”="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{00022613-0000-0000-C000-000000000046}”=“Karta waciwoci pliku multimedialnego” “{176d6597-26d3-11d1-b350-080036a75b03}”=“ZarzĄdzanie skanerem ICM” “{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=“Strona zabezpieczeä NTFS” “{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=“Strona waciwoci OLE Docfile” “{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{41E300E0-78B6-11ce-849B-444553540000}”=“Rozszerzenie CPL pakietu PlusPack” “{42071712-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL karty graficznej” “{42071713-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL monitora wywietlania” “{42071714-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL kadrowania wywietlania” “{4E40F770-369C-11d0-8922-00A024AB2DBB}”=“Strona zabezpieczeä usugi DS” “{56117100-C0CD-101B-81E2-00AA004AE837}”=“Program obsugi danych wycinkowych powoki” “{59099400-57FF-11CE-BD94-0020AF85B590}”=“Rozszerzenie Disc Copy” “{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=“Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network” “{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=“ZarzĄdzanie monitorem ICM” “{675F097E-4C4D-11D0-B6C1-0800091AA605}”=“ZarzĄdzanie drukarkĄ ICM” “{764BF0E1-F219-11ce-972D-00AA00A14F56}”=“Rozszerzenia powoki dla kompresji plik˘w” “{77597368-7b15-11d0-a0c2-080036af3f03}”=“Rozszerzenie powoki drukarek sieci Web” “{7988B573-EC89-11cf-9C00-00AA00A14F56}”=“Disk Quota UI” “{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=“Menu kontekstowe szyfrowania” “{85BBD920-42A0-1069-A2E4-08002B30309D}”=“Akt˘wka” “{88895560-9AA2-1069-930E-00AA0030EBC8}”=“Rozszerzenie ikony HyperTerminalu” “{BD84B380-8CA2-1069-AB1D-08000948F534}”=“Fonts” “{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=“Profil ICC” “{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=“Strona zabezpieczeä drukarek” “{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=“Display TroubleShoot CPL Extension” “{60254CA5-953B-11CF-8C96-00AA00B8708C}”=“Rozszerzenie powloki dla programu Windows Script Host” “{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto PKO” “{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto Sign” “{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=“PoĄczenia sieciowe i telefoniczne” “{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=“Favorites Band” “{0A89A860-D7B1-11CE-8350-444553540000}”=“Shell Automation Inproc Service” “{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=“Shell DocObject Viewer” “{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=“InternetShortcut” “{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=“Microsoft Url History Service” “{FF393560-C2A7-11CF-BFF4-444553540000}”=“Historia” “{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=“Microsoft Url Search Hook” “{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=“Ekran powitalny pakietu IE4” “{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=“CDF Extension Copy Hook” “{131A6951-7F78-11D0-A979-00C04FD705A2}”=“ISFBand OC” “{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=“Search Assistant OC” “{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=“Internet” “{871C5380-42A0-1069-A2EA-08002B30309D}”=“Internet Name Space” “{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Icon Handler” “{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Shell Extension” “{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=“Zaplanowane zadania” “{1A9BA3A0-143A-11CF-8350-444553540000}”=“Folder Ulubione powoki” “{20D04FE0-3AEA-1069-A2D8-08002B30309D}”=“M˘j komputer” “{86747AC0-42A0-1069-A2E6-08002B30309D}”=“Folder Akt˘wka” “{0AFACED1-E828-11D1-9187-B532F1E9575D}”=“Skr˘t folderu” “{12518493-00B2-11d2-9FA5-9E3420524153}”=“Wolumin zainstalowany” “{21B22460-3AEA-1069-A2DC-08002B30309D}”=“Rozszerzenie strony waciwoci pliku” “{B091E540-83E3-11CF-A713-0020AFD79762}”=“Strona typ˘w plik˘w” “{FBF23B41-E3F0-101B-8488-00AA003E56F8}”=“Przechwytywanie plik˘w typu MIME” “{C2FBB630-2971-11d1-A18C-00C04FD75D13}”=“Usuga Microsoft CopyTo” “{C2FBB631-2971-11d1-A18C-00C04FD75D13}”=“Usuga Microsoft MoveTo” “{13709620-C279-11CE-A49E-444553540000}”=“Usuga automatyzacji powoki” “{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}”=“Widok folderu automatyzacji powoki” “{4622AD11-FF23-11d0-8D34-00A0C90F2719}”=“Menu Start” “{7BA4C740-9E81-11CF-99D3-00AA004AE837}”=“Usuga Microsoft SendTo” “{D969A300-E7FF-11d0-A93B-00A0C90F2719}”=“Usuga Microsoft New Object” “{09799AFB-AD67-11d1-ABCD-00C04FC30936}”=“Obsuga menu kontekstowego “Otw˘rz z”” “{3FC0B520-68A9-11D0-8D77-00C04FD70822}”=“Wywietlaj rozszerzenia HTML Panelu sterowania” “{75048700-EF1F-11D0-9888-006097DEACF9}”=“ActiveDesktop” “{6D5313C0-8C62-11D1-B2CD-006097DF8C11}”=“Rozszerzenie strony waciwoci Opcje folder˘w” “{57651662-CE3E-11D0-8D77-00C04FC99D61}”=“CmdFileIcon” “{4657278A-411B-11d2-839A-00C04FD918D0}”=“Pomocnik dla operacji przeciĄgania i upuszczania powoki” “{A470F8CF-A1E8-4f65-8335-227475AA5C46}”=“Dodaj opcj© szyfrowania do menu kontekstowych w Eksploratorze” “{5E6AB780-7743-11CF-A12B-00AA004AE837}”=“Pasek narz©dzi programu Microsoft Internet” “{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=“Stan pobierania” “{568804CA-CBD7-11d0-9816-00C04FD91972}”=“Folder powoki menu” “{5b4dae26-b807-11d0-9815-00c04fd91972}”=“Pasek menu” “{8278F931-2A3E-11d2-838F-00C04FD918D0}”=“Menu powoki ledzenia” “{E13EF4E4-D2F2-11d0-9816-00C04FD91972}”=“Lokacja menu” “{ECD4FC4F-521C-11D0-B792-00A0C90312E1}”=“Pasek pulpitu menu” “{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=“Folder powoki zwi©kszonej” “{6413BA2C-B461-11d1-A18A-080036B11A03}”=“Folder powoki zwi©kszonej 2” “{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=“BandProxy” “{D82BE2B0-5764-11D0-A96E-00C04FD705A2}”=“IPasek folder˘w powoki” “{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=“Pasek przeglĄdarki Microsoft” “{30D02401-6A81-11d0-8274-00C04FD5AE38}”=“Pasek wyszukiwania” “{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=“Wyszukiwanie w okienku” “{07798131-AF23-11d1-9111-00A0C98BA67D}”=“Wyszukiwanie w sieci Web” “{0E5CBF21-D15F-11d0-8301-00AA005B4383}”="&ťĄcza" “{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=“Narz©dzie opcji drzewa rejestru” “{01E04581-4EEE-11d0-BFE9-00AA005B4383}”="&Adres" “{A08C11D2-A228-11d0-825B-00AA005B4383}”=“Pole edycji adresu” “{00BB2763-6A77-11D0-A535-00C04FD7D062}”=“Autouzupenianie Microsoft” “{7487cd30-f71a-11d0-9ea7-00805f714772}”=“Obraz miniatury” “{7376D660-C583-11d0-A3A5-00C04FD706EC}”=“Wyodr©bnianie obraz˘w Trident” “{6756A641-DE71-11d0-831B-00AA005B4383}”=“Lista autouzupeniania MRU” “{00BB2764-6A77-11D0-A535-00C04FD7D062}”=“Lista autouzupeniania historii Microsoft” “{03C036F1-A186-11D0-824A-00AA005B4383}”=“Lista autouzupeniania folderu powoki Microsoft” “{00BB2765-6A77-11D0-A535-00C04FD7D062}”=“Kontener wielu list autouzupeniania Microsoft” “{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=“Menu witryny paska powoki” “{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=“Shell DeskBarApp” “{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=“Pasek pulpitu powoki” “{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=“Shell Rebar BandSite” “{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=“Pomoc dla uľytkownika” “{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=“Globalne ustawienia folder˘w” “{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{88C6C381-2E85-11D0-94DE-444553540000}”=“Folder pami©ci podr©cznej ActiveX” “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=“WebCheck” “{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=“Subscription Mgr” “{F5175861-2688-11d0-9C5E-00AA00A45957}”=“Folder subskrypcji” “{08165EA0-E946-11CF-9C87-00AA005127ED}”=“WebCheckWebCrawler” “{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=“WebCheckChannelAgent” “{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=“TrayAgent” “{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=“Code Download Agent” “{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=“ConnectionAgent” “{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=“PostAgent” “{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=“WebCheck SyncMgr Handler” “{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}”=“Miniatury” “{EAB841A0-9550-11CF-8C16-00805F1408F3}”=“Rozpakowywacz miniatur HTML” “{1AEB1360-5AFC-11D0-B806-00C04FD706EC}”=“Rozpakowywacz miniatur filtr˘w graficznych Office” “{9DBD2C50-62AD-11D0-B806-00C04FD706EC}”=“Informacje podsumowujĄce obsugi miniatur (DOCFILES)” “{500202A0-731E-11D0-B829-00C04FD706EC}”=“Obsuga interfejsu miniatur plik˘w typu LNK” “{352EC2B7-8B9A-11D1-B8AE-006008059382}”=“Menedľer aplikacji powoki” “{0B124F8C-91F0-11D1-B8B5-006008059382}”=“Wyliczanie zainstalowanych aplikacji” “{CFCCC7A0-A282-11D1-9082-006008059382}”=“Darwin App Publisher” “{fe1290f0-cfbd-11cf-a330-00aa00c16e65}”=“Directory Namespace” “{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=“Shell properties for a DS object” “{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=“Directory Query UI” “{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=“Directory Object Find” “{F020E586-5264-11d1-A532-0000F8757D7E}”=“Directory Start/Search Find” “{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=“Directory Property UI” “{62AE1F9A-126A-11D0-A14B-0800361B1103}”=“Directory Context Menu Verbs” “{450D8FBA-AD25-11D0-98A8-0800361B1103}”=“MyDocs Folder” “{ECF03A33-103D-11d2-854D-006008059367}”=“MyDocs Copy Hook” “{ECF03A32-103D-11d2-854D-006008059367}”=“MyDocs Drop Target” “{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=“MyDocs Properties” “{750fdf0e-2a26-11d1-a3ea-080036587f03}”=“Menu plik˘w trybu offline” “{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=“Opcje folderu plik˘w trybu offline” “{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=“Folder plik˘w trybu offline” “{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=“MMC Icon Handler” “{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=".CAB file viewer" “{2F603045-309F-11CF-9774-0020AFD0CFF6}”=“Synaptics Control Panel” “{32683183-48a0-441b-a342-7c2a440a9478}”=“Pasek multimedi˘w” “{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}”=“Niestandardowa lista autouzupeniania MRU” “{7e653215-fa25-46bd-a339-34a2790f3cb7}”=“Dost©pny” “{acf35015-526e-4230-9596-becbe19f0ac9}”=“Pasek podr©czny ledzenia” “{E0E11A09-5CB8-4B6C-8332-E00720A168F2}”=“Analizator paska adresu” “{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}”=“Microsoft Browser Architecture” “{7BD29E01-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{EFA24E64-B078-11d0-89E4-00C04FC9E26E}”=“Pasek eksploratora” “{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=“Plik kanau” “{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=“Skr˘t kanau” “{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=“Obiekt obsugi kanau” “{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=“Channel Menu” “{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=“Channel Properties” “{32714800-2E5F-11d0-8B85-00AA0044F941}”="&Do os˘b…" “{2206CDB2-19C1-11D1-89E0-00C04FD7A829}”=“Microsoft Data Link” “{BDEADF00-C265-11D0-BCED-00A0C90AB50F}”=“Foldery w sieci Web” “{42042206-2D85-11D3-8CFF-005004838597}”=“Microsoft Office HTML Icon Handler” “{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}”="" “{23170F69-40C1-278A-1000-000100020000}”=“7-Zip Shell Extension” ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}] @="" [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}\Implemented Categories{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}\InprocServer32] @=“C:\WINNT\system32\dbauth.dll” “ThreadingModel”=“Apartment” ********************************************************************************** Files Found are not all bad files: C:\WINNT\SYSTEM32\ acmeter.dll Tue 2006-08-22 10:19:08 …S.R 234 272 228,78 K dbauth.dll Tue 2006-08-22 10:47:06 …S.R 234 344 228,85 K djk4937e.dll Sun 2006-08-20 21:26:12 A… 61 952 60,50 K ivlmgicd.dll Tue 2006-08-22 10:31:16 …S.R 234 344 228,85 K j2p00c~1.dll Tue 2006-08-22 10:19:08 …S.R 234 344 228,85 K jtp607~1.dll Tue 2006-08-22 10:29:08 …S.R 234 272 228,78 K lvrs09~1.dll Tue 2006-08-22 10:36:16 …S.R 234 344 228,85 K oyjsel.dll Mon 2006-08-21 7:46:20 …S.R 234 272 228,78 K rafsaps.dll Sun 2006-08-20 21:26:00 …S.R 234 272 228,78 K rrsdlg.dll Sun 2006-08-20 21:25:42 …S.R 234 272 228,78 K rysmans.dll Sun 2006-08-20 21:25:46 …S.R 234 272 228,78 K t8r8li~1.dll Mon 2006-08-21 7:42:42 …S.R 234 272 228,78 K w02f3033.dll Sun 2006-08-20 21:26:06 A… 29 696 29,00 K 13 items found: 13 files (11 H/S), 0 directories. Total of file sizes: 2 668 928 bytes 2,54 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Wolumin w stacji C nie ma etykiety. Numer seryjny woluminu: 849F-E539 Katalog: C:\WINNT\System32 2006-08-22 10:47 234˙344 dbauth.dll 2006-08-22 10:36 234˙344 lvrs0997e.dll 2006-08-22 10:31 234˙344 iVlmgicd.dll 2006-08-22 10:29 234˙272 jtp6077se.dll 2006-08-22 10:19 234˙272 acmeter.dll 2006-08-22 10:19 234˙344 j2p00c7mef.dll 2006-08-21 07:46 234˙272 oyjsel.dll 2006-08-21 07:42 234˙272 t8r8li9u18.dll 2006-08-20 21:25 234˙272 rafsaps.dll 2006-08-20 21:25 234˙272 rYsmans.dll 2006-08-20 21:25 234˙272 RRSDLG.DLL 2006-06-05 09:44

[code]“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “mssp3” = “C:\WINNT\system32\mshost32.exe” [null data] “shell” = ““C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”” [null data] “wqwm” = “C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe” [empty string] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “BisonCom” = “C:\WINNT\VdCap03C\BisonCom” [null data] “Synchronization Manager” = “mobsync.exe /logon” [MS] “Picasa Media Detector” = “C:\Program Files\Picasa2\PicasaMediaDetector.exe” [“Google Inc.”] “djk4937e” = “RUNDLL32.EXE w02f3033.dll,n 0034937b0000000a02f3033” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINNT\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\acmeter.dll” [null data] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “” = “{E61B5E20-DE35-11CF-9C87-1579005127ED}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\msc.cpl” [null data] “msp.cpl” = “{E21B5E20-DE35-11CF-9C87-157900512701}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\msp.cpl” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “Shell” = “Explorer.exe WunosJava.exe” [MS], [null data] INFECTION WARNING! “Userinit” = “C:\WINNT\system32\userinit.exe,WunosJava.exe” [MS], [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! Run\DLLName = “C:\WINNT\system32\gp46l3hs1.dll” [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Startup items in “Administrator” & “All Users” startup folders: --------------------------------------------------------------- C:\Documents and Settings\All Users.WINNT\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\rnr20.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 12 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ “{44BE0690-5429-47F0-85BB-3FFD8020233E}” = “44BE0690-5429-47f0-85BB-3FFD8020233E” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [“Effective-i Inc.”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{44BE0690-5429-47F0-85BB-3FFD8020233E}” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [“Effective-i Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{44BE0690-5429-47F0-85BB-3FFD8020233E}” = “UCmore - The Search Accelerator” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [“Effective-i Inc.”] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- DSDM DDE sieci, NetDDEdsdm, “C:\WINNT\system32\netdde.exe” [MS] HID Input Service, HidServ, “C:\WINNT\system32\hidserv.exe” [MS] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Office Source Engine, ose, ““C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE”” [MS] System zdarzeń COM+, EventSystem, “C:\WINNT\system32\svchost.exe -k netsvcs” {“C:\WINNT\system32\es.dll” [null data]} Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINNT\System32\dmadmin.exe /com” [“VERITAS Software Corp.”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] PDF-XChange\Driver = “pxc25pm.dll” [“Tracker Software”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 32 seconds, including 17 seconds for message boxes)

Złączono Posta : 22.08.2006 (Wto) 9:54

jeden tylko problem look2me-destroyer nie dal sie odpalic

metoda zaplanowanych zadan rowniez

wylatuje jakis blad ze pamiec nie moze byc read

zarowno w awaryjnym jak i normalnym

#4

Proszę zmienić temat na konkretny, mówiący o problemie.

#5

zmienilem temat, pojawily sie dodatkowe problemy

wyskakuje komunikat ze pamiec nie moze byc “read” oraz “written”

Look2me-destroyer informuje ze zaplanowane zadania nie sa wlaczone i ze je wlacza. po kliknieciu ok wyskakuje juz prawidlowo ze po minucie odpali sie znowu, nie odpala sie wiec uruchamiam zaplanowane zadania i wyskakuja bledy “read” albo “Written” i tak w kolo macieju