abdull1
(abdull1)
22 Styczeń 2007 12:44
#1
Logfile of HijackThis v1.99.1 Scan saved at 13:31:06, on 2007-01-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\HASPSrv.exe C:\WINDOWS\runservice.exe C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\system32\game1.exe C:\WINDOWS\system32\game4.exe C:\Program Files\Internet Explorer\iexplore.exe D:\bzyku nie wchodzic\gg\Gadu-Gadu\gg.exe D:\anty wiry\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [autoclk] autoclk.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKLM…\Run: [sysinter] C:\WINDOWS\system32\adirss.exe O4 - HKLM…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O4 - HKLM…\Run: [clcbt.exe] C:\WINDOWS\system32\clcbt.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\all player\Ebay\Ebay.htm (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_67.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 6302967234 O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_46.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/eng/soccer_2_0_0_13.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_28.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: HASPSrv - ComArch - C:\WINDOWS\system32\HASPSrv.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
komputer strasznie zamula i internet
po logu widać że chyba aktualizacje się ściągają ale czy te procesy to normalka ?
adam9870
(adam9870)
22 Styczeń 2007 12:54
#2
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\alsys.exe
C:\WINDOWS\system32\clcbt.exe
po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, a dopiero po wklejeniu ostatniej zgadzasz się na restart.
Wpisy usuń HJT.
Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .
Przeskanuj te pliki na stronie http://virusscan.jotti.org/ , a jeśli okażą się szkodnikami to ich ścieżki również wklej do killboxa.
adam9870
(adam9870)
22 Styczeń 2007 13:34
#4
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.
Po wykonaniu wklej nowe logi.
adam9870
(adam9870)
22 Styczeń 2007 14:23
#6
Zrobiłeś to co napisałem bo dalej siedzi :?
Start = uruchom => wpisz regedit i kliknij OK => przejdź do klucza:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
i skasuj z prawokliku znajdującą się tam wartość Agent
Przejdź do klucza:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
i skasuj z prawokliku znajdującą się tam wartość {696BA0E1-9C52-4868-9CE9-0F7E7DAC0106}
Przejdź do klucza:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
i skasuj następujące wartości:
{A46979D3-721C-4D68-A6A4-33EE4287B653}
{7A72D90A-A5C1-45E7-138A-DACF0990791C}
{F45BDCEF-A2AF-4F1B-D8A2-2784F1407FC4}
{574BD7DA-43BD-47B2-A6BB-B31A1AED2D6E}
{79A35455-0B86-492B-99BB-1C21E49E9D38}
Usuń HJT jeśli będą.
Po wykonaniu najlepiej uruchom ponownie komputer i wklej nowe logi.
abdull1
(abdull1)
22 Styczeń 2007 15:16
#7
Logfile of HijackThis v1.99.1 Scan saved at 16:06:11, on 2007-01-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\HASPSrv.exe C:\WINDOWS\runservice.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe D:\bzyku nie wchodzic\gg\Gadu-Gadu\gg.exe D:\anty wiry\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [autoclk] autoclk.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\all player\Ebay\Ebay.htm (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_67.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 6302967234 O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_46.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/eng/soccer_2_0_0_13.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_28.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: HASPSrv - ComArch - C:\WINDOWS\system32\HASPSrv.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “autoclk” = “autoclk.exe” [file not found] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “avgnt” = ““C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“H+BEDV Datentechnik GmbH”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “E:\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}” = “eLicense Control” -> {HKLM…CLSID} = “eLicense Control” \InProcServer32(Default) = “C:\WINDOWS\lcmmfu.cpl” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\OFFICE~1\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “E:\TATA\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{2B3453E4-49DF-11D3-8229-0080BE509050}” = “GMail Drive” -> {HKLM…CLSID} = “GMail Drive” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509052}” = “GMailFS Property Sheet” -> {HKLM…CLSID} = “GMailFS Property Sheet” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509054}” = “GMailFS Drop Handler” -> {HKLM…CLSID} = “GMailFS Drop Handler” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509056}” = “GMailFS Context Menu” -> {HKLM…CLSID} = “GMailFS Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “E:\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “%APPDATA%\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Jola\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\sspipes.scr” [MS] Startup items in “Jola” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Service Manager” -> shortcut to: “C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 14 - 15 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll” [“Yahoo! Inc.”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” -> {HKLM…CLSID} = “Web Browser Applet Control” \InProcServer32(Default) = “C:\WINDOWS\system32\msjava.dll” [MS] {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\ “ButtonText” = “eBay - Homepage” “CLSIDExtension” = “{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}” -> {HKLM…CLSID} = “Toolbar Extension for Executable” \InProcServer32(Default) = “C:\WINDOWS\System32\shdocvw.dll” [MS] “Exec” = “E:\all player\Ebay\Ebay.htm” [file not found] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Service, AntiVirService, “C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”] AntiVir Scheduler, AntiVirScheduler, “C:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] HASPSrv, HASPSrv, “C:\WINDOWS\system32\HASPSrv.exe” [“ComArch”] LicCtrl Service, LicCtrlService, “C:\WINDOWS\runservice.exe” [null data] MSSQL$CDN_OPTIMA, MSSQL$CDN_OPTIMA, “C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe -sCDN_OPTIMA” [MS] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 65 seconds, including 2 seconds for message boxes)
EDIT: Próbowałem to “All Player Ebay” usunąć Hi Jackiem , ale nic z tego dalej jest.
adam9870
(adam9870)
22 Styczeń 2007 15:22
#8
Już jest ok.
To tylko kosmetyka więc nie musiałeś tego wpisu usuwać. Jeśli chcesz to przeczyść rejestr. Wykonanie tej czynności powinno przynieść taki sam efekt. opis
abdull1
(abdull1)
23 Styczeń 2007 10:43
#9
Dobra .
Dzieki
EDIT:
Dzis rano znow zaczął mi mulić net. Zrobiłem scana Hi jackiem i zauważyłem że znów cos chyba siedzi ( alsys.exe)
Logfile of HijackThis v1.99.1 Scan saved at 11:45:08, on 2007-01-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\HASPSrv.exe C:\WINDOWS\runservice.exe C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\WINDOWS\system32\cidaemon.exe D:\bzyku nie wchodzic\gg\Gadu-Gadu\gg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jola\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [autoclk] autoclk.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKLM…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\all player\Ebay\Ebay.htm (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_67.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 6302967234 O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_46.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/eng/soccer_2_0_0_13.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_28.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: HASPSrv - ComArch - C:\WINDOWS\system32\HASPSrv.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
adam9870
(adam9870)
23 Styczeń 2007 10:48
#10
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Plik usuń ręcznie w trybie awaryjnym, a wpisy HJT.
Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .
abdull1
(abdull1)
23 Styczeń 2007 11:38
#11
Uzyełem tego programiku , i oprocz jednego wszytkie mam na zielono. ( jedno jest żółte) .
Co sie tyczy tych alsys , jest maly problem.
Przeszłem na tryb awaryjny, ale nie mogłem znajść tych plików.
Wogóle nie było zadnego o takiej czy nawet podobnej nazwie.
To All player, usunałem ale dalej jest .
Sprobowac jeszcze raz Kill boxem?
PS: A tak marginesie musze wspomnieć , że odrana Komp SAM mi się zrestartowal juz chyba 7 razy.
Logfile of HijackThis v1.99.1 Scan saved at 12:43:24, on 2007-01-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\HASPSrv.exe C:\WINDOWS\runservice.exe C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Jola\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [autoclk] autoclk.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKLM…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\all player\Ebay\Ebay.htm (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_67.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 6302967234 O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_46.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/eng/soccer_2_0_0_13.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_28.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: HASPSrv - ComArch - C:\WINDOWS\system32\HASPSrv.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Agent” = “C:\WINDOWS\system32\alsys.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “autoclk” = “autoclk.exe” [file not found] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “avgnt” = ““C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“H+BEDV Datentechnik GmbH”] “Agent” = “C:\WINDOWS\system32\alsys.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “E:\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}” = “eLicense Control” -> {HKLM…CLSID} = “eLicense Control” \InProcServer32(Default) = “C:\WINDOWS\lcmmfu.cpl” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\OFFICE~1\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “E:\TATA\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{2B3453E4-49DF-11D3-8229-0080BE509050}” = “GMail Drive” -> {HKLM…CLSID} = “GMail Drive” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509052}” = “GMailFS Property Sheet” -> {HKLM…CLSID} = “GMailFS Property Sheet” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509054}” = “GMailFS Drop Handler” -> {HKLM…CLSID} = “GMailFS Drop Handler” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509056}” = “GMailFS Context Menu” -> {HKLM…CLSID} = “GMailFS Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “E:\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “%APPDATA%\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Jola\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\sspipes.scr” [MS] Startup items in “Jola” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Service Manager” -> shortcut to: “C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 14 - 15 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll” [“Yahoo! Inc.”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” -> {HKLM…CLSID} = “Web Browser Applet Control” \InProcServer32(Default) = “C:\WINDOWS\system32\msjava.dll” [MS] {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\ “ButtonText” = “eBay - Homepage” “CLSIDExtension” = “{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}” -> {HKLM…CLSID} = “Toolbar Extension for Executable” \InProcServer32(Default) = “C:\WINDOWS\System32\shdocvw.dll” [MS] “Exec” = “E:\all player\Ebay\Ebay.htm” [file not found] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Service, AntiVirService, “C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”] AntiVir Scheduler, AntiVirScheduler, “C:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] HASPSrv, HASPSrv, “C:\WINDOWS\system32\HASPSrv.exe” [“ComArch”] LicCtrl Service, LicCtrlService, “C:\WINDOWS\runservice.exe” [null data] MSSQL$CDN_OPTIMA, MSSQL$CDN_OPTIMA, “C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe -sCDN_OPTIMA” [MS] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 55 seconds, including 3 seconds for message boxes)
adam9870
(adam9870)
23 Styczeń 2007 11:47
#12
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
C:\WINDOWS\system32\alsys.exe
Klikasz X czerwony i restart kompa.
Usuń HJT.
Po wykonaniu wklej nowe logi.
Podczas wykonywania jakich czynności komputer się zrestartował?
Czy wcześniej także tak się działo?
Instalowałeś coś ostatnio?
Wywołaj BSOD i spisz kod błędu na kartkę, który później przedstaw na forum.
http://portal.centrumxp.pl/forums/thread/169899.aspx
Sprawdź czy masz jakieś minidump’y, a jeśli tak to wklej zawartość np. 2 dwóch najnowszych.
http://forum.dobreprogramy.pl/viewtopic … 327#797327
abdull1
(abdull1)
23 Styczeń 2007 17:58
#13
Logfile of HijackThis v1.99.1 Scan saved at 13:12:15, on 2007-01-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\HASPSrv.exe C:\WINDOWS\runservice.exe C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\Jola\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [autoclk] autoclk.exe O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - E:\all player\Ebay\Ebay.htm (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_67.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 6302967234 O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab O16 - DPF: {BFA1F11D-3121-AFE1-4112-894323212DAC} (GameDesire Word Games) - http://67.15.101.3/g_bin/eng/words_2_0_0_46.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/eng/soccer_2_0_0_13.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/eng/billard8_2_0_0_28.cab O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/eng/snooker_2_0_0_28.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: HASPSrv - ComArch - C:\WINDOWS\system32\HASPSrv.exe O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe.
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “autoclk” = “autoclk.exe” [file not found] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “avgnt” = ““C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“H+BEDV Datentechnik GmbH”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “E:\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}” = “eLicense Control” -> {HKLM…CLSID} = “eLicense Control” \InProcServer32(Default) = “C:\WINDOWS\lcmmfu.cpl” [null data] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\OFFICE~1\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] “{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile” -> {HKLM…CLSID} = “Mobile” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile ContextMenuHandler” -> {HKLM…CLSID} = “Mobile ContextMenuHandler” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}” = “Mobile PropertySheetHandler” -> {HKLM…CLSID} = “Mobile PropertySheetHandler” \InProcServer32(Default) = “E:\Nowy folder\DES\DESShellExt.dll” [file not found] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “E:\TATA\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{2B3453E4-49DF-11D3-8229-0080BE509050}” = “GMail Drive” -> {HKLM…CLSID} = “GMail Drive” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509052}” = “GMailFS Property Sheet” -> {HKLM…CLSID} = “GMailFS Property Sheet” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509054}” = “GMailFS Drop Handler” -> {HKLM…CLSID} = “GMailFS Drop Handler” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] “{2B3453E4-49DF-11D3-8229-0080BE509056}” = “GMailFS Context Menu” -> {HKLM…CLSID} = “GMailFS Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\GMailFS.dll” [“Bjarke Viksoe”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “E:\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program do rozpakowywania\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “%APPDATA%\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Jola\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\sspipes.scr” [MS] Startup items in “Jola” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Service Manager” -> shortcut to: “C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 14 - 15 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll” [“Yahoo! Inc.”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” -> {HKLM…CLSID} = “Web Browser Applet Control” \InProcServer32(Default) = “C:\WINDOWS\system32\msjava.dll” [MS] {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\ “ButtonText” = “eBay - Homepage” “CLSIDExtension” = “{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}” -> {HKLM…CLSID} = “Toolbar Extension for Executable” \InProcServer32(Default) = “C:\WINDOWS\System32\shdocvw.dll” [MS] “Exec” = “E:\all player\Ebay\Ebay.htm” [file not found] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Service, AntiVirService, “C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”] AntiVir Scheduler, AntiVirScheduler, “C:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] HASPSrv, HASPSrv, “C:\WINDOWS\system32\HASPSrv.exe” [“ComArch”] LicCtrl Service, LicCtrlService, “C:\WINDOWS\runservice.exe” [null data] MSSQL$CDN_OPTIMA, MSSQL$CDN_OPTIMA, “C:\Program Files\Microsoft SQL Server\MSSQL$CDN_OPTIMA\Binn\sqlservr.exe -sCDN_OPTIMA” [MS] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs Inc.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 65 seconds, including 3 seconds for message boxes)
EDIT:
Weszlem tam do rejestru , ale nie musiałem zmieniać na 0 ponieważ juztak było.
Odznaczyełem tylko we właściwościach automatyczne uruchamianie.
Niestety nie wiem jak mam tego blue screena zrobic .
Włączałem go , naciskalem na net i sie restartował.
Nie naciskałem na nic, też się restartował,
I tak kilka razy od samego rana.
Nie, tak jak pisałem od rana dzisiejszego dnia .
Jak działa ten program do sprawdzania Minidumpow?
Ściągnałem to , otwieram ten programik i co mam zrobić?
Gutek
(Gutek)
23 Styczeń 2007 18:07
#14
Zobacz http://portal.centrumxp.pl/forums/thread/165818.aspx na Debugging Tools for Windows
Jest już Ok log
abdull1
(abdull1)
24 Styczeń 2007 18:04
#15
Chyba dam sobie spokój . Nie mam zielonego pojęcia jak to zrobić.
Dałem to Open Crush Dump i otowrzylo sie tam gdzie mam to zainstalowane i mam coś wybrać. Nazwa pliku Memory .
"…Pojawia sie okienko, w którym mysimy wskazać plik *.dmp.
Najcęsciej znajdują sie one w %windir%\minidump\
Wybieramy plik (np.: Mini082205–01.dmp) najlepiej źeby data odpowiadała BSOD’owi…"
A z tego opisu nie potrafię tego zrobić .
Ważnie że logi są już dobre .
A po odznaczeniu automatycznego restatru , już się nie restartuje. Więc raczej powinno być ok.
Dzięki jeszcze raz za pomoc.
EDIT: Jednak chyba się pospieszyłem
Komp znowu sie SAM zrestartował , tylko tym razme pojawił sie na niebieskim tle jakiś komunikat. Z tego co zapamiętałem to chyba był to ten Blue Scrren . Przepisałem ten kod.
** STOP: 0x0000008E , 0x0000005 , 0x804FFE67 , 0xF02BCC98 , 0x00000000
Gutek
(Gutek)
24 Styczeń 2007 18:41
#16
Test Ram-u(memtest) - http://hcidesign.com/memtest/
Insatlowałeś coś ostatnio?
abdull1
(abdull1)
27 Styczeń 2007 14:45
#17
Ja nie. Ale na kompie siedzi kilka osób.
Ale z tego co patrzę na liste wszytkich programow to są jakieś 2 nowe.
Jakaś gra i KSPNKv 1.0 ->
Tam w tym testramie tylko nacisnąć start?
EDIT:
Dalej restartuje się sam . Co jakiś czas pojawia się niebieski ekran i jakiś komunikat. Piszę że przyczyną może być plik “wincon32.sys”
Co mam zrobić?
adam9870
(adam9870)
27 Styczeń 2007 14:52
#18
Pokaż dwa logi z Gmer’a przy takich ustawieniach:
Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
adam9870
(adam9870)
29 Styczeń 2007 15:50
#20
No i jednak jest rootkit, tak jak podejrzewałem.
Czy w Gmerze podczas wykonywania pierwszego loga zaznaczyłeś również pozycje Rejestr oraz Pliki , czy skróciłeś sobie skanowanie? Pytam ponieważ ten rootkit robi poza tym co widać w logu kilka kluczy w rejestrze oraz plik *.ini.
Uruchom system w trybie awaryjnym. Tylko jak podczas uruchamiania zostaniesz spytany czy chcesz uruchamiać sterownik sptd.sys to odpowiadasz przecząco wciskając w tym celu klawisz ESC . Gdy już będziesz w trybie awaryjnym, uruchom Gmer’a, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych. Następnie w zakładce CMD z zaznaczoną opcją CMD.EXE wklej:
następnie kliknij Uruchom po czym zostanie samo okienko Gmer’a, zostaną wykonane czynności i komputer się zrestartuje.
Po wykonaniu pokaż kompletne (tak jak poprzednio prosiłem) logi z Gmer’a.