Computer trouble - help


(Kuz5) #1

Hi everyone :slight_smile: Lately my computer has slowed down, and it shows up as constant ads and a slow internet connection. When it comes to computers I'm a complete novice :cry: On one forum I was told to always post a HijackThis and a Silent Runners log. So here are the logs, and I'm asking anyone for help.

Logfile of HijackThis v1.99.1
Scan saved at 19:32:06, on 2005-09-29
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\paytime.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\Mixer.exe
C:\PROGRA~1\usqxsvus\bQgCA4BN.exe
D:\Programy\Gadu-Gadu\gg.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\usqxsvus\NB4ACgQb.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Email This Link - C:\Program Files\CommonName\Toolbar\emaillink.htm
O8 - Extra context menu item: Search using CommonName - C:\Program Files\CommonName\Toolbar\navigate.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""D:\Programy\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]
"PayTime" = "C:\WINDOWS\System32\paytime.exe" [null data]
"Shell" = ""C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"" [null data]
"Windows installer" = "C:\winstall.exe" [null data]
"SNInstall" = "C:\WINDOWS\tool2.exe" [null data]
"SpySheriff" = "C:\Program Files\SpySheriff\SpySheriff.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (http://www.cmedia.com.tw)"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"(Default)" = """ = (data in unrecognized format!)" [file not found]
"PayTime" = "C:\WINDOWS\System32\paytime.exe" [null data]
"winsock32" = "msupdate32.exe" [null data]
"SM56ACL" = "sm56hlpr.exe" ["Motorola Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "st"
-> {CLSID}\InProcServer32(Default) = "C:\windows\system32\winacpi.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
sysacpildap(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {CLSID}\InProcServer32(Default) = "C:\windows\system32\winacpi.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Default executables:

.EXE: HKLM\SOFTWARE\Classes\exefile\shell\open\command\
INFECTION WARNING! "Default" = ""C:\WINDOWS\System32\msupdate32.exe" -run "%1" %*" [null data]

Group Policies [Description] {enabled Group Policy setting}:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "ForceActiveDesktopOn"=dword:00000001
[enables Active Desktop and prevents disabling it]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Enable Active Desktop}
HIJACK WARNING! "Wallpaper" = "C:\WINDOWS\desktop.html"
[disables the Display Properties|Desktop (tab) (except the "Customize
Desktop..." button); selects wallpaper if Active Desktop is enabled]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Active Desktop Wallpaper|Wallpaper Name:}

Active Desktop and Wallpaper:

Active Desktop enabled via Group Policy.
Wallpaper selected via Group Policy.

Enabled Screen Saver:

HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINDOWS\GO2SLE~1.SCR" (Go2sleep Screensaver !.scr) ["ScreenTime Media"]

Enabled Scheduled Tasks:

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

Winsock2 Service Provider DLLs:

Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:

Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{0494D0D9-F8E0-41AD-92A3-14154ECE70AC}" = "My &Search Bar" [from CLSID]
-> {CLSID}\InProcServer32(Default) = "C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "C:\PROGRA~1\FLASHGET\JETCAR.EXE" ["Amaze Soft"]

Running Services (Display Name, Service Name, Path {Service DLL}):

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]

  • This report excludes default entries except where indicated.
  • To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
  • To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 223 seconds, including 4 seconds for message boxes)

====================================

Note: when you paste a log, wrap it in a CODE or QUOTE tag.

I suggest reading THIS topic and seeing what users who paste logs are asked to do.

Regards, kuz5


(boczi) #2

You do all of the following in Safe Mode [F8 while the computer is booting] with System Restore turned off. If you don't know how to do that, see HERE.

The items in bold you delete from the disk, and you also fix all of those entries with HijackThis.

The entry with the underscore "_" you delete with the Registrar Lite registry editor.

Launch the editor and paste this path into the Address field:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks, then click Go and you will be taken to that key. On the right-hand side you will see the entry _{CFBFAE00-17A6-11D0-99CB-00C04FD64497}; delete it, and delete any other entries with the same underscore as well, using the right-click menu.

http://www.resplendence.com/reglite

Empty the TEMP and Prefetch directories in the WINDOWS system directory.

After these steps, post a new log and run scans with the ANTI programs linked in this section.

If you have trouble deleting anything, use the KillBox tool:

http://www.downloads.subratam.org/KillBox.zip

Info:

Run KillBox, tick the Delete on Reboot option, then paste the path into the Full Path of File to Delete field (example):

C:\WINDOWS\System32\xxx.exe

The program will then ask for a restart (which, of course, you agree to).
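To show how the sorting boczi does by hand can be reproduced, here is an added example (my own code, not part of this thread and not from HijackThis or Silent Runners) that runs a few heuristics over lines copied from the logs in post #1: a Start Page pointing at a bare IP address, a URLSearchHook CLSID prefixed with "_" with no backing file, an executable sitting directly in a drive root or in the Windows directory rather than System32, and a Run value that Silent Runners annotates as [null data] or [file not found]. The sample lines are the thread's own; the heuristics, thresholds and function names are my assumptions, and a hit means "look at this entry", not "delete it".

```python
"""Heuristic triage of HijackThis and Silent Runners startup entries.

Added example for this thread; heuristics and names are my own, and a hit
means "review this entry", not "delete it".
"""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Lines copied from the HijackThis log in post #1.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"
"""

# Lines copied from the Silent Runners "Run" sections in post #1.
SAMPLE_SR = r"""
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"PayTime" = "C:\WINDOWS\System32\paytime.exe" [null data]
"Shell" = ""C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00005.exe"" [null data]
"winsock32" = "msupdate32.exe" [null data]
"SM56ACL" = "sm56hlpr.exe" ["Motorola Inc."]
"""

# HijackThis line shapes: R0/R1 (IE start/default pages), R3 (URLSearchHook), O4 (Run keys).
HJT_R = re.compile(r'^(R[01]) - (.+?),([^=]+?) = (.*)$')
HJT_R3 = re.compile(r'^R3 - URLSearchHook: (.+?) - (\S+) - (.*)$')
HJT_O4 = re.compile(r'^O4 - (\S+): \[(.+?)\] (.*)$')
# Silent Runners Run entry: "Name" = "command" [publisher / MS / null data / file not found]
SR_RUN = re.compile(r'^"([^"]+)" = "(.*)" \[([^\]]+)\]$')

DRIVE_ROOT = re.compile(r'^[a-z]:\\[^\\]+$', re.I)          # e.g. C:\winstall.exe
WINDIR_ROOT = re.compile(r'^[a-z]:\\windows\\[^\\]+$', re.I)  # e.g. C:\WINDOWS\tool2.exe
UNSIGNED = {"null data", "file not found"}  # Silent Runners annotations with no version info


def executable(command):
    """First token of a Run command: the quoted path, or the bare first word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(' ', 1)[0]


def path_reason(path):
    """Why an executable's location looks odd, or None (assumed heuristics)."""
    if DRIVE_ROOT.match(path):
        return "executable sits directly in a drive root"
    if WINDIR_ROOT.match(path):
        return "executable sits directly in the Windows directory, not System32"
    return None


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_hijackthis(text):
    """Return [(line, reason)] for HijackThis lines worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_R.match(line)
        if m:
            value, data = m.group(3), m.group(4)
            host = urlsplit(data).hostname
            if host is not None and is_ip_literal(host):
                findings.append((line, f"{value} points at a bare IP address"))
            continue
        m = HJT_R3.match(line)
        if m and (m.group(2).startswith('_') or m.group(3) == '(no file)'):
            findings.append((line, "URLSearchHook CLSID prefixed with '_' / no backing file"))
            continue
        m = HJT_O4.match(line)
        if m:
            reason = path_reason(executable(m.group(3)))
            if reason:
                findings.append((line, reason))
    return findings


def triage_silent_runners(text):
    """Return [(line, reason)] for Silent Runners Run entries worth a second look."""
    findings = []
    for line in text.strip().splitlines():
        m = SR_RUN.match(line)
        if not m:
            continue
        _name, command, note = m.groups()
        reasons = []
        if note in UNSIGNED:
            reasons.append(f"no version/publisher information ({note})")
        reason = path_reason(executable(command))
        if reason:
            reasons.append(reason)
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in triage_hijackthis(SAMPLE_HJT) + triage_silent_runners(SAMPLE_SR):
        print(f"REVIEW: {reason}\n        {line}")
```

The two reports complement each other: HijackThis shows the Run command but says nothing about the file, while Silent Runners adds the publisher annotation, so an entry such as ibm00005.exe under a Microsoft-looking path is only picked up from the Silent Runners side. The Start Page check deliberately keys on the host being an IP literal rather than on the specific address in this thread.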


(Kuz5) #3

I'm getting to work on it right away. And what about the second log? Is it fine, or should something be deleted there too? :cry:


(Gutek) #4

boczi, you missed the exe-file wrecker:

Removing msupdate32.exe is described HERE

On top of that you have restrictions on the wallpaper, but first remove msupdate32.exe
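The entry Gutek is pointing at is the Silent Runners "Default executables" line, where the .EXE open command has msupdate32.exe inserted in front of the stock value "%1" %*, so every program launch passes through that file. As an added example (my own code, not from this thread or from the removal guide linked above), the script below parses that line, names the inserted program, and writes out the text of a .reg file that restores the stock command for HKLM\SOFTWARE\Classes\exefile\shell\open\command, the key the report names. The stock value "%1" %* is the Windows XP default; the function names are my own.

```python
"""Check the exefile open command from a Silent Runners report and build the fix.

Added example for this thread; function names are my own.
"""
import re

# Stock value of HKLM\SOFTWARE\Classes\exefile\shell\open\command on Windows XP.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Line copied from the Silent Runners report in post #1.
SAMPLE_LINE = (r'INFECTION WARNING! "Default" = ""C:\WINDOWS\System32\msupdate32.exe"'
               r' -run "%1" %*" [null data]')

# "Default" = "<command>" [<annotation>]  (the command itself may contain quotes)
SR_DEFAULT = re.compile(r'"Default" = "(.*)" \[([^\]]+)\]$')


def parse_exefile_line(line):
    """Return (command, annotation) from a Silent Runners 'Default executables' line."""
    m = SR_DEFAULT.search(line)
    if not m:
        raise ValueError("not a Silent Runners default-value line")
    return m.group(1), m.group(2)


def wrapper_executable(command):
    """Program inserted in front of the stock '"%1" %*', or None if the value is stock."""
    command = command.strip()
    if command == DEFAULT_EXE_COMMAND:
        return None
    m = re.match(r'"([^"]+)"|(\S+)', command)
    if not m:
        return command
    return m.group(1) or m.group(2)


def restore_reg_text():
    """Text of a .reg file that puts the stock command back.

    In .reg syntax the (Default) value is written as @ and embedded quotes are
    backslash-escaped, so the data '"%1" %*' becomes "\"%1\" %*".
    """
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\exefile\\shell\\open\\command]\r\n"
            '@="\\"%1\\" %*"\r\n')


def report(line):
    """One-line verdict for the given Silent Runners line."""
    command, note = parse_exefile_line(line)
    wrapper = wrapper_executable(command)
    if wrapper is None:
        return "exefile open command is the stock value"
    return (f"exefile open command routes every .exe launch through {wrapper} ({note}); "
            "the association must be restored, not just the file removed")


if __name__ == "__main__":
    print(report(SAMPLE_LINE))
    print(restore_reg_text())
```

The order matters for the cleanup: while the association still points at the wrapper, deleting that file leaves the system unable to start any .exe, including the tools used for the cleanup, which is why the .reg text and the file removal belong to the same step.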