Komp się nie włącza i ma pełno syfów


(Romanzelu) #1

Komputer nie może sie uruchomić w trybie normalnym :frowning: Pokazuje się te okienko czarne Windows Xp itd i się komp resetuje.Działa tylko w trybie awaryjnym.Poza tym jest cały zasyfiony o czym pisałem w innym temacie.Nie mogę sobie poradzić z tymi syfami.Oto nowe logi:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot" [file not found]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

"AutoSys" = "C:\WINDOWS\system32\autosys.exe" [file not found]

"{208CCCA2-0977-1045-0113-030113200030}" = ""C:\Program Files\Common Files\{208CCCA2-0977-1045-0113-030113200030}\Update.exe" te-110-12-0000273" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]

{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"ZPqBj" = "{208CCCA3-8A26-6609-2F9B-23B659DC6923}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\juuw.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{C1B4DEC2-2623-438E-9CA2-C9043AB28508}" = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll" [null data]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------


ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]

AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

COM+ Messages, COM+ Messages, ""C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273" [file not found]

HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

MS Internet Countermeasures Framework , ICF, "C:\WINDOWS\system32:svchost.exe" [**WMI GetObject error**]

Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

USB Data Adapter, Usbpda, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\usbpda.dll" [MS]}

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]

Usługa dostarczania sieci, xmlprov, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\xmlprov.dll" [MS]}

Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\system32\MsPMSNSv.dll" [MS]}

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 143 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 48 seconds.

---------- (total run time: 275 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 16:18:22, on 2006-12-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\systems_.exe

E:\Programy\Maxthon2\Maxthon.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

E:\Programy\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

E:\Bezpieczeństwo\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe

O4 - HKLM\..\Run: [{208CCCA2-0977-1045-0113-030113200030}] "C:\Program Files\Common Files\{208CCCA2-0977-1045-0113-030113200030}\Update.exe" te-110-12-0000273

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O21 - SSODL: ZPqBj - {208CCCA3-8A26-6609-2F9B-23B659DC6923} - C:\WINDOWS\system32\juuw.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Proszę pomóżcie chociaż go normalnie uruchomić.


(adam9870) #2

Pobierz The avenger. Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w taką lupkę => w okienku, które się otworzy wklej:

=> Kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).

Po resecie może pojawić się okienko na dosłownie kilka sekund oraz log w notatniku. Wejdź tam gdzie masz avangera i skasuj plik backup.zip czyli np. c:\avanger\backup.zip.

Usuń w hjt.

Po wykonaniu wklej nowe logi.


(Romanzelu) #3

Wykonałem wszystko ale komp dalej się nie chce włączyć.Ale udało mi się go uruchomić normalnie w nastepujący sposób:na poczatku wcisnąłęm F8 i wybrałem"uruchom ostatnio działające ustawienia"(czy jakoś tak) i zadziałało.Uruchomił się.Czy teraz będzie się normalnie uruchamiał to nie wiem bo jeszcze nie sprawdzałem.Oto logi:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot" [file not found]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 147 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 49 seconds.

---------- (total run time: 260 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 21:19:27, on 2006-12-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Mixer.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\SYSTEM32\systems_.exe

E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe

C:\WINDOWS\Integrator.exe

E:\Programy\Maxthon2\Maxthon.exe

E:\Bezpieczeństwo\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(adam9870) #4

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\SYSTEM32\systems_.exe

Klikasz X czerwony i restart kompa.

Po wykonaniu proszę wkleić nowy log z hijacka.


(Romanzelu) #5

Pomóżcie raz jeszcze.Nie wiem co się dzieje.Znowu to samo.Oto logi(mam nadzieję,że tym razem usunę to do końca):

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Windows installer" = "C:\winstall.exe" [null data]

"Key" = "C:\DOCUME~1\Roman\USTAWI~1\Temp\158.tmp" [file not found]

"agent" = "C:\WINDOWS\system32\ppl.exe" [null data]

"(Default)" = """ = (data in unrecognized format!)" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot" [file not found]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

"{208CCCA2-0977-1045-0113-030113200030}" = ""C:\Program Files\Common Files\{208CCCA2-0977-1045-0113-030113200030}\Update.exe" te-110-12-0000273" [null data]

"ControlPanel" = "C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile" [null data]

"agent" = "C:\WINDOWS\system32\ppl.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]

{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"ZPqBj" = "{208CCCA3-8A26-6609-2F9B-23B659DC6923}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\juuw.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{C1B4DEC2-2623-438E-9CA2-C9043AB28508}" = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll" [null data]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 346 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 54 seconds.

---------- (total run time: 475 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 23:43:40, on 2006-12-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\SYSTEM32\systems_.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

E:\Programy\Maxthon2\Maxthon.exe

E:\Bezpieczeństwo\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{308CC~1\Bar888.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [{208CCCA2-0977-1045-0113-030113200030}] "C:\Program Files\Common Files\{208CCCA2-0977-1045-0113-030113200030}\Update.exe" te-110-12-0000273

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\cmd32.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [agent] C:\WINDOWS\system32\ppl.exe

O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [Key] C:\DOCUME~1\Roman\USTAWI~1\Temp\158.tmp

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe

O4 - HKCU\..\Run: [agent] C:\WINDOWS\system32\ppl.exe

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O21 - SSODL: ZPqBj - {208CCCA3-8A26-6609-2F9B-23B659DC6923} - C:\WINDOWS\system32\juuw.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000273 (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(adam9870) #6

Pozamykaj porty robakom. W tym celu użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Pobierz The avenger. Wypakuj => uruchom => zaznacz opcję Input script manually => kliknij w taką lupkę => w okienku, które się otworzy wklej:

=> Kliknij klawisz Done => teraz kliknij na zielone światełko => powinna pojawić się pewna informacja i kliknij OK (teraz restart).

Po resecie może pojawić się okienko na dosłownie kilka sekund oraz log w notatniku. Wejdź tam gdzie masz avangera i skasuj plik backup.zip czyli np. c:\avanger\backup.zip.

Usuń w hjt.

Użyj ATF Cleaner i przeczyść Current User Temp oraz All Users Temp.

Po wykonaniu wklej nowe logi.


(Romanzelu) #7

Niepokoi mnie,że system się sam nie uruchamia.Muszę cały czas przy włączaniu dawać F8 i wybierać opcje aby załadował ostatnio działające ustawienia.

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot" [file not found]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 167 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 50 seconds.

---------- (total run time: 292 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 00:34:54, on 2006-12-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Mixer.exe

C:\WINDOWS\SYSTEM32\systems_.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe

C:\WINDOWS\Integrator.exe

E:\Programy\Maxthon2\Maxthon.exe

E:\Programy\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

E:\Bezpieczeństwo\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(Joan Sunshine) #8

Ściągasz narzędzie KillBox, zaznaczasz Delete on Reboot, potem klikasz All Files i wklejasz do pola Full Path of File to Delete ścieżkę:

C:\WINDOWS\SYSTEM32\systems_.exe

Klikasz X i reset sysa.

Zafixuj bo nie ma progsów.

Daj nowe logi :slight_smile:


(Romanzelu) #9

Jest problem.Jak robię tak w KillBoxie to wyskakuje mi takie okienko:screenshot1167349712mr7.th.jpgi nie chce wykonać operacji.


(Joan Sunshine) #10

No to próbuj w trybie awaryjnym killboxem, jak nie puści to ściągasz GMERA

W zakładke CMD -> CMD wklej:

Klikasz Uruchom

I koniecznie wklejasz logi :slight_smile:


(Romanzelu) #11

GMER też nie chce tego usunąć.Jak już mu potwierdzam,że ma wykonać operację to zaczyna się zamykać system a po chwili pisze,że nie można usunąć przy restarcie.Ale teraz już przynajmniej się system się normalnie uruchamia.Tylko jak się pozbyć tego systems_.exe?

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 137 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 57 seconds.

---------- (total run time: 276 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 01:22:29, on 2006-12-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Mixer.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe

C:\WINDOWS\Integrator.exe

E:\Programy\Maxthon2\Maxthon.exe

E:\Bezpieczeństwo\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(Joan Sunshine) #12

Wygląda na to, że któryś progs sobie z nim poradził :wink:

Logi czyste.

Użyj narzędzia WWDC (pozwoli Ci to zamknąć robaczywe porty), zmień znaczki z Disable na Enable (wszystkie mają być zielone lub żółte) i zresetuj sysa.

Przeczyść rejestr – użyj do tego jv16 PowerTools 2006 1.5.2.344.

Pozatym przejrzyj: Lista zbędników w autostarcie oraz Optymalizacja XP.

Wejdź: Start > uruchom > msconfig i w zakładce „Uruchamianie” odznacz, niepotrzebne według Ciebie, programy w autostarcie. :slight_smile:


(Romanzelu) #13

W tamtych logach go nie było bo spróbwoałem KillBoxem poprostu usunąć bez restartu i niby zniknął ale tak naprawdę jest.oto log po zrestartowaniu kompa:

Logfile of HijackThis v1.99.1

Scan saved at 02:30:16, on 2006-12-29

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Mixer.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

C:\WINDOWS\SYSTEM32\systems_.exe

C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe

C:\WINDOWS\Integrator.exe

E:\Bezpieczeństwo\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(Gutek) #14

Spybot - Search & Destroy masz włączoną ochroę w tym programie?

KillBox-em usuń w trybie awaryjnym ten plik. Jak nie da się użyj http://dobreprogramy.pl/index.php?dz=2&t=59&id=1571


(Romanzelu) #15

Unlocker też nie dał rady.miał go usunąć przy restarcie(bo normalnie się nie dało i po włączeniu ponownym kompa plik dalej jest.Udawało mi się go usuwać KillBoxem w trybie awaryjnym ale po restarcie ten plik wraca.Próbowałem już wszystkich waszych porad ale za każdym razem jest ten sam efekt.problem nie tkwi w tym,że nie da się go usunąć tylko w tym,że on mimo usunięcia po ponownym uruchomieniu kompa wraca.A co do S&D to mam go zainstalowanego ale nie używam jego strażnika.Używam strażnika z AVG Anti Spyware.


(Bbieniol) #16

Zrób skan AVG AntySpyware 7.5 po update :slight_smile:

Pobierz i uruchom narzędzie The Avenger. Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Klikasz Done , a następnie zielone światełko i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\ backup.zip i wklejasz na forum raport: C:\ avenger.txt + nowe logi.


(Romanzelu) #17

Dalej jest to samo.Raport usunąłem przez przypadek ale było w nim,że usunął ale jak zrestartowałem kompa to plik znowu jest :frowning:


(adam9870) #18

Przeskanuj jeszcze raz i pokaż raport ze skanowania oraz nowe logi.

Czy zmieniłeś znaczki w Windows Worms Doors Cleanerze ?


(Romanzelu) #19

Znaczki już dawno mam zmienione.Są na zielono tylko jeden jest na żółto.

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 131 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 48 seconds.

---------- (total run time: 247 seconds)

Logfile of HijackThis v1.99.1

Scan saved at 02:08:07, on 2006-12-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Mixer.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe

C:\WINDOWS\SYSTEM32\systems_.exe

C:\WINDOWS\Integrator.exe

C:\Program Files\Konnekt\konnekt.exe

E:\Programy\Maxthon2\Maxthon.exe

E:\Programy\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

E:\Bezpieczeństwo\HijackThis.exe


O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(Bbieniol) #20

Jak widać nadal siedzi :frowning:

Przeskanuj dysk tymi skanerami:

:arrow: http://www.kaspersky.pl/virusscanner.html

:arrow: http://www.pandasoftware.com/activescan ... ncipal.htm