mcleod
(Mcleod)
19 December 2006 21:00
#1
Hello everyone,
I uninstalled the application "VISTA Transformation Pack ver 5.5." After that the system ran unstably - the desktop icons were not displayed.
I have Windows XP Home Edition and did a repair installation of Windows from the CD. If I am not mistaken, that reinstalls the system libraries and files. I also cleaned the registry with "Eusing Free Registry Cleaner".
Still, please take a look at my logs - perhaps something is left there that I should remove. If so, I would kindly ask you to point out what to remove and how.
My hat is off to anyone who spares a bit of their valuable time for me.
Regards
Mcleod
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 21:41:53, on 2006-12-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ArcaVir2006\ArcaVir\NetMonSV.exe
C:\ArcaVir2006\Common\ArcaBit.Core.Configurator2.exe
C:\ArcaVir2006\ArcaVir\AvMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\ArcaVir2006\Common\TaskScheduler.exe
C:\ArcaVir2006\Common\ArcaBit.Core.LoggingService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\ArcaVir2006\ArcaVir\AVMenu.exe
C:\ArcaVir2006\ArcaVir\ABregmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ArcaCheck] "C:\ArcaVir2006\ArcaVir\ArcaCheck.exe" /startup
O4 - HKLM\..\Run: [AVMenu] C:\ArcaVir2006\ArcaVir\AVMenu.exe
O4 - HKLM\..\Run: [abregmon] C:\ArcaVir2006\ArcaVir\ABregmon.exe
O4 - HKLM\..\Run: [\\192.168.0.10\EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P38 "\\192.168.0.10\EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://skaner.mks.com.pl
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 4026857265
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A233438E-A2E9-4821-822C-1D0747F239B2}: NameServer = 194.204.152.34,217.98.63.164,193.192.161.66,62.233.128.17
O20 - Winlogon Notify: TS_LogonListener - C:\WINDOWS\SYSTEM32\TS_LogonListener.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\ArcaVir2006\ArcaVir\NetMonSV.exe
O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\ArcaVir2006\Common\ArcaBit.Core.Configurator2.exe
O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\ArcaVir2006\Common\ArcaBit.Core.LoggingService.exe
O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - C:\ArcaVir2006\Common\TaskScheduler.exe
O23 - Service: ArcaVir Antivirus Monitor Service (ArcaVirMonitor) - ArcaBit - C:\ArcaVir2006\ArcaVir\AvMon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
Silent Runners:
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ArcaCheck" = ""C:\ArcaVir2006\ArcaVir\ArcaCheck.exe" /startup" ["ArcaBit"]
"AVMenu" = "C:\ArcaVir2006\ArcaVir\AVMenu.exe" ["ArcaBit"]
"abregmon" = "C:\ArcaVir2006\ArcaVir\ABregmon.exe" ["ArcaBit"]
"\\192.168.0.10\EPSON Stylus C45 Series" = "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P38 "\\192.168.0.10\EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"" ["SEIKO EPSON CORPORATION"]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Spybot\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {HKLM...CLSID} = "Shell Extension for CDRW"
     \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{D7824897-C8DC-49b4-B790-30F7ED16A5FD}" = "ArcaVir Shell Extension"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
     \InProcServer32\(Default) = "C:\ArcaVir2006\arcavir\avshell.dll" [null data]
"{4EFE464B-3D0B-4800-A5DE-2321283A3256}" = "QCD IconHandler"
  -> {HKLM...CLSID} = "QIconHandler Class"
     \InProcServer32\(Default) = "F:\Quintessential Player\QCDIcons.dll" [empty string]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\OpenOffice.ux.pl 2.0.4.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\OpenOffice.ux.pl 2.0.4.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\OpenOffice.ux.pl 2.0.4.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\OpenOffice.ux.pl 2.0.4.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> TS_LogonListener\DLLName = "TS_LogonListener.dll" ["ArcaBit sp. z o.o."]
<<!>> WRNotifier\DLLName = "WRLogonNTF.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\OpenOffice.ux.pl 2.0.4.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\7-Zip\7-zip.dll" ["Igor Pavlov"]
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
     \InProcServer32\(Default) = "C:\ArcaVir2006\arcavir\avshell.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "C:\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
     \InProcServer32\(Default) = "C:\ArcaVir2006\arcavir\avshell.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\H U B E R T\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ArcaBit NetMonitor, ABNetMon, "C:\ArcaVir2006\ArcaVir\NetMonSV.exe" ["ArcaBit"]
ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ""C:\ArcaVir2006\Common\ArcaBit.Core.Configurator2.exe"" ["ArcaBit"]
ArcaBit.Core.LoggingService, ArcaBit.Core.LoggingService, ""C:\ArcaVir2006\Common\ArcaBit.Core.LoggingService.exe"" ["ArcaBit"]
ArcaBit.TaskScheduler, ArcaBit.TaskScheduler, "C:\ArcaVir2006\Common\TaskScheduler.exe" ["ArcaBit sp. z o.o."]
ArcaVir Antivirus Monitor Service, ArcaVirMonitor, "C:\ArcaVir2006\ArcaVir\AvMon.exe" ["ArcaBit"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor S100\Driver = "CNMLM3A.DLL" ["CANON INC."]
LIDIL hpzll4pi\Driver = "hpzll4pi.dll" ["Hewlett-Packard Company"]
PDF995 Monitor\Driver = "pdf995mon.dll" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at
  the first message box and "Yes" at the second message box.
---------- (total run time: 85 seconds, including 8 seconds for message boxes)
adam9870
(adam9870)
19 December 2006 21:05
#2
The logs are generally clean.
Do a cosmetic cleanup in HJT.
You can take a look here:
http://forum.dobreprogramy.pl/viewtopic … 580#578580
mcleod
(Mcleod)
19 December 2006 21:19
#3
Thank you very much for your help.
I am only puzzled by this entry:
In the link you gave me there was a suggestion that this is "unofficial" spyware, but after removing it users occasionally complained about losing sound. Is loss of sound a real risk in your opinion?
Bieniol
(Bbieniol)
19 December 2006 21:44
#4
In my opinion (or rather, in practice) it does not happen very often. The decision is entirely yours.
mcleod
(Mcleod)
19 December 2006 22:20
#5
I removed all the entries as you suggested. Indeed, there are no problems with sound.
Thank you all very much for your help.
Kind regards
Posts merged: 22.12.2006 (Fri) 23:41
Sorry to bother you again, but an additional question about my problem has come up. As I wrote above, I removed the following entry:
But the following file is still on my disk: c:\WINDOWS\ALCMTR.EXE
Should I delete it from the disk or not?
Regards