As I wrote in the subject. And maybe I have more viruses, please check...
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Logitech\MouseWare\System\Em_exec.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\ESTsoft\ALZip\ALZip.exe
C:\Documents and Settings\Maciek\Ustawienia lokalne\Temp_AZTMP2_\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Startup: Gadu-Gadu.lnk = C:\Program Files\Gadu-Gadu\gg.exe
O4 - Startup: iTouch Configuration.lnk = C:\Program Files\Logitech\iTouch\iTouchcf.exe
O4 - Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Startup: Mouse Properties.lnk = C:\WINDOWS\system32\control.exe
O4 - Startup: Skype.lnk = C:\Program Files\Skype\Phone\Skype.exe
O4 - Startup: ZyXEL G-302 v3 Utility.lnk = C:\Program Files\ZyXEL\G-302v3\G-302v3.exe
O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Otwórz w nowym Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm
O18 - Protocol: bwf0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {90785786-8F1B-452B-9D0A-2AFF7E1F4BFC} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
JNJN
(JNJN)
24 January 2007 08:01
#2
Please change the post subject to a specific one, using the "edit and correct" option. JNJN
http://forum.dobreprogramy.pl/viewtopic.php?t=66889
adam9870
(adam9870)
24 January 2007 09:04
#3
The log is clean.
You can do some cosmetic trimming.
Where did you get the suspicion of worms from??
You can scan with http://www.ewido.net/en/ and post the report along with a SilentRunners log.
I was checking which processes were running and looking for any "suspicious" ones; I found csrss, smss and lsass, checked on Google and it turned out they are viruses/worms (I don't know much about this).
adam9870
(adam9870)
24 January 2007 09:12
#5
Those processes are entirely system ones. You probably found information that they are malware because quite often a malware file has the same name as a system file but sits in a different location. For example, this is a legitimate system file:
C:\WINDOWS\system32\svchost.exe
and this is the malware author's decoy:
C:\WINDOWS\svchost.exe
These examples are not taken from your log, because it is OK and you have nothing to worry about.
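The name-versus-location check described in that reply, written out as an added example (not code from the thread or from HijackThis): it pulls the "Running processes" list out of a HijackThis log and flags any core Windows binary name that runs from a directory other than the one Windows uses. The expected-directory table assumes the Windows XP layout seen in the posted log, and the sample log is constructed from the thread's entries plus the decoy path C:\WINDOWS\svchost.exe given above.

```python
"""Flag lookalike system processes in a HijackThis "Running processes" list.

Added example for this thread, not code from the forum or from HijackThis.
It implements the check adam9870 describes: a file whose name matches a
core Windows process but whose directory is not the one Windows uses.
The expected-directory table assumes the Windows XP layout seen in the log.
"""
import ntpath
import re

# Where each core system binary lives on Windows XP (constructed from the
# directories in the posted log). Comparison is case-insensitive because
# the log mixes "System32" and "system32".
EXPECTED_DIR = {
    "smss.exe": r"C:\WINDOWS\system32",
    "csrss.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "spoolsv.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}

# Constructed sample log: entries copied from the thread plus one decoy,
# C:\WINDOWS\svchost.exe, the wrong-directory example adam9870 gives.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# HijackThis section lines look like "O4 - ..." or "R1 - ..."; they end the
# process list even when the blank separator line is missing.
SECTION_LINE = re.compile(r"^[A-Z]\d+ - ")


def parse_running_processes(log_text: str) -> list[str]:
    """Return the paths listed under the "Running processes:" header."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not line or SECTION_LINE.match(line):
                break
            paths.append(line)
    return paths


def classify(path: str) -> str:
    """'ok', 'lookalike' or 'unknown' for one process path."""
    directory, name = ntpath.split(path)
    expected = EXPECTED_DIR.get(name.lower())
    if expected is None:
        return "unknown"            # not a core system name; out of scope
    if ntpath.normcase(directory) == ntpath.normcase(expected):
        return "ok"
    return "lookalike"              # right name, wrong directory


def find_lookalikes(log_text: str) -> list[str]:
    """Paths in the log whose file name mimics a system binary."""
    return [p for p in parse_running_processes(log_text)
            if classify(p) == "lookalike"]


if __name__ == "__main__":
    for p in parse_running_processes(SAMPLE_LOG):
        print(f"{classify(p):9s} {p}")
```

Names outside the table (Skype, avast! and so on) are reported as "unknown" rather than clean, since this check only covers the system-name impersonation trick and says nothing about third-party binaries.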
SilentRunners log
Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"CursorXP" = "C:\Program Files\CursorXP\CursorXP.exe" [" "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
  -> {HKLM...CLSID} = "My Logitech Pictures"
     \InProcServer32(Default) = "C:\Program Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{F2185E5D-720E-4956-90D9-75F6AC141575}" = "Idea2 SidebarIconHandler Class"
  -> {HKLM...CLSID} = "SidebarIconHandler Class"
     \InProcServer32(Default) = "C:\Program Files\Desktop Sidebar\sbhelp.dll" ["Idea2"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "Moje foldery udostępniania"
     \InProcServer32(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{4EB37360-49E8-11D3-95B5-004033382980}" = "ALZip 4.0 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" ["estsoft"]
"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"
  -> {HKLM...CLSID} = "UIContextMenu Class"
     \InProcServer32(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ALZip(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
  -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" ["estsoft"]
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
MagicISO(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
     \InProcServer32(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
zzALZip(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
  -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" ["estsoft"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ALZip(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
  -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" ["estsoft"]
MagicISO(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
     \InProcServer32(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
UltraISO(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
  -> {HKLM...CLSID} = "UIContextMenu Class"
     \InProcServer32(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ALZip(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
  -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" ["estsoft"]
avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
MagicISO(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"
  -> {HKLM...CLSID} = "MShellExtMenu Class"
     \InProcServer32(Default) = "C:\Program Files\MagicISO\misosh.dll" ["MagicISO, Inc."]
PowerISO(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
UltraISO(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
  -> {HKLM...CLSID} = "UIContextMenu Class"
     \InProcServer32(Default) = "C:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Maciek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Maciek" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Maciek\Menu Start\Programy\Autostart
"Gadu-Gadu" -> shortcut to: "C:\Program Files\Gadu-Gadu\gg.exe" ["Gadu-Gadu S.A."]
"iTouch Configuration" -> shortcut to: "C:\Program Files\Logitech\iTouch\iTouchcf.exe" ["Logitech, Inc. "]
"Kalendarz XP" -> shortcut to: "C:\Program Files\Kalendarz XP\Kalendarz.exe" [null data]
"Mouse Properties" -> shortcut to: "C:\WINDOWS\system32\control.exe Mouse" [MS]
"Skype" -> shortcut to: "C:\Program Files\Skype\Phone\Skype.exe" ["Skype Technologies S.A."]
"ZyXEL G-302 v3 Utility" -> shortcut to: "C:\Program Files\ZyXEL\G-302v3\G-302v3.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"
  -> {HKLM...CLSID} = "BearShare MediaBar"
     \InProcServer32(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
     \InProcServer32(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"
  -> {HKLM...CLSID} = "BearShare MediaBar"
     \InProcServer32(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" [file not found]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Hotbar Information Window"
     \InProcServer32(Default) = "C:\Program Files\HbTools\Bin\4.8.2.0\HbtHostIE.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Hotbar Information Window"
     \InProcServer32(Default) = "C:\Program Files\HbTools\Bin\4.8.2.0\HbtHostIE.dll" [file not found]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com "
     \InProcServer32(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
Usługa Pomocnik IPv6, 6to4, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\6to4svc.dll" [MS]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <> "Lkbdflt2" ["Logitech"]

----------
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.

---------- (total run time: 96 seconds, including 5 seconds for message boxes)
Posts merged: 24.01.2007 (Wed) 10:14
Oh, thanks a lot :mrgreen: :mrgreen:
Joan
(Joan Sunshine)
24 January 2007 10:35
#7
Open Notepad and paste this into it:
File -> Save As -> change the file type to All Files -> save it under the name FIX.REG
Run the FIX.REG file, confirm adding it to the registry, and restart the computer