mafioz
(Mafioz09)
30 June 2007 09:21
#1
Hi, I recently came across a program called ErrorSafe, and during a scan it detected 3500 files that need to be repaired (it says "invalid items").
But to repair the files you have to register the program for 120 zł, and I'm a bit reluctant to spend that much money. Is there a free equivalent?
Pytalski
(Pytalski)
30 June 2007 09:36
#2
As far as I know, ErrorSafe is a virus. If I were you I'd post the logs right away.
mafioz
(Mafioz09)
30 June 2007 09:42
#3
I'll post the logs here:
Logfile of HijackThis v1.99.1
Scan saved at 11:41:52, on 2007-06-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\retadpu2000352.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
E:\FRAPS\FRAPS.EXE
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Error Safe Free\uerscw.exe
C:\Documents and Settings\Mateusz\Pulpit\hijackthisy\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM…\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM…\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM…\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM…\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM…\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe
O4 - HKLM…\Run: [mks_mail] C:\Program Files\mks_vir_2007\bin\mks_mail.exe
O4 - HKLM…\Run: [MKSRegmon] C:\Program Files\mks_vir_2007\bin\mksregmon.exe
O4 - HKLM…\Run: [runner1] C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM…\Run: [icq.com ] rundll32.exe "C:\WINDOWS\system32\mvpdmelp.dll",forkonce
O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM…\Run: [Error Safe] C:\Program Files\Error Safe Free\ers.exe /scan
O4 - HKLM…\Run: [uerscw] C:\Program Files\Error Safe Free\uerscw.exe -c
O4 - HKCU…\Run: [TorCP] C:\Program Files\TorCP\torcp.exe
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU…\Run: [Fraps] E:\FRAPS\FRAPS.EXE
O4 - HKCU…\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpeedFan.lnk = C:\Program Files\SpeedFan\speedfan.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O8 - Extra context menu item: Download all links using BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://E:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Download Link Using Mega Manager… - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip…{C21B7786-8808-42E3-903C-754C577D37AE}: NameServer = 212.19.48.14
O17 - HKLM\System\CCS\Services\Tcpip…{C9A870EC-C39E-431C-9B0A-0D958868EF97}: NameServer = 208.67.222.222,208.67.220.220
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MksFwall - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksFwall.exe (file missing)
O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe (file missing)
O23 - Service: MksUpdate - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksupdate.exe (file missing)
O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe (file missing)
O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: DiRT Drivers Auto Removal (pr2ah4nc) (pr2ah4nc) - CODEMASTERS - C:\WINDOWS\system32\pr2ah4nc.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\prime95.exe (file missing)
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Steganos VPN Starter Service (SVPNStarter) - Unknown owner - C:\Program Files\Steganos Internet Anonym VPN\SVPNStarter.exe
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"TorCP" = "C:\Program Files\TorCP\torcp.exe" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"Fraps" = "E:\FRAPS\FRAPS.EXE" ["Beepa P/L"]
"WinPop" = "C:\Program Files\WinPop\winpop.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"CTRegRun" = "C:\WINDOWS\CTRegRun.EXE" ["Creative Technology Ltd "]
"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"VGAUtil" = "C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [empty string]
"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"mkstray" = "C:\Program Files\mks_vir_2007\bin\mkstray.exe" [file not found]
"mks_mail" = "C:\Program Files\mks_vir_2007\bin\mks_mail.exe" [file not found]
"MKSRegmon" = "C:\Program Files\mks_vir_2007\bin\mksregmon.exe" [file not found]
"runner1" = "C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310" [empty string]
"icq.com " = "rundll32.exe "C:\WINDOWS\system32\mvpdmelp.dll",forkonce" [MS]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
"Error Safe" = "C:\Program Files\Error Safe Free\ers.exe /scan" ["ErrorSafe"]
"uerscw" = "C:\Program Files\Error Safe Free\uerscw.exe -c" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM…CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\wrnyvaej.dll" [null data]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}(Default) = "BitComet ClickCapture"
  -> {HKLM…CLSID} = "BitComet Helper"
                   \InProcServer32(Default) = "E:\Program Files\BitComet\tools\BitCometBHO_1.1.4.29.dll" ["BitComet"]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
  -> {HKLM…CLSID} = "SSVHelper Class"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{871A6EB6-3839-4135-A962-71BB0EC34AC3}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\awtsr.dll" [null data]
{A6807262-1D7A-44AB-947B-23B71E97915C}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hggefca.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
  -> {HKLM…CLSID} = "Google Toolbar Helper"
                   \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{C333CF63-767F-4831-94AC-E683D962C63C}(Default) = "TGTSoft Explorer Toolbar Changer"
  -> {HKLM…CLSID} = "CoTGT_BHO Class"
                   \InProcServer32(Default) = "C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM…CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM…CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM…CLSID} = "Microsoft Office Outlook"
                   \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM…CLSID} = "Sony Ericsson File Manager"
                   \InProcServer32(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM…CLSID} = "DesktopContext Class"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM…CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM…CLSID} = "Desktop Explorer"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM…CLSID} = "nView Desktop Context Menu"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
  -> {HKLM…CLSID} = "JetFlExt Class"
                   \InProcServer32(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{A6807262-1D7A-44AB-947B-23B71E97915C}" = "*g" (unwritable string)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hggefca.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM…CLSID} = "WPDShServiceObj Class"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> awtsr\DLLName = "C:\WINDOWS\system32\awtsr.dll" [null data]
<> hggefca\DLLName = "hggefca.dll" [null data]
<> winkve32\DLLName = "winkve32.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM…CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM…CLSID} = "PDF Shell Extension"
                   \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
CnvShell(Default) = "{A118FEA0-1D1B-4165-BC37-88F95B250E7A}"
  -> {HKLM…CLSID} = "CnvShellATL Class"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\cnvshell.dll" ["fCoder Group International"]
MkS_Vir(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
  -> {HKLM…CLSID} = "MkS_Vir Shell Extension"
                   \InProcServer32(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
  -> {HKLM…CLSID} = "JetFlExt Class"
                   \InProcServer32(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ALSongContext(Default) = "{CBE49257-71F8-44B4-B536-FF5359F0AEAA}"
  -> {HKLM…CLSID} = "ALContextMenu Class"
                   \InProcServer32(Default) = "C:\Program Files\ESTsoft\ALSong\ALSongSh.dll" ["Copyright © 2005 ESTsoft corp."]
CnvShell(Default) = "{A118FEA0-1D1B-4165-BC37-88F95B250E7A}"
  -> {HKLM…CLSID} = "CnvShellATL Class"
                   \InProcServer32(Default) = "C:\WINDOWS\system32\cnvshell.dll" ["fCoder Group International"]
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
  -> {HKLM…CLSID} = "JetFlExt Class"
                   \InProcServer32(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
MkS_Vir(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
  -> {HKLM…CLSID} = "MkS_Vir Shell Extension"
                   \InProcServer32(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSaveSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Mateusz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Mateusz" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Mateusz\Menu Start\Programy\Autostart
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"SpeedFan" -> shortcut to: "C:\Program Files\SpeedFan\speedfan.exe" ["Almico Software (http://www.almico.com )"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"CoreCenter" -> shortcut to: "C:\Program Files\MSI\Core Center\CoreCenter.exe" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\mks_vir_2007\bin\mkslsp.dll [null data], 01 - 03, 10
%SystemRoot%\system32\mswsock.dll [MS], 04 - 07, 11 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM…CLSID} = "&Google"
                   \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM…CLSID} = "&Google"
                   \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM…CLSID} = "&Google"
                   \InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = "&Badanie"
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU…CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM…CLSID} = "Java Plug-in 1.6.0_01"
                   \InProcServer32(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box.
----------
(total run time: 56 seconds, including 6 seconds for message boxes)
Post merged: 30.06.2007 (Sat) 10:45
I'll add that today various IE windows started popping up with antivirus ads and the like.
adam9870
(adam9870)
30 June 2007 11:12
#4
In the logs:

C:\WINDOWS\retadpu2000352.exe

O4 - HKLM…\Run: [runner1] C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM…\Run: [icq.com ] rundll32.exe "C:\WINDOWS\system32\mvpdmelp.dll",forkonce
O4 - HKLM…\Run: [Error Safe] C:\Program Files\Error Safe Free\ers.exe /scan
O4 - HKLM…\Run: [uerscw] C:\Program Files\Error Safe Free\uerscw.exe -c

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"runner1" = "C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310" [empty string]
"icq.com " = "rundll32.exe "C:\WINDOWS\system32\mvpdmelp.dll",forkonce" [MS]
"Error Safe" = "C:\Program Files\Error Safe Free\ers.exe /scan" ["ErrorSafe"]
"uerscw" = "C:\Program Files\Error Safe Free\uerscw.exe -c" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{1F6581D5-AA53-4b73-A6F9-41420C6B61F1}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\wrnyvaej.dll" [null data]
{871A6EB6-3839-4135-A962-71BB0EC34AC3}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\awtsr.dll" [null data]
{A6807262-1D7A-44AB-947B-23B71E97915C}(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hggefca.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{A6807262-1D7A-44AB-947B-23B71E97915C}" = "*g" (unwritable string)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32(Default) = "C:\WINDOWS\system32\hggefca.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> awtsr\DLLName = "C:\WINDOWS\system32\awtsr.dll" [null data]
<> hggefca\DLLName = "hggefca.dll" [null data]
<> winkve32\DLLName = "winkve32.dll" [null data]
Start with the automated tools, and then whatever is left we'll remove manually. So use VundoFix + FixVundo + VirtumundoBeGone + SmitFraudFix with option number 2, in safe mode.
Once that's done, paste a log from ComboFix. To produce a log with it, run it => press the Y key => wait patiently, and the log should appear as a .txt file named combofix on the C: partition.
A question: do you still have MKS? In the Silent Runners log, in the keys listing applications launched at system startup, several of its entries show [file not found].
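The triage adam9870 does by eye in the post above (picking the Run, BHO and Winlogon\Notify entries with no vendor information, random-looking file names in the Windows directory, a long hex blob as an argument, or a known rogue product out of the Silent Runners output) can be written down as a handful of heuristics and run over the log. The script below is an added example written for this page; it is not code from the thread or from HijackThis, Silent Runners or any of the fix tools named here. The sample lines are copied from the log posted above and embedded as constructed input; the heuristics, the "two independent signals" threshold, the `ROGUE_PRODUCTS` list and all function names are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the Silent Runners output posted in the
# thread (HKLM\...\Run values and Winlogon\Notify entries), one entry per line.
SAMPLE_LOG = r'''
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"CTRegRun" = "C:\WINDOWS\CTRegRun.EXE" ["Creative Technology Ltd "]
"VGAUtil" = "C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [empty string]
"mkstray" = "C:\Program Files\mks_vir_2007\bin\mkstray.exe" [file not found]
"runner1" = "C:\WINDOWS\retadpu2000352.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310" [empty string]
"icq.com " = "rundll32.exe "C:\WINDOWS\system32\mvpdmelp.dll",forkonce" [MS]
"Error Safe" = "C:\Program Files\Error Safe Free\ers.exe /scan" ["ErrorSafe"]
"uerscw" = "C:\Program Files\Error Safe Free\uerscw.exe -c" [null data]
<> awtsr\DLLName = "C:\WINDOWS\system32\awtsr.dll" [null data]
<> hggefca\DLLName = "hggefca.dll" [null data]
'''

# One Silent Runners entry: optional "<>" marker, value name, command, vendor tag.
ENTRY = re.compile(
    r'^(?P<mark><>)?\s*"?(?P<name>[^"=]+?)"?\s*=\s*"(?P<cmd>.*)"\s*\[(?P<tag>.*?)\]\s*$')
# First drive-letter path ending in .exe/.dll inside a command line.
PATH = re.compile(r'[A-Za-z]:\\(?:[^"\\,]+\\)*[^"\\,]+?\.(?:exe|dll)', re.I)
HEX_BLOB = re.compile(r'\b[0-9A-Fa-f]{32,}\b')
RUNDLL = re.compile(r'^\s*rundll32(\.exe)?\b', re.I)
NO_VENDOR = {"null data", "empty string"}
# Assumption of the example: product names the thread identifies as rogue.
ROGUE_PRODUCTS = ("error safe",)


@dataclass
class Finding:
    name: str
    command: str
    vendor: str
    orphaned: bool = False            # "[file not found]": leftover, nothing runs
    rogue: bool = False               # matches a known rogue product
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # A known rogue product is enough on its own; otherwise demand two
        # independent signals so a single odd attribute does not raise an alert.
        return self.rogue or len(self.reasons) >= 2


def first_path(command: str) -> Optional[str]:
    m = PATH.search(command)
    return m.group(0) if m else None


def in_windows_root(path: str) -> bool:
    """True for files dropped directly in C:\\WINDOWS (not in a subfolder)."""
    parent = path.lower().rpartition("\\")[0]
    return re.fullmatch(r"[a-z]:\\windows", parent) is not None


def assess(mark: Optional[str], name: str, command: str, tag: str) -> Finding:
    vendor = tag.strip().strip('"').strip()
    f = Finding(name, command, vendor)
    if vendor.lower() == "file not found":
        f.orphaned = True             # the question adam9870 asks about MKS
        return f
    if mark:
        f.reasons.append("marked <> by Silent Runners")
    if vendor.lower() in NO_VENDOR:
        f.reasons.append("no version/company information")
    if RUNDLL.match(command):
        # The tag describes rundll32.exe itself, not the DLL it loads.
        f.reasons.append("payload DLL loaded via rundll32; vendor tag is uninformative")
    path = first_path(command)
    if path and in_windows_root(path):
        f.reasons.append("file dropped directly in the Windows directory")
    if HEX_BLOB.search(command):
        f.reasons.append("long hex blob passed as argument")
    if name != name.strip():
        f.reasons.append("value name has leading/trailing whitespace")
    if any(p in command.lower() for p in ROGUE_PRODUCTS):
        f.rogue = True
        f.reasons.append("known rogue product")
    return f


def triage(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            findings.append(assess(m["mark"], m["name"], m["cmd"], m["tag"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        status = "ORPHANED" if f.orphaned else ("SUSPECT" if f.flagged else "ok")
        print(f"{status:8} {f.name!r}: {'; '.join(f.reasons) or '-'}")
```

Run as-is, the script reports runner1, icq.com, Error Safe, uerscw and the two Winlogon\Notify DLLs as suspects, mkstray as an orphaned entry, and leaves NvCplDaemon, CTRegRun and VGAUtil alone even though each trips exactly one heuristic. That is the point of the two-signal threshold: [empty string] or a file in C:\WINDOWS on its own is common for legitimate vendor utilities, and the output is a list of candidates for a human to confirm, not a verdict.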
mafioz
(Mafioz09)
30 June 2007 12:26
#5
I had MKS, but during uninstall it said the process couldn't be completed, so I deleted the files manually. I think I'll just do a format, though, because it seems to me nothing will save this Windows anymore; it's been over 6 months without a reinstall.