Endzia311
(Asorbjan)
20 October 2006 10:34
#1
I should say up front that I'm still not very familiar with fighting this kind of pest…
Logfile of HijackThis v1.99.1
Scan saved at 12:18:13, on 2006-10-20
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Office Keyboard\KbdAp32A.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Corel\Graphics8\programs\MFIndexer.exe
C:\WINDOWS\System32\lxcccoms.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\BearShare\BearShare.exe
C:\Documents and Settings\Aniol\Pulpit\hijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM…\Run: [FLMK08KB] C:\Program Files\Office Keyboard\MMKEYBD.EXE
O4 - HKLM…\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM…\Run: [NT Logging Service] syslog32.exe
O4 - HKLM…\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM…\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM…\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM…\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU…\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU…\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU…\Run: [eMuleAutoStart] E:\mule\eMule\emule.exe -AutoStart
O4 - HKCU…\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\programs\MFIndexer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c … 040510.cab
O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/One … or012s.ocx
O16 - DPF: {AB8638BB-79E8-4E9D-ABF2-8F33054E3941} (Guesser Class) - http://czat.onet.pl/client/kalambury/NetPunGame1.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O21 - SSODL: ECEGBFCJ - {7BA13E72-14F2-09C7-02B7-104842650FD1} - C:\WINDOWS\System32\Mldppabh.dll (file missing)
O21 - SSODL: mtklef - {678241AD-BA3C-494B-A1B0-AD48C5499C20} - C:\WINDOWS\System32\nqmwmf32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Merged post: 20.10.2006 (Fri) 12:52
Oh, and also frequent errors: with some folders it's enough to open them and that's it, or it happens when moving files. It says there's a problem with the explorer.exe application, without any explanation, and of course all the windows close, etc.
chat
(Anonymous Dreams)
20 October 2006 11:17
#2
Search Google for this.
O4 - HKCU…\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
But is this actually happening to you, or do you just want to know why and how to change it? If pop-ups are appearing, there are a few ways: first, switch your browser to Firefox, then install the AdBlock add-on. Then, if that doesn't help, scan the system with an antivirus, because you probably have some advertising spyware.
Krzychuu
(Krzychuu)
20 October 2006 11:58
#4
I suggest installing SP 2.
adam9870
(adam9870)
20 October 2006 13:11
#5
Use Windows Worms Doors Cleaner and change the markers from disable to enable (all markers should be green; if one of them is yellow, leave it). A restart is required after using the tool.
Start => Run => type services.msc => stop and disable the NT login service, then launch HijackThis Misc Tools => Delete NT service => type ntlogin32 => OK and restart the computer.
Try the SmitFraudFix tool (option 2 in Safe Mode). Then check what remains of what I've listed below and remove it (you do all of this in Safe Mode with System Restore turned off, of course):
Delete the marked files and folders manually from the disk, and the entries in HijackThis.
After doing the above, post a new HijackThis log, plus one from SilentRunners if you like. If any error appears while running Silent Runners, please give its exact text.
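A small triage helper, added here as an example and not part of this thread or of HijackThis itself, that reads lines in the HijackThis 1.99.1 format posted above and flags the kinds of entries the replies single out: an autostart given as a bare file name, SSODL entries whose DLL is missing, and services with no known owner or a missing binary. The sample lines are copied from the log in this thread; the regexes and the `Finding` type are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    kind: str    # HijackThis section: O4 / O21 / O23
    entry: str   # the name HijackThis shows for the item
    target: str  # executable or DLL the entry loads
    reason: str


# O4 autostart: "O4 - HKLM\..\Run: [Name] command line". The forum rendering of the
# thread's log shows the middle part as "HKLM…\Run", so the hive suffix is matched loosely.
RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\S*\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
SSODL_RE = re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O21 - SSODL: ECEGBFCJ - {7BA13E72-14F2-09C7-02B7-104842650FD1} - C:\WINDOWS\System32\Mldppabh.dll (file missing)
O21 - SSODL: mtklef - {678241AD-BA3C-494B-A1B0-AD48C5499C20} - C:\WINDOWS\System32\nqmwmf32.dll (file missing)
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def launched_file(cmd: str) -> str:
    """Return the file an O4 command line really loads: the quoted or first token,
    or, for rundll32 launchers, the DLL passed as the first argument."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            end = len(cmd)
        first, rest = cmd[1:end], cmd[end + 1:]
    else:
        parts = cmd.split(None, 1)
        first, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    if first.upper() in ("RUNDLL32", "RUNDLL32.EXE"):
        return rest.strip().split(",", 1)[0].strip()
    return first


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing worth a second look."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        target = launched_file(m.group("cmd"))
        if "\\" not in target:
            # A bare name is resolved through PATH; legitimate entries (nwiz.exe here)
            # do exist, so this is a "confirm the publisher by hand" finding.
            return Finding("O4", m.group("name"), target,
                           "autostart gives a bare file name instead of a full vendor path")
        return None
    m = SSODL_RE.match(line)
    if m:
        path = m.group("path")
        if "(file missing)" in path:
            return Finding("O21", m.group("name"), path.replace(" (file missing)", ""),
                           "ShellServiceObjectDelayLoad entry whose DLL is gone")
        return Finding("O21", m.group("name"), path,
                       "SSODL entries are rare on a clean system; verify the DLL's publisher")
    m = SVC_RE.match(line)
    if m:
        path, owner = m.group("path"), m.group("owner")
        if "(file missing)" in path or owner == "Unknown owner":
            return Finding("O23", m.group("name"), path.replace(" (file missing)", ""),
                           "service with no known publisher or a missing binary")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits, in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} [{f.entry}] {f.target}: {f.reason}")
```

Entries with a proper path such as WhenUSave are not flagged by these rules, so the antivirus scan the replies recommend still has to follow; and a bare-name hit such as nwiz, which the Silent Runners output in this thread attributes to NVIDIA Corporation, is cleared by hand.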
Endzia311
(Asorbjan)
24 October 2006 10:03
#6
not sure if I did it right…
Logfile of HijackThis v1.99.1
Scan saved at 11:55:21, on 2006-10-24
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\BearShare\BearShare.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Office Keyboard\KbdAp32A.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Corel\Graphics8\programs\MFIndexer.exe
C:\WINDOWS\System32\lxcccoms.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Aniol\Pulpit\hijackThis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM…\Run: [FLMK08KB] C:\Program Files\Office Keyboard\MMKEYBD.EXE
O4 - HKLM…\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM…\Run: [NT Logging Service] syslog32.exe
O4 - HKLM…\Run: [bearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM…\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM…\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM…\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU…\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU…\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU…\Run: [eMuleAutoStart] E:\mule\eMule\emule.exe -AutoStart
O4 - HKCU…\Run: [WhenUSave] "C:\Program Files\Save\Save.exe"
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\programs\MFIndexer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c … 040510.cab
O16 - DPF: {631FF594-EC25-4CFF-B869-402DF294E1D6} (Instalator oprogramowania Onet.pl) - http://slimak.onet.pl/_m/kamerzysta/One … or012s.ocx
O16 - DPF: {AB8638BB-79E8-4E9D-ABF2-8F33054E3941} (Guesser Class) - http://czat.onet.pl/client/kalambury/NetPunGame1.dll
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O21 - SSODL: ECEGBFCJ - {7BA13E72-14F2-09C7-02B7-104842650FD1} - C:\WINDOWS\System32\Mldppabh.dll (file missing)
O21 - SSODL: mtklef - {678241AD-BA3C-494B-A1B0-AD48C5499C20} - C:\WINDOWS\System32\nqmwmf32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxcccoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
and here is the one from Silent Runners:
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]
"PowerBar" = "(empty string)" [file not found]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com "]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"eMuleAutoStart" = "E:\mule\eMule\emule.exe -AutoStart" [file not found]
"WhenUSave" = ""C:\Program Files\Save\Save.exe"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"RemoteControl" = ""C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"FLMOFFICE4DMOUSE" = "C:\Program Files\Browser MOUSE\mouse32a.exe" [empty string]
"FLMK08KB" = "C:\Program Files\Office Keyboard\MMKEYBD.EXE" [empty string]
"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" [file not found]
"NT Logging Service" = "syslog32.exe" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"LXCCCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16" [MS]
"lxccmon.exe" = ""C:\Program Files\Lexmark 3300 Series\lxccmon.exe"" ["Lexmark International, Inc."]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
  \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM…CLSID} = "AcroIEHlprObj Class"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM…CLSID} = "NVIDIA CPL Extension"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM…CLSID} = "DesktopContext Class"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM…CLSID} = "Desktop Explorer"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM…CLSID} = "nView Desktop Context Menu"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {HKLM…CLSID} = "Shell Extension for CDRW"
     \InProcServer32(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM…CLSID} = "Portable Media Devices Menu"
     \InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
  -> {HKLM…CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
  -> {HKLM…CLSID} = "AVG7 Find Extension Class"
     \InProcServer32(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
  -> {HKLM…CLSID} = "Corel Media Folder Root Menu Handler"
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
  -> {HKLM…CLSID} = "Folder To Corel Media Folder Menu Handler"
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {HKLM…CLSID} = "Corel Media Folder"
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {HKLM…CLSID} = "Corel Media Folder"
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
  -> {HKLM…CLSID} = "Corel Media Find Folder"
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
  -> {HKLM…CLSID} = "Corel Media Folder Copy Hook Handler"
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*U" (unwritable string)
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"ECEGBFCJ" = "{7BA13E72-14F2-09C7-02B7-104842650FD1}"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\System32\Mldppabh.dll" [file not found]
"mtklef" = "{678241AD-BA3C-494B-A1B0-AD48C5499C20}"
  -> {HKLM…CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\System32\nqmwmf32.dll" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"PFDNNT C:\WINDOWS\SYSTEM32\LIBSYS32.EXE(1).VIR" [file not found]|"PFDNNT C:\WINDOWS\SYSTEM32\F.EXE(1).VIR" [file not found]|"PFDNNT C:\WINDOWS\SYSTEM32\LIBSYS32.EXE(2).VIR" [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
  -> {HKLM…CLSID} = "PDF Shell Extension"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM…CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FolderToCorelMediaFolder(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
  -> {HKLM…CLSID} = "Folder To Corel Media Folder Menu Handler"
     \InProcServer32(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" [empty string]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM…CLSID} = "AVG7 Shell Extension Class"
     \InProcServer32(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
"1601" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\
"1601" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
"1601" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\
"1601" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
"1601" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\
"1601" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Aniol\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Aniol\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "Aniol" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"VIA RAID TOOL" -> shortcut to: "C:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Adobe Gamma Loader.exe" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Corel MEDIA FOLDERS INDEXER 8" -> shortcut to: "C:\Corel\Graphics8\programs\MFIndexer.exe " ["Corel Corporation"]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
lxcc_device, lxcc_device, "C:\WINDOWS\System32\lxcccoms.exe -service" ["Lexmark International, Inc."]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
3300 Series Port\Driver = "lxcclmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]

----------
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 23 seconds.
---------- (total run time: 75 seconds)
No error message appeared… is it okay now? Thanks for the help…
Myszak
(Myszonus)
24 October 2006 10:12
#7
Open Notepad and paste:
File --> Save As --> change the file type from .txt to All Files --> save as FIX.REG and run it in Safe Mode.
Endzia311
(Asorbjan)
24 October 2006 18:13
#8
OK, but what do I do once I've booted into Safe Mode?
Bieniol
(Bbieniol)
24 October 2006 18:14
#9
Run the FIX.REG file in Safe Mode and confirm adding it to the registry. Restart the computer into Normal Mode and paste a new Silent Runners log.
Endzia311
(Asorbjan)
24 October 2006 18:54
#10
unfortunately I get an error saying:
Bieniol
(Bbieniol)
24 October 2006 18:59
#11
Start -> Run -> regedit and go to the keys:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Delete: "PowerBar"
"WhenUSave"
Go to the key [HKEY_LOCAL_MACHINE\HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
Delete: "NT Logging Service"
Go to the key [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Delete: "ECEGBFCJ"
"mtklef"
Go to the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
There, double-click the BootExecute value and delete everything from the box except autocheck autochk *
Endzia311
(Asorbjan)
24 October 2006 19:24
#12
I don't have "PowerBar"
I don't have "HKEY_LOCAL_MACHINE\HKLM"
I don't have "ECEGBFCJ" or "mtklef"
I have nothing other than "autochk *"
Endzia311
(Asorbjan)
24 October 2006 19:44
#16
But the windows keep popping up. And, for example, when I open one of my partitions I immediately get an error saying "Wystąpił problem z aplikacją explorer.exe i zostanie ona zamknięta. Przepraszamy za kłopoty." (explorer.exe has encountered a problem and needs to close. We are sorry for the inconvenience.). I can't open, copy or move anything.
Merged post: 24.10.2006 (Tue) 21:45
Myszak
(Myszonus)
24 October 2006 20:13
#17
Boot into the Recovery Console and run the command (with the XP disc in the drive):
X --> drive letter.
Endzia311
(Asorbjan)
25 October 2006 07:16
#18
Could I ask for more detail (more clearly), because unfortunately I don't really understand what I'm supposed to do… ;/
Myszak
(Myszonus)
25 October 2006 07:37
#19
Start the Recovery Console.
And in that console you need to enter the commands:
The letter X stands for the drive where you have the system disc.