wojsmol
(wojsmol)
6 January 2007 15:27
#1
Hello
I downloaded a program from the net and installed it; after a system restart the mks_vir 2006 system monitor started hanging, and two entries pointing at this file were added to autostart.
I removed the entries leading to this file from autostart with the startup manager included in the program jv1.6 Power Tool, and I also unticked it in msconfig on the Startup tab.
The computer now boots correctly, but I want to get rid of this file for good, because the virustotal.com report indicates it is infected. Its process is still visible in HJT. I attach the HJT and SR logs and the virustotal.com report mentioned. The file is located at C:\WINDOWS\SYSTEM\HLDRRR.EXE.
HJT
Logfile of HijackThis v1.99.1
Scan saved at 14:21:47, on 2007-01-06
Platform: Windows ME (Win9x 4.90.3000A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SMTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\PROGRAM FILES\MULTIMEDIA CARD READER\SHWICON98.EXE
C:\PROGRAM FILES\MKS_VIR_2006\MKSMONSV.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\PLUSTEK\SOFTWARE\MRPHOTO\SMART START UP\PNPDETECT.EXE
C:\PROGRAM FILES\MKS_VIR_2006\MKS2006.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\HLDRRR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CHELLOPL\CHELLOINFO\CHELLOINFO.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\PROGRAM FILES\MKS_VIR_2006\MKS_MAIL.EXE
C:\WINDOWS\PULPIT\NOTEPAD.EXE
C:\PROGRAM FILES\SONY CORPORATION\PICTURE PACKAGE\PICTURE PACKAGE MENU\SONYTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SONY CORPORATION\PICTURE PACKAGE\PICTURE PACKAGE APPLICATIONS\RESIDENCE.EXE
C:\PROGRAM FILES\MKS_VIR_2006\MKS_SCAN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gry.pl/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRAM FILES\FREE DOWNLOAD MANAGER\IEFDMCKS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL
O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL
O4 - HKLM\..\Run: [scanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [smapp] Smtray.exe
O4 - HKLM\..\Run: [sMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunkist] C:\Program Files\Multimedia Card Reader\shwicon98.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\SYSTEM\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [MKS Service Monitor] C:\Program Files\MKS_VIR_2006\mksmonsv.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [smart Start UP] C:\Program Files\Plustek\Software\Mrphoto\Smart Start UP\PnPDetect.exe /Automation
O4 - HKLM\..\Run: [MKS_VIR_2006] C:\Program Files\MKS_VIR_2006\mks2006.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [schedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [sSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [stillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ChelloInfo] C:\PROGRAM FILES\CHELLOPL\CHELLOINFO\CHELLOINFO.EXE
O4 - HKCU\..\Run: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\Dane aplikacji\hidires\hidr.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\RunServices: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [ChelloInfo] C:\PROGRAM FILES\CHELLOPL\CHELLOINFO\CHELLOINFO.EXE
O4 - HKCU\..\RunServices: [MailScanner] C:\Program Files\MKS_VIR_2006\Mks_mail.exe
O4 - HKCU\..\RunServices: [drvsyskit] C:\WINDOWS\Dane aplikacji\hidires\hidr.exe
O4 - HKCU\..\RunServices: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - Startup: PitPad3.lnk = C:\WINDOWS\Pulpit\NOTEPAD.EXE
O4 - Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PartMetBackup.lnk = C:\Program Files\Java\jre1.5.0_07\bin\javaw.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL/cmbacklinks.html
O8 - Extra context menu item: Check &Spelling - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM
O8 - Extra context menu item: &ieSpell Options - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM
O8 - Extra context menu item: &Lookup Meaning - res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/LOOKUPMEANING.HTM
O8 - Extra context menu item: Pobierz z Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_07\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_07\BIN\SSV.DLL
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\PROGRAM FILES\IESPELL\IESPELL.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\mksfirewall.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\mksfirewall.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\mksfirewall.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\mksfirewall.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\mksfirewall.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} (Google Activate) - http://toolbar.google.com/data/pl/deleo … gleNav.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c … 040510.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne … n_ansi.cab
SR
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [file not found]
"ChelloInfo" = "C:\PROGRAM FILES\CHELLOPL\CHELLOINFO\CHELLOINFO.EXE" ["Wortal chelloPL (http://chelloPL.one.pl )"]
"MailScanner" = "C:\Program Files\MKS_VIR_2006\Mks_mail.exe" ["MKS sp. z o. o."]
"drvsyskit" = "C:\WINDOWS\Dane aplikacji\hidires\hidr.exe" [null data]
"Gadu-Gadu" = ""C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray" ["Gadu-Gadu S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Smapp" = "Smtray.exe" ["Analog Devices"]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit" [MS]
"Sunkist" = "C:\Program Files\Multimedia Card Reader\shwicon98.exe" ["Alcor Micro, Corp."]
"PinnacleDriverCheck" = "C:\WINDOWS\SYSTEM\PSDrvCheck.exe -CheckReg" [empty string]
"Openwares LiveUpdate" = "C:\Program Files\LiveUpdate\LiveUpdate.exe" ["Openwares"]
"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]
"MKS Service Monitor" = "C:\Program Files\MKS_VIR_2006\mksmonsv.exe" ["4"]
"LoadQM" = "loadqm.exe" [MS]
"Smart Start UP" = "C:\Program Files\Plustek\Software\Mrphoto\Smart Start UP\PnPDetect.exe /Automation " ["0"]
"MKS_VIR_2006" = "C:\Program Files\MKS_VIR_2006\mks2006.exe" [null data]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"CreateCD" = "C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r" ["Adaptec"]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"Machine Debug Manager" = "C:\WINDOWS\SYSTEM\MDM.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Instalator systemu Windows — Konwerter FAT32"
                \StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Big Fish Games Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL" [empty string]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0 CE\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FDMIECookiesBHO Class"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\FREE DOWNLOAD MANAGER\IEFDMCKS.DLL" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
  -> {HKLM...CLSID} = "Universal Plug and Play Devices"
                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVCPL.DLL" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\NVSHELL.DLL" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}" = "EditPlus Context Menu Handler"
  -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\EDITPLUS 2\EPPSHELL.DLL" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\REAL\REALPLAYER\RPSHELL.DLL" ["RealNetworks, Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.0.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\COMMON FILES\AHEAD\LIB\NERODIGITALEXT.DLL" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
EditPlus\(Default) = "{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"
  -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\EDITPLUS 2\EPPSHELL.DLL" [null data]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
  -> {HKLM...CLSID} = "Corel Versions"
                   \InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]
MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\MKS_VIR_2006\mksshell.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}\(Default) = "{D7B7A5AE-9D19-4F9E-9C6F-46C82D22D71C}"
  -> {HKLM...CLSID} = "Wyślij na Fotosik.pl"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FOTOSI~1\FOTOSI~1.DLL" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
VersionsMenu\(Default) = "{03170921-4754-11cf-AB9A-00C0F00683EB}"
  -> {HKLM...CLSID} = "Corel Versions"
                   \InProcServer32\(Default) = "C:\Program Files\Corel\shared\Versions\CVersion.dll" [null data]
MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"
  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\MKS_VIR_2006\mksshell.dll" [null data]


System Policies {policy setting}:
---------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"CDRAutoRun" = (REG_BINARY) hex:00 00 00 00
  {unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoCDBurning" = (REG_DWORD) hex:0x00000000
  {unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by System Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Moje dokumenty\Moje obrazy\Chata w polu.jpg"

Displayed if Active Desktop disabled and wallpaper not set by System Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "(None)"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

WIN.INI
[windows]
<<!>> "run=hpfsched" [null data]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Menu Start\Programy\Autostart
"PitPad3" -> shortcut to: "C:\WINDOWS\Pulpit\NOTEPAD.EXE -h" ["Szczepanik.org "]
"Picture Package Menu" -> shortcut to: "C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe" ["Sony Corporation"]
"Picture Package VCD Maker" -> shortcut to: "C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe -h" ["Sony Corporation."]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"PartMetBackup" -> shortcut to: "C:\Program Files\Java\jre1.5.0_07\bin\javaw.exe -cp "C:\Program Files\MetFileRegenerator\mfr3.jar" com.bws42.mfr.PartMetBackup --loop --cwd "C:\Program Files\eMule"" ["Sun Microsystems, Inc."]


Enabled Scheduled Tasks:
------------------------

"Rozpoczęcie aplikacji dostrajania" -> launches: "walign" [MS]
"Harmonogram programu PCHealth dla zbierania danych" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"mks_vir - Zadanie 0" -> WARNING - The file "mks_vir - Zadanie 0.job" is corrupt! (no executable)


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\MksFirewall.dll ["MKS"], 2 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}"
  -> {HKLM...CLSID} = "Big Fish Games Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL" [empty string]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL" ["Yahoo! Inc."]
"{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}"
  -> {HKLM...CLSID} = "Big Fish Games Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL" [empty string]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLENAV.DLL" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
  -> {HKLM...CLSID} = "Yahoo! Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YT.DLL" ["Yahoo! Inc."]
"{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A}" = (no title provided)
  -> {HKLM...CLSID} = "Big Fish Games Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBC}"
  -> {HKLM...CLSID} = "Java Plug-in"
                   \InProcServer32\(Default) = "C:\PROGRAM FILES\JAVA\JRE1.5.0_07\BIN\SSV.DLL" ["Sun Microsystems, Inc."]

{0E17D5B7-9F5D-4FEE-9DF6-CA6EE38B68A8}\
"ButtonText" = "ieSpell"
"MenuText" = "ieSpell"
"Script" = "res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLCHECK.HTM" ["Red Egg Software"]

{1606D6F9-9D3B-4AEA-A025-ED5B2FD488E7}\
"MenuText" = "ieSpell Options"
"Script" = "res://C:\PROGRAM FILES\IESPELL\IESPELL.DLL/SPELLOPTION.HTM" ["Red Egg Software"]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\Version = (invalid data)
The Internet Explorer version cannot be found!

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

The contents of IERESET.INF cannot be reliably checked!

Added lines (compared with English-language version):
[strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome "
[strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome "

Missing lines (compared with English-language version):
[strings]: 2 lines


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 226 seconds.
---------- (total run time: 388 seconds)
virustotal.com report
Complete scanning result of "hldrrr.exe", received in VirusTotal at 01.06.2007, 16:22:18 (CET).

Antivirus  Version  Update  Result
AntiVir  7.3.0.21  01.05.2007  no virus found
Authentium  4.93.8  12.30.2006  no virus found
Avast  4.7.892.0  12.30.2006  no virus found
AVG  386  01.05.2007  no virus found
BitDefender  7.2  01.06.2007  no virus found
CAT-QuickHeal  9.00  01.05.2007  no virus found
ClamAV  devel-20060426  01.06.2007  no virus found
DrWeb  4.33  01.06.2007  Win32.HLLM.Beagle
eSafe  7.0.14.0  01.05.2007  no virus found
eTrust-InoculateIT  23.73.107  01.06.2007  Win32/SillyDL.7kvd!Trojan
eTrust-Vet  30.3.3307  01.06.2007  Win32/Glieder.EG
Ewido  4.0  01.06.2007  no virus found
Fortinet  2.82.0.0  01.06.2007  no virus found
F-Prot  3.16f  01.05.2007  security risk named W32/Mitglieder.VJ
F-Prot4  4.2.1.29  01.05.2007  W32/Mitglieder.VJ
Ikarus  T3.1.0.27  01.06.2007  no virus found
Kaspersky  4.0.2.24  01.06.2007  no virus found
McAfee  4933  01.05.2007  no virus found
Microsoft  1.1904  01.06.2007  no virus found
NOD32v2  1959  01.05.2007  probably unknown NewHeur_PE virus
Norman  5.80.02  12.31.2007  no virus found
Panda  9.0.0.4  01.06.2007  no virus found
Prevx1  V2  01.06.2007  no virus found
Sophos  4.13.0  01.05.2007  no virus found
Sunbelt  2.2.907.0  01.05.2007  VIPRE.Suspicious
TheHacker  6.0.3.143  01.05.2007  no virus found
UNA  1.83  01.06.2007  no virus found
VBA32  3.11.1  01.06.2007  no virus found
VirusBuster  4.3.19:9  01.06.2007  no virus found

Additional Information
File size: 1459410 bytes
MD5: 62ce4ba97a638650a75afaf945c19835
SHA1: 968428d3ecc29fa14aef25e16fef8f0bc6ba6084
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
I am running Win ME.
Regards, and thanks in advance for the help
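Added example, not part of the post above and not code from HijackThis, Silent Runners or VirusTotal: a small triage script that parses the two report formats quoted in the post and does the cross-check the poster is effectively doing by hand, listing running images that no O4 launch point explains (HLDRRR.EXE still runs after its autostart entries were removed) and launch points whose image is not running. The two inputs are constructed, shortened excerpts of the HJT log and the VirusTotal report above, one entry per line as the tools emit them; the full VirusTotal report lists 30 engines, the excerpt only six. The functions and their names are this example's own.

```python
"""Added triage helpers, not part of the post: parse a HijackThis 1.99.1 log and a
VirusTotal text report and cross-check running processes against O4 launch points.
The two inputs are constructed, shortened excerpts of the reports quoted above."""
import re

HJT_EXCERPT = r"""Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MKS_VIR_2006\MKSMONSV.EXE
C:\WINDOWS\SYSTEM\HLDRRR.EXE
C:\PROGRAM FILES\GADU-GADU\GG.EXE
C:\WINDOWS\PULPIT\NOTEPAD.EXE
C:\WINDOWS\PULPIT\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [MKS Service Monitor] C:\Program Files\MKS_VIR_2006\mksmonsv.exe
O4 - HKCU\..\Run: [drvsyskit] C:\WINDOWS\Dane aplikacji\hidires\hidr.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\PROGRAM FILES\GADU-GADU\GG.EXE" /tray
O4 - HKCU\..\RunServices: [drvsyskit] C:\WINDOWS\Dane aplikacji\hidires\hidr.exe
O4 - Startup: PitPad3.lnk = C:\WINDOWS\Pulpit\NOTEPAD.EXE
"""

VT_EXCERPT = """Antivirus Version Update Result
AntiVir 7.3.0.21 01.05.2007 no virus found
DrWeb 4.33 01.06.2007 Win32.HLLM.Beagle
eTrust-Vet 30.3.3307 01.06.2007 Win32/Glieder.EG
F-Prot 3.16f 01.05.2007 security risk named W32/Mitglieder.VJ
NOD32v2 1959 01.05.2007 probably unknown NewHeur_PE virus
Sunbelt 2.2.907.0 01.05.2007 VIPRE.Suspicious
MD5: 62ce4ba97a638650a75afaf945c19835
"""

O4_REG_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.*?) = (?P<cmd>.*)$")
VT_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+)$")
HASH_RE = re.compile(r"^(MD5|SHA1):\s*([0-9a-fA-F]+)$")


def image_name(cmd):
    """Upper-cased basename of the executable a launch command or process path runs."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path followed by arguments
        exe = cmd[1:].split('"', 1)[0]
    else:                                         # unquoted: text up to the first .exe
        m = re.match(r"(.*?\.exe)\b", cmd, re.I)
        exe = m.group(1) if m else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].upper()


def parse_hjt(text):
    """Return (running process paths, O4 launch entries) from an HJT log."""
    procs, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False                      # blank line ends the process list
        elif in_procs:
            procs.append(line)
        else:
            m = O4_REG_RE.match(line) or O4_STARTUP_RE.match(line)
            if m:
                d = m.groupdict()
                entries.append({"hive": d.get("hive", "Startup"), "key": d.get("key", "folder"),
                                "name": d["name"], "cmd": d["cmd"]})
    return procs, entries


def unaccounted_processes(text):
    """Running images that no O4 launch point explains: look at these first."""
    procs, entries = parse_hjt(text)
    launched = {image_name(e["cmd"]) for e in entries}
    return [p for p in procs if image_name(p) not in launched]


def orphan_launch_points(text):
    """O4 entries whose image is not in the process list (stale, or failed to start)."""
    procs, entries = parse_hjt(text)
    running = {image_name(p) for p in procs}
    return ["%s\\%s: [%s] %s" % (e["hive"], e["key"], e["name"], e["cmd"])
            for e in entries if image_name(e["cmd"]) not in running]


def vt_summary(text):
    """Detection count, detection names and hashes from a VirusTotal text report."""
    rows, hashes = [], {}
    for line in (l.strip() for l in text.splitlines()):
        m, h = VT_ROW_RE.match(line), HASH_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(4)))          # (engine, result)
        elif h:
            hashes[h.group(1)] = h.group(2).lower()
    hits = [(e, r) for e, r in rows if r.lower() != "no virus found"]
    return {"engines": len(rows), "detections": len(hits), "names": sorted(r for _, r in hits),
            "md5": hashes.get("MD5"), "sha1": hashes.get("SHA1")}


if __name__ == "__main__":
    for p in unaccounted_processes(HJT_EXCERPT):
        print("running, no launch point:", p)
    for e in orphan_launch_points(HJT_EXCERPT):
        print("launch point, not running:", e)
    s = vt_summary(HJT_EXCERPT and VT_EXCERPT)
    print("VirusTotal: %d/%d engines, md5=%s" % (s["detections"], s["engines"], s["md5"]))
```

On the excerpt the first list is EXPLORER.EXE, HLDRRR.EXE and HIJACKTHIS.EXE (the shell and the tool itself are expected there; HLDRRR.EXE is the one to explain), and the second list is the two drvsyskit entries whose hidr.exe is not running. The O4 parser only reads the Run/RunServices keys and the Startup folder that HJT 1.99.1 prints; win.ini "run=" lines and scheduled tasks would need their own patterns.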
Gutek
(Gutek)
7 January 2007 01:16
#2
Use Pocket Killbox. Tick the Delete on Reboot option and in the Full Path of File to Delete field paste the path
C:\WINDOWS\SYSTEM\HLDRRR.EXE
and press the red X. The program will ask to restart the computer ... so restart.
Open Notepad and paste:
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the file you created and confirm >>> restart the computer
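The contents Gutek meant for FIX.REG are not on the page, so nothing below reproduces them. What follows is an added example, not Gutek's fix, showing only the file format the reply relies on: a .reg file that the regedit shipped with Windows 9x/ME will import must start with the REGEDIT4 header and be saved as ANSI text with CRLF line endings (the Unicode "Windows Registry Editor Version 5.00" format of later Windows is not accepted there). Deleting a value is written as "name"=- under its key, and deleting a whole key as [-key]. The key and value names in the code are placeholders.

```python
"""Added example, not Gutek's FIX.REG: build a .reg file in the REGEDIT4 format that
regedit on Windows 9x/ME imports.  Key and value names used here are placeholders."""


def reg_escape(s):
    """Escape a key or value name for a .reg file: backslash and double quote."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_delete(values_by_key=(), keys=()):
    """Return REGEDIT4 text that deletes values ("name"=-) and whole keys ([-key]).

    values_by_key: iterable of (key path, [value names]); keys: iterable of key paths.
    Lines are joined with CRLF, which is what Notepad on Win9x/ME produces and regedit expects."""
    lines = ["REGEDIT4", ""]
    for key, names in values_by_key:
        lines.append("[%s]" % key)                      # key path is written unescaped
        lines.extend('"%s"=-' % reg_escape(n) for n in names)
        lines.append("")
    for key in keys:
        lines.append("[-%s]" % key)                     # leading '-' deletes the key
        lines.append("")
    return "\r\n".join(lines)


def write_reg(path, text):
    """Write the file as ANSI (cp1250 for a Polish Windows ME) without newline translation,
    so the CRLF endings from reg_delete() reach the disk unchanged."""
    with open(path, "w", encoding="cp1250", newline="") as f:
        f.write(text)


if __name__ == "__main__":
    # Placeholder names only; substitute the entries identified in the log being cleaned.
    print(reg_delete([(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
                       ["PlaceholderValue"])],
                     [r"HKEY_CURRENT_USER\Software\PlaceholderKey"]))
```

Saving through Notepad as the reply describes (Save As, type All Files, name FIX.REG) yields the same ANSI/CRLF file; the point of the escaping is that a value name containing a quote or backslash would otherwise be silently skipped or mis-parsed by regedit rather than deleted.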