zun
(Zun)
13 Grudzień 2006 11:21
#1
Problem mam taki ze explorer sie wywala gdy chce cokolwiek otowrzyc - obojethnie czy to jest otoczenie sieciowe , czy tez moj komputer czy tez jakikolwiek inny katalog . Po kliknieciu znika wszytsko z pulpitu i pojawia sie po sekundzie. Sprawdzielm co sie dzieje w tym czasie z procesami - tak wiec explorer znika z procesow i pojawia sie po sekundzie. Nie dzieje sie tak w trybie awaryjnym. Komputer sprawdzony panda i spybotem. Dolaczam log z hijackthis :
Logfile of HijackThis v1.99.1 Scan saved at 12:18:19, on 2006-12-13 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\ZYGMUN~1\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis[1].zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE” /s O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM…\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - HKCU…\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe O4 - HKCU…\Run: [uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: @c :\Program Files\Messenger\Msgslang.dll,-61144 - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: @c :\Program Files\Messenger\Msgslang.dll,-61144 - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Program Files\Advanced Registry Doctor\RegManServ.exe O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
Z góry dziekuje za wszelka pomoc. System WinXP
Joan
(Joan Sunshine)
13 Grudzień 2006 11:48
#2
To jest Twój program?
Przeczyść rejestr – użyj do tego jv16 PowerTools 2006 1.5.2.344.
opis tutaj
Pozatym przejrzyj: Lista zbędników w autostarcie oraz Optymalizacja XP.
Wejdź: Start > uruchom > msconfig i w zakładce „Uruchamianie” odznacz, niepotrzebne według Ciebie, programy w autostarcie.
Podmień explorera z płyty XP.
Odpalasz Konsolę odzyskiwania i wpisujesz komende:
*expand X:\i386\explorer.ex_ C:\WINDOWS*
(zamiast X podstaw literę CD-ROMu)
zun
(Zun)
13 Grudzień 2006 11:56
#3
Joan:
To jest Twój program? Przeczyść rejestr – użyj do tego jv16 PowerTools 2006 1.5.2.344. opis tutaj Pozatym przejrzyj: Lista zbędników w autostarcie oraz Optymalizacja XP. Wejdź: Start > uruchom > msconfig i w zakładce „Uruchamianie” odznacz, niepotrzebne według Ciebie, programy w autostarcie. Podmień explorera z płyty XP. Odpalasz Konsolę odzyskiwania i wpisujesz komende: expand X:\i386\explorer.ex_ C:\WINDOWS\ (zamiast X podstaw literę CD-ROMu)
Probowalem juz uruchamiac kompa z odznaczonymi wszytskimi aplikacjami wlaczajacymi sie przy starcie (za pomoca spybota to robilem)
A jesli chodzi o zamienianie ze startowej explorera - czy gdyby byl uszkodozny to przypadkiem nie dzialal by rowniez podczas uruchomienia w trybie awaryjnym ? W trybie awaryjnym wszytsko chodzi ok.
Joan
(Joan Sunshine)
13 Grudzień 2006 12:00
#4
Nie widzę w logu nic podejrzanego. Wrzuć jeszcze na wszelki wypadek z Silent Runners (zaznaczasz No i czekasz aż skończy pracować w tle).
Moim zdaniem podmiana explorera może pomóc - tryb awaryjny to jest uruchomienie komputera w selektywny sposób, ładują się tylko najpotrzebniejsze składniki systemu.
Sprawdź jeszcze błędy w podglądzie zdarzeń:
Start => Panel Sterowania => Narzędzia Administracyjne => Podgląd zdarzeń
Jeśli będą jakieś na czerwono, to wklej szczegóły.
zun
(Zun)
13 Grudzień 2006 12:22
#5
Joan:
Nie widzę w logu nic podejrzanego. Wrzuć jeszcze na wszelki wypadek z Silent Runners (zaznaczasz No i czekasz aż skończy pracować w tle). Moim zdaniem podmiana explorera może pomóc - tryb awaryjny to jest uruchomienie komputera w selektywny sposób, ładują się tylko najpotrzebniejsze składniki systemu. Sprawdź jeszcze błędy w podglądzie zdarzeń: Start => Panel Sterowania => Narzędzia Administracyjne => Podgląd zdarzeń Jeśli będą jakieś na czerwono, to wklej szczegóły.
Panel sterowania tez sie nie uruchamia - moge go odpalic w awaryjnym , ale wtedy pewnie nie bedzie nic podejrzanego
Złączono Posta : 13.12.2006 (Sro) 13:32
Zamienilem explorera i nic nie dalo. Moze szerzej opisze co sie dzialo przedtym . Komputer jest mojego ojca , zainstalowal jakis badziew i zaczelo mu sie to dziac - zainstalowalem mu Spybota , usunal kilkanascie badziewi i problem zniknal - do nastepnego uruchomienia komputera - jak znowu uruchomilem problem znowu sie pojawil , ale komputer jest juz niby czysty - sprawdzany antivirem i spybotem.
Joan
(Joan Sunshine)
13 Grudzień 2006 12:46
#6
Ten bedziew to był wirus czy jakiś program?
Teraz są 2 opcje - syf albo system się sypie.
Prosiłam o loga z Silenta - wklej go.
To może być rootkit, dlatego wklej też logi z gmera:
Zakładka Rootkit > zaznacz wszystko oprócz Pokaż wszystko > kliknij Szukaj
Zakładka Rootkit > zaznacz tylko Usługi oraz Pokaż wszystko > kliknij Szukaj i w obydwu przypadkach poczekaj cierpliwie, aż skończy pracę
zun
(Zun)
13 Grudzień 2006 13:16
#7
Ok zanim sobie posciagam te programiki to napisze jeszcze jakie komunikaty znalazlem w podglądzie zdarzeń
Błąd w zakladce System :
"Nie można załadować następujących sterowników startu rozruchowego lub systemowego:
APPFLT
DSAFLT
Fips
FNETMON
IDSFLT
intelppm
ShldDrv
SMSFLT
WNMLT"
Ostrzeżenie w zakładce Aplikacja dotyczace aplikacji Usernv
“System windows zapisał reestr uzytkownika , kiedy aplikacja lub usługa nadal uzytkowała rejestr podczas wylogowania. Pamięć używana prze rejestr użytkownika nie została zwolniona. Rejestr zostanie zwolniony , kiedy nie będzie używany”
No i to co mnie najbardzie zastanawia to w sumie nawet nie ostrzeżenie tylko informacja z takim opisem :
"Powłoka systemowa została nagle zatrzymana i uruchomiono Explorer.exe. "
I taka informacja zostaje dodana po kazdym kliknieciu przeze mnie na jakis katalog
Złączono Posta : 13.12.2006 (Sro) 15:12
oto log z silent runners :
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”] “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “PcSync” = “C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog” [“Time Information Services Ltd.”] “swg” = “C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe” [“Google Inc.”] “Uniblue Registry Booster” = “C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S” [“Uniblue Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “APVXDWIN” = ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE” /s” [“Panda Software International”] “Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”] “DataLayer” = “C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe” [“Nokia Mobile Phones Ltd.”] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray” [“Nokia”] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “SMSERIAL” = “sm56hlpr.exe” [“Motorola Inc.”] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {8b15971b-5355-4c82-8c07-7e181ea07608}(Default) = “Fax” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser” [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}(Default) = “Fax Provider” \StubPath = “rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{40950107-FEA6-4d53-A65F-B2DCBA57DD58}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{FBFE7864-D495-41f0-B7DC-4BB601CC295E}” = “Contact View” -> {HKLM…CLSID} = “Contact View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll” [“Nokia”] “{C0C4375A-5B72-4efe-929D-3B848C3A1E91}” = “Message View” -> {HKLM…CLSID} = “Message View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll” [“Nokia”] “{65756541-C65C-11CD-0000-4B656E696100}” = “Panda Antivirus” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> avldr\DLLName = “avldr.dll” [“Panda Software”] <> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\fsc_wallpaper_mistymountain.bmp” Startup items in “Zygmunt Chłopecki” & “All Users” startup folders: ------------------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “Spybot - Search & Destroy - Scheduled Task” -> launches: “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK” [“Safer Networking Limited”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavlsp.dll [“Panda Software International”], 01 - 03, 27 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 26 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ O2Micro Flash Memory, O2Flash, “C:\WINDOWS\system32\o2flash.exe” [null data] Panda anti-virus service, PAVSRV, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe”” [“Panda Software International”] Panda Function Service, PAVFNSVR, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe”” [“Panda Software International”] Panda IManager Service, PSIMSVC, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe”” [“Panda Software”] Panda Network Manager, PNMSRV, ““c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE”” [“Panda Software International”] Panda Process Protection Service, PavPrSrv, ““C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe”” [“Panda Software”] Panda TPSrv, TPSrv, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe”” [“Panda Software”] Registry Management Service, RegManServ, “C:\Program Files\Advanced Registry Doctor\RegManServ.exe” [null data] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] hpzlnt12\Driver = “hpzlnt12.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 109 seconds. ---------- (total run time: 158 seconds)
A co mam zrobic z tym gmerem ? Uruchomilem go tak jak mowiles i co dalej ??
zun
(Zun)
13 Grudzień 2006 16:07
#9
ok , juz mi sie nie chcialo dalej grzebac - wzielem uaktualniem winde z plytki i wszystko dziala - przy okazji musialem skorzystac z infolinii microsoftu zeby aktywowac windowsa :o . Bo jakos przy auktualizacji windows zmyl wszystkie ustawienia sieci i nie bylo netu - lipa.
sdar
(sdar)
14 Grudzień 2006 13:22
#10
zun - z Twojego PW dowiedziałem się, że problem powrócił. Jeśli jednak nie zaczniesz pisac używając polskich znaków (ą, ś,ć, ł, ó itd) to mimo wszystko temat wyląduje w śmietniku.
zun
(Zun)
14 Grudzień 2006 14:37
#11
sdar:
zun - z Twojego PW dowiedziałem się, że problem powrócił. Jeśli jednak nie zaczniesz pisac używając polskich znaków (ą, ś,ć, ł, ó itd) to mimo wszystko temat wyląduje w śmietniku.
Tak , problem powrócił i szczerze mówiąc nie mam zielonego pojęcia co z tym fantem zrobić . Nie będe instalował windowsa na nowo , bo to rozwiązanie porblemu tylko połowiczne - muszę się dowiedzieć jaki jest powód takiego zachowania , przecież musi być jakies logiczne wytłumaczenie. Zna ktos powód czemu sie tak dzieje ??
Bieniol
(Bbieniol)
14 Grudzień 2006 15:28
#12
zun
(Zun)
14 Grudzień 2006 16:57
#13
Oto log hijackthis :
Logfile of HijackThis v1.99.1 Scan saved at 17:55:28, on 2006-12-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\o2flash.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE c:\program files\panda software\panda titanium 2006 antivirus + antispyware\WebProxy.exe C:\Utils\HijackThis.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE” /s O4 - HKLM…\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM…\Run: [adiras] adiras.exe O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: @c :\Program Files\Messenger\Msgslang.dll,-61144 - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: @c :\Program Files\Messenger\Msgslang.dll,-61144 - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
A oto log silent runners
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”] “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “PcSync” = “C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog” [“Time Information Services Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “APVXDWIN” = ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE” /s” [“Panda Software International”] “DataLayer” = “C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe” [“Nokia Mobile Phones Ltd.”] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray” [“Nokia”] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “SMSERIAL” = “sm56hlpr.exe” [“Motorola Inc.”] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”] “adiras” = “adiras.exe” [file not found] HKLM\Software\Microsoft\Active Setup\Installed Components\ {8b15971b-5355-4c82-8c07-7e181ea07608}(Default) = “Fax” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser” [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}(Default) = “Fax Provider” \StubPath = “rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{1D2680C9-0E2A-469d-B787-065558BC7D43}” = “Fusion Cache” -> {HKLM…CLSID} = “Fusion Cache” \InProcServer32(Default) = “C:\WINDOWS\system32\mscoree.dll” [file not found] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{40950107-FEA6-4d53-A65F-B2DCBA57DD58}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{FBFE7864-D495-41f0-B7DC-4BB601CC295E}” = “Contact View” -> {HKLM…CLSID} = “Contact View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll” [“Nokia”] “{C0C4375A-5B72-4efe-929D-3B848C3A1E91}” = “Message View” -> {HKLM…CLSID} = “Message View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll” [“Nokia”] “{65756541-C65C-11CD-0000-4B656E696100}” = “Panda Antivirus” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> avldr\DLLName = “avldr.dll” [“Panda Software”] <> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> application/octet-stream\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “mscoree.dll” [file not found] <> application/x-complus\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “mscoree.dll” [file not found] <> application/x-msdownload\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “mscoree.dll” [file not found] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktop” = (REG_DWORD) hex:0x00000000 {Disable Active Desktop} “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {Don’t save settings at exit} “ClassicShell” = (REG_DWORD) hex:0x00000000 {Enable Classic Shell / Turn on Classic Shell} “NoThemesTab” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000000 {Enable Active Desktop} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktopChanges” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {Remove Task Manager} “NoColorChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSizeChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispScrSavPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispCPL” = (REG_DWORD) hex:0x00000000 {Remove Display in Control Panel} “NoVisualStyleChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispSettingsPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispAppearancePage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispBackgroundPage” = (REG_DWORD) hex:0x00000000 {Hide Desktop tab} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” DESKTOP.INI DLL launch in local fixed drive directories: -------------------------------------------------------- C:\recover\WINDOWS\assembly\DESKTOP.INI [.ShellClassInfo] CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\mscoree.dll” [file not found] C:\WINDOWS\assembly\DESKTOP.INI [.ShellClassInfo] CLSID={1D2680C9-0E2A-469d-B787-065558BC7D43} -> {HKLM…CLSID}\InProcServer32(Default) = “C:\WINDOWS\system32\mscoree.dll” [file not found] Startup items in “Zygmunt Chłopecki” & “All Users” startup folders: ------------------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “Spybot - Search & Destroy - Scheduled Task” -> launches: “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK” [“Safer Networking Limited”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavlsp.dll [“Panda Software International”], 01 - 03, 27 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 26 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ O2Micro Flash Memory, O2Flash, “C:\WINDOWS\system32\o2flash.exe” [null data] Panda anti-virus service, PAVSRV, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe”” [“Panda Software International”] Panda Function Service, PAVFNSVR, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe”” [“Panda Software International”] Panda IManager Service, PSIMSVC, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe”” [“Panda Software”] Panda Network Manager, PNMSRV, ““c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE”” [“Panda Software International”] Panda Process Protection Service, PavPrSrv, ““C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe”” [“Panda Software”] Panda TPSrv, TPSrv, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe”” [“Panda Software”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] hpzlnt12\Driver = “hpzlnt12.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 73 seconds. ---------- (total run time: 121 seconds)
Obydwa zapuścilem podczas normalnej pracy systemu , nie w trybie awaryjnym , tylko wtedy , kiedy problem istnieje.
Joan
(Joan Sunshine)
14 Grudzień 2006 17:09
#14
Zafixuj.
Ze względu na te wpisy:
HKLM\Software\Classes\PROTOCOLS\Filter\ <> application/octet-stream\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “mscoree.dll” [file not found] <> application/x-complus\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “mscoree.dll” [file not found] <> application/x-msdownload\CLSID = “{1E66F26B-79EE-11D2-8710-00C04F79ED0D}” -> {HKLM…CLSID} = “Cor MIME Filter, CorFltr, CorFltr 1” \InProcServer32(Default) = “mscoree.dll” [file not found]
Przeinstaluj proszę .NET Framework
zun
(Zun)
14 Grudzień 2006 17:21
#15
Joan:
Zafixuj.
Przez zafixuj rozumiem poprostu usniecie tego elementu z listy startowej ?
Ok zrobilem to
A jak mam przeinstalować .NET Framewrok i do czego to służy ?
Joan
(Joan Sunshine)
14 Grudzień 2006 17:36
#16
zun
(Zun)
14 Grudzień 2006 17:37
#17
Ok zrobiłem co mi poradziłeś/poardziłaś - tzn zablokowałem uruchamianie adiras.exe i przeintsalowałem .NET Framework i nie dało to żadnego efektu - dalej to samo
zun
(Zun)
14 Grudzień 2006 18:06
#19
log hijakcthis :
Logfile of HijackThis v1.99.1 Scan saved at 19:05:33, on 2006-12-14 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe C:\WINDOWS\system32\o2flash.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\AVENGINE.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\apvxdwin.exe C:\WINDOWS\system32\wuauclt.exe c:\program files\panda software\panda titanium 2006 antivirus + antispyware\WebProxy.exe C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimreal.exe C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\avciman.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\explorer.exe C:\Utils\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O4 - HKLM…\Run: [APVXDWIN] “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE” /s O4 - HKLM…\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM…\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM…\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O9 - Extra button: @c :\Program Files\Messenger\Msgslang.dll,-61144 - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: @c :\Program Files\Messenger\Msgslang.dll,-61144 - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Panda Network Manager (PNMSRV) - Panda Software International - c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe
log silentrunners :
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”] “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “PcSync” = “C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog” [“Time Information Services Ltd.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “APVXDWIN” = ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\APVXDWIN.EXE” /s” [“Panda Software International”] “DataLayer” = “C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe” [“Nokia Mobile Phones Ltd.”] “HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray” [“Nokia”] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “SMSERIAL” = “sm56hlpr.exe” [“Motorola Inc.”] “WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string] “WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”] “WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”] “igfxtray” = “C:\WINDOWS\system32\igfxtray.exe” [“Intel Corporation”] “igfxhkcmd” = “C:\WINDOWS\system32\hkcmd.exe” [“Intel Corporation”] “igfxpers” = “C:\WINDOWS\system32\igfxpers.exe” [“Intel Corporation”] “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {8b15971b-5355-4c82-8c07-7e181ea07608}(Default) = “Fax” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser” [MS] {94de52c8-2d59-4f1b-883e-79663d2d9a8c}(Default) = “Fax Provider” \StubPath = “rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{40950107-FEA6-4d53-A65F-B2DCBA57DD58}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{FBFE7864-D495-41f0-B7DC-4BB601CC295E}” = “Contact View” -> {HKLM…CLSID} = “Contact View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll” [“Nokia”] “{C0C4375A-5B72-4efe-929D-3B848C3A1E91}” = “Message View” -> {HKLM…CLSID} = “Message View” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll” [“Nokia”] “{65756541-C65C-11CD-0000-4B656E696100}” = “Panda Antivirus” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> avldr\DLLName = “avldr.dll” [“Panda Software”] <> igfxcui\DLLName = “igfxdev.dll” [“Intel Corporation”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” -> {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\ShellTit.DLL” [“Panda Software International”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktop” = (REG_DWORD) hex:0x00000000 {Disable Active Desktop} “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {Don’t save settings at exit} “ClassicShell” = (REG_DWORD) hex:0x00000000 {Enable Classic Shell / Turn on Classic Shell} “NoThemesTab” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “ForceActiveDesktopOn” = (REG_DWORD) hex:0x00000000 {Enable Active Desktop} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoActiveDesktopChanges” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {Remove Task Manager} “NoColorChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSizeChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispScrSavPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispCPL” = (REG_DWORD) hex:0x00000000 {Remove Display in Control Panel} “NoVisualStyleChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispSettingsPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispAppearancePage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispBackgroundPage” = (REG_DWORD) hex:0x00000000 {Hide Desktop tab} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp” Startup items in “Zygmunt Chłopecki” & “All Users” startup folders: ------------------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] “HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Enabled Scheduled Tasks: ------------------------ “Spybot - Search & Destroy - Scheduled Task” -> launches: “C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe /AUTOCHECK” [“Safer Networking Limited”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: c:\program files\panda software\panda titanium 2006 antivirus + antispyware\pavlsp.dll [“Panda Software International”], 01 - 03, 27 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 26 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ <> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ .NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, “C:\WINDOWS\Microsoft.NET \Framework\v2.0.50727\mscorsvw.exe” [MS] O2Micro Flash Memory, O2Flash, “C:\WINDOWS\system32\o2flash.exe” [null data] Panda anti-virus service, PAVSRV, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\pavsrv51.exe”” [“Panda Software International”] Panda Function Service, PAVFNSVR, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\PavFnSvr.exe”” [“Panda Software International”] Panda IManager Service, PSIMSVC, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\psimsvc.exe”” [“Panda Software”] Panda Network Manager, PNMSRV, ““c:\program files\panda software\panda titanium 2006 antivirus + antispyware\firewall\PNMSRV.EXE”” [“Panda Software International”] Panda Process Protection Service, PavPrSrv, ““C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe”” [“Panda Software”] Panda TPSrv, TPSrv, ““C:\Program Files\Panda Software\Panda Titanium 2006 Antivirus + Antispyware\TPSrv.exe”” [“Panda Software”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] hpzlnt12\Driver = “hpzlnt12.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 81 seconds. ---------- (total run time: 117 seconds)
Rozumeime ze programy mam uruchamiac wtedy kiedy istneije problem , a nie podczas uruchomienia awaryjnego ? ja je uruchamiam podczas normlanej pracy , wtedy kiedy istneije problem
Joan
(Joan Sunshine)
14 Grudzień 2006 18:22
#20
Czysto. Wklej logi z Gmera, tak jak prosiliśmy z Bieniolem