Arizona
(Arizona)
23 Listopad 2006 16:13
#1
Moj sys to XP HOME SP2.
Mam zainstalowanego NODA oraz Kaspersky Anti-Hacker.
Nod caly czas wykrywa mi w/w trojana, ktory siedzi w TEMPIE lub TEMPORARY INTERNET FILES.
Jak wykrywa owego trojana to wyskakuje komunikat z NODA, ze komputer chce sie polaczyc ze zbiorem…bla bla bla (tutaj adres http tego zbioru) i ze to wlasnie w/w trojan i do wyboru mam tylko opcje ROZLACZ.
To okienko wyskakuje mi raz na 2 minuty
Czyscilem w trybie awaryjnym foldery TEMP oraz TEMPORARY INTERNET FILES oraz skanowalem NODEM wszystkie dyski i nic mi nie wykrylo.
OTO LOG :
Logfile of HijackThis v1.99.1 Scan saved at 17:07:30, on 2006-11-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Eset\nod32kui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe C:\Programy\Stery do myszki\MouseDrv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe F:\instalki\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM…\Run: [Toshiba Hotkey Utility] “C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang PL O4 - HKLM…\Run: [smoothView] C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM…\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM…\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM…\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [WireLessMouse] C:\Programy\Stery do myszki\StartAutorun.exe MouseDrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?1499baf0d9dc47f399ef52ec7ccaa3c O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?1499baf0d9dc47f399ef52ec7ccaa3c O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - Winlogon Notify: winepi32 - C:\WINDOWS\SYSTEM32\winepi32.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
Bieniol
(Bbieniol)
23 Listopad 2006 16:16
#2
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
Po zabiegach nowy log z Hijacka + log z Silent Runners
Arizona
(Arizona)
23 Listopad 2006 16:39
#3
Sprawa ma sie tak:
-wylaczylem przywracanie sysu,
-wlaczylem awaryjny,
-wyrzucilem wpis HiJacku,
-ale pozniej chcialem recznie usunac to cos i nie moglem - wyskakiwal komunikat ze plik albo ma prawa dostepu albo aktualnie uzywany…
co teraz ?
Bieniol
(Bbieniol)
23 Listopad 2006 16:41
#4
Uruchamiasz narzędzie KillBox , zaznaczasz Delete on reboot i All Files , w polu full path of file wklej ścieżkę:
C:\WINDOWS\SYSTEM32\winepi32.dll
Klikasz X i restart kompa
Usuwasz Hijackiem wpis i wklejasz logi oo które prosiłem
Arizona
(Arizona)
23 Listopad 2006 17:07
#5
Ok, zrobilem maly blad ;/
Oto on:
Na poczatku tak robilem i nie chcialo mi uruchamiac kompa ponownie jak klikalem X…zszedlem do awaryjnego i tez nic…
To ponownie zszedlem do awaryjnego i dalem sciezke normalna i pozniej
STANDART FILE KILL
Plik niby sie usunal.
Klopot w tym ze usunalem tez plik win32spl.dll ??
Potrzebny on jest ??
Bieniol
(Bbieniol)
23 Listopad 2006 17:10
#6
To plik systemowy :!:
Wrzuć logi o które prosiłem
Gutek
(Gutek)
23 Listopad 2006 17:14
#7
Zrób tak aby plik wórcił - Wejdź w start>>>Uruchom>>>sfc /scannow przygotuj płytę instralacyjną
Arizona
(Arizona)
23 Listopad 2006 17:28
#8
Hmmm…teraz to namieszalem
OK zrobilem tak :
W KillBoxie mamy taka opcje jak BackUp…i w tym folderze widze 2 usuniete pliki : win32spl.dll oraz winepi32.dll i po prostu zrobilem kopiuj wklej tego systemowego pliku do folderu WINDOWS /System 32/
Mozna tak zrobic ??
Ok…daje logi :
Logfile of HijackThis v1.99.1 Scan saved at 18:21:44, on 2006-11-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Eset\nod32kui.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe C:\Programy\Stery do myszki\MouseDrv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Programy\Gadu-Gadu\gg.exe C:\PROGRAMY\FIREFOX\FIREFOX.EXE F:\instalki\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM…\Run: [Toshiba Hotkey Utility] “C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang PL O4 - HKLM…\Run: [smoothView] C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM…\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM…\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM…\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [WireLessMouse] C:\Programy\Stery do myszki\StartAutorun.exe MouseDrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?1499baf0d9dc47f399ef52ec7ccaa3c O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?1499baf0d9dc47f399ef52ec7ccaa3c O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - Winlogon Notify: winepi32 - winepi32.dll (file missing) O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “TOSCDSPD” = “C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [“TOSHIBA”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”] “SynTPLpr” = “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [“Synaptics, Inc.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “Toshiba Hotkey Utility” = ““C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang PL” [“TOSHIBA Inc.”] “SmoothView” = “C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe” [“TOSHIBA Corporation”] “PadTouch” = “C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe” [“TOSHIBA”] “dla” = “C:\WINDOWS\system32\dla\tfswctrl.exe” [“Sonic Solutions”] “LogitechVideoRepair” = “C:\Program Files\Logitech\Video\ISStart.exe” [file not found] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset “] “WireLessMouse” = “C:\Programy\Stery do myszki\StartAutorun.exe MouseDrv.exe” [empty string] “WMC_AutoUpdate” = “(empty string)” [file not found] HKLM\Software\Microsoft\Active Setup\Installed Components\ {6BF52A52-394A-11d3-B153-00C04F79FAA6}(Default) = “Microsoft Windows Media Player” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {5CA3D70E-1895-11CF-8E15-001234567890}(Default) = (no title provided) -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}(Default) = (no title provided) -> {HKLM…CLSID} = “MSN Search Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{2F5AC606-70CF-461C-BFE1-6063670C3484}” = “Display CPL Extension” -> {HKLM…CLSID} = “DisplayCplExt Class” \InProcServer32(Default) = “C:\Program Files\Toshiba\TouchED\TouchED.DLL” [“TOSHIBA Inc.”] “{DEE12703-6333-4D4E-8F34-738C4DCC2E04}” = “RecordNow! SendToExt” -> {HKLM…CLSID} = “RecordNow! SendToExt” \InProcServer32(Default) = “C:\Program Files\Sonic\RecordNow!\shlext.dll” [null data] “{E91B2703-013E-4A99-AD33-2B6FB00AA356}” = “RecordNow! ContextMenuExt” -> {HKLM…CLSID} = “RecordNow! ContextMenuExt” \InProcServer32(Default) = “C:\Program Files\Sonic\RecordNow!\shlext.dll” [null data] “{5CA3D70E-1895-11CF-8E15-001234567890}” = “DriveLetterAccess” -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{13E7F612-F261-4391-BEA2-39DF4F3FA311}” = “Windows Desktop Search” -> {HKLM…CLSID} = “Windows Desktop Search” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\EXT\02.05.0001.1119\en-gb\msnlExt.dll” [MS] “{97090E2F-3062-4459-855B-014F0D3CDBB1}” = “MSN Deskbar” -> {HKLM…CLSID} = “MSN Search Deskbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\DB\02.05.0000.1082\en-gb\deskbar.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}” = “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}” -> {HKLM…CLSID} = “ImageExtractorShellExt Class” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL” [null data] “{D66DC78C-4F61-447F-942B-3FB6980118CF}” = “{D66DC78C-4F61-447F-942B-3FB6980118CF}” -> {HKLM…CLSID} = “CInfoTipShellExt Class” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL” [null data] “{6DEA92E9-8682-4b6a-97DE-354772FE5727}” = “Autodesk DWF Preview” -> {HKLM…CLSID} = “ACDWFTHMBPRXY” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll” [“Autodesk”] “{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “AutoCAD Digital Signatures Icon Overlay Handler” -> {HKLM…CLSID} = “AcSignIcon” \InProcServer32(Default) = “C:\WINDOWS\system32\AcSignIcon.dll” [“Autodesk”] “{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview” -> {HKLM…CLSID} = “ACTHUMBNAIL” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll” [“Autodesk”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Programy\OFFICE~1\Office\OLKFSTUB.DLL” [MS] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Programy\Real Player 10 Gold\rpshell.dll” [“RealNetworks, Inc.”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> winepi32\DLLName = “winepi32.dll” [file not found] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] Default executables: -------------------- HKCU\Software\Classes.bat(Default) = (value not set) HKCU\Software\Classes.cmd(Default) = (value not set) HKCU\Software\Classes.com (Default) = (value not set) HKCU\Software\Classes.exe(Default) = (value not set) HKCU\Software\Classes.hta(Default) = (value not set) HKCU\Software\Classes.scr(Default) = “AutoCADScriptFile” <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command(Default) = ““C:\WINDOWS\system32\notepad.exe” “%1"” [MS] <> HKLM\Software\Classes\scrfile\shell\open\command(Default) = “”%1” %*” [file not found] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\TOSHIBA1024x0768.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\TOSHIBA1024x0768.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Startup items in “Toshiba” & “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Kaspersky Anti-Hacker” -> shortcut to: “C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe /silence” [“Kaspersky Lab”] “Windows Desktop Search” -> shortcut to: “C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe /startup” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” -> {HKLM…CLSID} = “MSN Search Toolbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” -> {HKLM…CLSID} = “MSN Search Toolbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” = (no title provided) -> {HKLM…CLSID} = “MSN Search Toolbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_02” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] ConfigFree Service, CFSvcs, “C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe” [“TOSHIBA CORPORATION”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 42 seconds. ---------- (total run time: 88 seconds)
Gutek plyta instalacyjna ma jakies znaczenie ze owy sprzet to laptop i posiadam tylko RECOVERY CD ??
Joan
(Joan Sunshine)
23 Listopad 2006 18:11
#9
No czyli płytkę z preinstalowanym sysem?
W HJT zaznaczasz wpisy i klikasz na dole “Fix checked” :
Otwórz notatnik i wklej w nim to:
Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG
Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa
Arizona
(Arizona)
23 Listopad 2006 22:05
#10
Logfile of HijackThis v1.99.1 Scan saved at 23:03:04, on 2006-11-23 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Eset\nod32kui.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe C:\Programy\Stery do myszki\MouseDrv.exe C:\Programy\Gadu-Gadu\gg.exe C:\Programy\Dev-Cpp\DevCpp.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe C:\PROGRAMY\FIREFOX\FIREFOX.EXE C:\Programy\foobar2000\foobar2000.exe F:\instalki\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM…\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM…\Run: [Toshiba Hotkey Utility] “C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang PL O4 - HKLM…\Run: [smoothView] C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe O4 - HKLM…\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe O4 - HKLM…\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM…\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE O4 - HKLM…\Run: [WireLessMouse] C:\Programy\Stery do myszki\StartAutorun.exe MouseDrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?1499baf0d9dc47f399ef52ec7ccaa3c O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?1499baf0d9dc47f399ef52ec7ccaa3c O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “TOSCDSPD” = “C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [“TOSHIBA”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”] “SynTPLpr” = “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe” [“Synaptics, Inc.”] “SynTPEnh” = “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe” [“Synaptics, Inc.”] “Toshiba Hotkey Utility” = ““C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe” /lang PL” [“TOSHIBA Inc.”] “SmoothView” = “C:\Program Files\TOSHIBA\Program narzędziowy TOSHIBA Zooming Utility\SmoothView.exe” [“TOSHIBA Corporation”] “PadTouch” = “C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe” [“TOSHIBA”] “dla” = “C:\WINDOWS\system32\dla\tfswctrl.exe” [“Sonic Solutions”] “LogitechVideoRepair” = “C:\Program Files\Logitech\Video\ISStart.exe” [file not found] “nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset “] “WireLessMouse” = “C:\Programy\Stery do myszki\StartAutorun.exe MouseDrv.exe” [empty string] HKLM\Software\Microsoft\Active Setup\Installed Components\ {6BF52A52-394A-11d3-B153-00C04F79FAA6}(Default) = “Microsoft Windows Media Player” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {5CA3D70E-1895-11CF-8E15-001234567890}(Default) = (no title provided) -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}(Default) = (no title provided) -> {HKLM…CLSID} = “MSN Search Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{2F5AC606-70CF-461C-BFE1-6063670C3484}” = “Display CPL Extension” -> {HKLM…CLSID} = “DisplayCplExt Class” \InProcServer32(Default) = “C:\Program Files\Toshiba\TouchED\TouchED.DLL” [“TOSHIBA Inc.”] “{DEE12703-6333-4D4E-8F34-738C4DCC2E04}” = “RecordNow! SendToExt” -> {HKLM…CLSID} = “RecordNow! SendToExt” \InProcServer32(Default) = “C:\Program Files\Sonic\RecordNow!\shlext.dll” [null data] “{E91B2703-013E-4A99-AD33-2B6FB00AA356}” = “RecordNow! ContextMenuExt” -> {HKLM…CLSID} = “RecordNow! ContextMenuExt” \InProcServer32(Default) = “C:\Program Files\Sonic\RecordNow!\shlext.dll” [null data] “{5CA3D70E-1895-11CF-8E15-001234567890}” = “DriveLetterAccess” -> {HKLM…CLSID} = “DriveLetterAccess” \InProcServer32(Default) = “C:\WINDOWS\system32\dla\tfswshx.dll” [“Sonic Solutions”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{13E7F612-F261-4391-BEA2-39DF4F3FA311}” = “Windows Desktop Search” -> {HKLM…CLSID} = “Windows Desktop Search” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\EXT\02.05.0001.1119\en-gb\msnlExt.dll” [MS] “{97090E2F-3062-4459-855B-014F0D3CDBB1}” = “MSN Deskbar” -> {HKLM…CLSID} = “MSN Search Deskbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\DB\02.05.0000.1082\en-gb\deskbar.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}” = “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}” -> {HKLM…CLSID} = “ImageExtractorShellExt Class” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL” [null data] “{D66DC78C-4F61-447F-942B-3FB6980118CF}” = “{D66DC78C-4F61-447F-942B-3FB6980118CF}” -> {HKLM…CLSID} = “CInfoTipShellExt Class” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL” [null data] “{6DEA92E9-8682-4b6a-97DE-354772FE5727}” = “Autodesk DWF Preview” -> {HKLM…CLSID} = “ACDWFTHMBPRXY” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll” [“Autodesk”] “{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “AutoCAD Digital Signatures Icon Overlay Handler” -> {HKLM…CLSID} = “AcSignIcon” \InProcServer32(Default) = “C:\WINDOWS\system32\AcSignIcon.dll” [“Autodesk”] “{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview” -> {HKLM…CLSID} = “ACTHUMBNAIL” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll” [“Autodesk”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Programy\OFFICE~1\Office\OLKFSTUB.DLL” [MS] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Programy\Real Player 10 Gold\rpshell.dll” [“RealNetworks, Inc.”] “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}” -> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension” \InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Programy\WinRar 3.3\rarext.dll” [null data] Default executables: -------------------- HKCU\Software\Classes.bat(Default) = (value not set) HKCU\Software\Classes.cmd(Default) = (value not set) HKCU\Software\Classes.com (Default) = (value not set) HKCU\Software\Classes.exe(Default) = (value not set) HKCU\Software\Classes.hta(Default) = (value not set) HKCU\Software\Classes.scr(Default) = “AutoCADScriptFile” <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command(Default) = ““C:\WINDOWS\system32\notepad.exe” “%1"” [MS] <> HKLM\Software\Classes\scrfile\shell\open\command(Default) = “”%1” %*” [file not found] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\TOSHIBA1024x0768.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\TOSHIBA1024x0768.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Startup items in “Toshiba” & “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Kaspersky Anti-Hacker” -> shortcut to: “C:\Programy\Kaspersky Anti-Hacker\KAVPF.exe /silence” [“Kaspersky Lab”] “Windows Desktop Search” -> shortcut to: “C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe /startup” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 19 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” -> {HKLM…CLSID} = “MSN Search Toolbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” -> {HKLM…CLSID} = “MSN Search Toolbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}” = (no title provided) -> {HKLM…CLSID} = “MSN Search Toolbar” \InProcServer32(Default) = “C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll” [MS] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_02” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] ConfigFree Service, CFSvcs, “C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe” [“TOSHIBA CORPORATION”] NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 47 seconds. ---------- (total run time: 91 seconds)
No ja nie wiem jak dziala RECOVERY CD…nie jest to przeciez sama plytka z systemem…
Czyli jak skopiowalem ten plik z backup z killboxa i z powrotem wsadzilem do folderu windows/system32 to jest zle ??
To juz nie bedzie dzialal ??
No niby jest z powrotem wsadzony na to samo miejsce przeciez…
z gory dzieki za pomoc
Bieniol
(Bbieniol)
23 Listopad 2006 22:11
#11
Ściągnij i zastosuj dla pewności UnHookExec.inf
Arizona
(Arizona)
23 Listopad 2006 23:45
#12
Hmmm a jak to obsluzyc ??
Ta zawartosc tego pliku tez zapisac w notatniku i zapisac jako FIX.REG ??
adam9870
(adam9870)
24 Listopad 2006 06:18
#13
Nie, klikasz na link do pliku prawym klawiszem myszki => zapisz element docelowy jako => wskaż miejsce gdzie chcesz zapisać (np. pulpit) i kliknij Zapisz => prawy klawisz myszki na pobrany plik => Instaluj.
Arizona
(Arizona)
26 Listopad 2006 23:07
#14
Ok, zrobilem tak jak poleciliscie z tym plikiem.
Skad pewnosc, ze ten plik, ktory usunalem a nastepnie “recznie” przywrocilem dziala ok ?
Bieniol
(Bbieniol)
27 Listopad 2006 14:24
#15
W razie, gdyby coś było nie tak, z pewnością zauważysz jakąś niestabilność systemu Jeżeli w tej chwili jest ok, to znaczy że jest ok
Arizona
(Arizona)
27 Listopad 2006 21:41
#16
Hmm na razie jedyna niestabilnosc systemu to to, ze podczas pobierania plikow z przegladarki (firefox) nasptepuje zatrzymanie… (np zatrzymuj sie na 30% i nie idzie dalej, musze anulowac i od nowa pobierac).
Zobacze czy reinstalka przegladarki rozwiaze klopot.
edit //
nie moge nic pobrac, poniewaz zawsze zatrzymuje sie w ktoryms momencie, reinstalka nie pomogla…;/
co robic ?