Problem ze startem paska zadań


(Szefu18) #1

Witam Serdecznie

No i stało się, od 2 lat komputer działał bez zastrzeżeń, niedawno miałem infekcję na laptopie, który także bardzo długo się uruchamiał. MKSVir (skaner online) wyleczył ją. Jednak dziś po połączeniu w sieć bezprzewodową laptopa z komputerem stacjonarnym oba komputery szlag trafił.

Po wybraniu nazwy użytkownika i zalogowaniu się do systemu pasek zadań blokuje się na 10-15 minut, system staje (dysk jest nieużywany - nic nie odczytuje).

Zaobserwowałem także iż Adobe Photoshop przestał nagle działać.

Nie mam zamiaru robić reinstalu systemu - mam tutaj wszelkie aplikacje zainstalowane potrzebne do wykonywania mojego zawodu - za dużo by ustawiać ponownie.

Dodam - wszystkie aplikacje (jak i system) mam w pełni legalne.

Skanery OnLine (PandaAntyvirus i MksVir) nic nie wykryły na dysku startowym. Innych dysków (i partycji na nich zrobionych) nie sprawdzałem dotychczas.

Poniżej logi z HijakThis, SilentRunners i ComboFix:

Logfile of HijackThis v1.99.1

Scan saved at 01:12:39, on 2007-10-01

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\Ati2evxx.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

E:\Program Files\Alwil Software\Avast4\ashServ.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\system32\Ati2evxx.exe

G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\Explorer.EXE

E:\WINDOWS\system32\Tablet.exe

E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

G:\Program Files\Motherboard Monitor 5\MBM5.EXE

E:\Program Files\DAEMON Tools\daemon.exe

E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

E:\WINDOWS\SOUNDMAN.EXE

E:\Program Files\Messenger\msmsgs.exe

E:\Program Files\RALINK\Common\RaUI.exe

E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

E:\Program Files\Alwil Software\Avast4\ashWebSv.exe

E:\WINDOWS\system32\WTablet\TabUserW.exe

E:\WINDOWS\system32\wscntfy.exe

E:\WINDOWS\system32\Tablet.exe

E:\WINDOWS\System32\svchost.exe

G:\Program Files\Mozilla Firefox\firefox.exe

E:\Program Files\Internet Explorer\IEXPLORE.EXE

E:\Program Files\WinRAR\WinRAR.exe

G:\Temp\Rar$EX00.781\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = icm.edu.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: UserInit=userinit.exe

O1 - Hosts: localhost 127.0.0.1

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [TrueImageMonitor.exe] G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MBM 5] "G:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Ralink Wireless Utility.lnk = E:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: + Offline &Explorer: Download the link - file://G:\Program Files\Offline Explorer Pro\Add_UrlO.htm

O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://G:\Program Files\Offline Explorer Pro\Add_AllO.htm

O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Utwórz Ulubione dla urządzenia przenośnego - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {33331111-1111-1111-1111-611111193423} - 

O16 - DPF: {33331111-1111-1111-1111-611111193429} - 

O16 - DPF: {33331111-1111-1111-1111-615111193427} - 

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4AD7B517-67C3-4EDE-B68F-DC5CDD6BF752}: NameServer = 85.255.113.202,85.255.112.202

O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BB9F22-8389-40AB-8037-CE39B5683DF5}: NameServer = 194.204.159.1 217.98.63.164

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

O23 - Service: TabletService - Wacom Technology, Corp. - E:\WINDOWS\system32\Tablet.exe

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""E:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found]

"MSMSGS" = ""E:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SpeedTouch USB Diagnostics" = ""E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"TrueImageMonitor.exe" = "G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" ["Acronis"]

"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"MBM 5" = ""G:\Program Files\Motherboard Monitor 5\MBM5.EXE"" ["Alex van Kaam"]

"DAEMON Tools" = ""E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"avast!" = "E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

"AcronisTimounterMonitor" = "G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" ["Acronis"]

"Acronis Scheduler2 Service" = ""E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]

"SunJavaUpdateSched" = ""E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"MSConfig" = "E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"

                   \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "G:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{FCF608CF-5716-47C3-A1A8-991D873AF72B}" = "Delphi Context Menu Shell Extension Example"

  -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example"

                   \InProcServer32\(Default) = "G:\PROGRA~1\Exifer\EXIFER~1.DLL" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\Audiodev.dll" [MS]

"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"

  -> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"

                   \InProcServer32\(Default) = "G:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]

"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"

  -> {HKLM...CLSID} = "Acronis True Image Shell Extension"

                   \InProcServer32\(Default) = "G:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\upnpui.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "G:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

<> "System" = "lsass.exe" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ContMenu\(Default) = "{FCF608CF-5716-47C3-A1A8-991D873AF72B}"

  -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example"

                   \InProcServer32\(Default) = "G:\PROGRA~1\Exifer\EXIFER~1.DLL" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoThemesTab" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "E:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "E:\Documents and Settings\Mr Death\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Mr Death" & "All Users" startup folders:

----------------------------------------------------------


E:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Ralink Wireless Utility" -> shortcut to: "E:\Program Files\RALINK\Common\RaUI.exe" ["Ralink Technology, Corp."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "G:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]


{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

"ButtonText" = "Utwórz Ulubione dla urządzenia przenośnego"

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

  -> {HKLM...CLSID} = "Create Mobile Favorite"

                   \InProcServer32\(Default) = "G:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]


{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

  -> {HKLM...CLSID} = "Create Mobile Favorite"

                   \InProcServer32\(Default) = "G:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "E:\Program Files\Messenger\msmsgs.exe" [MS]



HOSTS file

----------


E:\WINDOWS\System32\drivers\etc\HOSTS


maps: 1 domain name to an IP address,

      1 of the IP addresses is *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "E:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""E:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

BlueSoleil Hid Service, BlueSoleil Hid Service, "G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

TabletService, TabletService, "E:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]

Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\system32\wdfmgr.exe" [MS]



---------- (launch time: 2007-10-01 01:15:41)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 53 seconds, including 17 seconds for message boxes)

ComboFix 07-09-21.2 - "Mr Death" 2007-10-01 1:19:58.1 - NTFSx86 

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.413 [GMT 2:00]

 * Created a new restore point

.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


D:\Autorun.inf


.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))



-------\NPF



((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-30 )))))))))))))))))))))))))))))))

.


2007-09-30 22:52	






[b]Pozdrawiam Serdecznie i czekam na pomoc.[/b] 



[color=darkblue][size=75][i][b]Złączono Posta[/b]: 01.10.2007 (Pon) 1:53[/i][/size][/color]

a, i takie pliki do kwarantanny dodał ComboFix - dziwne bo żaden z trzech antywirusów nie wykrył nic podejżanego :

[code] 2002-10-06 19:49 23 --a--c--- E:\Qoobox\Quarantine\D\AUTORUN.INF.vir 2007-07-08 21:23 15399 --a--c--- E:\Qoobox\Quarantine\E\ComboFix\FProps.vbs.vir 2007-10-01 01:20 2262 --a--c--- E:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.dat Zmienna PATH folderu Numer seryjny woluminu: 90A7-3719 E:\QOOBOX\QUARANTINE +---D | AUTORUN.INF.vir | +---E | ---ComboFix | FProps.vbs.vir | ---Registry_backups services_NPF.reg.dat


(Bbieniol) #2

Użyj narzędzia -> FixWareOut

Po tym daj nowe logi + raport z FixWareOut :slight_smile: (od razu mówię, że na tym się nie skończy, ale to jest priorytet).


(Szefu18) #3

Opowiem co następuje, wczoraj do godziny (w sumie dzisiaj :slight_smile: ) 7 rano walczyłem z tym paskudstwem. Zaczęło się ciut szybciej uruchamiać gdy przywróciłem komputer do stanu sprzed 3 dni. Czyżby aplikacja tabletu graficznego albo photoshop miały z tym coś do czynienia ? No i kodeki usunąłem... "Klite 3.4.5"

FixWareOutem przejechałem, innymi też, poniżej logi:

(jak się dobrze spiszecie to jeszcze później podam logi laptopa... a potem zaproszę na wspólne piwo :wink: )

Username "Mr Death" - 2007-10-01 15:09:11 [Fixwareout edited 9/01/2007]


~~~~~ Prerun check


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{4AD7B517-67C3-4EDE-B68F-DC5CDD6BF752} 

"nameserver"="85.255.113.202,85.255.112.202" 

Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.



System was rebooted successfully. 


~~~~~ Postrun check 

HKLM\SOFTWARE\~\Winlogon\ "System"="lsass.exe" 

....

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "xedocne" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwoh" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23plhps" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "mgcppp" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "tesvaf" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32refaselif" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "yzomd" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp" Deleted 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "xdssc" Value deleted 

HKCR\CLSID\{0528DF25-7D7C-4DB0-BFC4-35204A604F57}\_h\4 Deleted.

....

~~~~~ Misc files. 

E:\Documents and Settings\All Users\Ulubione\Download Free Spyware Remover.url Deleted

E:\Documents and Settings\All Users\Ulubione\NEW VIAGRA at Half Price!.url Deleted

E:\Documents and Settings\All Users\Ulubione\Online Chat With Nude Girls.url Deleted

E:\Documents and Settings\All Users\Ulubione\Order CIALIS online without leaving home..url Deleted

E:\Documents and Settings\All Users\Ulubione\PC protection in under 2 minutes!.url Deleted

E:\Documents and Settings\All Users\Ulubione\SEX Dating - Real Girls For Real SEX.url Deleted

E:\Documents and Settings\All Users\Ulubione\Stop PopUps On Your Computer.url Deleted

E:\Documents and Settings\All Users\Ulubione\VIAGRA at incredible low price. Bonus Pills!.url Deleted

E:\Documents and Settings\All Users\Ulubione\View ADULT photos of REAL GIRLS!.url Deleted

E:\Documents and Settings\All Users\Ulubione\Online Pharmacy Deleted

E:\Documents and Settings\All Users\Ulubione\Sex and Dating Deleted

E:\Documents and Settings\All Users\Ulubione\Spyware Uninstall Deleted

....

~~~~~ Checking for older varients.

....


~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpeedTouch USB Diagnostics"="\"E:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"

"TrueImageMonitor.exe"="G:\\Program Files\\Acronis\\TrueImageHome\\TrueImageMonitor.exe"

"NeroFilterCheck"="E:\\WINDOWS\\system32\\NeroCheck.exe"

"MBM 5"="\"G:\\Program Files\\Motherboard Monitor 5\\MBM5.EXE\""

"DAEMON Tools"="\"E:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

"avast!"="E:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

"AcronisTimounterMonitor"="G:\\Program Files\\Acronis\\TrueImageHome\\TimounterMonitor.exe"

"Acronis Scheduler2 Service"="\"E:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""

"SunJavaUpdateSched"="\"E:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""

"SoundMan"="SOUNDMAN.EXE"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gadu-Gadu"="\"E:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"E:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""

"MSMSGS"="\"E:\\Program Files\\Messenger\\msmsgs.exe\" /background"

....

Hosts file was reset, If you use a custom hosts file please replace it...

~~~~~End report~~~~~

ComboFix 07-09-21.2 - "Mr Death" 2007-10-01 15:23:19.1 - NTFSx86 

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.436 [GMT 2:00]

 * Created a new restore point

.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


D:\Autorun.inf


.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))



-------\NPF



((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))

.


2007-10-01 15:22	51,200	--a--c---	E:\WINDOWS\NirCmd.exe

2007-10-01 04:50

[code]"Silent Runners.vbs", revision 52, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Gadu-Gadu" = ""E:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found] "MSMSGS" = ""E:\Program Files\Messenger\msmsgs.exe" /background" [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "SpeedTouch USB Diagnostics" = ""E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"] "TrueImageMonitor.exe" = "G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" ["Acronis"] "NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"] "MBM 5" = ""G:\Program Files\Motherboard Monitor 5\MBM5.EXE"" ["Alex van Kaam"] "DAEMON Tools" = ""E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."] "avast!" = "E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"] "AcronisTimounterMonitor" = "G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" ["Acronis"] "Acronis Scheduler2 Service" = ""E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"" ["Acronis"] "SunJavaUpdateSched" = ""E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar Helper" \InProcServer32(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32(Default) = "E:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = "G:\Program Files\Microsoft Office\Office10\msohev.dll" [MS] "{FCF608CF-5716-47C3-A1A8-991D873AF72B}" = "Delphi Context Menu Shell Extension Example" -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example" \InProcServer32(Default) = "G:\PROGRA~1\Exifer\EXIFER~1.DLL" [null data] "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast" -> {HKLM...CLSID} = "avast" \InProcServer32(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu" -> {HKLM...CLSID} = "Portable Media Devices Menu" \InProcServer32(Default) = "E:\WINDOWS\system32\Audiodev.dll" [MS] "{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension" -> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension" \InProcServer32(Default) = "G:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"] "{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension" -> {HKLM...CLSID} = "Acronis True Image Shell Extension" \InProcServer32(Default) = "G:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"] "{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play" -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play" \InProcServer32(Default) = "E:\WINDOWS\system32\upnpui.dll" [MS] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {HKLM...CLSID} = "RealOne Player Context Menu Class" \InProcServer32(Default) = "G:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> "System" = "lsass.exe" [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = "E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}" -> {HKLM...CLSID} = "avast" \InProcServer32(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"] ContMenu(Default) = "{FCF608CF-5716-47C3-A1A8-991D873AF72B}" -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example" \InProcServer32(Default) = "G:\PROGRA~1\Exifer\EXIFER~1.DLL" [null data] WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoThemesTab" = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "E:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "E:\Documents and Settings\Mr Death\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp" Startup items in "Mr Death" & "All Users" startup folders: ---------------------------------------------------------- E:\Documents and Settings\All Users\Menu Start\Programy\Autostart "Ralink Wireless Utility" -> shortcut to: "E:\Program Files\RALINK\Common\RaUI.exe" ["Ralink Technology, Corp."] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided) -> {HKLM...CLSID} = "Yahoo! Toolbar" \InProcServer32(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = "&Research" Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = "G:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02" \InProcServer32(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02" \InProcServer32(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "E:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Acronis Scheduler2 Service, AcrSch2Svc, ""E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"] Ati HotKey Poller, Ati HotKey Poller, "E:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."] avast! Antivirus, avast! Antivirus, ""E:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"] avast! iAVS4 Control Service, aswUpdSv, ""E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"] avast! Mail Scanner, avast! Mail Scanner, ""E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"] avast! Web Scanner, avast! Web Scanner, ""E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"] BlueSoleil Hid Service, BlueSoleil Hid Service, "G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data] Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\system32\wdfmgr.exe" [MS] ---------- (launch time: 2007-10-01 15:21:35) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 50 seconds, including 18 seconds for message boxes)

Logfile of HijackThis v1.99.1

Scan saved at 15:18:14, on 2007-10-01

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\Ati2evxx.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

E:\Program Files\Alwil Software\Avast4\ashServ.exe

E:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\system32\Ati2evxx.exe

E:\WINDOWS\Explorer.EXE

E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

E:\Program Files\Alwil Software\Avast4\ashWebSv.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

G:\Program Files\Motherboard Monitor 5\MBM5.EXE

E:\Program Files\DAEMON Tools\daemon.exe

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

E:\WINDOWS\SOUNDMAN.EXE

E:\Program Files\Gadu-Gadu\gg.exe

E:\Program Files\Messenger\msmsgs.exe

E:\Program Files\RALINK\Common\RaUI.exe

G:\Program Files\Mozilla Firefox\firefox.exe

E:\Program Files\WinRAR\WinRAR.exe

G:\Temp\Rar$EX00.907\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = icm.edu.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [TrueImageMonitor.exe] G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MBM 5] "G:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Ralink Wireless Utility.lnk = E:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: + Offline &Explorer: Download the link - file://G:\Program Files\Offline Explorer Pro\Add_UrlO.htm

O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://G:\Program Files\Offline Explorer Pro\Add_AllO.htm

O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {33331111-1111-1111-1111-611111193423} - 

O16 - DPF: {33331111-1111-1111-1111-611111193429} - 

O16 - DPF: {33331111-1111-1111-1111-615111193427} - 

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BB9F22-8389-40AB-8037-CE39B5683DF5}: NameServer = 194.204.159.1 217.98.63.164

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - (no file)

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

Na prawdę... liczę na Was! :smiley:


(Bbieniol) #4

Nie widzę już zbyt dużo syfu, praktycznie resztki po nim.

Usuwasz ręcznie z dysku plik: E:\WINDOWS\system32\ dmozy.exe

Otwórz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG

Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa :slight_smile:

Usuń Hijackiem te wpisy:

Po zabiegach rzecz jasna nowe logi :slight_smile:


(Szefu18) #5

Fresh logs:

Logfile of HijackThis v1.99.1

Scan saved at 18:00:57, on 2007-10-01

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

E:\WINDOWS\System32\smss.exe

E:\WINDOWS\system32\winlogon.exe

E:\WINDOWS\system32\services.exe

E:\WINDOWS\system32\lsass.exe

E:\WINDOWS\system32\Ati2evxx.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

E:\Program Files\Alwil Software\Avast4\ashServ.exe

E:\WINDOWS\system32\spoolsv.exe

E:\WINDOWS\system32\Ati2evxx.exe

E:\WINDOWS\Explorer.EXE

E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

G:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

E:\WINDOWS\system32\svchost.exe

E:\WINDOWS\system32\Tablet.exe

E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe

G:\Program Files\Motherboard Monitor 5\MBM5.EXE

E:\Program Files\DAEMON Tools\daemon.exe

E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

E:\WINDOWS\SOUNDMAN.EXE

G:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe

E:\Program Files\Messenger\msmsgs.exe

E:\Program Files\RALINK\Common\RaUI.exe

E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

E:\Program Files\Alwil Software\Avast4\ashWebSv.exe

E:\WINDOWS\system32\WTablet\TabUserW.exe

E:\WINDOWS\system32\Tablet.exe

E:\WINDOWS\System32\svchost.exe

E:\Program Files\Gadu-Gadu\gg.exe

G:\Program Files\Mozilla Firefox\firefox.exe

G:\Temp\Rar$EX00.734\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = icm.edu.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [TrueImageMonitor.exe] G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe

O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [MBM 5] "G:\Program Files\Motherboard Monitor 5\MBM5.EXE"

O4 - HKLM\..\Run: [DAEMON Tools] "E:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [AcronisTimounterMonitor] G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe

O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Ralink Wireless Utility.lnk = E:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: + Offline &Explorer: Download the link - file://G:\Program Files\Offline Explorer Pro\Add_UrlO.htm

O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://G:\Program Files\Offline Explorer Pro\Add_AllO.htm

O8 - Extra context menu item: Download All by FlashGet - G:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - G:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{D6BB9F22-8389-40AB-8037-CE39B5683DF5}: NameServer = 194.204.159.1 217.98.63.164

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - G:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - E:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - G:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007.SP1\RpcSandraSrv.exe

O23 - Service: TabletService - Wacom Technology, Corp. - E:\WINDOWS\system32\Tablet.exe


"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""E:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""E:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found]

"MSMSGS" = ""E:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SpeedTouch USB Diagnostics" = ""E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"TrueImageMonitor.exe" = "G:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" ["Acronis"]

"NeroFilterCheck" = "E:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"MBM 5" = ""G:\Program Files\Motherboard Monitor 5\MBM5.EXE"" ["Alex van Kaam"]

"avast!" = "E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

"AcronisTimounterMonitor" = "G:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" ["Acronis"]

"Acronis Scheduler2 Service" = ""E:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]

"SunJavaUpdateSched" = ""E:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"Adobe Photo Downloader" = ""G:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"" ["Adobe Systems Incorporated"]

"MSConfig" = "E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar Helper"

                   \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "G:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{FCF608CF-5716-47C3-A1A8-991D873AF72B}" = "Delphi Context Menu Shell Extension Example"

  -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example"

                   \InProcServer32\(Default) = "G:\PROGRA~1\Exifer\EXIFER~1.DLL" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\Audiodev.dll" [MS]

"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"

  -> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"

                   \InProcServer32\(Default) = "G:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]

"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"

  -> {HKLM...CLSID} = "Acronis True Image Shell Extension"

                   \InProcServer32\(Default) = "G:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "E:\WINDOWS\system32\upnpui.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "G:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "E:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ContMenu\(Default) = "{FCF608CF-5716-47C3-A1A8-991D873AF72B}"

  -> {HKLM...CLSID} = "Delphi Context Menu Shell Extension Example"

                   \InProcServer32\(Default) = "G:\PROGRA~1\Exifer\EXIFER~1.DLL" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "E:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "E:\Documents and Settings\Mr Death\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Mr Death" & "All Users" startup folders:

----------------------------------------------------------


E:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Ralink Wireless Utility" -> shortcut to: "E:\Program Files\RALINK\Common\RaUI.exe" ["Ralink Technology, Corp."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "G:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_02"

                   \InProcServer32\(Default) = "E:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "E:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Acronis Scheduler2 Service, AcrSch2Svc, ""E:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]

Adobe Active File Monitor V5, AdobeActiveFileMonitor5.0, "G:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe" [null data]

Ati HotKey Poller, Ati HotKey Poller, "E:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""E:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""E:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

BlueSoleil Hid Service, BlueSoleil Hid Service, "G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

TabletService, TabletService, "E:\WINDOWS\system32\Tablet.exe" ["Wacom Technology, Corp."]

Windows User Mode Driver Framework, UMWdf, "E:\WINDOWS\system32\wdfmgr.exe" [MS]



---------- (launch time: 2007-10-01 18:02:59)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 42 seconds, including 10 seconds for message boxes)

(Bbieniol) #6

Tutaj jest już czysto. Chciałbym jeszcze przejrzeć log z ComboFixa :slight_smile:


(Szefu18) #7
ComboFix 07-09-21.2 - "Mr Death" 2007-10-01 18:04:25.2 - NTFSx86

(Gutek) #8

wygląda na -> Backdoor.Genlot.DX

Pobierz ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1 i oczyść TEMP

Pobierz program SDFix

-


(Szefu18) #9

Witaj, dziękuję za odpowiedź ale... system dostaje zawiechy gdy chcę wejśc do awaryjnego :slight_smile:

Wiesz... sterowniki się załadują, i zaczyna migać ta mała magiczna, hipnotyzująca kreseczka :slight_smile: Czekałem i wpatrywałem się w nią bezskutecznie 10 minut. Jakieś rady?

Złączono Posta : 02.10.2007 (Wto) 2:09

Dodaję info z ostatniej chwili!

Uruchomiłem tryb awaryjny na laptopie (występował tam ten sam problem co na komputerze stacjonarnym.

Aplikacja zrobiła swoje, restart i...

cały shell poszedł się jechać !!

Szef mnie zatłucze jeśli nie dostarczę mu dokumentów, miałem tam ponad 30gb danych bardzo ważnych. Żeby choć jakoś backup zrobić na dysk przenośny !

Pomagajcie :frowning: Już płakać mi się chce....


(Bbieniol) #10

Mówisz, że się komputer odpala, ale nie ma żadnej ikony?

Wejdź w Menedżer zadań (CTRL + ALT + DEL) i dodaj nowy proces: explorer.exe.


(Szefu18) #11

Rzecz w tym że shell jako taki jest (pasek zadań, tray). Nie ma natomiast fizycznego odniesienia do ikon (choć w x:\documents and settings\%winuser%\pulpit są wszystkie).

Poza tym nie mogę odpalić konfiguracji sieci... a tray jak się ładował tak się ładuje... długo :slight_smile: .

Chyba nie pozostaje mi nic innego jak uruchomić bootowalną awaryjną Vistę (polecam - CHIP zrobił dobrą robotę - stabilna i bez wodotrysków - zajmuje niecałe 400Mb) i zrobić kopię zapasową. Potem reinstall :frowning:

Zauważyłem że wszelkie te cuda rozpoczęły się po instalacji Adobe Photoshopa i driverów od tabletu Wacom.

Jakieś rady?

Pozdrawiam