andziak25
5 Październik 2006 14:30
#1
Mój mądry programik “Ad-aware SE Personal” znalazł niby trzy jakieś groźne obiekty:
ArchiveData(auto-quarantine- 2006-09-23 22-48-20.bckp) Referencefile : SE1R123 12.09.2006 ====================================================== ADWARE.GAIN.DASHBAR »»»»»»»» »»»»»»»» »»»»»»»» »»»»»»»» »»»»»» obj[0]=Plik : C:\System Volume Information_restore{5999A4C7-D55D-438D-B059-6DC710C4A1E7}\RP234\A1322388.dll obj[1]=Plik : C:\System Volume Information_restore{5999A4C7-D55D-438D-B059-6DC710C4A1E7}\RP234\A1322389.dll obj[2]=Plik : C:\System Volume Information_restore{5999A4C7-D55D-438D-B059-6DC710C4A1E7}\RP234\A1322390.dll Chzba nie jestem pierwsza, która nie umie tego usunąć. W związku z tym ściągnęłam sobie Hijackthis i proszę o sprawdzenie (to mój pierwszy raz Mam nadzieję,że to wyjdzie tak jak powinno.
Bieniol
5 Październik 2006 14:39
#2
W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):
Jak wyłączysz przywracanie systemu tak, jak napisałem wyżej, to:
Już nie będzie
Po zabiegach nowy log z Hijacka + log z Silent Runners
Gutek
5 Październik 2006 14:48
#3
Zastosuj się do tego Tematu
Pozdrawiam Gutek2222
andziak25
5 Październik 2006 16:21
#4
Hmmm
Zrobiłam część.Usunęłam te 2 pierwsze, ale nie umiem sie dostać do System Volume Information.Zrobiłam tak jak jest opisane tu i na innych stronach i ikonka tego folderu jest “niewyraźna”.
Błagam o wyrozumiałość
To jest log z Hijackthis:
Logfile of HijackThis v1.99.1 Scan saved at 18:07:25, on 2006-10-05 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ArcaVir\Bin\ABmenu.exe C:\Program Files\ArcaVir\Bin\ABregmon.exe D:\Drukarka\HP Software Update\HPWuSchd.exe C:\Program Files\Multimedia Combo Set\MouseDrv.exe C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe D:\Drukarka\Digital Imaging\bin\hpqtra08.exe D:\Drukarka\Digital Imaging\bin\hpohmr08.exe D:\Drukarka\Digital Imaging\bin\hpotdd01.exe D:\Drukarka\Digital Imaging\bin\hpoevm08.exe C:\Program Files\ArcaVir\Bin\NetMonSv.exe C:\Program Files\ArcaVir\Bin\avmonsv.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\HPZipm12.exe C:\Program Files\ArcaVir\Bin\arcascan.exe D:\Drukarka\Digital Imaging\Bin\hpoSTS08.exe C:\WINDOWS\system32\WgaTray.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\anna\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\KODEKI\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [ABmenu] C:\Program Files\ArcaVir\Bin\ABmenu.exe O4 - HKLM…\Run: [ABREGMON] C:\Program Files\ArcaVir\Bin\ABregmon.exe O4 - HKLM…\Run: [HP Software Update] “D:\Drukarka\HP Software Update\HPWuSchd.exe” O4 - HKLM…\Run: [WireLessMouse] C:\Program Files\Multimedia Combo Set\MouseDrv.exe O4 - HKLM…\Run: [WireLessKeyboard] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Komunikator] D:\Power DVD\tlen.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\KODEKI\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Drukarka\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: http://www.mks.com.pl O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - C:\Program Files\ArcaVir\Bin\NetMonSv.exe O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - C:\Program Files\ArcaVir\Bin\avmonsv.exe O23 - Service: ArcaScan - ArcaBit - C:\Program Files\ArcaVir\Bin\arcascan.exe O23 - Service: arcaserv - ArcaBit Sp. z o. o. - C:\Program Files\ArcaVir\bin\arcaserv.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
a to Silent Runners
“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Komunikator” = “D:\Power DVD\tlen.exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “ABmenu” = “C:\Program Files\ArcaVir\Bin\ABmenu.exe” [“ArcaBit”] “ABREGMON” = “C:\Program Files\ArcaVir\Bin\ABregmon.exe” [“ArcaBit”] “HP Software Update” = ““D:\Drukarka\HP Software Update\HPWuSchd.exe”” [“Hewlett-Packard”] "WireLessMouse " = “C:\Program Files\Multimedia Combo Set\MouseDrv.exe” [empty string] "WireLessKeyboard " = “C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\KODEKI\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” - {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{BB7DF450-F119-11CD-8465-00AA00425D90}” = “Microsoft Access Custom Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Office\soa800.dll” [MS] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Explode” - {HKLM…CLSID} = “Microsoft Office Binder Explode” \InProcServer32(Default) = “D:\Office\UNBIND.DLL” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” - {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” - {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\KODEKI\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ArcaVir(Default) = “{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}” - {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaVir\Bin\ArcaShl.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ArcaVir(Default) = “{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}” - {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaVir\Bin\ArcaShl.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\anna\Moje dokumenty\Moje obrazy\Bez tytułu.bmp” Startup items in “anna” “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” - shortcut to: “D:\KODEKI\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “HP Digital Imaging Monitor” - shortcut to: “D:\Drukarka\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “hp psc 1000 series” - shortcut to: “D:\Drukarka\Digital Imaging\bin\hpohmr08.exe” [“Hewlett-Packard Co.”] “hpoddt01.exe” - shortcut to: “D:\Drukarka\Digital Imaging\bin\hpotdd01.exe” [“Hewlett-Packard”] Enabled Scheduled Tasks: ------------------------ “FRU Task #Hewlett-Packard #hp psc 1200 series#1135877353” - launches: "D:\Drukarka\Digital Imaging\Bin\hpqfrucl.exe -I “#Hewlett-Packard #hp psc 1200 series#1135877353"” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided) - {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ArcaBit NetMonitor, ABNetMon, “C:\Program Files\ArcaVir\Bin\NetMonSv.exe” [“ArcaBit sp. z o.o.”] ArcaScan, ArcaScan, “C:\Program Files\ArcaVir\Bin\arcascan.exe” [“ArcaBit”] arcaserv, arcaserv, “C:\Program Files\ArcaVir\bin\arcaserv.exe” [“ArcaBit Sp. z o. o.”] ArcaVir Monitor, ArcaMonSvc, “C:\Program Files\ArcaVir\Bin\avmonsv.exe” [“ArcaBit”] Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\system32\HPZipm12.exe” [“HP”] STI Simulator, STI Simulator, “C:\WINDOWS\System32\PAStiSvc.exe” [null data] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt07\Driver = “hpzsnt07.dll” [“HP”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 75 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 16 seconds. ---------- (total run time: 135 seconds)
I niech mi moderator wybaczy, ale nie umiem zmienić tematu :oops:
Bieniol
5 Październik 2006 16:26
#5
Logi są już czyste
Co do System Volume Information , to wystarczy, że wyłączysz na chwile przywracanie systemu:
A nasepnie włącz ponownie. Wtedy folder ten automatycznie się opróżni
andziak25
5 Październik 2006 16:37
#6
Dziękuję bardzo
Jesteście super:)
Moderator też:)
asterisk
5 Październik 2006 16:54
#7
andziak25:
nie umiem zmienić tematu
Edytujesz pierwszego swojego posta - używasz opcji Zmień
