Prosze niech mi ktoś sprawdzi loga


(W Justyna) #1

mam problem z NewDotNet, nie mogłam wogóle wejść do netu, zrobiłam przywracanie systemu i w tej chwili mogę ale nadal nie jest dobrze :frowning: co mam zrobić? poproszę o jakąś nieskomplikowaną instrukcję :slight_smile: mo log:

====================================

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Proponuje poczytać TEN temat i zobacz jaka jest prośba do userów wklejających loga.

Widziałeś ten komunikat Ważny komunikat dotyczący tytułowania tematów zastosuj sie do niego => inaczej temat poleci do śmietnika :evil:

Pozdrawiam kuz5


(Gblade) #2

Odinstaluj newdotnet i SpySpotter w dodaj/usuń

Ściągnij LSP-Fix>>>uruchom>>>zaznacz "I know what im doing" , przenieś newdotnet*_**.dll do okienka "REMOVE" i kliknij Finish

W hijacku kasujesz resztki + pogrubione foldery ręcznie w trybie awaryjnym z wyłączonym przywracaniem systemu:

Nowy log z hijacka + silent runners (opis w przyklejonym)

Obejmij log tagami.


(W Justyna) #3

ajm sorry już się stosuję :slight_smile: newdotnet juz nie mam bo skasowałam przy okazji skanowania kasperskim. Pozostał tylko folder o tej nazwie w Program Files z plikiem readme w środku. Spyspottera też nie mam. Co oznacza "w hijacku kasujesz resztki"? ja go ściągnęłam około 20 minut temu więc nie mam o nim za bardzo pojęcia :frowning:


(Bbieniol) #4

W LSP-Fix też usunąłeś NewDotNet?

Co do kasowania wpisów, to odpalasz Hijacka --> Do a system scan only i zaznaczasz wskazane wpisy i klikasz na dole "fix checked" :slight_smile:


(W Justyna) #5

W LSP-Fix nie usuwałam bo mam do wybory tylko mswsock.dll, winrnr.dll, rsvpsp.dll. Skasowałam jak nakazałeś w Hijacku i mój log wygląda teraz tak:

Logfile of HijackThis v1.99.1

Scan saved at 17:07:05, on 2006-05-07

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\PROGRA~1\Webshots\webshots.scr

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Tlen.pl\tlen.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Justyna Wilk\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R

O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm

O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

I co dalej? :smiley:


(Bbieniol) #6

W logu już czysto :slight_smile:

Wrzuć jeszcze log z Silent Runners


(W Justyna) #7

wrzucam :smiley: :

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Creative Detector" = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]

"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"kav" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]

"(Default)" = (empty string)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Helper"

\InProcServer32(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{23F0DC38-DC86-49D6-81EC-40C54A204212}" = "Zen Nano Plus Media Explorer"

-> {HKLM...CLSID} = "Zen Nano Plus Media Explorer"

\InProcServer32(Default) = "C:\Program Files\Creative\Creative Zen Nano Plus\CTMvns.dll" ["Creative Technology Ltd"]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

-> {HKLM...CLSID} = "Portable Media Devices"

\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus"

-> {HKLM...CLSID} = "Web Anti-Virus"

\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! klogon\DLLName = "C:\WINDOWS\System32\klogon.dll" ["Kaspersky Lab"]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

-> {HKLM...CLSID} = "WinZip"

\InProcServer32(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Justyna Wilk\Dane aplikacji\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\PROGRA~1\Webshots\webshots.scr" ["Webshots.com"]


(Bbieniol) #8

Log jest urwany, ale w tym co tutaj już widać to jest czysty :slight_smile:

Ale dla pewności wklej cały - poczekaj na komunikat, że log skończony i dopiero wtedy wklej go na forum (i nie zapominaj o tagach) :slight_smile:


(W Justyna) #9

:x już calusieńki :smiley: :

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Creative Detector" = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"Easy-PrintToolBox" = "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon" ["CANON INC."]

"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"kav" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]

"(Default)" = (empty string)


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{23F0DC38-DC86-49D6-81EC-40C54A204212}" = "Zen Nano Plus Media Explorer"

  -> {HKLM...CLSID} = "Zen Nano Plus Media Explorer"

                   \InProcServer32\(Default) = "C:\Program Files\Creative\Creative Zen Nano Plus\CTMvns.dll" ["Creative Technology Ltd"]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus"

  -> {HKLM...CLSID} = "Web Anti-Virus"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! klogon\DLLName = "C:\WINDOWS\System32\klogon.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\shellex.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Justyna Wilk\Dane aplikacji\Webshots\The Webshots Desktop\Webshots Wallpaper.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\PROGRA~1\Webshots\webshots.scr" ["Webshots.com"]



Startup items in "Justyna Wilk" & "All Users" startup folders:

--------------------------------------------------------------


C:\Documents and Settings\Justyna Wilk\Menu Start\Programy\Autostart

"Webshots" -> shortcut to: "C:\Program Files\Webshots\Launcher.exe /t" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]

"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing LP"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 05, 08 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"

  -> {HKLM...CLSID} = "Easy-WebPrint"

                   \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]


HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll" ["Kaspersky Lab"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\

"ButtonText" = "Web Anti-Virus"


{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\

"ButtonText" = "eBay - Homepage"

"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

  -> {HKLM...CLSID} = "Toolbar Extension for Executable"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]

"Exec" = "C:\Program Files\IrfanView\Ebay\Ebay.htm" [null data]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]

Kaspersky Anti-Virus 6.0, AVP, "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe -r" ["Kaspersky Lab"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor PIXMA iP1500\Driver = "CNMLM5y.DLL" ["CANON INC."]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 120 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 230 seconds.

---------- (total run time: 776 seconds)

(Kuz5) #10

Czysty


(W Justyna) #11

superancko :mrgreen: dzięki za szybką pomoc - solidna firma :lol: :lol: :lol:

Złączono Posta : 07.05.2006 (Nie) 19:11

właśnie przeskanowałam jeszcze kompa Kasperskim i wywaliło mi zainfekowane pliki :frowning: :frowning: :

większość wygląda tak:

detected: adware not-a-virus:AdWare.Win32.NewDotNet.i: C:\System Volume Information_restore{396CCD62-576E-40DF-BA04-1EF03B85D878}\RP132

i takich jest koło 60 plus:

detected: adware not-a-virus:AdWare.Win32.SaveNow.z: C:\Documents and Settings\Justyna Wilk\Ustawienia lokalne\Temp\saveinstwm.exe/data0001.cab\VVSN.exe

detected: adware not-a-virus:AdWare.Win32.SaveNow.bo: C:\Documents and Settings\Justyna Wilk\Ustawienia lokalne\Temp\VVSNInst.exe

detected: adware not-a-virus:AdWare.Win32.SaveNow.bo: C:\Program Files\BearShare\Installer

detected: adware not-a-virus:AdWare.Win32.NewDotNet: C:\WINDOWS\NDNUnistall6_38.exe

detected: adware not-a-virus:AdWare.Win32.NewDotNet.e: C:\WINDOWS\NDNUnistall7_14.exe

w sumie jest tego 68 plików :frowning: :frowning: :frowning: i co teraz? :frowning:


(Bbieniol) #12

Ściągnij EWIDO, zrób update i przeskanuj nim dysk i wrzuć tutaj report :slight_smile:

Oraz przeczyść rejestr (polecam do tego RegCleaner 4.3.0.780)

Wyczyść folder TEMP (w trybie awaryjnym), czyli Start --> uruchom --> cmd i wpisujesz:


(W Justyna) #13

Usunęłam w Kasperskim wszystkie te pliki które wynalazł i przeskanowałam jeszcze raz. Niby czysto ale robie jeszcze to co napisałeś. Report z EWIDO:

---------------------------------------------------------

 ewido anti-malware - Scan report

---------------------------------------------------------


 + Created on: 22:06:50, 2006-05-07

 + Report-Checksum: 890D73C7


 + Scan result:


	HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup

	HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup

	HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup

	HKLM\SOFTWARE\WhenUSave\Partners\CAST -> Adware.SaveNow : Cleaned with backup

	HKLM\SOFTWARE\WhenUSave\Partners\EEPE -> Adware.SaveNow : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@a.tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@ad.adocean[1].txt -> TrackingCookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@com[1].txt -> TrackingCookie.Com : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@gde.adocean[2].txt -> TrackingCookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@idg.adocean[2].txt -> TrackingCookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@my.adocean[1].txt -> TrackingCookie.Adocean : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Cookies\justyna wilk@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned with backup

	C:\Documents and Settings\Justyna Wilk\Ustawienia lokalne\Temp\temp.frFCF5\ACM.dll -> Adware.SaveNow : Cleaned with backup

	C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup

	C:\Program Files\NewDotNet\readme.html -> Adware.NewDotNet : Cleaned with backup



::Report End

(Bbieniol) #14

Zobacz nie przypadkiem nie masz na dysku folderów:

C:\Program Files\ NewDotNet

C:\Program Files\ Save

Jeżeli masz to je skasuj :slight_smile:

Poza tym niegroźne ciasteczka, które EWIDO usunął :slight_smile:


(W Justyna) #15

PS. Jak mam przeczyścić te rejestry? :mrgreen: Ściągnęłam ten program


(Bbieniol) #16

Przeczytaj ten temat --> http://forum.dobreprogramy.pl/viewtopic ... 963#274963


(W Justyna) #17

Folderów nie mam bo już dawno skasowane :mrgreen:


(Bbieniol) #18

Wydaje mi się, że jednak folder NewDotNet jest, bo EWIDO znalazł w nim syf :roll:

Dlatego wejdź w tryb awaryjnym --> Start --> uruchom --> cmd i wpisujesz komende:


(Kuz5) #19

I go skosił


(W Justyna) #20

hmm... być nie powinno bo od tego folderu się zaczęło i go kasowałam. Ale nic to spróbujemy skasować :smiley: