Please check my logs - problem with how the computer behaves


(Konohasenpuu) #1

The problem is that the computer behaves strangely... sometimes I can't open programs such as subedit etc.

I'm pasting the logs:

1. HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 15:39:08, on 2008-01-01

    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\SYSTEM32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\sytkvlgc.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe

    C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

    E:\Alcohol 120\StarWind\StarWindService.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    C:\WINDOWS\RTHDCPL.EXE

    C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

    C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

    C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

    C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE

    C:\WINDOWS\system32\qttask.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

    C:\WINDOWS\system32\RaConfig.exe

    C:\WINDOWS\system32\wscntfy.exe

    c:\program files\panda software\panda antivirus 2007\WebProxy.exe

    C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE

    C:\Program Files\Mozilla Firefox\firefox.exe

    E:\Winamp\winamp.exe

    E:\Gadu-Gadu\gg.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://google.dospop.com

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.onet.pl/

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

    R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)

    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\FlashGet\fgiebar.dll

    O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)

    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

    O3 - Toolbar: DosPop Toolbar - {BFB5F154-9212-46F3-B547-AC6106030A54} - C:\Program Files\DosPop Toolbar\dospop.dll

    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

    O4 - HKLM..\Run: [SkyTel] SkyTel.EXE

    O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE

    O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM..\Run: [nwiz] nwiz.exe /install

    O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

    O4 - HKLM..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

    O4 - HKLM..\Run: [AVPDWIN] "C:\Program Files\Panda Software\Panda Demo\pandasft.exe"

    O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

    O4 - HKLM..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

    O4 - HKLM..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

    O4 - HKLM..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

    O4 - HKLM..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

    O4 - HKLM..\Run: [98ee5142] rundll32.exe "C:\WINDOWS\system32\opadwaxp.dll",b

    O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

    O4 - HKCU..\Run: [Gadu-Gadu] "E:\Gadu-Gadu\gg.exe" /tray

    O4 - HKCU..\Policies\Explorer\Run: [w] %SystemRoot%\WinRaR.exe

    O4 - HKCU..\Policies\Explorer\Run: [mm] %SystemRoot%\sourro.exe

    O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

    O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

    O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

    O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

    O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O8 - Extra context menu item: &D&ownload &with BitComet - res://E:\BitComet\BitComet.exe/AddLink.htm

    O8 - Extra context menu item: &D&ownload all video with BitComet - res://E:\BitComet\BitComet.exe/AddVideo.htm

    O8 - Extra context menu item: &D&ownload all with BitComet - res://E:\BitComet\BitComet.exe/AddAllLink.htm

    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\MICROS~1\OFFICE11\EXCEL.EXE/3000

    O8 - Extra context menu item: Easy-WebPrint – Dodaj do listy drukowania - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

    O8 - Extra context menu item: Easy-WebPrint – Drukuj - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

    O8 - Extra context menu item: Easy-WebPrint – Drukuj z dużą szybkością - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

    O8 - Extra context menu item: Easy-WebPrint – Podgląd - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

    O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\FlashGet\jc_link.htm

    O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\FlashGet\jc_all.htm

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

    O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - E:\BitComet\tools\BitCometBHO_1.1.9.24.dll

    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\MICROS~1\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\FlashGet\flashget.exe

    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\FlashGet\flashget.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O17 - HKLM\System\CCS\Services\Tcpip..{D26BE1FF-1601-4525-AE42-43FE57F20D13}: NameServer = 194.204.159.1,194.204.152.34

    O17 - HKLM\System\CCS\Services\Tcpip..{DA9BEC7E-3782-4F3C-BA18-A9719A4B639E}: NameServer = 194.204.159.1,194.204.152.34

    O23 - Service: DomainService - - C:\WINDOWS\system32\sytkvlgc.exe

    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe

    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe

    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Alcohol 120\StarWind\StarWindService.exe

    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --

    End of file - 7759 bytes

2. Silent Runners:

"Silent Runners.vbs", revision 55, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"w" = "C:\WINDOWS\WinRaR.exe"

"mm" = "C:\WINDOWS\sourro.exe"


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]

"Gadu-Gadu" = ""E:\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]

"VGAUtil" = "C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [empty string]

"AVPDWIN" = ""C:\Program Files\Panda Software\Panda Demo\pandasft.exe"" [file not found]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"SSBkgdUpdate" = ""C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot" ["Nuance Communications, Inc."]

"OpwareSE4" = ""C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"" ["ScanSoft, Inc."]

"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s" ["Panda Software International"]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"98ee5142" = "rundll32.exe "C:\WINDOWS\system32\opadwaxp.dll",b" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}

"Flag" = dword:0x00000002


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{0072F9A9-1BF0-4BAA-B433-08D7B4CA2101}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ddcyx.dll" [null data]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "E:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch5 Class"

                   \InProcServer32\(Default) = "E:\FlashGet\jccatch.dll" ["FlashGet"]

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

  -> {HKLM...CLSID} = "BitComet Helper"

                   \InProcServer32\(Default) = "E:\BitComet\tools\BitCometBHO_1.1.9.24.dll" ["BitComet"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

{57F9FEF0-6EAE-4030-A68A-30FDC38B1B13}\(Default) = "TBSB09293"

  -> {HKLM...CLSID} = "TBSB09293 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\DOSPOP~1\dospop.dll" [empty string]

{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}\(Default) = "Canon Easy Web Print Helper"

  -> {HKLM...CLSID} = "EWPBrowseObject Class"

                   \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll" [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

{7ebfb476-1e80-4441-96e3-a9fd701cfb80}\(Default) = "{08bfc107-df9a-3e69-1444-08e1674bfbe7}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ajprmabx.dll" [null data]

{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\ddcyxus.dll" [null data]

{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "gFlash Class"

                   \InProcServer32\(Default) = "E:\FlashGet\getflash.dll" [null data]

{F97DA966-F09D-4cab-BF29-75A0026986EA}\(Default) = "XBTP02634"

  -> {HKLM...CLSID} = "XBTP02634 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\MediaBar.dll" ["IE Toolbar"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WINRAR\rarext.dll" [null data]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.dll" ["Panda Software International"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{8E3FBDE2-7DBD-4040-85D9-29BBC559C129}" = "*n" (unwritable string)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\SYSTEM32\ddcyxus.dll" [null data]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> avldr\DLLName = "avldr.dll" ["Panda Software International"]

<> ddcyxus\DLLName = "ddcyxus.dll" [null data]


HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.dll" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WINRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WINRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus 2007\ShellTit.dll" ["Panda Software International"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WINRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoStartBanner" = (REG_BINARY) hex:01

{Remove "Click here to begin" from Start button}


"NoInstrumentation" = (REG_DWORD) dword:0x00000001

{unrecognized setting}


"NoStartMenuSubFolders" = (REG_DWORD) dword:0x00000001

{unrecognized setting}


"NoFavoritesMenu" = (REG_DWORD) dword:0x00000001

{User Configuration|Administrative Templates|Start Menu and Taskbar|

Remove Favorites menu from Start Menu}


HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\


"ResetWebSettings" = (REG_SZ) 0

{User Configuration|Administrative Templates|Windows Components|Internet Explorer|

Disable the Reset Web Settings feature}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Darek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Darek" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"RaConfig" -> shortcut to: "C:\WINDOWS\system32\RaConfig.exe" ["Ralink Technology, Corp."]



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]

"At1" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At10" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At11" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At12" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At13" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At14" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At15" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At16" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At17" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At18" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At19" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At2" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At20" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At21" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At22" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At23" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At24" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At3" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At4" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At5" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At6" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At7" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At8" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]

"At9" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

c:\program files\panda software\panda antivirus 2007\pavlsp.dll ["Panda Software International"], 01 - 03, 22

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

"{BFB5F154-9212-46F3-B547-AC6106030A54}"

  -> {HKLM...CLSID} = "DosPop Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\DosPop Toolbar\dospop.dll" [empty string]


HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "E:\FlashGet\fgiebar.dll" ["Amaze Soft"]

"{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"

  -> {HKLM...CLSID} = "Easy-WebPrint"

                   \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

"{BFB5F154-9212-46F3-B547-AC6106030A54}" = (no title provided)

  -> {HKLM...CLSID} = "DosPop Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\DosPop Toolbar\dospop.dll" [empty string]

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]


Explorer Bars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\


HKLM\SOFTWARE\Classes\CLSID\{03C1C47F-0538-4645-8372-D3109B9FC636}\(Default) = "Easy-WebPrint"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]


HKLM\SOFTWARE\Classes\CLSID\{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}\(Default) = "BitComet Button"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\BitComet\tools\BitCometBHO_1.1.9.24.dll" ["BitComet"]


HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\

"ButtonText" = "BitComet Search"


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "E:\FlashGet\flashget.exe" ["FlashGet.com"]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<> "Tabs" = "C:\Documents and Settings\Darek\Dane aplikacji\MEGAUPLOADTOOLBAR\tabwelcome.html" [null data]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


DomainService, DomainService, "C:\WINDOWS\system32\sytkvlgc.exe /service" [" "]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Panda anti-virus service, PAVSRV, ""C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe"" ["Panda Software International"]

Panda IManager Service, PSIMSVC, ""C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe"" ["Panda Software International"]

Panda Software Controller, Panda Software Controller, ""C:\Program Files\Panda Software\Panda Antivirus 2007\PsCtrls.exe"" ["Panda Software International"]

StarWind iSCSI Service, StarWindService, "E:\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor MP160\Driver = "CNMLM83.DLL" ["CANON INC."]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



---------- (launch time: 2008-01-01 15:39:18)

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 74 seconds.

---------- (total run time: 121 seconds)

3. ComboFix:

    ComboFix 07-12-31.4 - Darek 2008-01-01 15:42:12.1 - NTFSx86
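
The logs above carry the launch points a Vundo/Virtumonde cleanup usually turns on: a rundll32 entry that loads a random-named system32 DLL through a one-letter export, launchers under `Policies\Explorer\Run`, a service with an empty vendor field living in system32, DLLs with no version resource (`[null data]`) at BHO, ShellExecuteHook and Winlogon\Notify points, and a batch of `AtN` scheduled tasks all launching the same file. The script below is an added triage example, not part of this thread and not code from HijackThis, Silent Runners or ComboFix; it turns those observations into rules and runs them over lines copied from the logs above plus a few benign lines added for contrast. The `SYSTEM32` prefix, the `AT_TASK_THRESHOLD` value and the rule names are assumptions.

```python
r"""Triage rules for HijackThis and Silent Runners logs like the ones posted above.

Added example: not part of the thread and not code from either tool.  Rules:
  * rundll32 loading a system32 DLL through a one-letter export (the loader shape
    seen in the O4 "98ee5142" line),
  * launchers under HKCU\...\Policies\Explorer\Run, rarely used by legitimate software,
  * a service with an empty vendor field whose binary lives in system32,
  * DLLs with no version resource ("[null data]") in system32 at InProcServer32 and
    Winlogon\Notify launch points,
  * a batch of AtN scheduled tasks all launching the same file.
SYSTEM32 and AT_TASK_THRESHOLD are assumptions; the sample lines are copied from the
logs above, with benign NVIDIA/Canon/Apple lines added for contrast.
"""
import re
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"   # assumption: default Windows XP install path
AT_TASK_THRESHOLD = 3                # assumption: three or more AtN tasks on one target

# HijackThis prints "HKLM\..\Run"; the forum copy shows "HKLM..\Run", so the backslash
# before ".." is optional.  O23 lines with no vendor read "name - - path".
O4_RE = re.compile(r'^O4 - (HK\S*?)\.\.\\([^:]+): \[([^\]]+)\] (.*)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.*?) ?- ([A-Za-z]:\\.+)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.I)

# Silent Runners shapes: InProcServer32 lines, Winlogon\Notify lines, scheduled tasks.
SR_INPROC_RE = re.compile(r'InProcServer32\\\(Default\) = "([^"]+)" \[null data\]')
SR_NOTIFY_RE = re.compile(r'^\s*<> (\S+)\\DLLName = "([^"]+)" \[null data\]')
SR_TASK_RE = re.compile(r'^"(At\d+)" -> launches: "([^"]+)"')


def in_system32(path):
    return path.strip('"').lower().startswith(SYSTEM32 + "\\")


def triage_hijackthis(lines):
    """Return (rule, evidence) tuples for HijackThis lines worth a closer look."""
    findings = []
    for line in (l.strip() for l in lines):
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            if "policies\\explorer\\run" in key.lower():
                findings.append(("policy-run-launcher", f"{hive}..\\{key} [{name}] {cmd}"))
            r = RUNDLL_RE.search(cmd)
            if r and in_system32(r.group(1)) and len(r.group(2)) == 1:
                findings.append(("rundll32-one-letter-export", f"[{name}] {cmd}"))
            continue
        m = O23_RE.match(line)
        if m:
            svc, vendor, path = m.groups()
            if not vendor.strip() and in_system32(path):
                findings.append(("unsigned-service-in-system32", f"{svc} -> {path}"))
            continue
        if line.startswith(("O3 - Toolbar", "R3 - URLSearchHook")) and "(no file)" in line:
            findings.append(("orphaned-browser-hook", line))
    return findings


def triage_silent_runners(lines):
    """Return (rule, evidence) tuples for Silent Runners lines worth a closer look."""
    findings, seen, tasks = [], set(), defaultdict(list)
    for line in lines:
        m = SR_INPROC_RE.search(line)
        if m:
            dll = m.group(1)
            # "[null data]" only means "no version resource": the Canon and WinRAR DLLs in
            # the log show it too, so this rule is limited to DLLs dropped into system32.
            if in_system32(dll) and dll.lower() not in seen:
                seen.add(dll.lower())
                findings.append(("no-version-info-dll-in-system32", dll))
            continue
        m = SR_NOTIFY_RE.match(line)
        if m:
            findings.append(("winlogon-notify-no-version-info", f"{m.group(1)} -> {m.group(2)}"))
            continue
        m = SR_TASK_RE.match(line)
        if m:
            tasks[m.group(2).lower()].append(m.group(1))
    for target, names in tasks.items():
        if len(names) >= AT_TASK_THRESHOLD:
            findings.append(("at-task-batch", f"{len(names)} tasks ({names[0]}..{names[-1]}) -> {target}"))
    return findings


# Constructed sample: lines copied from the logs above plus benign lines for contrast.
HJT_SAMPLE = r"""
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [98ee5142] rundll32.exe "C:\WINDOWS\system32\opadwaxp.dll",b
O4 - HKCU..\Policies\Explorer\Run: [mm] %SystemRoot%\sourro.exe
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O23 - Service: DomainService - - C:\WINDOWS\system32\sytkvlgc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

SR_SAMPLE = r"""
<> ddcyxus\DLLName = "ddcyxus.dll" [null data]
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ddcyx.dll" [null data]
                   \InProcServer32\(Default) = "C:\Program Files\Canon\Easy-WebPrint\Toolband.dll" [null data]
"At1" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]
"At2" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]
"At3" -> launches: "C:\WINDOWS\system32\U8874B1c.exe" [null data]
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]
""".strip().splitlines()

if __name__ == "__main__":
    for rule, evidence in triage_hijackthis(HJT_SAMPLE) + triage_silent_runners(SR_SAMPLE):
        print(f"{rule:34} {evidence}")
```

Run it as-is to see the four HijackThis hits (the `98ee5142` rundll32 loader, the `mm` policy launcher, the orphaned toolbar GUID and `DomainService`) and the three Silent Runners hits; the NVIDIA rundll32 entry, the Canon DLL and the Apple task are deliberately left untouched by the rules. Feed it the full logs by replacing the sample lists with `open(path).read().splitlines()`. The rules are heuristics for triage, not a verdict: a hit says "look at this file", and the file still has to be checked (hash, signature, sandbox) before anything is deleted.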


(Arekmalek) #2

This is the latest VUNDO infection.

Keep using this until it no longer finds any files:

VUNDOFIX


(Konohasenpuu) #3

Thank you very much for the program. I scanned the computer with it once and it found one virus, which I removed. Then I scanned again to check whether those viruses were really gone... and indeed they were, but the problem still persists... Please check these logs anyway, just to be sure, because unfortunately I don't know much about this...

Waiting for help


(Arekmalek) #4

Fix in HijackThis:

Then:

Paste into Notepad:

File > Save As -> CFScript.txt

Then drag that file onto the ComboFix icon

Post the resulting log

EDIT:

Download these tools:

VundoFix, SDFix, FixVundo.exe, VirtumundoBeGone and use them in Safe Mode. Please paste their reports at http://www.wklej.org


(Konohasenpuu) #5

OK, log from VBG:

[01/02/2008, 18:55:19] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Darek\Pulpit\VirtumundoBeGone.exe" )

[01/02/2008, 18:55:25] - User choose NOT to continue. Exiting...


[01/02/2008, 18:58:21] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Darek\Pulpit\VirtumundoBeGone.exe" )

[01/02/2008, 18:58:22] - Detected System Information:

[01/02/2008, 18:58:22] - Windows Version: 5.1.2600, Dodatek Service Pack 2

[01/02/2008, 18:58:22] - Current Username: Darek (Admin)

[01/02/2008, 18:58:22] - Windows is in SAFE mode with Networking.

[01/02/2008, 18:58:22] - Searching for Browser Helper Objects:

[01/02/2008, 18:58:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

[01/02/2008, 18:58:22] - BHO 2: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)

[01/02/2008, 18:58:22] - BHO 3: {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} (BitComet Helper)

[01/02/2008, 18:58:22] - BHO 4: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} (Megaupload Toolbar)

[01/02/2008, 18:58:22] - BHO 5: {57F9FEF0-6EAE-4030-A68A-30FDC38B1B13} (TBSB09293 Class)

[01/02/2008, 18:58:22] - BHO 6: {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} (EWPBrowseObject Class)

[01/02/2008, 18:58:22] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[01/02/2008, 18:58:22] - BHO 8: {F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)

[01/02/2008, 18:58:22] - BHO 9: {F97DA966-F09D-4cab-BF29-75A0026986EA} (XBTP02634 Class)

[01/02/2008, 18:58:22] - Finished Searching Browser Helper Objects

[01/02/2008, 18:58:22] - Finishing up...

[01/02/2008, 18:58:22] - Nothing found! Exiting...

Log from SDFix:

catchme 0.3.1333.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-02 19:02:28

Windows 5.1.2600 Dodatek Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden services & system hive ...


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:5c04c906

"s2"=dword:9cfb8a4f

"h0"=dword:00000002


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\Alcohol 120\"

"h0"=dword:00000001

"ujdew"=hex:f5,31,23,e0,78,5b,75,6e,4b,e6,35,16,d1,b6,1a,74,3a,bb,36,5f,f1,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="E:\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:ee,d2,04,82,d2,b0,b2,4d,19,aa,a8,40,8d,83,31,b1,e5,a5,5f,9d,ab,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,e0,b6,3e,16,21,46,c0,3f,c8,3a,a2,2c,34,4c,3e,0b,76,..

"khjeh"=hex:e3,a5,b3,e0,e9,6b,94,af,09,e6,8d,4a,43,7d,90,e2,7a,8b,3c,f1,30,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:6d,d0,10,0e,02,d3,50,c8,5a,a5,f2,5b,b4,d6,9d,da,d9,99,d1,d0,80,..


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:25,8e,a4,c8,c4,89,6c,47,52,a3,af,42,78,69,21,b2,7d,70,7a,54,40,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04]

"p0"="E:\Alcohol 120\"

"h0"=dword:00000001

"ujdew"=hex:f5,31,23,e0,78,5b,75,6e,4b,e6,35,16,d1,b6,1a,74,3a,bb,36,5f,f1,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="E:\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:ee,d2,04,82,d2,b0,b2,4d,19,aa,a8,40,8d,83,31,b1,e5,a5,5f,9d,ab,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,e0,b6,3e,16,21,46,c0,3f,c8,3a,a2,2c,34,4c,3e,0b,76,..

"khjeh"=hex:e3,a5,b3,e0,e9,6b,94,af,09,e6,8d,4a,43,7d,90,e2,7a,8b,3c,f1,30,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:6d,d0,10,0e,02,d3,50,c8,5a,a5,f2,5b,b4,d6,9d,da,d9,99,d1,d0,80,..


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:25,8e,a4,c8,c4,89,6c,47,52,a3,af,42,78,69,21,b2,7d,70,7a,54,40,..


scanning hidden registry entries ...


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..


scanning hidden files ...


scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

And I've already scanned with those Vundo tools and they no longer detect anything, so I'm not pasting a log. Regards, and I'm waiting for a reply.


(Gutek) #6

Follow this Topic and change the thread title to a specific one, otherwise TRASH

Regards, Gutek2222

Post a new log from ComboFix