Jurek104
(U Grabowska)
24 Lipiec 2006 12:16
#1
Mam prośbę aby sprawdzić w moim logu co należy wyciąć aby nie włączały mi się Adan-078,Adan-094, KillAndClean, w załaczeniu log.
Logfile of HijackThis v1.99.1 Scan saved at 13:56:25, on 2006-07-24 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe D:\Program Files\Alwil Software\Avast4\ashServ.exe D:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe D:\Program Files\Alwil Software\Avast4\ashWebSv.exe D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe D:\Program Files\BySoft FreeRAM\FreeRAM.exe D:\Webroot\Washer\wwDisp.exe D:\Program Files\Skype\Phone\Skype.exe C:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\MSI\PC Alert 4\PCAlert4.exe C:\WINDOWS\System32{E1388825-0D17-49E6-B01F-9B382BC719F5}.exe D:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Jurek\USTAWI~1\Temp\Rar$EX31.203\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O1 - Hosts: localhost 127.0.0.1 O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [Odkurzacz-MCD] D:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe O4 - HKLM…\Run: [RivaTunerStartupDaemon] “D:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /S O4 - HKLM…\Run: [RemoteControl] “D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [Zone Labs Client] “D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [dmhxz.exe] C:\WINDOWS\System32\dmhxz.exe O4 - HKLM…\Run: [wvoix.exe] C:\WINDOWS\System32\wvoix.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [bySoft FreeRAM] D:\Program Files\BySoft FreeRAM\FreeRAM.exe O4 - HKCU…\Run: [Window Washer] D:\Webroot\Washer\wwDisp.exe O4 - HKCU…\Run: [skype] “D:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - HKCU…\Run: [KillAndClean] “C:\Program Files\KillAndClean\KillAndClean.exe” O4 - Startup: PowerReg Scheduler.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: PC Alert 4.lnk = D:\Program Files\MSI\PC Alert 4\PCAlert4.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup … 0039831467 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 0039812530 O17 - HKLM\System\CCS\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip…{C0A94BC2-6ADB-426D-AB87-3219FB87AD3D}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS2\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
W dodaj/usuń odinstaluj KillAndClean
C:\WINDOWS\System32{E1388825-0D17-49E6-B01F-9B382BC719F5}.exe O1 - Hosts: localhost 127.0.0.1 O4 - HKLM…\Run: [dmhxz.exe] C:\WINDOWS\System32\dmhxz.exe O4 - HKLM…\Run: [wvoix.exe] C:\WINDOWS\System32\wvoix.exe O4 - HKCU…\Run: [KillAndClean] “C:\Program Files\KillAndClean\KillAndClean.exe” O4 - Startup: PowerReg Scheduler.exe O17 - HKLM\System\CCS\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip…{C0A94BC2-6ADB-426D-AB87-3219FB87AD3D}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS2\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70
1.Startujesz do trybu awaryjnego
2.Wyłanczasz przywracanie systemu (tylko Me/Xp)
3.Kasujesz wpisy w HijackThis
4.Kasujesz pogrubione pliki/foldery
5.Dajesz nowy log z hjt + log z Silent Runners
Puścić w ruch fixwareout i pokazać raport .
Jurek104
(U Grabowska)
24 Lipiec 2006 12:49
#3
Mam jeszcze pytanie, KillAndClean w dodaj usuń nie widać go( kiedyś go wykasowałem), oraz czy wszystkie wpisy (pliki/foldery) które wymieniłeś w cytacie mam usunąć w HijackThis, czy tylko pogrubione ?
no i ? poprostu nie musisz go już odinstalowywać
pogrubione pliki wywal ręcznie, a wpisy skasuj hijackiem
Jak zrobisz już wszystko , wklej nowe logi.
Jurek104
(U Grabowska)
24 Lipiec 2006 12:54
#5
OK
Złączono Posta : 24.07.2006 (Pon) 15:10
Niestety tryb awaryjny zawiesza się, i nie odpala. Co w tym momencie ?
adam9870
(adam9870)
24 Lipiec 2006 13:49
#6
To w końcu jak jest ?
Pojawia się może jakiś konkretny komunikat itp. ? Może zerknij tutaj:
http://forum.dobreprogramy.pl/viewtopic … 335#558335
i zobacz na odpowiedź Bieniola
to nic nie da, tylko to, że komp będzie się za każdym razem uruchamiał w awaryjnym, ale co z tego skoro mu się zawiesza.
Ściągnij Gmer’a , w zakładce cmd wklej:
Przejdź do zakładki procesy i wybierz opcje zabij wszystko, później w cmd wybierz uruchom, ponownie przejdź do zakładki procesy, wybierz 3 kropki “…” , uruchom hijackthis, zrób skan i skasuj wpisy:
O1 - Hosts: localhost 127.0.0.1 O4 - HKLM…\Run: [dmhxz.exe] C:\WINDOWS\System32\dmhxz.exe O4 - HKLM…\Run: [wvoix.exe] C:\WINDOWS\System32\wvoix.exe O4 - HKCU…\Run: [KillAndClean] “C:\Program Files\KillAndClean\KillAndClean.exe” O4 - Startup: PowerReg Scheduler.exe O17 - HKLM\System\CCS\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip…{C0A94BC2-6ADB-426D-AB87-3219FB87AD3D}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS2\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70
Restart i nowe logi razem z fixwareout
Monczkin
(Monczkin)
24 Lipiec 2006 15:16
#9
Jurek104 proszę wszelkie logi obejmować znacznikiem quote
Jurek104
(U Grabowska)
24 Lipiec 2006 17:13
#10
W załaczeniu wszystkie otrzymane raporty.
Proszę o analizę i co wykonać dalej.
Fixwareout ver 1.003 Last edited 07/1/2006 Post this report in the forums please Reg Entries that were deleted … Random Runs removed from HKLM … PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. Example ipsec6.exe is legitimate »»»»» Search by size and names… * csr.exe C:\WINDOWS\System32\CSBQI.EXE »»»»» Misc files »»»»» Checking for older varients covered by the Rem3 tool »»»»» Search five digit cs, dm and jb files This WILL/CAN also list Legit Files, Submit them at Virustotal C:\WINDOWS\SYSTEM32\CSBQI.EXE 51 224 2006-07-22 C:\WINDOWS\SYSTEM32\DMAXK.EXE 61 968 2001-10-26 C:\WINDOWS\SYSTEM32\DMMJI.EXE 61 968 2001-10-26 C:\WINDOWS\SYSTEM32\DMOCT.EXE 61 968 2001-10-26 C:\WINDOWS\SYSTEM32\DMWQG.EXE 61 968 2001-10-26 Other suspects Directory of C:\WINDOWS\system32 {F53138BE-B5D1-4803-A882-8E2AFE526104}.exe {5757C670-6323-463D-92AF-761780DB17DC}.exe {1E5F7E67-EF4C-49BA-BCC8-4AD131B6A69A}.exe {0DE1D050-45F8-432B-BF6D-03742FF2D0AC}.exe {1C33A815-55F1-4853-8785-17AD87096C1E}.exe
“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “BySoft FreeRAM” = “D:\Program Files\BySoft FreeRAM\FreeRAM.exe” [“BySoft”] “Window Washer” = “D:\Webroot\Washer\wwDisp.exe” [“Webroot Software”] “Skype” = ““D:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “wininet.dll” = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “SiSUSBRG” = “C:\WINDOWS\SiSUSBrg.exe” [“Silicon Integrated Systems Corp.”] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “Odkurzacz-MCD” = “D:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe” [“FranmoSoft”] “RivaTunerStartupDaemon” = ““D:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /S” [empty string] “RemoteControl” = ““D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “Zone Labs Client” = ““D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “dmoct.exe” = “C:\WINDOWS\System32\dmoct.exe” [null data] “cdqne.exe” = “C:\WINDOWS\System32\cdqne.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]
Logfile of HijackThis v1.99.1 Scan saved at 18:48:14, on 2006-07-24 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe D:\Program Files\BySoft FreeRAM\FreeRAM.exe D:\Webroot\Washer\wwDisp.exe D:\Program Files\Skype\Phone\Skype.exe D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe D:\Program Files\MSI\PC Alert 4\PCAlert4.exe C:\Program Files\Internet Explorer\iexplore.exe D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe D:\Program Files\Alwil Software\Avast4\ashServ.exe D:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wdfmgr.exe D:\Program Files\Alwil Software\Avast4\ashWebSv.exe D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\System32\wbem\wmiprvse.exe C:\WINDOWS\System32\wuauclt.exe D:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Jurek\USTAWI~1\Temp\Rar$EX01.125\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [Odkurzacz-MCD] D:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe O4 - HKLM…\Run: [RivaTunerStartupDaemon] “D:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /S O4 - HKLM…\Run: [RemoteControl] “D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [Zone Labs Client] “D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [dmoct.exe] C:\WINDOWS\System32\dmoct.exe O4 - HKLM…\Run: [cdqne.exe] C:\WINDOWS\System32\cdqne.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [bySoft FreeRAM] D:\Program Files\BySoft FreeRAM\FreeRAM.exe O4 - HKCU…\Run: [Window Washer] D:\Webroot\Washer\wwDisp.exe O4 - HKCU…\Run: [skype] “D:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: PC Alert 4.lnk = D:\Program Files\MSI\PC Alert 4\PCAlert4.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup … 0039831467 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 0039812530 O17 - HKLM\System\CCS\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
W gmerze , w zakładce cmd wklej:
Zaznacz REGEDIT.EXE i wklej:
W zakładce procesy wybierz zabij wszystko, spowrotem do cmd >>>uruchom, regedit.exe>>>uruchom. Jeszcze raz przejdź do zakładki procesy, wybierz 3 kropki “…” , uruchom hijackthis , zrób skan i skasuj wpisy:
O17 - HKLM\System\CCS\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70
Zapuść również smitfraudfix http://forum.dobreprogramy.pl/viewtopic.php?t=36654 i pokaż raport.
Po zabiegu nowe logi.
Jurek104
(U Grabowska)
24 Lipiec 2006 18:59
#12
Jeden plus jest, tzn. nie pojawia się żadna informacja, że avast znalazł wirusa Adan-078 lub później Adan-094.
Mam natomiast gorącą prośbę o szczegółowe pokierowanie gmerem, ponieważ poprzednim razem nie wszystko zabił( część zostawił) a w cmd jak uruchomiłem, to niestety nie mógł żadnego wiersza poleceń znaleźć, i tak to opisał- miałem kłopot co z obydwoma faktami dalej zrobić.
Jak możesz proszę o szczegóły postępowania w gmerze.
zostawił niezbędne do jego działania, zapewne tylko 4
Poczytaj dokładnie, masz poprostu wkleić w zakładce cmd:
Później wyżej, gdzie jest zaznaczone cmd.exe , masz zaznaczyć regedit.exe i wkleić
W zakładce procesy wybrać zabij wszystko, w cmd przy zaznaczonym cmd.exe wybrać uruchom>>zaznaczyć regedit.exe i również wybrac uruchom. Później w zakładce procesy wybierasz 3 kropki i uruchamiasz hjt, skanujesz i kasujesz wpisy:
O17 - HKLM\System\CCS\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS3\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70 O17 - HKLM\System\CS4\Services\Tcpip…{4E926612-A3C2-4670-8E75-6BE3A61D01F2}: NameServer = 85.255.113.115,85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.70
restart i nowe logi.
nie rozumiem cie , czego nie mógł znaleźć
Jurek104
(U Grabowska)
24 Lipiec 2006 20:52
#14
W załączeniu nowe logi i raporty.
Logfile of HijackThis v1.99.1 Scan saved at 22:05:39, on 2006-07-24 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\spoolsv.exe D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe D:\Program Files\Alwil Software\Avast4\ashServ.exe D:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe D:\Program Files\Alwil Software\Avast4\ashWebSv.exe D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\WINDOWS\Explorer.EXE D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\System32\ctfmon.exe D:\Program Files\BySoft FreeRAM\FreeRAM.exe D:\Webroot\Washer\wwDisp.exe D:\Program Files\Skype\Phone\Skype.exe D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe D:\Program Files\MSI\PC Alert 4\PCAlert4.exe C:\WINDOWS\System32\wuauclt.exe D:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\Jurek\USTAWI~1\Temp\Rar$EX00.625\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [siSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [Odkurzacz-MCD] D:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe O4 - HKLM…\Run: [RivaTunerStartupDaemon] “D:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /S O4 - HKLM…\Run: [RemoteControl] “D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [Zone Labs Client] “D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [bySoft FreeRAM] D:\Program Files\BySoft FreeRAM\FreeRAM.exe O4 - HKCU…\Run: [Window Washer] D:\Webroot\Washer\wwDisp.exe O4 - HKCU…\Run: [skype] “D:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: PC Alert 4.lnk = D:\Program Files\MSI\PC Alert 4\PCAlert4.exe O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup … 0039831467 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 0039812530 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
SmitFraudFix v2.75b Scan done at 22:33:07,65, 2006-07-24 Run from C:\Documents and Settings\Jurek\Pulpit\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»» C:\ »»»»»»»»»»» C:\WINDOWS »»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\regperf.exe FOUND ! C:\WINDOWS\system32\1024\ FOUND ! C:\WINDOWS\system32\components\flx?.dll FOUND ! C:\WINDOWS\system32\components\flx??.dll FOUND ! »»»»»»»»»»» C:\Documents and Settings\Jurek\Application Data »»»»»»»»»»» Start Menu »»»»»»»»»»» C:\DOCUME~1\Jurek\Ulubione »»»»»»»»»»» Desktop »»»»»»»»»»» C:\Program Files »»»»»»»»»»» Corrupted keys »»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] “Source”=“About:Home” “SubscribedURL”=“About:Home” “FriendlyName”=“Moja bieľĄca strona g�˘wna” »»»»»»»»»»» Sharedtaskscheduler !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»» End “Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “BySoft FreeRAM” = “D:\Program Files\BySoft FreeRAM\FreeRAM.exe” [“BySoft”] “Window Washer” = “D:\Webroot\Washer\wwDisp.exe” [“Webroot Software”] “Skype” = ““D:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “SiSUSBRG” = “C:\WINDOWS\SiSUSBrg.exe” [“Silicon Integrated Systems Corp.”] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “Odkurzacz-MCD” = “D:\Program Files\Odkurzacz 10.1 Pro\odk_mcd.exe” [“FranmoSoft”] “RivaTunerStartupDaemon” = ““D:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe” /S” [empty string] “RemoteControl” = ““D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “Zone Labs Client” = ““D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”” [“Zone Labs, LLC”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) - {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) - {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) - {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” - {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” - {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” - {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” - {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” - {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” - {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] “{6EE51AA0-77A0-11D7-B4E1-000347126E46}” = “Window Washer Shell Shredding Utility” - {HKLM…CLSID} = “Window Washer Shell Shredding Utility” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL” [“Webroot Software”] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” - {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” - {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” - {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ “System” = (value not set) HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” - {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] Washer(Default) = “{6EE51AA0-77A0-11D7-B4E1-000347126E46}” - {HKLM…CLSID} = “Window Washer Shell Shredding Utility” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL” [“Webroot Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ Washer(Default) = “{6EE51AA0-77A0-11D7-B4E1-000347126E46}” - {HKLM…CLSID} = “Window Washer Shell Shredding Utility” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL” [“Webroot Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” - {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” - {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Jurek\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\ssstars.scr” [MS] Startup items in “Jurek” “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” - shortcut to: “D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “Microsoft Office” - shortcut to: “D:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] “PC Alert 4” - shortcut to: “D:\Program Files\MSI\PC Alert 4\PCAlert4.exe” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” - {HKLM…CLSID} = “Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) - {HKLM…CLSID} = “Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar2.dll” [“Google Inc.”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” - {HKCU…CLSID} = “Java Plug-in” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] - {HKLM…CLSID} = “Java Plug-in 1.5.0_06” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““D:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““D:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] Diskeeper, Diskeeper, “D:\Program Files\Executive Software\Diskeeper\DkService.exe” [“Executive Software International, Inc.”] LightScribeService Direct Disc Labeling Service, LightScribeService, “C:\Program Files\Common Files\LightScribe\LSSrvc.exe” [“Hewlett-Packard Company”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] TrueVector Internet Monitor, vsmon, “C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ EPSON V5 2KMonitor\Driver = “EBPMON2.DLL” [“SEIKO EPSON CORPORATION”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 158 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 290 seconds. ---------- (total run time: 1046 seconds)
squeet
(squeet)
24 Lipiec 2006 21:07
#15
Jurek104 byłeś o coś proszony. Więcej próśb nie będzie. Poczytaj:
http://forum.dobreprogramy.pl/viewtopic.php?t=36654
Masz tam, jak zaznacza się logi.
Te poprawiłem już.
silent i hijack czysty, w smistfraudfix masz wybrać opcje nr. 2 (automatycznego usuwania)
Jurek104
(U Grabowska)
25 Lipiec 2006 14:15
#18
Dzięki za pomoc przy utrzymaniu kompoa w czystości.
Nara
jurek1049
Złączono Posta : 25.07.2006 (Wto) 16:58
Jak zwykle za dużo szczęścia na raz, komp nie uruchamia się w trybie awaryjnym, a opcja 2 smitfraudfixa działa tylko w tym trybie.
Po właczeniu F8 i próbie uruchomienia w trybie awaryjnym, wczytane są dane tego trybu, a potem jest tylko znacznik myślenia (migający -) i na tym zostaje.
Czy masz na to jakąś rade ?
Jurek104
To spróbuj uruchomić w trybie normalnym opcje (2.)