Log check

Hello. I caught that thing - "your computer is infected" and so on... I tried to remove it following the instructions found on the forums, and so I would like to ask you to check the log to see whether everything is all right now.

  1. Disable System Restore in XP HERE

  2. Boot into Safe Mode without internet (described in the link above).

  3. Tick the indicated entries in HijackThis and click Fix checked. The entries will be removed.

  4. Delete from the disk the files I underlined in red

  5. Finish with online scanners - Scanners to choose from

  6. Post a new log :stuck_out_tongue:

Post a log from Silent Runners - Silent Runners description: http://www.searchengines.pl/phpbb203/in … opic=15989

So now the Silent Runners log looks like this:

Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"NCLaunch" = "C:\WINDOWS\NCLAUNCH.EXe" ["Northcode Inc."]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]

"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]

"adiras" = "adiras.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\K-Lite Codec Pack\Real\rpshell.dll" ["RealNetworks, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{780BCB64-0CAF-473c-A9FC-E08C03D75515}" = "Matroska Shell Extension, Properties Page CLSID"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]

"{78DC191E-EFC1-4532-9A71-224577A86A7D}" = "Matroska Shell Extension, Thumbnail Handler CLSID"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]

"{794D04CA-70AC-4020-80EB-FFD59DEF8027}" = "Matroska Shell Extension, Tooltip Provider CLSID"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]

"{789111D8-68A3-46a3-9663-145A3FF4C9C9}" = "Matroska Shell Extension, ContextMenu CLSID"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]

"{781395AF-A127-469f-A06F-59B482AF4F3F}" = "Matroska Shell Extension, Column Provider CLSID"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]

"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Siemens Data Suite\DES\DESShellExt.dll" ["Siemens AG"]

"{CBF8B85B-166C-41BF-9AA2-3C09DCAFF423}" = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\MHIMTF.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

MatroskaContextMenu\(Default) = "{789111D8-68A3-46a3-9663-145A3FF4C9C9}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MatroskaProp\MatroskaProp.dll" [" "]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\komputer\Moje dokumenty\Moje obrazy\warszawa.bmp"


Active Desktop web content:


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\

"FriendlyName" = ""

"Source" = "file:///C:/DOCUME~1/komputer/USTAWI~1/Temp/msohtml1/02/clip_image001.jpg"

"SubscribedURL" = "file:///C:/DOCUME~1/komputer/USTAWI~1/Temp/msohtml1/02/clip_image001.jpg"



Startup items in "komputer" & "All Users" startup folders:

----------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]

"InterVideo WinCinema Manager" -> shortcut to: "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe" [file not found]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"


{85D1F590-48F4-11D9-9669-0800200C9A66}\

"MenuText" = "Uninstall BitDefender Online Scanner v8"

"Exec" = "%windir%\bdoscandel.exe" [null data]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

PDScheduler, PDSched, "C:\Program Files\Raxco\PerfectDisk\PDSched.exe" ["Raxco Software, Inc."]

SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" [null data]

Please open the registry editor: Start >>> Run >>> regedit and go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager. There, double-click the BootExecute value and remove everything from the box except autocheck autochk *.

Open Notepad and paste this into it:

File >>> Save as >>> change the extension from TXT to All files >>> save it under the name FIX.REG >>> double-click the file you made and confirm >>> reboot the computer
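The log above and the BootExecute instruction in this reply are the two things a reader has to work through by eye. The following is an added example, not a tool from the thread or from Silent Runners: it walks a log in the same layout, reports every value carrying one of the markers a reviewer keys on (INFECTION WARNING!, [file not found], (no title provided)) together with the key it sits under, and computes what the BootExecute value should be reduced to. The sample lines are constructed to mirror a few of the entries posted above; the assumption that Silent Runners prints the strings of the REG_MULTI_SZ value joined by spaces is based only on how the value appears in the log.

```python
"""Triage a Silent Runners-style startup log and compute a clean BootExecute.

Added example, not a tool from the thread. The sample lines below are
constructed to mirror the format of the log posted above.
"""
import re

# Constructed sample in the Silent Runners layout: registry key header lines,
# then "name" = "data" [annotation] lines belonging to that key.
SAMPLE_LOG = r'''
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"adiras" = "adiras.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{CBF8B85B-166C-41BF-9AA2-3C09DCAFF423}" = (no title provided)
  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\MHIMTF.dll" [file not found]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]
'''

# Markers a human reviewer of such a log keys on.
SUSPICIOUS_MARKERS = ("INFECTION WARNING!", "[file not found]", "(no title provided)")

# A registry key header starts with a hive abbreviation and carries no "=".
KEY_HEADER = re.compile(r"^(HKLM|HKCU|HKCR|HKU)\\")

# The Windows default content of the BootExecute REG_MULTI_SZ value.
STANDARD_BOOT_EXECUTE = "autocheck autochk *"


def triage(log_text):
    """Return a list of (registry_key, line, reasons) for lines worth a look.

    Walks the log once, remembering the most recent key header so every
    flagged value is reported together with the key it lives under.
    """
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_HEADER.match(line) and " = " not in line:
            current_key = line.replace(" {++}", "")
            continue
        reasons = [m for m in SUSPICIOUS_MARKERS if m in line]
        if reasons:
            findings.append((current_key, line, reasons))
    return findings


def boot_execute_from_log(log_text):
    """Pull the BootExecute data string out of a Silent Runners log.

    Assumption: the tool prints the MULTI_SZ strings joined by spaces, so the
    joined form is what comes back (the per-string split is not in the log).
    """
    m = re.search(r'"BootExecute" = "([^"]*)"', log_text)
    return m.group(1) if m else None


def extra_boot_execute_programs(joined):
    """Return whatever in the logged BootExecute string is not the default.

    This is the list of things the regedit instruction tells the user to
    delete from the value.
    """
    rest = joined.replace(STANDARD_BOOT_EXECUTE, " ")
    return rest.split()


def clean_boot_execute(entries):
    """Keep only the default autochk entry of a BootExecute REG_MULTI_SZ.

    `entries` is the list of strings in the value as it would be read from the
    registry (e.g. winreg.QueryValueEx on Windows); anything that is not exactly
    the Windows default is dropped, which is what the regedit step amounts to.
    """
    return [e for e in entries if e.strip() == STANDARD_BOOT_EXECUTE]


if __name__ == "__main__":
    for key, line, reasons in triage(SAMPLE_LOG):
        print(f"{key}\n    {line}\n    flagged: {', '.join(reasons)}")
    joined = boot_execute_from_log(SAMPLE_LOG)
    print("BootExecute as logged:", joined)
    print("to remove:", extra_boot_execute_programs(joined))
    print("cleaned value:", clean_boot_execute(["PDBoot.exe", STANDARD_BOOT_EXECUTE]))
```

Two points a practitioner would add when reading the result. First, a [file not found] annotation is only evidence that the path no longer resolves; a stale entry left by an uninstalled program and a malware loader whose file has already been deleted look the same in the log, so the decision to remove rests on the entry serving no purpose either way, not on the marker alone. Second, the same log lists Raxco's PerfectDisk scheduler service, and PDBoot.exe is the name PerfectDisk uses for its boot-time defragmenter, so the flagged BootExecute entry is more likely a leftover than the infection itself; a BootExecute entry whose file does not exist still has no reason to stay, which is why the regedit step leaves only autocheck autochk *.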

OK, done. And what was that actually for? I should point out that I'm a layperson and not everything is obvious to me ;). Should I post another log?

Correcting errors and removing unnecessary junk from the registry :wink:

Thank you kindly for your help. I hope I won't need rescuing again for a while :wink: