Xil
(Xil)
9 March 2007 22:16
#1
I can't boot Windows XP: system loading stops at the "Windows is starting up" window and won't go any further. Avast detected a trojan but wasn't able to remove it. I can only start the computer in Safe Mode. Please help. I'm attaching the HT and SR logs.
HT log:
Logfile of HijackThis v1.99.1
Scan saved at 22:46:30, on 2007-03-09
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Grzesiek\Pulpit\HT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.infoseek.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vobis.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.dialog.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\shdocvs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\System32\adirka.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.vobis.pl/
O17 - HKLM\System\CCS\Services\Tcpip\..\{7580639D-047F-4BF0-955A-8BC33065032C}: NameServer = 217.30.129.149,217.30.137.200
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {9F79E5D6-5AC3-4C5C-9672-2EAD702F6215} - C:\WINDOWS\System32\oacbmea.dll
O18 - Filter: text/plain - {9F79E5D6-5AC3-4C5C-9672-2EAD702F6215} - C:\WINDOWS\System32\oacbmea.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
SR log:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"adirka" = "C:\WINDOWS\System32\adirka.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"sysinter" = "C:\WINDOWS\System32\adirss.exe" [null data]
"lnwin.exe" = "C:\WINDOWS\System32\lnwin.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Spybot - Search & Destroy" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck" ["Safer Networking Limited"]
"SpybotSnD" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Shell Doc Object and Control Helper Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvs.dll" [MS]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "ST"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "MSNToolBandBHO"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
  -> {HKLM...CLSID} = "Corel Media Folder Root Menu Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
  -> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {HKLM...CLSID} = "Corel Media Folder"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {HKLM...CLSID} = "Corel Media Folder"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
  -> {HKLM...CLSID} = "Corel Media Find Folder"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
  -> {HKLM...CLSID} = "Corel Media Folder Copy Hook Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*U" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {HKLM...CLSID} = "YMailShellExt Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

HKLM\System\CurrentControlSet\Control\SecurityProviders\
<<!>> ("zwebauth.dll" [MS])
"SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> A3dxq\DLLName = "C:\WINDOWS\System32\a3dxq.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/html\CLSID = "{9F79E5D6-5AC3-4C5C-9672-2EAD702F6215}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\oacbmea.dll" [file not found]
<<!>> text/plain\CLSID = "{9F79E5D6-5AC3-4C5C-9672-2EAD702F6215}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\oacbmea.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {HKLM...CLSID} = "YMailShellExt Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
  -> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Grzesiek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Grzesiek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
rsvp32_2.dll [null data], 24


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
  -> {HKLM...CLSID} = "MSN"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {HKLM...CLSID} = "Web Browser Applet Control"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[strings]: START_PAGE_URL=http://www.vobis.pl/

Missing lines (compared with English-language version):
[strings]: 1 line


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmsnsv.dll" [MS]}
Zarządzanie aplikacjami, AppMgmt, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\appmgmts.dll" [file not found]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
hpzsnt05\Driver = "hpzsnt05.dll" ["HP"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 610 seconds.
---------- (total run time: 779 seconds)
adam9870
(adam9870)
10 March 2007 09:16
#2
Download KillBox, tick Delete on reboot, and in the Full path of file field paste these paths:
C:\WINDOWS\System32\shdocvs.dll
C:\WINDOWS\System32\adirss.exe
C:\WINDOWS\System32\lnwin.exe
C:\WINDOWS\System32\adirka.exe
C:\WINDOWS\System32\a3dxq.dll
After pasting each path separately, click the red X, but only after pasting the last one agree to the restart.
Open Notepad and paste this into it:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"adirka"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sysinter"=-
"lnwin.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\A3dxq]

[-HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Filter\text/html]

[-HKEY_LOCAL_MACHINE\Software\Classes\PROTOCOLS\Filter\text/plain]
File >>> Save as >>> change the file type from TXT to All files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
Download and run LSP-Fix, tick "I know what I'm doing", then in the Keep pane select the rsvp32_2.dll library, move it with the arrow (>>) to the Remove pane, click Finish and restart.
Remove the HJT entries if they are still there.
When done, paste new logs.
Xil
(Xil)
10 March 2007 10:32
#3
I did everything; pasting the logs.
HT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:15:00, on 2007-03-10
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Grzesiek\Pulpit\HT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.infoseek.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.vobis.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.dialog.net.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.vobis.pl/
O17 - HKLM\System\CCS\Services\Tcpip\..\{7580639D-047F-4BF0-955A-8BC33065032C}: NameServer = 217.30.129.149,217.30.137.200
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
SR log:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "ST"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "MSNToolBandBHO"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{0A082D00-EC93-11D0-B1E6-80580BC10627}" = "Corel Media Folder Root Menu Handler"
  -> {HKLM...CLSID} = "Corel Media Folder Root Menu Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}" = "Folder To Corel Media Folder Menu Handler"
  -> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{854AF161-1AE1-11D1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {HKLM...CLSID} = "Corel Media Folder"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{E856F161-1AE5-11d1-AB9B-00C0F00683EB}" = "Corel Media Folder"
  -> {HKLM...CLSID} = "Corel Media Folder"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{CDB89701-262F-11D1-AB9C-00C0F00683EB}" = "Corel Media Find Folder"
  -> {HKLM...CLSID} = "Corel Media Find Folder"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{F8152501-455F-11D1-B1E6-444553540000}" = "Corel Media Folder Copy Hook Handler"
  -> {HKLM...CLSID} = "Corel Media Folder Copy Hook Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
"{8E524B0D-04F0-11D1-B74A-00A0C90646A4}" = "IconFactTemp.NSIconHandlerFactory"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{A2AC368A-F883-11D0-B745-00A0C90646A4}" = "NSFiltManDll.FiltManCom"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CNSFlt80.dll" ["Corel Corporation"]
"{B63FCD5A-2396-11D1-B762-00A0C90646A4}" = "*d" (unwritable string)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFnd80.dll" ["Corel Corporation"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {HKLM...CLSID} = "YMailShellExt Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
  -> {HKLM...CLSID} = "YMailShellExt Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
FolderToCorelMediaFolder\(Default) = "{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}"
  -> {HKLM...CLSID} = "Folder To Corel Media Folder Menu Handler"
                   \InProcServer32\(Default) = "C:\Corel\Graphics8\programs\CMFFld80.dll" ["Corel Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\Grzesiek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Grzesiek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0"
  -> {HKLM...CLSID} = "MSN"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {HKLM...CLSID} = "Web Browser Applet Control"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[strings]: START_PAGE_URL=http://www.vobis.pl/

Missing lines (compared with English-language version):
[strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Canon Camera Access Library 8, CCALib8, "C:\Program Files\Canon\CAL\CALMAIN.exe" ["Canon Inc."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
hpzsnt05\Driver = "hpzsnt05.dll" ["HP"]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 664 seconds.
---------- (total run time: 889 seconds)
adam9870
(adam9870)
10 March 2007 10:53
#4
The logs are clean.
Do you have any other problems?
Cosmetics:
Start >>> Run >>> msconfig >>> Startup tab >>> you can untick the items mentioned above.
In the messenger's options you can turn off launching at system startup if you don't need it.
If you don't use Messenger, remove it: Start >>> Run >>> type the command:
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
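As an added example (not code from the thread or from any of its participants), the script below does in Python what adam9870 did by eye in post #2 and #4: it parses HijackThis launch-point lines, flags the kinds of entries he had removed, and diffs the before/after logs to confirm they are gone. The sample lines are excerpts copied from the two HijackThis logs posted above; the triage rule (flag O10, O18 MIME filters and O20 unconditionally, and O2/O4 entries whose file sits directly in System32 rather than in a vendor folder) is this example's own assumption, not a HijackThis feature, and is meant as a starting point for a human reviewer rather than a verdict.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread: the
# first log (before the fix) and the second (after KillBox, FIX.REG and
# LSP-Fix). Only the launch-point lines needed for the demonstration are kept.
HJT_BEFORE = r"""
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINDOWS\System32\shdocvs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\System32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\System32\lnwin.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [adirka] C:\WINDOWS\System32\adirka.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O18 - Filter: text/html - {9F79E5D6-5AC3-4C5C-9672-2EAD702F6215} - C:\WINDOWS\System32\oacbmea.dll
O18 - Filter: text/plain - {9F79E5D6-5AC3-4C5C-9672-2EAD702F6215} - C:\WINDOWS\System32\oacbmea.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
"""

HJT_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", body "HKLM\..\Run: [name] command"
HJT_LINE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A file sitting directly in System32, not in a vendor subfolder or Program Files.
SYSTEM32_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\System32\\[^\\]+$", re.IGNORECASE)


def parse_hjt(text):
    """Return the set of (section, body) entries found in a HijackThis log."""
    entries = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.add((m.group(1), m.group(2)))
    return entries


def extract_path(section, body):
    """Pull the file path out of an O2/O18/O20 entry or an O4 command line."""
    if section == "O4":
        cmd = body.split("] ", 1)[1] if "] " in body else ""
        if cmd.startswith('"'):          # quoted path, arguments follow the closing quote
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]      # unquoted path, stop at the first space
    if section in ("O2", "O18", "O20"):
        return body.rsplit(" - ", 1)[-1]
    return ""


def is_suspicious(section, body):
    """Triage heuristic (an assumption of this example, not a HijackThis rule):
    a broken LSP (O10), a text/html or text/plain MIME filter (O18) and a
    Winlogon Notify DLL (O20) always deserve a look; a BHO or Run entry (O2/O4)
    is flagged when its file sits directly in System32 rather than in a vendor
    folder, which is where every item removed in this thread lived."""
    if section in ("O10", "O20"):
        return True
    if section == "O18" and body.startswith("Filter:"):
        return True
    if section in ("O2", "O4"):
        return bool(SYSTEM32_ROOT.match(extract_path(section, body)))
    return False


def triage(text):
    """Entries of a log that the heuristic flags, in sorted order."""
    return [e for e in sorted(parse_hjt(text)) if is_suspicious(*e)]


def diff_logs(before, after):
    """(entries removed, entries added) between two logs of the same machine."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def verify_cleanup(before, after):
    """Check that every flagged entry from `before` is gone and nothing new and
    suspicious appeared. Returns (clean, still_present, new_suspicious)."""
    flagged = set(triage(before))
    still_present = sorted(flagged & parse_hjt(after))
    new_suspicious = sorted(set(triage(after)) - flagged)
    return (not still_present and not new_suspicious), still_present, new_suspicious


if __name__ == "__main__":
    for section, body in triage(HJT_BEFORE):
        print(f"[!] {section} - {body}")
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print(f"{len(removed)} entries removed, {len(added)} added")
    clean, left, new = verify_cleanup(HJT_BEFORE, HJT_AFTER)
    print("clean" if clean else f"not clean: {left + new}")
```

Run as-is it flags the eight lines adam9870 targeted (shdocvs.dll, the three Run entries in System32, the broken LSP, both oacbmea.dll filters and the a3dxq.dll Winlogon Notify) and reports the second log as clean; on a log from another machine, treat the flagged list as the items to look up, not as proof of infection.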
Xil
(Xil)
10 March 2007 11:56
#5
Cosmetics done; the computer now runs without any problems. Many thanks for the help. Regards.