Wgareg.exe i .exe

Dla specjalistów Bezpieczeństwo
#1

Witam.

Kłopot z wymienionymi w temacie paskudztwami.

Objawy: po kilku lub kilkunastu minutach rozłącza neostrade.

Wiem że to te pliki bo miałem komunikaty z nimi w roli głównej.

Skanowałem twarde dyski skanerem online.

Zainstalowałem SpyBot’a, Ad Aware, Bit Defender 9.

Trochę innego syfu się pozbyłem. Ale główny problem wciąż się pojawia.

SpyBot cały czas znajduje coś takiego:

Windows Security Center.Firewall Disable Notify

Windows Security Center.Antivirus Disable Notify

Windows Security Center.Antivirus Override

Windows Security Center.Firewall Disable

Przed pojawieniem się problemu rozłączania internetu cały czas używałem AdAware i Kerio Firewall.

Nie moge z tym cholerstwem dać rady. Nie jestem mocny w te klocki więc dobrze by było żeby ktoś prowadził krok po kroku ze szczegółami.

Ludzie pomocy bo się wykończe !!

Zainstalowalem właśnie Hijackthis.

Oto Ostatni log:

Logfile of HijackThis v1.99.1

Scan saved at 19:13:19, on 2006-09-13

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\HASPSrv.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\Softwin\BitDefender9\bdmcon.exe

C:\Program Files\Softwin\BitDefender9\bdoesrv.exe

C:\Program Files\Softwin\BitDefender9\bdnagent.exe

C:\Program Files\Softwin\BitDefender9\vsserv.exe

C:\Program Files\Softwin\BitDefender9\bdswitch.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Programy\GG\Gadu-Gadu\gg.exe

C:\Program Files\totalcmd\TOTALCMD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\IZAMA~1\USTAWI~1\TEMP\_tc\HIJACK~1.EXE


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\OCHRON~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"

O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"

O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"

O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"

O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{780366B2-7318-4D8F-A352-5EC95DF27AEC}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: HASPSrv - ComArch - C:\WINDOWS\System32\HASPSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)

O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)

O23 - Service: Windows Genuine Advantage Registration Service (wgareg) - Unknown owner - C:\WINDOWS\System32\wgareg.exe

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Pozdrawiam

Markos

markos5@interia.pl

#2

tu coś możesz o tym poczytać, niestety w języku angielskim

http://forums.spybot.info/showthread.php?t=75

#3

  1. Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jezeli któryś z nich bedzie na żółto to go zostaw). Po użyciu wymagany jest restart.

  2. Ściągnij Gmera

W Gmerze:

  1. Zakładka usługi -> skasuj z prawokliku usługę HASPSrv oraz wgareg

  2. Zakładka CMD -> Podopcja CMD -> Wklejasz:

    CD C:\WINDOWS\system32

    DEL winsys32.exe

    DEL HASPSrv.exe

    DEL wgareg.exe

  3. Zakładka Procesy -> Opcja Zabij wszystko.

  4. Powrót do zakładki CMD i opcja Uruchom

  5. Zakładka Procesy, kliknij , wskaż narzędzie Hijack i skasuj wpisy:

Po wykonaniu w/w dajesz nowy log z HijackThis plus z SilentRunners. Jeżeli podczas uruchamiania silenta pokaże się jakiś błąd to proszę podać jego dokładną treść.

#4

To zostawiasz :!:

#5

Witam.

Adam 9870 jest kłopot.

W Windows Worms Doors Cleaner mam tak:

1.DCOM RPC (port 135) Enable jest zielony

2.Warning: RPC Locator (port 445) is Enabled on your system.

Jest czerwony i nic nie da sie z nim zrobic.

3.Warning: NetBios will be Enabled after the next Reboot.

jest żółty i napis Close 137:139

  1. UPNP (port 5000) is safely Disabled on your system.

Jest zielony.

  1. Messenger (NetBIOS/RPC ports) is safely Disabled on your system.

Jest zielony.

I co z tym czerwonym zrobic?

Markos_21

markos5@interia.pl

#6

Kliknij na przycisk: Close 445 przy RPC Locator :slight_smile:

#7

Witam.

Oto ostatni log z HiJackThis:

Logfile of HijackThis v1.99.1

Scan saved at 23:39:23, on 2006-09-13

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\HASPSrv.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\Softwin\BitDefender9\bdmcon.exe

C:\Program Files\Softwin\BitDefender9\bdoesrv.exe

C:\Program Files\Softwin\BitDefender9\bdnagent.exe

C:\Program Files\Softwin\BitDefender9\vsserv.exe

C:\Program Files\Softwin\BitDefender9\bdswitch.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\Program Files\totalcmd\TOTALCMD.EXE

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Internet Explorer\iexplore.exe

c:\My Shared Folder\antywire i spyware\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\OCHRON~1\SPYBOT~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender9\bdmcon.exe"

O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"

O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender9\bdnagent.exe"

O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Program Files\Softwin\BitDefender9\bdswitch.exe"

O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{780366B2-7318-4D8F-A352-5EC95DF27AEC}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)

O23 - Service: HASPSrv - ComArch - C:\WINDOWS\System32\HASPSrv.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)

O23 - Service: MSSQLServerADHelper - Unknown owner - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe (file missing)

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Jak to wygląda teraz ?

Pozdrawiam

Markos_21

markos5@interia.pl

#8

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz :

Plik usuń ręcznie z dysku (o ile będzie)

Wklej Loga SilentRunners

#9

Witam ponownie.

Włączyłem tryb awaryjny.

O4 - HKLM\..\RunServices: [Microsoft Update] winsys32.exe

oczywiście nie znalazłem. Muszę przyznać, że przestał się wyłączać internet i programy zaczęły działać w swoim normalnym tempie. Jest znaczna poprawa bo boję się napisać że jest doskonale. :smiley: Oto ostatni log z Silenta :

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" [null data]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"Mirabilis ICQ" = "C:\Program Files\ICQ\ICQ.exe -minimize" [file not found]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"BDMCon" = ""C:\Program Files\Softwin\BitDefender9\bdmcon.exe"" ["SOFTWIN S.R.L."]

"BDOESRV" = ""C:\Program Files\Softwin\BitDefender9\bdoesrv.exe"" ["SOFTWIN SRL"]

"BDNewsAgent" = ""C:\Program Files\Softwin\BitDefender9\bdnagent.exe"" ["SOFTWIN S.R.L"]

"BDSwitchAgent" = ""C:\Program Files\Softwin\BitDefender9\bdswitch.exe"" [null data]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx" [empty string]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\OCHRON~1\SPYBOT~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\KWARAN~1\Programy\WINZIP~1.0\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\KWARAN~1\Programy\WINZIP~1.0\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\KWARAN~1\Programy\WINZIP~1.0\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"

  -> {HKLM...CLSID} = "IZArc DragDrop Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

"{D0FAC080-AE1A-11ce-8016-CE90976DC901}" = "Picture Publisher File Viewer"

  -> {HKLM...CLSID} = "Picture Publisher File Viewer"

                   \InProcServer32\(Default) = "ppiv20.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = (no title provided)

  -> {HKLM...CLSID} = "Skrót internetowy"

                   \InProcServer32\(Default) = "shdocvw.dll" [MS]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "sockspy.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\KWARAN~1\Programy\WINZIP~1.0\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\KWARAN~1\Programy\WINZIP~1.0\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "D:\KWARAN~1\Programy\WINZIP~1.0\WZSHLSTB.DLL" ["WinZip Computing, Inc."]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Iza & Markos\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\MARINE~1.SCR" [file not found]



Startup items in "Iza & Markos" & "All Users" startup folders:

--------------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"NkbMonitor.exe" -> shortcut to: "C:\Program Files\Nikon\PictureProject\NkbMonitor.exe" ["Nikon Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

  -> {HKLM...CLSID} = "Web Browser Applet Control"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\


Missing lines (compared with English-language version):

"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


BitDefender Communicator, XCOMM, ""C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service" ["Softwin"]

BitDefender Desktop Update Service, LIVESRV, ""C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service" ["SOFTWIN S.R.L."]

BitDefender Scan Server, bdss, ""C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service" [null data]

BitDefender Virus Shield, VSSERV, ""C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service" ["SOFTWIN S.R.L."]

HASPSrv, HASPSrv, "C:\WINDOWS\System32\HASPSrv.exe" ["ComArch"]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Sunbelt Kerio Personal Firewall 4, KPF4, "C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe" ["Sunbelt Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



Keyboard Driver Filters:

------------------------


HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 103 seconds, including 8 seconds for message boxes)

Mam nadzieję, że jest OK i to koniec problemów.

Przynajmniej na razie.

Pozdrawiam i dziękuję wszystkim za bezcenne rady.

Markos_21

markos5@interia.pl

#10

Jest OK :slight_smile:

Przeczyść rejestr (polecam do tego jv16 PowerTools 1.3.0.195), zrób defragmentację, oraz przejrzyj: Optymalizacja XP

Wejdź: Start --> uruchom --> msconfig i w zakładce uruchamianie odznacz (według Ciebie) niepotrzbne przy autostarcie programy :slight_smile: