Windows uruchamia sie 10 min + log


(Pablodh) #1

Nie wiem co jest komp uruchamia sie 10 min , programy dzialaja baardzo wolno zapewne mam duzo syfu ktory trzeba usunąc wiec proszę o pomoc.

Logfile of HijackThis v1.99.1

Scan saved at 11:40:45, on 2007-03-11

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\LEXPPS.EXE

C:\WINNT\system32\spoolsv.exe

C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

C:\WINNT\system32\bgsvcgen.exe

C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe

C:\Program Files\F-Secure\Common\FSMA32.EXE

C:\Program Files\F-Secure\Common\FSMB32.EXE

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\F-Secure\Common\FCH32.EXE

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\F-Secure\Common\FAMEH32.EXE

C:\Program Files\F-Secure\Anti-Virus\fsqh.exe

C:\Program Files\F-Secure\Anti-Virus\fsrw.exe

C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

C:\Program Files\F-Secure\Common\FNRB32.EXE

C:\Program Files\F-Secure\Common\FIH32.EXE

C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

C:\Program Files\F-Secure\Anti-Virus\fsav32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\wuauclt.exe

C:\Program Files\F-Secure\Common\FSM32.EXE

C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

C:\Program Files\Winamp\winampa.exe

C:\WINNT\SOUNDMAN.EXE

C:\WINNT\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe

C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

C:\Program Files\F-Secure\FSGUI\fsguidll.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

C:\Documents and Settings\ew.E-WYSOCKA\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll (file missing)

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://egeria/msrdp.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0EE66AD1-9419-4A16-921D-ED4020FDCB9D}: Domain = polski-cukier.pl

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = polski-cukier.pl

O17 - HKLM\System\CS1\Services\Tcpip\..\{0EE66AD1-9419-4A16-921D-ED4020FDCB9D}: Domain = polski-cukier.pl

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = polski-cukier.pl

O17 - HKLM\System\CS2\Services\Tcpip\..\{0EE66AD1-9419-4A16-921D-ED4020FDCB9D}: Domain = polski-cukier.pl

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = polski-cukier.pl

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

(adam9870) #2

Plik usuń ręcznie z dysku natomiast wpisy HijackThis.

Użyj narzędzia SmitFraudFix z opcji numer 2 w trybie awaryjnym.

Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt


(Pablodh) #3

log z hijackthis

Logfile of HijackThis v1.99.1

Scan saved at 13:00:38, on 2007-03-11

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\LEXPPS.EXE

C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

C:\WINNT\system32\bgsvcgen.exe

C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe

C:\Program Files\F-Secure\Common\FSMA32.EXE

C:\Program Files\F-Secure\Common\FSMB32.EXE

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\F-Secure\Common\FCH32.EXE

C:\WINNT\system32\MSTask.exe

C:\WINNT\system32\slserv.exe

C:\WINNT\system32\stisvc.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\mspmspsv.exe

C:\WINNT\system32\svchost.exe

C:\Program Files\F-Secure\Common\FAMEH32.EXE

C:\Program Files\F-Secure\Anti-Virus\fsqh.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\F-Secure\Anti-Virus\fsrw.exe

C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

C:\Program Files\F-Secure\Common\FNRB32.EXE

C:\Program Files\F-Secure\Common\FIH32.EXE

C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

C:\Program Files\F-Secure\Anti-Virus\fsav32.exe

C:\WINNT\Explorer.EXE

C:\WINNT\system32\wuauclt.exe

C:\Program Files\F-Secure\Common\FSM32.EXE

C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe

C:\Program Files\Winamp\winampa.exe

C:\WINNT\SOUNDMAN.EXE

C:\WINNT\system32\ctfmon.exe

C:\PROGRA~1\F-Secure\ANTI-S~1\fsaw.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

C:\Program Files\F-Secure\FSGUI\fsguidll.exe

C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe

C:\WINNT\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\ew.E-WYSOCKA\Pulpit\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: (no name) - {84938242-5C5B-4A55-B6B9-A1507543B418} - (no file)

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash

O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: F-Secure Automatic Update.lnk = C:\Program Files\F-Secure\BackWeb\7681197\program\F-Secure Automatic Update.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Block this popup - C:\Program Files\F-Secure\Anti-Spyware\blockpopups.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\f-secure\fsps\program\fslsp.dll

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://egeria/msrdp.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0EE66AD1-9419-4A16-921D-ED4020FDCB9D}: Domain = polski-cukier.pl

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = polski-cukier.pl

O17 - HKLM\System\CS1\Services\Tcpip\..\{0EE66AD1-9419-4A16-921D-ED4020FDCB9D}: Domain = polski-cukier.pl

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = polski-cukier.pl

O17 - HKLM\System\CS2\Services\Tcpip\..\{0EE66AD1-9419-4A16-921D-ED4020FDCB9D}: Domain = polski-cukier.pl

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = polski-cukier.pl

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE

O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINNT\system32\bgsvcgen.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program Files\F-Secure\Common\FNRB32.EXE

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe

SilentRunners

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"ares" = ""C:\Program Files\Ares\Ares.exe" -h" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"rare" = "C:\Program Files\Video Access ActiveX Object\pmsnrr.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"CHotkey" = "mHotkey.exe" [file not found]

"F-Secure Manager" = ""C:\Program Files\F-Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]

"F-Secure TNB" = ""C:\Program Files\F-Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]

"LogitechCommunicationsManager" = ""C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"" ["Logitech Inc."]

"LogitechQuickCamRibbon" = ""C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide" ["Logitech Inc."]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" [file not found]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

<> "{aed6f6a3-183c-488d-9f90-23db99f56e7f}" = "apathies"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\system32\geplxss.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"CDRAutoRun" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "(BRAK)" [file not found]



Startup items in "ew" & "All Users" startup folders:

----------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\F-Secure\FSPS\program\FSLSP.DLL ["F-Secure Corporation"], 01 - 02, 09

%SystemRoot%\system32\msafd.dll [MS], 03 - 06, 10 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{300DB664-75B5-47C0-8B45-A44ACCF73C00}\

"ButtonText" = "IE Shield"

"MenuText" = "IE Shield..."

"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}"

  -> {HKLM...CLSID} = "F-Secure IE Shield COM button"

                   \InProcServer32\(Default) = "C:\Program Files\F-Secure\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"]



All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------


B's Recorder GOLD Library General Service, bgsvcgen, "C:\WINNT\system32\bgsvcgen.exe" ["B.H.A Corporation"]

DSDM DDE sieci, NetDDEdsdm, "C:\WINNT\system32\netdde.exe" [MS]

F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]

F-Secure Automatic Update, BackWeb Plug-in - 7681197, "C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE" ["F-Secure Automatic Update"]

F-Secure Management Agent, FSMA, ""C:\Program Files\F-Secure\Common\FSMA32.EXE"" ["F-Secure Corporation"]

F-Secure Network Request Broker, F-Secure Network Request Broker, ""C:\Program Files\F-Secure\Common\FNRB32.EXE"" ["F-Secure Corporation"]

fsbwsys, fsbwsys, ""C:\Program Files\F-Secure\BackWeb\7681197\program\fsbwsys.exe"" ["F-Secure Corp."]

FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe"" ["F-Secure Corp."]

LexBce Server, LexBceS, "C:\WINNT\system32\LEXBCES.EXE" ["Lexmark International, Inc."]

LVSrvLauncher, LVSrvLauncher, "C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe" ["Logitech Inc."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

Process Monitor, LVPrcSrv, "c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe" ["Logitech Inc."]

SmartLinkService, SLService, "slserv.exe" [" "]

System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]

Usługa SNMP Trap, SNMPTRAP, "C:\WINNT\System32\snmptrap.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]

Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]

Lexmark Z65 Port Monitor\Driver = "lxalpmnt.dll" ["Lexmark International, Inc."]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 140 seconds.

---------- (total run time: 189 seconds)

a pliku rapport.txt nie ma :?


(Gutek) #4

usuń wpis HJT

Czy na pewno użyłeś SmitFraudFix wybierz opcji nr 2?


(Pablodh) #5

ok mam juz tylko jakies bled wyskoczył podczas pracy smitfraudfix .. wklejam rapport :

SmitFraudFix v2.148


Scan done at 13:41:02,67, N 2007-03-11

Run from C:\Documents and Settings\ew\Pulpit\SmitfraudFix

OS: Microsoft Windows 2000 [Wersja 5.00.2195] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{aed6f6a3-183c-488d-9f90-23db99f56e7f}"="apathies"


[HKEY_CLASSES_ROOT\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]

@="C:\WINNT\system32\geplxss.dll"


[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{aed6f6a3-183c-488d-9f90-23db99f56e7f}\InProcServer32]

@="C:\WINNT\system32\geplxss.dll"



»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» hosts



127.0.0.1 localhost


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


C:\WINNT\system32\geplxss.dll Deleted

C:\DOCUME~1\EW2FC7~1.E-W\Ulubione\Online Security Test.url Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End


[/code]

(adam9870) #6

Ok, SmitFraudFix trochę przeczyścił.

Czy masz jeszcze jakieś problemy?