killer87
(Pawelsornek)
21 Kwiecień 2007 20:18
#1
Miałem zainstalowany dodatek Vista Transformation Pack 5.5 i po odinstalowaniu po pewnym czasie komputer zaczął wolno chodzić i trzeba długo czekać aby strony internetowe się załadowały (mam neo 512). Dodam jeszcze że polecenie msconfig nie działa tzn. pisze że : Nazwa ‘msconfig’ nie jest rozpoznawalna jako polecenie wewnetrzne lub zewnętrzne , program wykonywalny lub plik wsadowy
Logfile of HijackThis v1.99.1 Scan saved at 22:13:26, on 2007-04-21 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\WINDOWS\system32\spoolsvv.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Documents and Settings\killer\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [ATICCC] “C:\Program Files\ATI Technologies\ATI.ACE\cli.exe” runtime -Delay O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [LGODDFU] “C:\Program Files\lg_fwupdate\fwupdate.exe” blrun O4 - HKLM…\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{E94BFA99-1C63-4941-963D-65438F285E64}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: hpdj - HP - C:\DOCUME~1\killer\USTAWI~1\Temp\hpdj.exe O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Monczkin
(Monczkin)
21 Kwiecień 2007 20:20
#2
killer87 może tak opisz dokładnie problem :!:
Joan
(Joan Sunshine)
22 Kwiecień 2007 12:52
#4
Pobierz i uruchom narzędzie The Avenger Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:
Klikasz Done , a następnie zielone światełko i zgadzasz się na restart klikając OK .
Kasujesz ręcznie z dysku plik: C:\Avenger\backup.zip i wklejasz na forum raport: C:\avenger.txt
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe, O4 - HKLM…\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O23 - Service: hpdj - HP - C:\DOCUME~1\killer\USTAWI~1\Temp\hpdj.exe
usun wpisy, daj logi hjt + silentrunners
cta.dll > znajdź na dysku ten plik i sprawdź we właściwościach od czego on jest
adam9870
(adam9870)
22 Kwiecień 2007 13:31
#6
Proszę pokazać nowy log z HijackThis plus z SilentRunners oraz informacje z właściwości pliku cta.dll
Joan
(Joan Sunshine)
22 Kwiecień 2007 13:44
#8
silent ucięty jest. gdzie on się znajduje to my wiemy :lol: więc teraz klik prawym klawiszem myszy na niego i sprawdzasz, co to jest i od jakiego softu
killer87
(Pawelsornek)
22 Kwiecień 2007 13:54
#9
Typ pliku : Rozszrzenie aplikacji
Otwieranie za pomocą : Nieznana aplikacja
adam9870
(adam9870)
22 Kwiecień 2007 14:07
#10
Przeskanuj ten plik na stronie http://virusscan.jotti.org/ i http://www.virustotal.com/vt/ i wklej raporty plus nowe, pełne logi.
Joan
(Joan Sunshine)
22 Kwiecień 2007 14:07
#11
wersja? podsumowanie? mamy wróżyć? :roll:
killer87
(Pawelsornek)
22 Kwiecień 2007 14:12
#12
nic więcej nie pisze
Złączono Posta : 22.04.2007 (Nie) 16:23
Złączono Posta : 22.04.2007 (Nie) 16:26
Złączono Posta : 22.04.2007 (Nie) 16:29
Logfile of HijackThis v1.99.1 Scan saved at 16:27:49, on 2007-04-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\killer\Pulpit\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [LGODDFU] “C:\Program Files\lg_fwupdate\fwupdate.exe” blrun O4 - HKLM…\Run: [jv16PT - Privacy Protector] C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask “C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb” O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O10 - Unknown file in Winsock LSP: c:\windows\system32\cta.dll O17 - HKLM\System\CCS\Services\Tcpip…{E94BFA99-1C63-4941-963D-65438F285E64}: NameServer = 194.204.159.1 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
Joan
(Joan Sunshine)
22 Kwiecień 2007 14:45
#13
cóż, wywalamy
Ściągnij i odpal LSP-Fix zaznacz “I know what I’m doing” następnie w okienku Keep zaznacz plik cta.dll i za pomocą strzałki (>>) przenieś go do okienka Remover i kliknij Finish i restart kompa.
Nowe logi.
killer87
(Pawelsornek)
22 Kwiecień 2007 14:54
#14
Logfile of HijackThis v1.99.1 Scan saved at 16:53:42, on 2007-04-22 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\lg_fwupdate\fwupdate.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\killer\Pulpit\hijackthis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O4 - HKLM…\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe” O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [LGODDFU] “C:\Program Files\lg_fwupdate\fwupdate.exe” blrun O4 - HKLM…\Run: [jv16PT - Privacy Protector] C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask “C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb” O17 - HKLM\System\CCS\Services\Tcpip…{E94BFA99-1C63-4941-963D-65438F285E64}: NameServer = 194.204.159.1 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
Złączono Posta : 22.04.2007 (Nie) 17:00
Nie wiem czy to ważne ale w okienku Keep mam jeszcze następujące pliki:
mswsock.dll
winrnr.dll
khybidapues.dll
rsvpsp.dll
adam9870
(adam9870)
22 Kwiecień 2007 15:00
#15
Zrób to, co pisała Joan z plikiem khybidapues.dll, a następnie pokaż log z SilentRunners .
M_i_r
(Mirfi2)
22 Kwiecień 2007 15:43
#16
czy to nie jest wtyczka końcowego klienta sieci korporacyjnej
stosowana dla zabezpieczeń ? plugins from Cisco Trust Agent (clients)
http://www.google.com/search?q=cta.dll& … f8&oe=utf8
Joan
(Joan Sunshine)
22 Kwiecień 2007 15:53
#17
Heh. Zobaczymy, co się będzie działo, nikt nie ma patentu na wiedzę. Skanery pokazały w tym trojana, więc kazałam usuwać.
killer87
(Pawelsornek)
22 Kwiecień 2007 16:33
#18
Wywaliłem ten plik khybidapues.dll a pozostałe zostawic?? poniżej log z SilentRunners
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NVMixerTray” = ““C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”” [“NVIDIA Corporation”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “RemoteControl” = ““C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Nero AG”] “LGODDFU” = ““C:\Program Files\lg_fwupdate\fwupdate.exe” blrun” [“BL”] “jv16PT - Privacy Protector” = “C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask “C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb”” [“Macecraft Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{FEB7DAE0-E111-11D0-BFD7-444553540000}” = “ICEOWS” -> {HKLM…CLSID} = “Folder Iceows” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\IceGUI.dll” [“Raphaël MOUNIER”] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Nero AG”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] ICEOWS(Default) = “{FEB7DAE0-E111-11D0-BFD7-444553540000}” -> {HKLM…CLSID} = “Folder Iceows” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\IceGUI.dll” [“Raphaël MOUNIER”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ICEOWS(Default) = “{FEB7DAE0-E111-11D0-BFD7-444553540000}” -> {HKLM…CLSID} = “Folder Iceows” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\IceGUI.dll” [“Raphaël MOUNIER”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “EnableLUA” = (REG_DWORD) hex:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\killer\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Nero AG”] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt08\Driver = “hpzsnt08.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 51 seconds, including 1 second for message boxes)
Złączono Posta : 22.04.2007 (Nie) 18:35
Wywaliłem ten plik khybidapues.dll a pozostałe zostawic?? poniżej log z SilentRunners
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NVMixerTray” = ““C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”” [“NVIDIA Corporation”] “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “RemoteControl” = ““C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Nero AG”] “LGODDFU” = ““C:\Program Files\lg_fwupdate\fwupdate.exe” blrun” [“BL”] “jv16PT - Privacy Protector” = “C:\Program Files\jv16 PowerTools 2006\jv16PT.exe -ExecTask “C:\Program Files\jv16 PowerTools 2006\Tasks_PrivacyProtector\Task.jvb”” [“Macecraft Software”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{5E2121EE-0300-11D4-8D3B-444553540000}” = “Catalyst Context Menu extension” -> {HKLM…CLSID} = “SimpleShlExt Class” \InProcServer32(Default) = “C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll” [empty string] “{FEB7DAE0-E111-11D0-BFD7-444553540000}” = “ICEOWS” -> {HKLM…CLSID} = “Folder Iceows” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\IceGUI.dll” [“Raphaël MOUNIER”] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Nero AG”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] ICEOWS(Default) = “{FEB7DAE0-E111-11D0-BFD7-444553540000}” -> {HKLM…CLSID} = “Folder Iceows” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\IceGUI.dll” [“Raphaël MOUNIER”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ICEOWS(Default) = “{FEB7DAE0-E111-11D0-BFD7-444553540000}” -> {HKLM…CLSID} = “Folder Iceows” \InProcServer32(Default) = “C:\WINDOWS\system32\ShellExt\IceGUI.dll” [“Raphaël MOUNIER”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “EnableLUA” = (REG_DWORD) hex:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\killer\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Nero AG”] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt08\Driver = “hpzsnt08.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 51 seconds, including 1 second for message boxes)