Wskakujace reklamy


(Ster64) #1

Zaistniał problem, ponieważ wskakują mi reklamy, komp mi się zwolnił, w sesie się tnie często itp. Proszę HELP!!

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"DeluxeCommunications" = "D:\Program Files\DeluxeCommunications\Dxc.exe" [null data]

"IpWins" = "D:\Program Files\Ipwindows\ipwins.exe" [null data]

"BitTorrent" = ""D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized" [file not found]

"Rtsd" = ""D:\DOCUME~1\Seba\MOJEDO~1\PPATCH~1\logonui.exe" -vt yazb" [null data]

"Dchufjsj" = "D:\WINDOWS\*dobe\**rvices.exe" (unwritable string) [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"NVMixerTray" = ""D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]

"WOOKIT" = "D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe" ["France Télécom R&D"]

"WooCnxMon" = "D:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"WOOWATCH" = "D:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"NeroCheck" = "D:\WINDOWS\system32\\NeroCheck.exe" ["Ahead Software Gmbh"]

"Lexmark X1100 Series" = ""D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]

"p2p networking" = "p2pnetworking.exe" [null data]

"bantool" = "D:\WINDOWS\system32\smpi1\lin.exe" ["ewekerjkwjekjrje"]

"runner1" = "D:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310" [empty string]

"DeluxeCommunications" = "D:\Program Files\DeluxeCommunications\Dxc.exe" [null data]

"RelevantKnowledge" = "d:\windows\system32\rlvknlg.exe -boot" ["RelevantKnowledge"]

"webHancer Agent" = "D:\Program Files\webHancer\Programs\whagent.exe" ["webHancer Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{4DC4D44C-34DF-0E61-F238-6DE34BE4F990}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\rqttrbex.dll" [null data]

{c900b400-cdfe-11d3-976a-00e02913a9e0}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "WhIeHelperObj Class"

                   \InProcServer32\(Default) = "D:\Program Files\webHancer\programs\whiehlpr.dll" ["webHancer Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

Złączono Posta : 11.05.2007 (Pią) 10:19

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 10:18:26, on 2007-05-11

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\LEXBCES.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\LEXPPS.EXE

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\SOUNDMAN.EXE

D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

D:\PROGRA~1\NEOSTR~1\CnxMon.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

D:\WINDOWS\system32\RUNDLL32.EXE

D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

D:\WINDOWS\system32\smpi1\lin.exe

D:\WINDOWS\retadpu1000137.exe

D:\Program Files\webHancer\Programs\whagent.exe

D:\WINDOWS\system32\ctfmon.exe

D:\PROGRA~1\NEOSTR~1\ComComp.exe

D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

D:\Program Files\Ipwindows\ipwins.exe

D:\DOCUME~1\Seba\MOJEDO~1\PPATCH~1\logonui.exe

D:\WINDOWS\?dobe\??rvices.exe

D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\Documents and Settings\All Users\Menu Start\Programy\Autostart\taskmgr.exe

D:\WINDOWS\System32\alg.exe

D:\PROGRA~1\NEOSTR~1\Watch.exe

D:\WINDOWS\system32\wscntfy.exe

d:\windows\system32\rlvknlg.exe

D:\Program Files\Mozilla Firefox\firefox.exe

D:\Program Files\Gadu-Gadu\gg.exe

d:\Program Files\WinRAR\WinRAR.exe

D:\DOCUME~1\Seba\USTAWI~1\Temp\Rar$EX00.282\HiJackThis_v2.exe

D:\WINDOWS\system32\wbem\wmiprvse.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - D:\Program Files\DeluxeCommunications\DxcBho.dll

O2 - BHO: (no name) - {4DC4D44C-34DF-0E61-F238-6DE34BE4F990} - D:\WINDOWS\system32\rqttrbex.dll

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - D:\Program Files\webHancer\programs\whiehlpr.dll

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [WOOKIT] D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

O4 - HKLM\..\Run: [WooCnxMon] D:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\\NeroCheck.exe

O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe

O4 - HKLM\..\Run: [bantool] D:\WINDOWS\system32\smpi1\lin.exe

O4 - HKLM\..\Run: [runner1] D:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

O4 - HKLM\..\Run: [DeluxeCommunications] D:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKLM\..\Run: [RelevantKnowledge] d:\windows\system32\rlvknlg.exe -boot

O4 - HKLM\..\Run: [webHancer Agent] D:\Program Files\webHancer\Programs\whagent.exe

O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [DeluxeCommunications] D:\Program Files\DeluxeCommunications\Dxc.exe

O4 - HKCU\..\Run: [IpWins] D:\Program Files\Ipwindows\ipwins.exe

O4 - HKCU\..\Run: [BitTorrent] "D:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

O4 - HKCU\..\Run: [Rtsd] "D:\DOCUME~1\Seba\MOJEDO~1\PPATCH~1\logonui.exe" -vt yazb

O4 - HKCU\..\Run: [Dchufjsj] D:\WINDOWS\?dobe\??rvices.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: taskmgr.exe

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8408ED-C11C-4163-BC78-E0E7C28A980C}: NameServer = 194.204.152.34 217.98.63.164

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe


--

End of file - 5769 bytes

(sdar) #2

Malarz1990, proszę zastosować się do zaleceń zawartych w TYM temacie. W przeciwnym wypadku temat zostanie usunięty.


(Gutek) #3

  1. Wyłączyć Przywracanie systemu w XP.

  2. Zastartować do trybu awaryjnego bez internetu.

  3. Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte.

  4. Skasować z dysku pliki i foldery, które podkreśliłem na czerwono.

  5. Dokończyć skanerami online – skanery do wyboru.

  6. Pokazać nowe logi HJT + Silent :stuck_out_tongue:


(Ster64) #4

Tzn.? Bo nie rozumiem, gdzie to jest?

Złączono Posta : 11.05.2007 (Pią) 18:49

Wrzucę od razu też logi z HaxFixa:

HAXFIX logfile - by Marckie


version 4.40 

2007-05-11 18:46:33,62 


--- Checking for Haxdoor ---


checking for a3d files

a3d files not found


checking for matching notify keys

no matching notify keys found 


checking for matching services

no matching services found 


checking for matching safeboot services

no matching safeboot services found 


checking for other Haxdoor-files

no other Haxdoor-files found



--- Checking for Goldun ---



checking for SSODL keys

no ssodl keys found


checking for notify keys

no notify keys found


checking for services

no services found


checking for other Goldun-files

no other Goldun-files found


checking iexplore.exe

iexplore.exe is not infected 



Finished!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 18:48:23, on 2007-05-11

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\LEXBCES.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\LEXPPS.EXE

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

D:\WINDOWS\system32\RUNDLL32.EXE

D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\Program Files\Gadu-Gadu\gg.exe

D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

D:\PROGRA~1\NEOSTR~1\ComComp.exe

D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\WINDOWS\system32\wscntfy.exe

D:\PROGRA~1\NEOSTR~1\Watch.exe

D:\Program Files\Mozilla Firefox\firefox.exe

d:\Program Files\WinRAR\WinRAR.exe

D:\DOCUME~1\Seba\USTAWI~1\Temp\Rar$EX03.937\HiJackThis_v2.exe


O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [WOOKIT] D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O10 - Hijacked Internet access by WebHancer

O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8408ED-C11C-4163-BC78-E0E7C28A980C}: NameServer = 194.204.152.34 217.98.63.164

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe


--

End of file - 3092 bytes

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NVMixerTray" = ""D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]

"WOOKIT" = "D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"Lexmark X1100 Series" = ""D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "d:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\Seba\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\WINDOWS\system32\logon.scr" [MS]



Startup items in "Seba" & "All Users" startup folders:

------------------------------------------------------


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"DSLMON" -> shortcut to: "D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

D:\Program Files\webHancer\Programs\webhdll.dll ["webHancer Corporation"], 01 - 02, 20

%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "D:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "D:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "D:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


LexBce Server, LexBceS, "D:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]

WinFast(R) Display Driver Service, NVSvc, "D:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 25 seconds, including 6 seconds for message boxes)

(Vanshei) #5

Klikasz prawym na Mój komputer, dajesz Właściwości i w zakładce Przywracanie systemu zaznaczasz „Wyłącz przywracanie systemu na wszystkich dyskach”.


(Gutek) #6

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny, inaczej KOSZ.

Pozdrawiam Gutek2222

Zostało

Odpal LSP-Fix, zaznacz "I know what I'm doing", następnie w okienku Keep zaznacz plik webhdll.dll, za pomocą strzałki (>>) przenieś go do okienka Remover i kliknij Finish.


(Ster64) #7

Dla pewności dam jeszcze logi z HiJacka:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 09:28:29, on 2007-05-12

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

Boot mode: Normal


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\LEXBCES.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\LEXPPS.EXE

D:\WINDOWS\system32\nvsvc32.exe

D:\WINDOWS\system32\svchost.exe

D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

D:\WINDOWS\system32\RUNDLL32.EXE

D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

D:\WINDOWS\system32\ctfmon.exe

D:\PROGRA~1\NEOSTR~1\ComComp.exe

D:\Program Files\Lexmark X1100 Series\lxbkbmon.exe

D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\PROGRA~1\NEOSTR~1\Watch.exe

D:\WINDOWS\system32\wscntfy.exe

D:\Program Files\Mozilla Firefox\firefox.exe

E:\Program Files\9Dragons\NDLauncher2.exe

D:\Program Files\Gadu-Gadu\gg.exe

d:\Program Files\WinRAR\WinRAR.exe

D:\DOCUME~1\Seba\USTAWI~1\Temp\Rar$EX00.110\HiJackThis_v2.exe


O4 - HKLM\..\Run: [NVMixerTray] "D:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [WOOKIT] D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Lexmark X1100 Series] "D:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{4F8408ED-C11C-4163-BC78-E0E7C28A980C}: NameServer = 194.204.152.34 217.98.63.164

O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - D:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe


--

End of file - 3000 bytes

(Gutek) #8

Jest już OK.