Monczkin
(Monczkin)
10 Luty 2007 14:52
#2
dani123 proszę nazwać temat konkretnie i opisać w czym jest problem
adam9870
(adam9870)
10 Luty 2007 14:59
#3
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Uninstall.exe
C:\WINDOWS\System32\rpcc.dll
po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.
Usuń wpisy HJT.
Czy masz jeszcze Pandę? Jeśli nie to pobierz i odpal LSP-Fix zaznacz " I know what I’m doing " następnie w okienku Keep zaznacz bibliotekę pavlsp.dll i za pomocą strzałki (>>) przenieś ją do okienka Remover i kliknij Finish i restart. Tylko pod żadnym pozorem nie kasuj wpisu O10 hijackiem ponieważ stracisz neta.
Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .
dani123
(Dal5)
10 Luty 2007 16:23
#4
dzieki spróbuje wszystko zrozumieć i postępować wg instr.
pandy nie mam - mam mks vir 2k7 czy go odinstalować?
adam9870
(adam9870)
10 Luty 2007 16:26
#5
Nie, używaj go sobie jeśli chcesz. Po prostu w logu ujrzałem resztkę po Pandzie w łańcuchu WinSock dlatego jeśli jej nie masz, to przydałoby się ją kompletnie usunąć.
dani123
(Dal5)
10 Luty 2007 16:27
#6
Monczkin próbuje opróżnić komp. ze szkodliwych programów itp.
Złączono Posta : 10.02.2007 (Sob) 22:30
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “HPDJ Taskbar Utility” = “C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe” [“HP”] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe” [“Sun Microsystems, Inc.”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS] “NeroCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Copyright © ahead software gmbh and its licensors”] “UserFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -u” “mkstray” = “D:\Program Files\mks_vir_2007\bin\mkstray.exe” [“MKS Sp z o.o.”] “MKSRegmon” = “D:\Program Files\mks_vir_2007\bin\mksregmon.exe” [null data] “mks_mail” = “D:\Program Files\mks_vir_2007\bin\mks_mail.exe” [“MkS Sp. z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “D:\Program Files\mks_vir_2007\bin\mksshell.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “D:\Program Files\mks_vir_2007\bin\mksshell.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Daniela\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Daniela\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: D:\Program Files\mks_vir_2007\bin\mkslsp.dll [null data], 01 - 03, 15 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_04” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Messenger” “Exec” = “C:\Program Files\Messenger\MSMSGS.EXE” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] mks_vir file monitor, MksVirMonSvc, “D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe” [null data] MksFwall, MksFwall, ““D:\Program Files\mks_vir_2007\bin\MksFwall.exe”” [“MKS Sp z o.o.”] MksPC, MksPC, ““D:\Program Files\mks_vir_2007\bin\MksPC.exe”” [null data] MksUpdate, MksUpdate, ““D:\Program Files\mks_vir_2007\bin\mksupdate.exe”” [“MKS Sp. z o. o.”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt05\Driver = “hpzsnt05.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 86 seconds. ---------- (total run time: 282 seconds)
Logfile of HijackThis v1.99.1 Scan saved at 22:33:00, on 2007-02-10 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\RunDll32.exe C:\Program Files\Ahead\InCD\InCD.exe D:\Program Files\mks_vir_2007\bin\mkstray.exe D:\Program Files\mks_vir_2007\bin\mksregmon.exe D:\Program Files\mks_vir_2007\bin\mks_mail.exe C:\Program Files\Messenger\msmsgs.exe D:\Program Files\mks_vir_2007\bin\MksFwall.exe D:\Program Files\mks_vir_2007\bin\MksPC.exe D:\Program Files\mks_vir_2007\bin\mksupdate.exe D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe D:\Program Files\Opera\Opera.exe C:\Program Files\Winamp\winamp.exe D:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM…\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe O4 - HKLM…\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe O4 - HKLM…\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O8 - Extra context menu item: &Szukaj w NetSprint.pl - res://C:\WINDOWS\Downloaded Program Files\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - https://swiadczeniodawca.nfz-wroclaw.pl … criptX.cab O16 - DPF: {2DF91772-19DC-47AE-B52F-B8E2FE545625} (Spd2 Class) - http://www.lemontv.pl/lmctrls.cab O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner2k7/SkanerOnline.cab O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) - http://www.lemontv.pl/lmctrlp.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://www.optimal.pl/file/swflash.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: MksFwall - MKS Sp z o.o. - D:\Program Files\mks_vir_2007\bin\MksFwall.exe O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe O23 - Service: MksUpdate - MKS Sp. z o. o. - D:\Program Files\mks_vir_2007\bin\mksupdate.exe O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\mks_vir_2007\bin\mks_scan.exe
Złączono Posta : 10.02.2007 (Sob) 22:52
proszę sprawdzić moje nowe logi.
A resztkę po Pandzie jak usunąć?
adam9870
(adam9870)
10 Luty 2007 22:52
#7
Logi są czyste.
Resztka po Pandzie w łańcuchu WinSock została już usunięta przy pomocy programu LSP-Fix.
Kosmetyka:
Start => uruchom => msconfig => zakładka Uruchamianie => możesz odznaczyć w/w.
Panel sterowania => Java => Update => odznacz opcję Check for updates automatically.
Jeśli nie korzystasz z Messenger’a to go usuń: Start => uruchom => wpisz:
RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove
Proponuję zainstalować dodatek Service Pack 2. Poprawia on bezpieczeństwo w systemie etc.