Log check

07.08.06, 23:09
After starting the computer, Avast alerts that it has found a trojan and recommends
removal. I remove it and everything is OK. Until the next startup. And so on, over and over.
Here is the log:
Logfile of HijackThis v1.99.1
Scan saved at 23:04:13, on 2006-08-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
K:\avast!\aswUpdSv.exe
K:\avast!\ashServ.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
K:\avast!\ashDisp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\{A03F72C6-07EE-1045-1021-040209260030}
\Update.exe
K:\skype\Phone\Skype.exe
C:\WINDOWS\CURITY~1\csrss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rage3DTweak\GameUtil.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
K:\avast!\ashMaiSv.exe
K:\avast!\ashWebSv.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
K:\e-mule\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darek\Pulpit\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
www.wp.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada
TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
K:\acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
K:\spybot\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01
\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] K:\avast!\ashDisp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program
Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program
Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Odkurzacz-MCD] K:\odkurzacz\Odkurzacz 10.1 Pro\odk_mcd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Hidder] K:\SEKRET~1\Hidder.exe /start
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program
Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "K:\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Mase] "C:\WINDOWS\CURITY~1\csrss.exe" -vt yax
O4 - Global Startup: Adobe Reader Speed Launch.lnk =
K:\acrobat\Reader\reader_sl.exe
O4 - Global Startup: gameutil.exe.lnk = C:\Program
Files\Rage3DTweak\GameUtil.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4
\PCAlert4.exe
O8 - Extra context menu item: &Google Search - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Easy-WebPrint Add To Print List -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print -
res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program
Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program
Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\WINDOWS\System32\msjava.dll
O15 - Trusted Zone: arcaonline.arcabit.com
O15 - Trusted Zone: www.mks.com.pl
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software
AutoUpdate) - www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) -
arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - software-
dl.real.com/0323541a4ae87873f220/netzip/RdxIE601.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
toolbar.google.com/data/pl/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118766765109
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - yax-
download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
212.182.113.107/activex/AxisCamControl.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
Class) - acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) -
ax.emsisoft.com/asquared.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A93EB5C-0A56-4868-B968-
FA415AB3B9E4}: NameServer = 194.204.152.34 217.98.63.164
O20 - AppInit_DLLs: javaw.dll
O20 - Winlogon Notify: winetn32 - winetn32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
K:\avast!\aswU
    • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 08.08.06, 18:12
      > After starting the computer, Avast alerts that it has found a trojan

      Which one? In which file?

      In Task Manager, end:
      C:\Program Files\Common Files\{A03F72C6-07EE-1045-1021-040209260030}
      \Update.exe
      C:\WINDOWS\CURITY~1\csrss.exe

      In HJT, remove:
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada
      TP
      R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} -
      C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
      R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
      file)
      O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)



      O4 - HKLM\..\Run: [Hidder] K:\SEKRET~1\Hidder.exe /start
      O4 - HKCU\..\Run: [Mase] "C:\WINDOWS\CURITY~1\csrss.exe" -vt yax
      O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - software-
      dl.real.com/0323541a4ae87873f220/netzip/RdxIE601.cab
      O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - yax-
      download.yazzle.net/YazzleActiveX.cab?refid=1123
      O20 - AppInit_DLLs: javaw.dll
      O20 - Winlogon Notify: winetn32 - winetn32.dll (file missing)
      O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

      The log didn't fit; append the rest, starting from:
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
      K:\avast!\aswU

      In addition, scan the system with ewido.
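Added example (not part of the thread and not code from HijackThis): a small Python triage over an excerpt of the log above that rejoins the forum's wrapped lines and flags three patterns visible among the entries listed in the reply. The function names (`unwrap`, `triage`), the flag rules and the GUID-directory heuristic are assumptions of this example; the system32 rule relies on the fact that genuine core Windows processes such as csrss.exe run from %SystemRoot%\system32.

```python
import ntpath
import re

# Constructed excerpt: lines copied from the HijackThis log posted above,
# with the forum's hard line wraps left in place.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\{A03F72C6-07EE-1045-1021-040209260030}
\Update.exe
K:\skype\Phone\Skype.exe
C:\WINDOWS\CURITY~1\csrss.exe
C:\WINDOWS\System32\svchost.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no
file)
O4 - HKLM\..\Run: [avast!] K:\avast!\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "K:\skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Mase] "C:\WINDOWS\CURITY~1\csrss.exe" -vt yax
O20 - Winlogon Notify: winetn32 - winetn32.dll (file missing)
"""

ENTRY = re.compile(r"^(?:[RFN]\d|O\d{1,2}) - ")        # "R3 - ", "O20 - ", ...
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
BINARY = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:exe|dll)', re.I)
GUID_DIR = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Core Windows XP processes whose genuine image lives in %SystemRoot%\system32.
CORE_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe",
              "lsass.exe", "svchost.exe", "spoolsv.exe"}


def unwrap(text):
    """Rebuild logical records (processes, entries) from hard-wrapped text."""
    procs, entries = [], []
    target = None                          # list currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            target = procs
        elif ENTRY.match(line):
            target = entries
            target.append(line)
        elif target is procs and DRIVE_PATH.match(line):
            target.append(line)
        elif target:                       # continuation of a wrapped record
            prev = target[-1]
            # A wrap inside a path or a hyphenated token needs no space.
            tight = line.startswith("\\") or re.search(r"\w-$", prev)
            target[-1] = prev + ("" if tight else " ") + line
    return procs, entries


def triage(text):
    """Return (record, [reasons]) for every record worth a closer look."""
    procs, entries = unwrap(text)
    findings = []
    for record in procs + entries:
        reasons = []
        if "(file missing)" in record or "(no file)" in record:
            reasons.append("target file absent")
        for path in BINARY.findall(record):
            folder, name = ntpath.split(path)
            if (name.lower() in CORE_NAMES
                    and not folder.lower().endswith("\\system32")):
                reasons.append("system process name outside system32")
            if any(GUID_DIR.match(part) for part in folder.split("\\")):
                reasons.append("binary in GUID-named directory (heuristic)")
        if reasons:
            findings.append((record, reasons))
    return findings


if __name__ == "__main__":
    for record, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons))
        print("    " + record)
```

A flag here only marks a record for manual review, for example by submitting the file to a multi-engine scanner as is done later in the thread.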
      • alex2222 Re: log check 08.08.06, 21:01
        Hello,
        here is the rest of the log:
        O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast!\ashMaiSv.exe"
        /service (file missing)
        O23 - Service: avast! Web Scanner - Unknown owner - K:\avast!\ashWebSv.exe"
        /service (file missing)
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation
        - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        I removed what you told me to.
        Avast's warnings:
        Sign of "Win32:Ndrv-B[Adw]"has been found
        in"C:\DOCUME~1Darek\USTAWI~\Temp\NDrv.exe"file.
        and the second one:
        Sign of "Win32:Agent-RY[Trj]"has been found
        in"C:\DOCUME~1\Darek\USTAW~1\Temp\NDrv.dll"file.
        I scanned with ewido; it found some junk, only one item in the "high" category.
        • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 08.08.06, 23:52
          In HJT, restore the Sekretnik entry that I told you to delete.

          Delete everything from the temp directory:
          C:\DOCUME~1Darek\USTAWI~\Temp\
          • alex2222 Re: log check 09.08.06, 17:50
            I can't find this directory.
            • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 09.08.06, 18:40
              In folder options, turn off showing hidden files and turn off hiding
              protected ones, and you'll find it.
              • alex2222 Re: log check 09.08.06, 19:13
                Do you mean this folder?
                C:\Documents and Settings\Darek\Ustawienia lokalne\Temp
                That's almost 900Mb!
                • kolobos Re: log check 09.08.06, 19:48
                  Yes, that's the folder.
                  • alex2222 Re: log check 09.08.06, 20:24
                    OK, I deleted everything.
                    Should I do anything else, or is the computer clean?
                    • kolobos Re: log check 09.08.06, 20:25
                      Paste a new log.
                      • alex2222 Re: log check 09.08.06, 20:34
                        Logfile of HijackThis v1.99.1
                        Scan saved at 20:33:12, on 2006-08-09
                        Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
                        MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                        Running processes:
                        C:\WINDOWS\System32\smss.exe
                        C:\WINDOWS\system32\winlogon.exe
                        C:\WINDOWS\system32\services.exe
                        C:\WINDOWS\system32\lsass.exe
                        C:\WINDOWS\system32\Ati2evxx.exe
                        C:\WINDOWS\system32\svchost.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\WINDOWS\system32\Ati2evxx.exe
                        C:\WINDOWS\Explorer.EXE
                        C:\WINDOWS\system32\spoolsv.exe
                        K:\avast!\aswUpdSv.exe
                        K:\avast!\ashServ.exe
                        C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                        C:\WINDOWS\system32\pctspk.exe
                        C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
                        K:\avast!\ashDisp.exe
                        C:\WINDOWS\system32\LVCOMSX.EXE
                        C:\Program Files\Logitech\Video\LogiTray.exe
                        C:\Program Files\Common Files\{A03F72C6-07EE-1045-1021-040209260030}\Update.exe
                        K:\skype\Phone\Skype.exe
                        C:\Program Files\Rage3DTweak\GameUtil.exe
                        C:\WINDOWS\System32\svchost.exe
                        C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
                        C:\Program Files\Logitech\Video\FxSvr2.exe
                        K:\avast!\ashMaiSv.exe
                        K:\avast!\ashWebSv.exe
                        C:\Program Files\Neostrada TP\Watch.exe
                        C:\Program Files\Neostrada TP\NeostradaTP.exe
                        C:\Program Files\Neostrada TP\ComComp.exe
                        K:\e-mule\eMule\emule.exe
                        K:\ad-aware SE\Ad-Aware SE Personal\Ad-Aware.exe
                        K:\firefox\firefox.exe
                        C:\Documents and Settings\Darek\Pulpit\hijackthis\hijackthis.exe

                        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.wp.pl/
                        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
                        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
                        K:\acrobat\ActiveX\AcroIEHelper.dll
                        O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
                        K:\spybot\SPYBOT~1\SDHelper.dll
                        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
                        c:\program files\google\googletoolbar1.dll
                        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
                        files\google\googletoolbar1.dll
                        O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
                        C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
                        O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
                        Panel\atiptaxx.exe
                        O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
                        O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
                        Files\Java\j2re1.4.2_01\bin\jusched.exe
                        O4 - HKLM\..\Run: [avast!] K:\avast!\ashDisp.exe
                        O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
                        O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
                        O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
                        O4 - HKLM\..\Run: [Odkurzacz-MCD] K:\odkurzacz\Odkurzacz 10.1 Pro\odk_mcd.exe
                        O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                        O4 - HKLM\..\Run: [Hidder] K:\SEKRET~1\Hidder.exe /start
                        O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program
                        Files\Logitech\Video\ManifestEngine.exe" boot
                        O4 - HKCU\..\Run: [Skype] "K:\skype\Phone\Skype.exe" /nosplash /minimized
                        O4 - Global Startup: Adobe Reader Speed Launch.lnk = K:\acrobat\Reader\reader_sl.exe
                        O4 - Global Startup: gameutil.exe.lnk = C:\Program Files\Rage3DTweak\GameUtil.exe
                        O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
                        O8 - Extra context menu item: &Google Search - res://C:\Program
                        Files\Google\GoogleToolbar1.dll/cmsearch.html
                        O8 - Extra context menu item: Backward &Links - res://C:\Program
                        Files\Google\GoogleToolbar1.dll/cmbacklinks.html
                        O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program
                        Files\Google\GoogleToolbar1.dll/cmcache.html
                        O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program
                        Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
                        O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program
                        Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
                        O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program
                        Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
                        O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program
                        Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
                        O8 - Extra context menu item: Si&milar Pages - res://C:\Program
                        Files\Google\GoogleToolbar1.dll/cmsimilar.html
                        O8 - Extra context menu item: Translate into English - res://C:\Program
                        Files\Google\GoogleToolbar1.dll/cmtrans.html
                        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
                        C:\WINDOWS\System32\msjava.dll
                        O9 - Extra 'Tools' menuitem: Sun Java Console -
                        {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
                        O15 - Trusted Zone: arcaonline.arcabit.com
                        O15 - Trusted Zone: www.mks.com.pl
                        O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate)
                        - www.creative.com/su/ocx/15015/CTSUEng.cab
                        O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) -
                        arcaonline.arcabit.com/ArcaOnline.cab
                        O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
                        toolbar.google.com/data/pl/big/1.1.62-big/GoogleNav.cab
                        O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
                        update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1118766765109
                        O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
                        212.182.113.107/activex/AxisCamControl.ocx
                        O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
                        acs.pandasoftware.com/activescan/as5free/asinst.cab
                        O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) -
                        ax.emsisoft.com/asquared.cab
                        O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) -
                        skaner.mks.com.pl/SkanerOnline.cab
                        O17 - HKLM\System\CCS\Services\Tcpip\..\{4A93EB5C-0A56-4868-B968-FA415AB3B9E4}:
                        NameServer = 194.204.152.34 217.98.63.164
                        O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner -
                        K:\avast!\aswUpdSv.exe
                        O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
                        C:\WINDOWS\system32\Ati2evxx.exe
                        O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
                        O23 - Service: avast! Antivirus - Unknown owner - K:\avast!\ashServ.exe
                        O23 - Service: avast! Mail Scanner - Unknown owner - K:\avast!\ashMaiSv.exe"
                        /service (file missing)
                        O23 - Service: avast! Web Scanner - Unknown owner - K:\avast!\ashWebSv.exe"
                        /service (file missing)
                        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation
                        - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                        • kolobos Re: log check 09.08.06, 22:11
                          Check this file:
                          C:\Program Files\Common Files\{A03F72C6-07EE-1045-1021-040209260030}\Update.exe
                          with this: virusscan.jotti.org

                          • alex2222 Re: log check 09.08.06, 23:04
                            I scanned it; AntiVir showed that it is:
                            Trojan/Dldr.Banloa.AK.1
                            The other scanners detected nothing.
                            There is one more file in this folder:
                            services dll.
                            I scanned it, and here five scanners responded:
                            AntiVir:
                            Trojan/Dldr.Banloa.AK.2
                            AVG Antivirus:
                            Downloader.Agent.ETT
                            BitDefender:
                            Adware.Mcboo.A
                            F-Prot Antivirus:
                            Possibly a new variant of W32/Downloader-Sml-based!Maximus
                            Fortinet:
                            PossibleThreat!08074

                            Should I delete this folder?
                            • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 10.08.06, 00:10
                              Yes, end this process and then delete the folder.

                              Also make a log using this and paste it on the forum:
                              www.silentrunners.org/Silent%20Runners.vbs
                              We'll see whether it's OK.
                              • alex2222 Re: log check 10.08.06, 00:15

                                • alex2222 Re: log check 10.08.06, 00:21
                                  I don't know whether it pasted correctly, because this log is very long.
                                  • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 10.08.06, 10:24
                                    What log? You pasted the contents of the file that you were supposed to DOWNLOAD and run FROM DISK!
                                    • alex2222 Re: log check 10.08.06, 19:23
                                      Darn, I don't really know how...
                                      • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 10.08.06, 20:12
                                        Surely you don't mean to say that you can't right-click the file and choose "save as..." or whatever it's called on your system, and then double-click the saved file with the left button?
                                        • alex2222 Re: log check 10.08.06, 20:41
                                          Well no, I'm not that dense, but the link you gave me doesn't lead to a page with
                                          the file.
                                          • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 10.08.06, 21:29
                                            > Well no, I'm not that dense, but the link you gave me doesn't lead to
                                            > a page with the file.

                                            www.silentrunners.org/Silent%20Runners.vbs
                                            Silent%20Runners.vbs isn't a file? Then what is it to you?
                                            • alex2222 Re: log check 10.08.06, 22:03
                                              All right, I guess I am dense after all...
                                              Is this the log?
                                              "Silent Runners.vbs", revision 46, www.silentrunners.org/
                                              Operating System: Windows XP SP2
                                              Output limited to non-default values, except where indicated by "{++}"


                                              Startup items buried in registry:
                                              ---------------------------------

                                              HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                              "{A03F72C6-07EE-1045-1021-040209260030}" = ""C:\Program Files\Common
                                              Files\{A03F72C6-07EE-1045-1021-040209260030}\Update.exe" mc-110-12-0000272"
                                              [file not found]

                                              HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                                              "LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe"
                                              boot" ["Logitech Inc."]
                                              "Skype" = ""K:\skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies
                                              S.A."]

                                              HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                                              "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                              ["ATI Technologies, Inc."]
                                              "PCTVOICE" = "pctspk.exe" [empty string]
                                              "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
                                              [null data]
                                              "avast!" = "K:\avast!\ashDisp.exe" [null data]
                                              "LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
                                              "LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe "
                                              ["Logitech Inc."]
                                              "LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech
                                              Inc."]
                                              "Odkurzacz-MCD" = "K:\odkurzacz\Odkurzacz 10.1 Pro\odk_mcd.exe" ["FranmoSoft"]
                                              "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
                                              "Hidder" = "K:\SEKRET~1\Hidder.exe /start" ["G DATA Software Sp. z o.o."]

                                              HKLM\Software\Microsoft\Active Setup\Installed Components\
                                              >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
                                              \StubPath =
                                              "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

                                              HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
                                              {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
                                              -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                                              \InProcServer32\(Default) =
                                              "K:\acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
                                              {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
                                              -> {HKLM...CLSID} = (no title provided)
                                              \InProcServer32\(Default) = "K:\spybot\SPYBOT~1\SDHelper.dll"
                                              ["Safer Networking Limited"]
                                              {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
                                              -> {HKLM...CLSID} = "Google Toolbar Helper"
                                              \InProcServer32\(Default) = "c:\program
                                              files\google\googletoolbar1.dll" ["Google Inc."]

                                              HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                                              "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                                              wyświetlania"
                                              -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                                              \InProcServer32\(Default) = "deskpan.dll" [file not found]
                                              "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                                              -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                                              \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
                                              ["Hilgraeve, Inc."]
                                              • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 10.08.06, 22:08
                                                Yes, but paste the whole thing, not just a piece ;-)
                                                • alex2222 Re: log check 10.08.06, 22:21
                                                  "Silent Runners.vbs", revision 46, www.silentrunners.org/
                                                  Operating System: Windows XP SP2
                                                  Output limited to non-default values, except where indicated by "{++}"


                                                  Startup items buried in registry:
                                                  ---------------------------------

                                                  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                  "{A03F72C6-07EE-1045-1021-040209260030}" = ""C:\Program Files\Common
                                                  Files\{A03F72C6-07EE-1045-1021-040209260030}\Update.exe" mc-110-12-0000272"
                                                  [file not found]

                                                  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                                                  "LogitechSoftwareUpdate" = ""C:\Program Files\Logitech\Video\ManifestEngine.exe"
                                                  boot" ["Logitech Inc."]
                                                  "Skype" = ""K:\skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies
                                                  S.A."]

                                                  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
                                                  "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
                                                  ["ATI Technologies, Inc."]
                                                  "PCTVOICE" = "pctspk.exe" [empty string]
                                                  "SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe"
                                                  [null data]
                                                  "avast!" = "K:\avast!\ashDisp.exe" [null data]
                                                  "LVCOMSX" = "C:\WINDOWS\system32\LVCOMSX.EXE" ["Logitech Inc."]
                                                  "LogitechVideoRepair" = "C:\Program Files\Logitech\Video\ISStart.exe "
                                                  ["Logitech Inc."]
                                                  "LogitechVideoTray" = "C:\Program Files\Logitech\Video\LogiTray.exe" ["Logitech
                                                  Inc."]
                                                  "Odkurzacz-MCD" = "K:\odkurzacz\Odkurzacz 10.1 Pro\odk_mcd.exe" ["FranmoSoft"]
                                                  "NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
                                                  "Hidder" = "K:\SEKRET~1\Hidder.exe /start" ["G DATA Software Sp. z o.o."]

                                                  HKLM\Software\Microsoft\Active Setup\Installed Components\
                                                  >{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
                                                  \StubPath =
                                                  "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

                                                  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
                                                  {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
                                                  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                                                  \InProcServer32\(Default) =
                                                  "K:\acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
                                                  {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
                                                  -> {HKLM...CLSID} = (no title provided)
                                                  \InProcServer32\(Default) = "K:\spybot\SPYBOT~1\SDHelper.dll"
                                                  ["Safer Networking Limited"]
                                                  {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
                                                  -> {HKLM...CLSID} = "Google Toolbar Helper"
                                                  \InProcServer32\(Default) = "c:\program
                                                  files\google\googletoolbar1.dll" ["Google Inc."]

                                                  HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                                                  "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania
                                                  wyświetlania"
                                                  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                                                  \InProcServer32\(Default) = "deskpan.dll" [file not found]
                                                  "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
                                                  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                                                  \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll"
                                                  ["Hilgraeve, Inc."]
                                                  "{CE594922-286A-11d5-B47B-00606767FEC7}" = "Custom Display Modes"
                                                  -> {HKLM...CLSID} = "Custom Display Modes"
                                                  \InProcServer32\(Default) = "C:\Program
                                                  Files\Rage3DTweak\CDMpp.dll" ["Byron Montgomerie"]
                                                  "{86B89425-5944-11d6-BBCF-00024424ACD8}" = "Folding@Home"
                                                  -> {HKLM...CLSID} = "Folding@Home"
                                                  \InProcServer32\(Default) = "C:\Program
                                                  Files\Rage3DTweak\FAHpp.dll" ["Byron Montgomerie"]
                                                  "{7D5477E0-2629-11d5-B47B-00606767FEC7}" = "Rage3D Overclocker"
                                                  -> {HKLM...CLSID} = "Rage3D Overclocker"
                                                  \InProcServer32\(Default) = "C:\Program
                                                  Files\Rage3DTweak\OCpp.dll" ["Byron Montgomerie"]
                                                  "{BEB5F380-5501-11d3-BFDE-ADC2F2AAE920}" = "Rage3DTweak"
                                                  -> {HKLM...CLSID} = "Rage3DTweak"
                                                  \InProcServer32\(Default) = "C:\Program
                                                  Files\Rage3DTweak\RegTwk.dll" ["Byron Montgomerie"]
                                                  "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
                                                  -> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
                                                  \InProcServer32\(Default) =
                                                  "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]
                                                  "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
                                                  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                                                  \InProcServer32\(Default) =
                                                  "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
                                                  "{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"
                                                  -> {HKLM...CLSID} = "Mobile"
                                                  \InProcServer32\(Default) = "L:\siemens\DESShellExt.dll"
                                                  ["Siemens AG"]
                                                  "{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"
                                                  -> {HKLM...CLSID} = "Mobile ContextMenuHandler"
                                                  \InProcServer32\(Default) = "L:\siemens\DESShellExt.dll"
                                                  ["Siemens AG"]
                                                  "{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"
                                                  -> {HKLM...CLSID} = "Mobile PropertySheetHandler"
                                                  \InProcServer32\(Default) = "L:\siemens\DESShellExt.dll"
                                                  ["Siemens AG"]
                                                  "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
                                                  -> {HKLM...CLSID} = "Portable Media Devices"
                                                  \InProcServer32\(Default) =
                                                  "C:\WINDOWS\system32\Audiodev.dll" [MS]
                                                  "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
                                                  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                                                  \InProcServer32\(Default) =
                                                  "C:\WINDOWS\system32\Audiodev.dll" [MS]
                                                  "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
                                                  -> {HKLM...CLSID} = "WinRAR"
                                                  \InProcServer32\(Default) = "K:\WinRar\rarext.dll" [null data]
                                                  "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
                                                  -> {HKLM...CLSID} = "avast"
                                                  \InProcServer32\(Default) = "K:\avast!\ashShell.dll" ["ALWIL
                                                  Software"]
                                                  "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
                                                  -> {HKLM...CLSID} = "Shell Search Band"
                                                  \InProcServer32\(Default) =
                                                  "C:\WINDOWS\system32\browseui.dll" [MS]
                                                  "{400CFEE2-39D0-46DC-96DF-E0BB5A4324B3}" = "My Logitech Pictures"
                                                  -> {HKLM...CLSID} = "My Logitech Pictures"
                                                  \InProcServer32\(Default) = "C:\Program
                                                  Files\Logitech\Video\Namespc2.dll" ["Logitech Inc."]
                                                  "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones"
                                                  -> {HKLM...CLSID} = "My Phones"
                                                  \InProcServer32\(Default) = "K:\sony ericsson\File
                                                  Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
                                                  "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
                                                  -> {HKLM...CLSID} = "UnlockerShellExtension"
                                                  \InProcServer32\(Default) = "K:\unlocker\UnlockerCOM.dll"
                                                  [null data]

                                                  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
                                                  INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

                                                  HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
                                                  {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
                                                  -> {HKLM...CLSID} = "PDF Shell Extension"
                                                  \InProcServer32\(Default) = "K:\acrobat\ActiveX\PDFShell.dll"
                                                  ["Adobe Systems, Inc."]

                                                  HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
                                                  avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                                                  -> {HKLM...CLSID} = "avast"
                                                  \InProcServer32\(Default) = "K:\avast!\ashShell.dll" ["ALWIL
                                                  Software"]
                                                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                                                  -> {HKLM...CLSID} = "WinRAR"
                                                  \InProcServer32\(Default) = "K:\WinRar\rarext.dll" [null data]

                                                  HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
                                                  WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                                                  -> {HKLM...CLSID} = "WinRAR"
                                                  \InProcServer32\(Default) = "K:\WinRar\rarext.dll" [null data]

                                                  HKLM\Software\Cl
                                                  • alex2222 Re: log check 10.08.06, 22:34
                                                    continuation:


                                                    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
                                                    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                                                    -> {HKLM...CLSID} = "WinRAR"
                                                    \InProcServer32\(Default) = "K:\WinRar\rarext.dll" [null data]

                                                    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
                                                    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
                                                    -> {HKLM...CLSID} = "avast"
                                                    \InProcServer32\(Default) = "K:\avast!\ashShell.dll" ["ALWIL
                                                    Software"]
                                                    UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
                                                    -> {HKLM...CLSID} = "UnlockerShellExtension"
                                                    \InProcServer32\(Default) = "K:\unlocker\UnlockerCOM.dll"
                                                    [null data]
                                                    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
                                                    -> {HKLM...CLSID} = "WinRAR"
                                                    \InProcServer32\(Default) = "K:\WinRar\rarext.dll" [null data]


                                                    Active Desktop and Wallpaper:
                                                    -----------------------------

                                                    Active Desktop is disabled at this entry:
                                                    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

                                                    HKCU\Control Panel\Desktop\
                                                    "Wallpaper" = "C:\Documents and Settings\Darek\Ustawienia lokalne\Dane
                                                    aplikacji\Microsoft\Wallpaper1.bmp"


                                                    Startup items in "Darek" & "All Users" startup folders:
                                                    -------------------------------------------------------

                                                    C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
                                                    "Adobe Reader Speed Launch" -> shortcut to: "K:\acrobat\Reader\reader_sl.exe"
                                                    ["Adobe Systems Incorporated"]
                                                    "gameutil.exe" -> shortcut to: "C:\Program Files\Rage3DTweak\GameUtil.exe"
                                                    ["Byron Montgomerie"]
                                                    "PC Alert 4" -> shortcut to: "C:\Program Files\MSI\PC Alert 4\PCAlert4.exe"
                                                    [empty string]


                                                    Winsock2 Service Provider DLLs:
                                                    -------------------------------

                                                    Namespace Service Providers

                                                    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
                                                    {++}
                                                    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
                                                    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
                                                    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

                                                    Transport Service Providers

                                                    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
                                                    {++}
                                                    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
                                                    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
                                                    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


                                                    Toolbars, Explorer Bars, Extensions:
                                                    ------------------------------------

                                                    Toolbars

                                                    HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
                                                    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
                                                    -> {HKLM...CLSID} = "&Google"
                                                    \InProcServer32\(Default) = "c:\program
                                                    files\google\googletoolbar1.dll" ["Google Inc."]

                                                    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
                                                    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
                                                    -> {HKLM...CLSID} = "&Google"
                                                    \InProcServer32\(Default) = "c:\program
                                                    files\google\googletoolbar1.dll" ["Google Inc."]

                                                    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
                                                    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
                                                    -> {HKLM...CLSID} = "&Google"
                                                    \InProcServer32\(Default) = "c:\program
                                                    files\google\googletoolbar1.dll" ["Google Inc."]
                                                    "{327C2873-E90D-4C37-AA9D-10AC9BABA46C}" = "Easy-WebPrint"
                                                    -> {HKLM...CLSID} = "Easy-WebPrint"
                                                    \InProcServer32\(Default) = "C:\Program
                                                    Files\Canon\Easy-WebPrint\Toolband.dll" [null data]

                                                    Explorer Bars

                                                    HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
                                                    {21569614-B795-46B1-85F4-E737A8DC09AD}\(Default) = (no title provided)
                                                    -> {HKLM...CLSID} = "Shell Search Band"
                                                    \InProcServer32\(Default) =
                                                    "C:\WINDOWS\system32\browseui.dll" [MS]

                                                    Extensions (Tools menu items, main toolbar menu buttons)

                                                    HKLM\Software\Microsoft\Internet Explorer\Extensions\
                                                    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
                                                    "MenuText" = "Sun Java Console"
                                                    "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
                                                    -> {HKLM...CLSID} = "Web Browser Applet Control"
                                                    \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]


                                                    Miscellaneous IE Hijack Points
                                                    ------------------------------

                                                    C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

                                                    Added lines (compared with English-language version):
                                                    [Strings]:
                                                    START_PAGE_URL=www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

                                                    Missing lines (compared with English-language version):
                                                    [Strings]: 1 line


                                                    Running Services (Display Name, Service Name, Path {Service DLL}):
                                                    ------------------------------------------------------------------

                                                    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI
                                                    Technologies Inc."]
                                                    avast! Antivirus, avast! Antivirus, ""K:\avast!\ashServ.exe"" [null data]
                                                    avast! iAVS4 Control Service, aswUpdSv, ""K:\avast!\aswUpdSv.exe"" [null data]
                                                    avast! Mail Scanner, avast! Mail Scanner, ""K:\avast!\ashMaiSv.exe" /service"
                                                    ["ALWIL Software"]
                                                    avast! Web Scanner, avast! Web Scanner, ""K:\avast!\ashWebSv.exe" /service"
                                                    ["ALWIL Software"]
                                                    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


                                                    Print Monitors:
                                                    ---------------

                                                    HKLM\System\CurrentControlSet\Control\Print\Monitors\
                                                    Canon BJ Language Monitor PIXMA iP1500\Driver = "CNMLM5y.DLL" ["CANON INC."]


                                                    ----------
                                                    + This report excludes default entries except where indicated.
                                                    + To see *everywhere* the script checks and *everything* it finds,
                                                    launch it from a command prompt or a shortcut with the -all parameter.
                                                    + To search all directories of local fixed drives for DESKTOP.INI
                                                    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
                                                    use the -supp parameter or answer "No" at the first message box.
                                                    --------
                                                  • Guest: Kolobos Re: log check IP: *.warszawa.sdi.tpnet.pl 10.08.06, 23:48
                                                    Start->Run->regedit
                                                    go to:
                                                    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ and delete
                                                    there: "{A03F72C6-07EE-1045-1021-040209260030}" = ""C:\Program Files\Common
                                                    Files\{A03F72C6-07EE-1045-1021-040209260030}\Update.exe" mc-110-12-0000272"
                                                    [file not found]

                                                    That's all, and I hope that this time you will manage without asking a heap of
                                                    strange questions.
                                                  • alex2222 Re: log check 11.08.06, 00:26
                                                    Done.
                                                    Many thanks for the help and the patience.
                                                    Regards.
