jule (created 16 June 2009):
Hello, for some time I have been getting this message: rundll32.exe, and I have no access to the Control Panel. What can I do about it?
Mateusz J. (comment, 16 June 2009):
Does the message appear at system startup? Post your HijackThis and ComboFix logs: http://www.forumpc.pl/index.php?showtopic=11018 and http://www.forumpc.pl/index.php?showtopic=11017 I suspect an infection.
jule (author, comment, 17 June 2009):
Nothing appears at startup. I just have no access to the Control Panel.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:48, on 2009-06-17
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
jule (author, comment, 18 June 2009):

ComboFix 09-06-17.04 - Administrator 2009-06-18 19:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.510.108 [GMT 2:00]
Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
* Utworzono nowy punkt przywracania.
[2005-04-27 69632][HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]"nltide_2"="shell32" [X]"nltide_3"="advpack.dll" - c:\winxp\system32\advpack.dll [2009-03-08 128512]c:\documents and settings\Administrator\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-9-12 384000]c:\documents and settings\All Users\Menu Start\Programy\Autostart\AVerQuick.lnk - c:\program files\Common Files\AVerMedia\AVerQuick\AVerQuick.exe [2009-6-3 610304][HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]"DisableStatusMessages"= 1 (0x1)[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoSMHelp"= 1 (0x1)"NoSMMyPictures"= 1 (0x1)"NoSMConfigurePrograms"= 1 (0x1)"NoResolveTrack"= 1 (0x1)[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSMHelp"= 1 (0x1)"NoSMMyPictures"= 1 (0x1)"NoSMConfigurePrograms"= 1 (0x1)"NoResolveTrack"= 1 (0x1)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\system32\\sessmgr.exe"="c:\\Program Files\\Nowe Gadu-Gadu\\gg.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"="c:\\WINXP\\system32\\lxcfcoms.exe"="c:\\Program Files\\Ares\\Ares.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"=R0 TfFsMon;TfFsMon;c:\winxp\system32\drivers\TfFsMon.sys [2009-04-16 51472]R0 TfSysMon;TfSysMon;c:\winxp\system32\drivers\TfSysMon.sys [2009-04-16 39184]R2 fssfltr;FssFltr;c:\winxp\system32\drivers\fssfltr_tdi.sys [2009-05-06 55152]R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]R3 GTICARD;GTICARD;c:\winxp\system32\drivers\gticard.sys [2003-02-06 59328]R3 
TfNetMon;TfNetMon;c:\winxp\system32\drivers\TfNetMon.sys [2009-04-16 33040]S3 AVerBDA3x;AVerMedia SAA713x BDA Service;c:\winxp\system32\drivers\AVerBDA3x.sys [2009-06-03 1180544]S3 fsssvc;Bezpieczeństwo rodzinne usługi Windows Live;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]--- Inne Usługi/Sterowniki w Pamięci ---*Deregistered* - mchInjDrv[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]"c:\winxp\system32\rundll32.exe" "c:\winxp\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP..------- Skan uzupełniający -------.uStart Page = hxxp://search.imesh.com/nl/FF - ProfilePath - .**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-06-18 20:05Windows 5.1.2600 Dodatek Service Pack 3 NTFSskanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... HKLM\Software\Microsoft\Windows\CurrentVersion\Run LXCFCATS = rundll32 c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????? skanowanie ukrytych plików ... 
skanowanie pomyślnie ukończoneukryte pliki: 0**************************************************************************.--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------- - - - - - - > 'winlogon.exe'(872)c:\program files\ThreatFire\TFWAH.dllc:\program files\ThreatFire\TFNI.dll- - - - - - - > 'lsass.exe'(932)c:\program files\ThreatFire\TFWAH.dll- - - - - - - > 'explorer.exe'(1728)c:\program files\ThreatFire\TFWAH.dllc:\winxp\system32\SynTPFcs.dllc:\program files\ThreatFire\TFNI.dllc:\winxp\system32\ieframe.dllc:\winxp\system32\webcheck.dllc:\winxp\system32\wpdshserviceobj.dllc:\winxp\system32\portabledevicetypes.dllc:\winxp\system32\portabledeviceapi.dll.Czas ukończenia: 2009-06-18 20:08ComboFix-quarantined-files.txt 2009-06-18 18:08Przed: 21 719 527 424 bajtów wolnychPo: 21 724 188 672 bajtów wolnych198
Gość (comment, 18 June 2009): All the logs confirm that you are clean. Scan --> http://www.forumpc.pl/index.php?showtopic=104994&hl= .

jule (author, comment, 29 June 2009): Hello, nothing helped, that program didn't detect anything either. What else can I do?

MarekM25 (comment, 29 June 2009): What exactly does the message say?? I think I know what needs to be done, but I want the message to confirm it first. kamil, try to check the logs against the user's specific problem :)

jule (author, comment, 30 June 2009): Windows cannot find the file C:/WINXP/rundll32.exe. Make sure the name you typed is correct and try again. To search for files, click Start and then Search.

dawid_c (comment, 30 June 2009): For a moment I thought you could simply copy that file again from the disc, but rundll32.exe should be in x:\WINDOWS\system32, not in x:\WINDOWS (since WINXP stands in for that folder?), so it is probably a leftover from a virus. To be sure, put the Windows install disc in the drive and run "sfc /scannow". The program checks whether the correct Windows files are on the computer and, if one is actually missing, restores it from the disc. If that doesn't help, scan the system with an antivirus and check whether something runs at startup (msconfig).

MarekM25 (comment, 30 June 2009, edited): Copy that file from the system disc using the Recovery Console: http://www.pcformat.pl/forum/showthread.php?tid=9395

dawid_c (comment, 30 June 2009): http://www.neuber.com/taskmanager/process/rundll32.exe.html

MarekM25 (comment, 30 June 2009): http://www.neuber.com/taskmanager/process/rundll32.exe.html Why are you posting a link to a process library ;|?

dawid_c (comment, 30 June 2009): I'm simply saying that a rundll32.exe file in the \Windows folder is junk. The system file lives in the \Windows\system32 folder. So why copy that file? It would only clutter the computer. Better to find the application that wants to read that file and remove it.

MarekM25 (comment, 30 June 2009): On the author's machine it is in the correct location, c:\winxp\system32\rundll32.exe, but the file doesn't work properly.

dawid_c (comment, 30 June 2009): The author writes: "Windows cannot find the file C:/WINXP/rundll32.exe. Make sure the name you typed is correct and try again. To search for files, click Start and then Search."

MarekM25 (comment, 30 June 2009): But look at the log :P Check whether that file even exists: C:/WINXP/rundll32.exe. Best scan it on VirusTotal.

dawid_c (comment, 30 June 2009, edited): Well, if "Windows cannot find the file", then it probably isn't there. I don't know logs very well, but I can see: [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\winxp\system32\rundll32.exe" "c:\winxp\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP. But there is no point arguing. Let the person with the problem scan the computer and check the autostart entries, and then we'll see. Edit, replying to the post below ("so the file is visible in the correct location"): Exactly. And some piece of junk is trying to call the wrong location, as I already wrote a few posts earlier.
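The check dawid_c describes above (the real rundll32.exe belongs in \Windows\system32, so anything that starts rundll32 from \Windows itself is the thing to hunt for in the autostart entries) can be applied mechanically to the "Registry startup entries" section of a ComboFix log. The script below is an added example written for this page; it is not code posted by anyone in the thread and not part of ComboFix. It assumes %SystemRoot% is C:\WINXP, as in the logs above, and treats a trailing [X] as "target file not found on disk", which is how the "Dell Wireless Manager UI" entry in the log reads. The sample lines are constructed: three are shaped like entries from the log, and the "Updater" line is invented purely to show what a hit looks like.

```python
import re
from pathlib import PureWindowsPath

# Assumption: %SystemRoot% is C:\WINXP on this machine, as the logs in the thread show.
SYSTEM_ROOT = PureWindowsPath(r"c:\winxp")
SYSTEM32 = SYSTEM_ROOT / "system32"
PROGRAM_FILES = PureWindowsPath(r"c:\program files")

# One ComboFix "Registry startup entries" line:
#   "Name"="command line" [YYYY-MM-DD size]   or   "Name"="command line" [X]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')


def split_command(cmd):
    """Split a Windows command line into (program, arguments); the program may be quoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return (parts[0], parts[1].strip()) if len(parts) == 2 else (cmd, "")


def is_under(path, parent):
    """True if `path` lies inside directory `parent` (case-insensitive, like NTFS)."""
    parts = PureWindowsPath(path.lower()).parts
    return parts[: len(parent.parts)] == parent.parts


def check_entry(line):
    """Return a list of findings for one Run-key line; [] means nothing looked odd."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # not a "Name"="cmd" [meta] line (e.g. a key header); skipped
    name, cmd, meta = m.group("name"), m.group("cmd"), m.group("meta")
    findings = []

    # Assumption: ComboFix prints [X] when the entry's target is not on disk.
    if meta.strip() == "X":
        findings.append(f"{name}: target not found on disk ({cmd})")

    program, args = split_command(cmd)
    exe = PureWindowsPath(program.lower())
    if exe.name in ("rundll32", "rundll32.exe"):
        # A bare 'rundll32' is resolved through PATH; an explicit path must be the system32 copy.
        if exe.parent != PureWindowsPath(".") and not is_under(program, SYSTEM32):
            findings.append(f"{name}: rundll32 referenced outside system32 ({program})")
        # rundll32 syntax is <dll>,<entry point> [args]; the DLL path is everything before the comma.
        dll = args.split(",", 1)[0].strip().strip('"')
        if dll and not (is_under(dll, SYSTEM_ROOT) or is_under(dll, PROGRAM_FILES)):
            findings.append(f"{name}: rundll32 loads a DLL from an unusual location ({dll})")
    return findings


def scan(lines):
    """Run check_entry over every line and return all findings in order."""
    return [f for line in lines for f in check_entry(line)]


# Constructed sample, modelled on the ComboFix output in the thread. The first three lines are
# shaped like real entries from the log; the "Updater" line is invented to show the pattern the
# thread is hunting for (rundll32 started from C:\WINXP, loading a DLL from a temp folder).
SAMPLE_LOG = [
    r'"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]',
    r'"Dell Wireless Manager UI"="c:\winxp\system32\WLTRAY" [X]',
    r'"LXCFCATS"="rundll32 c:\winxp\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16" [2005-04-27 69632]',
    r'"Updater"="c:\winxp\rundll32.exe c:\documents and settings\Administrator\Ustawienia lokalne\Temp\upd.dll,Start" [2009-06-10 24576]',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Paste the lines of the Run and RunOnce blocks into SAMPLE_LOG (or read them from the saved log) and every hit names the registry value to look at. An entry that starts rundll32 from \Windows instead of \Windows\system32, or that points rundll32 at a DLL under a temp or profile folder, is the one to check on VirusTotal and remove; an [X] entry is simply a dead autostart value whose file is already gone.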
MarekM25 (comment, 30 June 2009): "so the file is visible in the correct location" Well yes, but the author has probably abandoned the thread.

jule (author, comment, 4 July 2009): I don't see that file where it should be. Scanning shows nothing. And I can't extract the file from the disc, because the drive has stopped working :-)) So it can't be done without the disc?

magdadzik (comment, 19 October 2009): Hi, I have a similar problem with this rundll32. It tells me the application cannot be found. I don't know what, where or how; please help, because I am a complete novice at this.

adrianoziomek (comment, 21 October 2009): And does it show you a message saying you need to buy some antivirus?