Request to check a log

mik2

Hello everyone :) I don't know what is going on with the computer, but when I want to open some application, an IExplorer process starts for a moment, then it shuts down and nothing else happens. I barely managed to run HJT, so I'm pasting the log and I'm asking for help as quickly as possible!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:10:49, on 2008-06-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\RaConfig.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu 7\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1123561945-789336058-1060284298-1003\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu 7\gg.exe" /tray (User '?')
O4 - HKUS\S-1-5-21-1123561945-789336058-1060284298-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User '?')
O4 - HKUS\S-1-5-21-1123561945-789336058-1060284298-1003\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206280263925
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

--
End of file - 4541 bytes

seba115

FIX:

O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

I don't see anything more, but let someone else check this too, because I'm a beginner :huh:

mik2

Normally, after applying the fix and rescanning, this item appeared again, but I managed to remove it in safe mode :) Does anyone have any other suggestions about this log? Because removing that thing didn't help at all...

Here is also the log from SilentRunners:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu 7\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
  -> {HKLM...CLSID} = "Eksplorator pulpitów"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "D:\PROGRA~1\OFFICE~1\Office\OLKFSTUB.DLL" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"
  -> {HKLM...CLSID} = "Mobile"
                   \InProcServer32\(Default) = "D:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll" ["Siemens AG"]
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"
  -> {HKLM...CLSID} = "Mobile ContextMenuHandler"
                   \InProcServer32\(Default) = "D:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll" ["Siemens AG"]
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"
  -> {HKLM...CLSID} = "Mobile PropertySheetHandler"
                   \InProcServer32\(Default) = "D:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll" ["Siemens AG"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

<<!>> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
"Application" = "iexplore.exe"

<<!>> HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\
(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" %1" [MS]

HKLM\SOFTWARE\Classes\.bat\(Default) = "batfile"
HKLM\SOFTWARE\Classes\batfile\shell\open\command\(Default) = (value not set)

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = (value not set)

HKLM\SOFTWARE\Classes\.pif\(Default) = "piffile"
HKLM\SOFTWARE\Classes\piffile\shell\open\command\(Default) = (value not set)

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\AMD 800\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\AMD 800\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
                   \LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe"  /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe"  /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]


Startup items in "AMD 800" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"RaConfig" -> shortcut to: "C:\WINDOWS\system32\RaConfig.exe" ["Ralink Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


---------- (launch time: 2008-06-30 16:16:19)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.

---------- (total run time: 121 seconds, including 6 seconds for message boxes)
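
The Silent Runners report above marks two entries with <<!>>: the per-user FileExts\.exe "Application" value pointing at iexplore.exe, and the iexplore.exe "Open With" handler that value resolves to. The script below is an added example for this thread, not code from the thread or from the Silent Runners tool: it pulls the <<!>>-flagged entries out of a report and names the program every .exe is being routed through. SAMPLE_REPORT is a constructed excerpt modelled on the report above, and the layout rules it relies on (a <<!>> line carries the key, the "name" = value lines up to the next blank line belong to it) are assumptions.

```python
"""Pull <<!>>-flagged launch points out of a Silent Runners report.

Added example for this thread, not part of the original posts or of the Silent
Runners script. SAMPLE_REPORT is a constructed excerpt modelled on the "Default
executables" section above. Layout assumption: a "<<!>>" line names a registry
key, and the "name" = value lines up to the next blank line belong to it.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

FLAG = "<<!>>"

# Constructed excerpt; the two flagged entries mirror the ones in the thread.
SAMPLE_REPORT = """\
Default executables:
--------------------

<<!>> HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.exe\\
"Application" = "iexplore.exe"

<<!>> HKLM\\SOFTWARE\\Classes\\Applications\\iexplore.exe\\shell\\open\\command\\
(Default) = ""C:\\Program Files\\Internet Explorer\\iexplore.exe" %1" [MS]

HKLM\\SOFTWARE\\Classes\\.exe\\(Default) = "exefile"
HKLM\\SOFTWARE\\Classes\\exefile\\shell\\open\\command\\(Default) = (value not set)
"""

# "name" = value   or   (Default) = value
_PAIR = re.compile(r'^(?P<name>"[^"]*"|\(Default\))\s*=\s*(?P<value>.*)$')
# trailing vendor tag such as [MS] or ["Eset "]
_TRAIL = re.compile(r'\s*\[[^\]]*\]\s*$')
# per-user "Open With" override key for one extension
_FILEEXTS = re.compile(r'\\Explorer\\FileExts\\(?P<ext>\.[^\\]+)\\?$', re.IGNORECASE)


@dataclass
class Flagged:
    key: str    # registry key as printed in the report
    name: str   # value name without quotes
    value: str  # value data with one quote layer and the vendor tag removed


def _clean_value(raw: str) -> str:
    raw = _TRAIL.sub("", raw).strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return raw


def flagged_entries(report: str) -> List[Flagged]:
    """Return every name/value pair that the report marks with <<!>>."""
    entries: List[Flagged] = []
    lines = report.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line.startswith(FLAG):
            continue
        key = line[len(FLAG):].strip()
        while i < len(lines) and lines[i].strip():   # pairs until a blank line
            m = _PAIR.match(lines[i].strip())
            if m:
                entries.append(Flagged(key, m["name"].strip('"'), _clean_value(m["value"])))
            i += 1
    return entries


def explain(entry: Flagged) -> str:
    """Plain-language reading of a flagged entry (patterns seen in this thread only)."""
    m = _FILEEXTS.search(entry.key)
    if m and entry.name.lower() == "application":
        return (f"per-user 'Open With' override: Explorer hands every {m['ext']} file "
                f"to {entry.value} instead of the machine-wide handler")
    if entry.key.lower().startswith("hklm\\software\\classes\\applications\\"):
        return f"'Open With' application entry the override points at; it runs: {entry.value}"
    return "flagged as a malware launch point; review by hand"


def exe_handler_override(report: str) -> Optional[str]:
    """Program every .exe is routed through, or None when no such override is flagged."""
    for e in flagged_entries(report):
        m = _FILEEXTS.search(e.key)
        if m and m["ext"].lower() == ".exe" and e.name.lower() == "application":
            return e.value
    return None


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_REPORT):
        print(f"{e.key}\n  {e.name} = {e.value}\n  -> {explain(e)}")
    print("every .exe routed through:", exe_handler_override(SAMPLE_REPORT))  # iexplore.exe
```

With that override in place Explorer launches every .exe through the named program rather than the machine-wide exefile handler, which is what the symptom described in this thread (IE flashing up for each application) looks like; removing the per-user "Application" value lets the exefile handler apply again.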
snip91

O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab

Fix this too.

mik2

Removed... Current log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:40, on 2008-06-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu 7\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206280263925
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

--
End of file - 4155 bytes

But unfortunately it's still the same... As soon as you try to open some application, an IE process starts for a second, then it closes. Nothing else. What could it be?

diablo45

All I can say is that this log is clean. I haven't come across such a phenomenon.

mik2

Maybe someone knows how to solve this? Maybe IE is simply assigned to open these applications? Or something like that? I don't know, I'm no expert at this... But thanks in advance for any help :)

CatchMe

Take a screenshot of the task manager while it is starting that process and paste the picture for us.

mik2

Here you go, I wanted to start Word and an IE process comes up:

qqqgm4.jpg

CatchMe

It doesn't look bad, everything is normal. Paste a ComboFix log.

mik2

ComboFix log:

ComboFix 08-06-20.4 - AMD 800 2008-07-01 12:21:03.3 - FAT32x86
Microsoft Windows XP Professional  5.1.2600.1.1250.1.1045.18.313 [GMT 2:00]
Running from: C:\Documents and Settings\AMD 800\Pulpit\G R Y   MICHAŁA\ComboFix.exe
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2008-06-01 to 2008-07-01  )))))))))))))))))))))))))))))))
.

2008-06-30 14:10 . 2008-06-30 14:10	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-30 14:09 . 2008-06-30 14:09	<DIR>	d--------	C:\Program Files\Lavalys
2008-06-30 09:16 . 2008-06-30 09:16	<DIR>	d--hs----	C:\FOUND.011
2008-06-28 13:16 . 2001-08-17 22:03	24,192	--a------	C:\WINDOWS\system32\drivers\usbser.sys
2008-06-28 13:16 . 2001-08-17 22:03	24,192	--a------	C:\WINDOWS\system32\dllcache\usbser.sys
2008-06-27 18:06 . 2008-06-27 18:07	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-27 18:06 . 2008-06-27 18:07	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-06-27 15:20 . 2008-06-27 15:20	<DIR>	d--------	C:\WINDOWS\system32\DRVSTORE
2008-06-27 15:20 . 2008-06-27 15:20	<DIR>	d--------	C:\Program Files\PC Connectivity Solution
2008-06-27 15:20 . 2008-06-27 15:20	<DIR>	d--------	C:\Program Files\DIFX
2008-06-27 15:20 . 2007-11-29 10:33	1,419,232	--a------	C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-06-27 15:20 . 2007-11-29 10:39	95,744	--a------	C:\WINDOWS\system32\nmwcdcocls.dll
2008-06-27 15:20 . 2007-11-29 10:32	48,128	--a------	C:\WINDOWS\system32\nmwcdcls.dll
2008-06-27 15:20 . 2007-09-17 15:53	21,632	--a------	C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-06-27 15:20 . 2007-11-29 10:39	16,896	--a------	C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-06-27 15:20 . 2007-11-29 10:39	8,064	--a------	C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-06-27 15:19 . 2008-06-27 15:19	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-06-26 16:49 . 2008-06-26 16:50	<DIR>	d--------	C:\Program Files\7-Zip
2008-06-25 23:12 . 2008-06-25 23:12	<DIR>	d--------	C:\Program Files\Wesnoth 1.4

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((   snapshot@2008-06-30_21.29.59,22   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 16:51:22	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-07-01 09:30:50	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu 7\gg.exe" [2005-09-15 15:43 1712128]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 21:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 21:19 323584 C:\WINDOWS\system32\nwiz.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-02-28 15:34 921600]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 16:05 13312]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
RaConfig.lnk - C:\WINDOWS\system32\RaConfig.exe [2006-11-06 13:38:57 380928]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]
Z:\Program Files\TLEN\tlen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
Z:\Program Files\Skype\Phone\Skype.exe

R3 RT2400;RT2400 Wireless Driver;C:\WINDOWS\System32\DRIVERS\RT2400.sys [2003-10-08 13:14]
S3 WLPCIV27;IEEE802.11b WLAN PCI Card v3.0 Driver;C:\WINDOWS\System32\DRIVERS\WLPCIV27.sys [2002-07-30 10:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 13:50:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 12:24:50
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-07-01 12:25:28
ComboFix-quarantined-files.txt  2008-07-01 10:25:26
ComboFix3.txt  2008-06-30 19:30:20
ComboFix2.txt  2008-07-01 09:27:56

Pre-Run: 1,638,432,768 bajtów wolnych
Post-Run: 1,629,663,232 bajtów wolnych

CatchMe

Looks OK. Apparently some process is using it. Maybe Spybot...

mik2

But why does it start with every application? Nothing can be opened normally; only after choosing Run as -> current user -> OK do most applications start, normally nothing launches. Spybot-S&D is installed on the computer, do you think that could be related?

CatchMe

Maybe, maybe not. Run the system through an online scanner: http://www.kaspersky.pl/virusscanner.html and paste the report.

mik2

From the scanner window:

The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX technology and Kaspersky Online Scanner work only under MS Internet Explorer version 5.0 or higher.

And IE refuses to start no matter what.

CatchMe

Reinstall IE... head over to Microsoft's site.

mik2

I reinstalled it, still nothing, the browser doesn't start.
