mik2, thread created 30 June 2008

Hello everyone. I don't know what is going on with my computer, but when I try to open any application, an IExplorer process starts for a moment and then exits, and nothing else happens. I barely managed to run HJT, so I'm pasting the log and asking for help as quickly as possible!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:10:49, on 2008-06-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\RaConfig.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu 7\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1123561945-789336058-1060284298-1003\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu 7\gg.exe" /tray (User '?')
O4 - HKUS\S-1-5-21-1123561945-789336058-1060284298-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background (User '?')
O4 - HKUS\S-1-5-21-1123561945-789336058-1060284298-1003\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206280263925
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

--
End of file - 4541 bytes
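The O16 (Downloaded Program Files) entries in the log above are the lines a helper would triage first, and the next reply in this thread singles one of them out. The Python below is an added example, not part of the thread and not code from HijackThis: it parses the four O16 lines (copied from the log above as a constructed sample) and flags an entry when its codebase is not an http/https download, is a bare .exe rather than a CAB/OCX/DLL/INF package, carries a CLSID built from only a few distinct hex digits, or has no friendly name registered. The thresholds and the list of expected package suffixes are my assumptions, not HijackThis rules.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the O16 lines from the HijackThis log posted above.
SAMPLE_O16 = r"""O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206280263925
"""

# Line layout: O16 - DPF: <clsid or name> [(<friendly name>)] - <codebase URL>
O16_RE = re.compile(r'^O16 - DPF: (\S+)(?: \((.*?)\))? - (\S+)$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Assumption: a legitimately deployed ActiveX control ships as one of these.
EXPECTED_SUFFIXES = (".cab", ".ocx", ".dll", ".inf")
# Assumption: a generated GUID uses many distinct hex digits; fewer looks hand-typed.
MIN_DISTINCT_HEX_DIGITS = 6


def parse_o16(log_text):
    """Yield (identifier, friendly_name_or_None, codebase) for every O16 line."""
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def suspicious_reasons(identifier, name, codebase):
    """Heuristic red flags for one Downloaded Program Files entry (empty list = none)."""
    reasons = []
    scheme = urlparse(codebase).scheme.lower()
    if scheme not in ("http", "https"):
        reasons.append("codebase is not a web download (%s://)" % scheme)
    path = codebase.split("?", 1)[0].lower()          # drop cache-buster query strings
    if not path.endswith(EXPECTED_SUFFIXES):
        reasons.append("codebase is a bare .%s, not a CAB/OCX/DLL/INF package"
                       % path.rsplit(".", 1)[-1])
    if GUID_RE.match(identifier):
        distinct = set(identifier.strip("{}").replace("-", "").lower())
        if len(distinct) < MIN_DISTINCT_HEX_DIGITS:
            reasons.append("CLSID uses only %d distinct hex digits (looks hand-typed, not generated)"
                           % len(distinct))
        if name is None:
            reasons.append("no friendly name registered for the control")
    return reasons


def scan_o16(log_text):
    """Return {identifier: [reasons]} for every O16 entry with at least one red flag."""
    flagged = {}
    for ident, name, codebase in parse_o16(log_text):
        reasons = suspicious_reasons(ident, name, codebase)
        if reasons:
            flagged[ident] = reasons
    return flagged


if __name__ == "__main__":
    for ident, reasons in scan_o16(SAMPLE_O16).items():
        print(ident)
        for reason in reasons:
            print("  -", reason)
```

On the sample above only the {11311111-...} entry is flagged, and it trips all four heuristics at once: a file:// codebase inside C:\Recycled, an .exe payload, a CLSID consisting of the digits 1, 3, 5 and 7, and no friendly name. The Symantec, Windows Update and CDMNet entries pass, which is what you want from a triage filter: it points at what to read, it does not replace reading it.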
seba115, comment, 30 June 2008

FIX:
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe

I don't see anything else, but let someone else check it too, because I'm a beginner.
mik2 (author), comment, 30 June 2008

Normally, after applying the fix and rescanning, that entry kept reappearing, but I managed to remove it in Safe Mode. Does anyone have any other suggestions about this log? Because removing that thing didn't help at all... Here is a SilentRunners log as well:

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu 7\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"
  -> {HKLM...CLSID} = "Eksplorator pulpitów"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "D:\PROGRA~1\OFFICE~1\Office\OLKFSTUB.DLL" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile"
  -> {HKLM...CLSID} = "Mobile"
                   \InProcServer32\(Default) = "D:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll" ["Siemens AG"]
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile ContextMenuHandler"
  -> {HKLM...CLSID} = "Mobile ContextMenuHandler"
                   \InProcServer32\(Default) = "D:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll" ["Siemens AG"]
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}" = "Mobile PropertySheetHandler"
  -> {HKLM...CLSID} = "Mobile PropertySheetHandler"
                   \InProcServer32\(Default) = "D:\Program Files\Siemens AG\Data Exchange Software\DESShellExt.dll" ["Siemens AG"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Default executables:
--------------------

<<!>> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
"Application" = "iexplore.exe"

<<!>> HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" %1" [MS]

HKLM\SOFTWARE\Classes\.bat\(Default) = "batfile"
HKLM\SOFTWARE\Classes\batfile\shell\open\command\(Default) = (value not set)

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = (value not set)

HKLM\SOFTWARE\Classes\.pif\(Default) = "piffile"
HKLM\SOFTWARE\Classes\piffile\shell\open\command\(Default) = (value not set)

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Documents and Settings\AMD 800\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\AMD 800\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

RPCDBurningOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.CDBurn.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.CDBurn.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /burn "%1"" ["RealNetworks, Inc."]

RPDeviceOnArrival\
"Provider" = "RealPlayer"
"ProgID" = "RealPlayer.HWEventHandler"
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID\(Default) = "{67E76F1D-BDE2-4052-913C-2752366192D2}"
  -> {HKLM...CLSID} = "RealNetworks Scheduler"
                   \LocalServer32\(Default) = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -autoplay" ["RealNetworks, Inc."]

RPPlayCDAudioOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AudioCD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.AudioCD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /play %1 " ["RealNetworks, Inc."]

RPPlayDVDMovieOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.DVD.6"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\RealPlayer.DVD.6\shell\play\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /dvd %1 " ["RealNetworks, Inc."]

RPPlayMediaOnArrival\
"Provider" = "RealPlayer"
"InvokeProgID" = "RealPlayer.AutoPlay.6"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\RealPlayer.AutoPlay.6\shell\open\command\(Default) = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" /autoplay "%1"" ["RealNetworks, Inc."]


Startup items in "AMD 800" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"RaConfig" -> shortcut to: "C:\WINDOWS\system32\RaConfig.exe" ["Ralink Technology, Corp."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbar1.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Real.com"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


---------- (launch time: 2008-06-30 16:16:19)

<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 121 seconds, including 6 seconds for message boxes)
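The SilentRunners output above marks two lines with `<<!>>` in its "Default executables" section: a per-user FileExts\.exe "Application" value naming iexplore.exe, and the Applications\iexplore.exe open command that value points to. On XP-era Explorer a per-user "Open With" choice recorded under HKCU\...\FileExts takes precedence over the machine-wide exefile association, so this pair is the first thing a practitioner would check against the symptom described in this thread (an IE process flashing up whenever a program is launched from Explorer, while "Run as" still works). The Python below is an added example, not code from the thread or from SilentRunners: it parses a constructed copy of that section, reports the override, treats "(value not set)" for the exefile command as unverified rather than as proof the value is gone, and emits the .reg text that removes the override and re-asserts the stock XP `"%1" %*` command. The section delimiting (a header line ending in a colon) and the set of executable extensions are my assumptions about the log layout.

```python
import re

# Constructed sample input: the "Default executables" block of the
# SilentRunners log posted above, plus the header of the following section.
SAMPLE_LOG = r"""Default executables:
--------------------

<<!>> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\
"Application" = "iexplore.exe"

<<!>> HKLM\SOFTWARE\Classes\Applications\iexplore.exe\shell\open\command\(Default) = ""C:\Program Files\Internet Explorer\iexplore.exe" %1" [MS]

HKLM\SOFTWARE\Classes\.exe\(Default) = "exefile"
HKLM\SOFTWARE\Classes\exefile\shell\open\command\(Default) = (value not set)

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
"""

# File types Explorer launches directly; a per-user "Open With" choice on any
# of these redirects every launch of that type to the chosen program.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr"}
DEFAULT_EXE_COMMAND = '"%1" %*'   # stock XP value of exefile\shell\open\command

FILEEXTS_RE = re.compile(
    r'^(?:<<!>> )?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer'
    r'\\FileExts\\(\.\w+)\\$')
APPLICATION_RE = re.compile(r'^"Application" = "([^"]+)"$')
OPEN_CMD_RE = re.compile(
    r'^(?:<<!>> )?HKLM\\SOFTWARE\\Classes\\([^\\]+)\\shell\\open\\command\\\(Default\) = '
    r'(.*?)(?: \[[^\]]*\])?$')


def default_executables_section(log_text):
    """Return only the lines of the 'Default executables' section."""
    lines = log_text.splitlines()
    if "Default executables:" not in lines:
        return []
    body = []
    for line in lines[lines.index("Default executables:") + 2:]:   # skip header + underline
        if line.endswith(":"):      # assumption: next section header ends with a colon
            break
        body.append(line)
    return body


def find_overrides(log_text):
    """Map extension -> program named by a per-user 'Open With' choice (HKCU FileExts)."""
    section = default_executables_section(log_text)
    overrides = {}
    for i, line in enumerate(section[:-1]):
        m = FILEEXTS_RE.match(line)
        a = APPLICATION_RE.match(section[i + 1]) if m else None
        if m and a:
            overrides[m.group(1).lower()] = a.group(1)
    return overrides


def exefile_command(log_text):
    """Return the exefile open command exactly as SilentRunners printed it, or None."""
    for line in default_executables_section(log_text):
        m = OPEN_CMD_RE.match(line)
        if m and m.group(1).lower() == "exefile":
            return m.group(2)
    return None


def analyze(log_text):
    """Return (severity, message) findings about how executables get launched."""
    findings = []
    for ext, app in sorted(find_overrides(log_text).items()):
        if ext in EXECUTABLE_EXTS:
            findings.append(("high", "per-user Open With override: %s -> %s; Explorer hands every "
                             "%s it launches to %s instead of running it" % (ext, app, ext, app)))
    cmd = exefile_command(log_text)
    if cmd == "(value not set)":
        # The script could not read the value; that is not the same as it being missing.
        findings.append(("info", "exefile open command not readable from this log; confirm with "
                         "'reg query HKCR\\exefile\\shell\\open\\command /ve'"))
    elif cmd is not None:
        inner = cmd[1:-1] if len(cmd) >= 2 and cmd[0] == cmd[-1] == '"' else cmd
        if inner != DEFAULT_EXE_COMMAND:
            findings.append(("high", "exefile open command is %s, expected %s" % (cmd, DEFAULT_EXE_COMMAND)))
    return findings


def build_reg_fix(overrides, restore_exefile=True):
    """Build .reg text that deletes per-user overrides for executable types and
    rewrites the stock exefile open command (written as REG_SZ, which behaves the same)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for ext in sorted(overrides):
        if ext in EXECUTABLE_EXTS:
            # A leading '-' on a key name tells regedit to delete the whole key.
            out += [r"[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\%s]" % ext, ""]
    if restore_exefile:
        # .reg syntax escapes embedded double quotes with a backslash.
        out += [r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]",
                '@="%s"' % DEFAULT_EXE_COMMAND.replace('"', r'\"'), ""]
    return "\n".join(out)


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print("[%s] %s" % (severity, message))
    print(build_reg_fix(find_overrides(SAMPLE_LOG)))
```

Two caveats when using this. First, the "(value not set)" shown for exefile appears identically for batfile, piffile and scrfile in the log above, which points to the script not reading those values rather than to four wiped associations; confirm with reg query before concluding the machine-wide command is gone. Second, importing the .reg means starting regedit, and starting programs is exactly what is broken on this machine; the poster reports that "Run as" works, so launch regedit that way or from a command prompt opened the same way.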
snip91, comment, 30 June 2008

O4 - HKUS\S-1-5-18\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [sRUUninstall] "C:\WINDOWS\System32\msiexec.exe" /L*v C:\WINDOWS\TEMP\SND532unin.txt /x {6AF90EF6-F7F9-466C-99F4-1774826FBB40} /qn REBOOT=ReallySuppress (User 'Default user')
O16 - DPF: CDMNet - https://www.cdm.net.pl/cdm2/jar/CDMNetOnl.cab

Fix these as well.
mik2 (author), comment, 30 June 2008

Removed... Current log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:34:40, on 2008-06-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\UAService7.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\Opera\Opera.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu 7\gg.exe" /tray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: RaConfig.lnk = C:\WINDOWS\system32\RaConfig.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206280263925
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

--
End of file - 4155 bytes

But unfortunately it is still exactly the same... As soon as I try to open any application, an IE process starts for a second and then closes. Nothing further. What could it be?
diablo45, comment, 30 June 2008

All I can say is that this log is clean. I have not come across this phenomenon.

mik2 (author), comment, 30 June 2008

Does anyone know how to solve this? Maybe IE is simply assigned to open these applications? Or something like that? I don't know, I'm not an expert... But thanks in advance for any help.

CatchMe, comment, 30 June 2008

Take a screenshot of Task Manager when it starts that process and paste the picture for us.

mik2 (author), comment, 1 July 2008

Here you go; I tried to start Word and an IE process comes up:

CatchMe, comment, 1 July 2008

It doesn't look bad; everything is normal. Paste a ComboFix log.
mik2 (author), comment, 1 July 2008

ComboFix log:

ComboFix 08-06-20.4 - AMD 800 2008-07-01 12:21:03.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.1.1250.1.1045.18.313 [GMT 2:00]
Running from: C:\Documents and Settings\AMD 800\Pulpit\G R Y MICHAŁA\ComboFix.exe
 * Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
(((((((((((((((((((((((((  Files Created from 2008-06-01 to 2008-07-01  )))))))))))))))))))))))))))))))
.

2008-06-30 14:10 . 2008-06-30 14:10	<DIR>	d--------	C:\Program Files\Trend Micro
2008-06-30 14:09 . 2008-06-30 14:09	<DIR>	d--------	C:\Program Files\Lavalys
2008-06-30 09:16 . 2008-06-30 09:16	<DIR>	d--hs----	C:\FOUND.011
2008-06-28 13:16 . 2001-08-17 22:03	24,192	--a------	C:\WINDOWS\system32\drivers\usbser.sys
2008-06-28 13:16 . 2001-08-17 22:03	24,192	--a------	C:\WINDOWS\system32\dllcache\usbser.sys
2008-06-27 18:06 . 2008-06-27 18:07	0	--ah-----	C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-06-27 18:06 . 2008-06-27 18:07	0	--ah-----	C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-06-27 15:20 . 2008-06-27 15:20	<DIR>	d--------	C:\WINDOWS\system32\DRVSTORE
2008-06-27 15:20 . 2008-06-27 15:20	<DIR>	d--------	C:\Program Files\PC Connectivity Solution
2008-06-27 15:20 . 2008-06-27 15:20	<DIR>	d--------	C:\Program Files\DIFX
2008-06-27 15:20 . 2007-11-29 10:33	1,419,232	--a------	C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-06-27 15:20 . 2007-11-29 10:39	95,744	--a------	C:\WINDOWS\system32\nmwcdcocls.dll
2008-06-27 15:20 . 2007-11-29 10:32	48,128	--a------	C:\WINDOWS\system32\nmwcdcls.dll
2008-06-27 15:20 . 2007-09-17 15:53	21,632	--a------	C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-06-27 15:20 . 2007-11-29 10:39	16,896	--a------	C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-06-27 15:20 . 2007-11-29 10:39	8,064	--a------	C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-06-27 15:19 . 2008-06-27 15:19	<DIR>	d--------	C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-06-26 16:49 . 2008-06-26 16:50	<DIR>	d--------	C:\Program Files\7-Zip
2008-06-25 23:12 . 2008-06-25 23:12	<DIR>	d--------	C:\Program Files\Wesnoth 1.4

.
((((((((((((((((((((((((((((((((((((((((  Find3M Report  ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((((   snapshot@2008-06-30_21.29.59,22   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-30 16:51:22	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-07-01 09:30:50	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="D:\Program Files\Gadu-Gadu 7\gg.exe" [2005-09-15 15:43 1712128]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 21:19 4841472]
"nwiz"="nwiz.exe" [2003-07-28 21:19 323584 C:\WINDOWS\system32\nwiz.exe]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2006-02-28 15:34 921600]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-20 16:05 13312]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
RaConfig.lnk - C:\WINDOWS\system32\RaConfig.exe [2006-11-06 13:38:57 380928]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Komunikator]
Z:\Program Files\TLEN\tlen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-11-15 16:18 1670144 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
Z:\Program Files\Skype\Phone\Skype.exe

R3 RT2400;RT2400 Wireless Driver;C:\WINDOWS\System32\DRIVERS\RT2400.sys [2003-10-08 13:14]
S3 WLPCIV27;IEEE802.11b WLAN PCI Card v3.0 Driver;C:\WINDOWS\System32\DRIVERS\WLPCIV27.sys [2002-07-30 10:22]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-26 13:50:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 12:24:50
Windows 5.1.2600 Dodatek Service Pack. 1 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Program Files\Eset\pr_imon.dll
.
Completion time: 2008-07-01 12:25:28
ComboFix-quarantined-files.txt 2008-07-01 10:25:26
ComboFix3.txt 2008-06-30 19:30:20
ComboFix2.txt 2008-07-01 09:27:56

Pre-Run: 1,638,432,768 bajtów wolnych
Post-Run: 1,629,663,232 bajtów wolnych

95
CatchMe, comment, 1 July 2008

Looks OK. Evidently some process is using it. Maybe Spybot...

mik2 (author), comment, 1 July 2008

But why does it start with every application? Nothing can be opened normally; only after choosing Run as -> current user -> OK do most applications start, otherwise nothing opens. Spybot-S&D is installed on the computer; do you think it could be related?

CatchMe, comment, 1 July 2008

It may be, but it doesn't have to be. Run the system through the online scanner: http://www.kaspersky.pl/virusscanner.html and paste the report.

mik2 (author), comment, 1 July 2008

From the scanner window: "The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX technology and Kaspersky Online Scanner work only under MS Internet Explorer version 5.0 or higher." And IE refuses to start no matter what.

CatchMe, comment, 1 July 2008

Reinstall IE... head over to Microsoft's site.

mik2 (author), comment, 1 July 2008

I reinstalled it; still nothing, the browser won't start.