Avira detected WORM/VB.DW, which I moved to quarantine


(Gismo137) #1

Hello, my Avira detected WORM/VB.DW, which I moved to quarantine. Do I need to do anything else?


(kwasior) #2

You can post logs from HijackThis.


(Gismo137) #3

Logfile of HijackThis v1.99.1
Scan saved at 13:18:06, on 2007-02-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:\instalki\komunikator internet\Tlen.pl\tlen.exe
D:\instalki\TLENGA~1\AQQ\AQQ.exe
D:\instalki\google desktop\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
D:\instalki\dla outlook\HideOE\HideOE.exe
D:\instalki\kalendarz XP\Kalendarz XP\Kalendarz.exe
C:\Program Files\outlook express\msimn.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
D:\instalki\bluetooth\BTNtService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
D:\alkohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\instalki\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\ATI Technologies\ATI.ACE\help\wwhelp\wwhimpl\common\html\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu46\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Program Files\ICQToolbar\tbu46\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\instalki\Adobe reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\instalki\SPYBOT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\tbu46\toolbaru.dll
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [skrót do strony właściwości High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Komunikator] D:\instalki\komunikator internet\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [AQQ] D:\instalki\TLENGA~1\AQQ\AQQ.exe
O4 - HKCU\..\Run: [RocketDock] "D:\instalki\google desktop\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HideOE] "D:\instalki\dla outlook\HideOE\HideOE.exe"
O4 - Global Startup: Kalendarz XP.lnk = D:\instalki\kalendarz XP\Kalendarz XP\Kalendarz.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoftware.com/activescan … asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75976636-84E5-4EAF-9A54-1234DFD59702}: NameServer = 213.241.79.37 83.238.255.76
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\toolbars\Shared\Skype4ComAPI.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\instalki\bluetooth\BTNtService.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - D:\instalki\Common\Database\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\alkohol 120%\Alcohol 120\StarWind\StarWindService.exe


(JNJN) #4

gismo137

Read the pinned topics in this section and fix your posts.

JNJN


(adam9870) #5

The log is clean.

You can run a scan at http://www.ewido.net/en/ and post the report along with a SilentRunners log.


(Gismo137) #6

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = "D:\instalki\komunikator internet\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]
"AQQ" = "D:\instalki\TLENGA~1\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]
"RocketDock" = ""D:\instalki\google desktop\RocketDock\RocketDock.exe"" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"HideOE" = ""D:\instalki\dla outlook\HideOE\HideOE.exe"" ["r2 studios"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"lxccmon.exe" = ""C:\Program Files\Lexmark 3300 Series\lxccmon.exe"" ["Lexmark International, Inc."]
"avgnt" = ""C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"Skrót do strony właściwości High Definition Audio" = "HDAShCut.exe" ["Windows ® Server 2003 DDK provider"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Nero AG"]
"LClock" = "C:\Program Files\LClock\LClock.exe" [null data]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
  \StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{055FD26D-3A88-4e15-963D-DC8493744B1D}\(Default) = "XTTBPos00"
  -> {HKLM...CLSID} = "XTTBPos00 Class"
     \InProcServer32\(Default) = "C:\Program Files\ICQToolbar\tbu46\toolbaru.dll" ["IE Toolbar"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "D:\instalki\Adobe reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "D:\instalki\SPYBOT~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {HKLM...CLSID} = "Shell Extension for CDRW"
     \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"
  -> {HKLM...CLSID} = "GMail Drive"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"
  -> {HKLM...CLSID} = "GMailFS Property Sheet"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"
  -> {HKLM...CLSID} = "GMailFS Drop Handler"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"
  -> {HKLM...CLSID} = "GMailFS Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""D:\instalki\Openoffice\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "D:\instalki\Adobe reader\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "D:\instalki\7-Zip\7-zip.dll" ["Igor Pavlov"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
     \InProcServer32\(Default) = "D:\instalki\IZARCK~1\IZArc\IZArcCM.dll" [null data]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
     \InProcServer32\(Default) = "D:\instalki\notepad\Notepad++\nppcm.dll" ["Burgaud.com"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "D:\instalki\7-Zip\7-zip.dll" ["Igor Pavlov"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
     \InProcServer32\(Default) = "D:\instalki\IZARCK~1\IZArc\IZArcCM.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ALSongContext\(Default) = "{CBE49257-71F8-44B4-B536-FF5359F0AEAA}"
  -> {HKLM...CLSID} = "ALContextMenu Class"
     \InProcServer32\(Default) = "D:\instalki\alsong\ALSong\ALSongSh.dll" ["Copyright © 2005 ESTsoft corp."]
ImageResizer\(Default) = "{2BB59FC0-31E8-42DA-9D3C-E9A52953853B}"
  -> {HKLM...CLSID} = "ImageResizer Shell Extension"
     \InProcServer32\(Default) = "D:\instalki\PHOTO_~1\IMAGER~1\RSZShell.dll" ["VSO Software"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["H+BEDV Datentechnik GmbH"]


Group Policies {GPedit.msc branch and setting}:

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Adamiak\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\Vista.scr" [MS]


Startup items in "Adamiak" & "All Users" startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Kalendarz XP" -> shortcut to: "D:\instalki\kalendarz XP\Kalendarz XP\Kalendarz.exe" [null data]


Enabled Scheduled Tasks:

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}"
  -> {HKLM...CLSID} = "ICQ Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\ICQToolbar\tbu46\toolbaru.dll" ["IE Toolbar"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\ICQToolbar\tbu46\toolbaru.dll" ["IE Toolbar"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


Miscellaneous IE Hijack Points

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{855F3B16-6D32-4fe6-8A56-BBB695989046}" = (no title provided)
  -> {HKLM...CLSID} = "ICQ Toolbar"
     \InProcServer32\(Default) = "C:\Program Files\ICQToolbar\tbu46\toolbaru.dll" ["IE Toolbar"]


Running Services (Display Name, Service Name, Path {Service DLL}):

AntiVir PersonalEdition Classic Guard, AntiVirService, "C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe" ["AVIRA GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, "C:\Program Files\AntiVir PersonalEdition Classic\sched.exe" ["Avira GmbH"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BlueSoleil Hid Service, BlueSoleil Hid Service, "D:\instalki\bluetooth\BTNtService.exe" [null data]
InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
lxcc_device, lxcc_device, "C:\WINDOWS\system32\lxcccoms.exe -service" ["Lexmark International, Inc."]
StarWind iSCSI Service, StarWindService, "D:\alkohol 120%\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]


Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\
3300 Series Port\Driver = "lxcclmpm.DLL" ["Lexmark International, Inc."]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]


<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.
  • To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
  • The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 94 seconds.
---------- (total run time: 144 seconds)


(adam9870) #7

Both logs are clean.

Ewido found only completely harmless cookies. You can delete them (for example with the free ATF Cleaner program), but after doing so you may lose things like automatic login on web forums.


(Gismo137) #8

Thanks, regards.