Ok wielkie dzieki za info.Nie pozostaje Mi nic innego jak zabrac sie do roboty…jak zrobie to sie odezwe.Pozdrawiam…
Złączono Posta : 09.02.2007 (Pią) 21:41
HijackThis:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programy\Power DVD 6\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
D:\Programy\Java\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programy\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Slawek\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programy\Java\bin\ssv.dll
O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM…\Run: [RemoteControl] “D:\Programy\Power DVD 6\PDVDServ.exe”
O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM…\Run: [sunJavaUpdateSched] “D:\Programy\Java\bin\jusched.exe”
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM…\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [WinampAgent] D:\Programy\Winamp\winampa.exe
O4 - HKLM…\Run: [TRIXX] “D:\Programy\ATI Trixx\TRIXX\TRIXX.exe” -s
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”
O4 - HKCU…\Run: [Gadu-Gadu] “D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe” /tray
O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - Startup: HDDlife.lnk = D:\Programy\HDDLifePro\HDDlifePro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_71.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_30.cab
O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) - http://67.15.101.3/g_bin/pl/slots90_2_0_0_30.cab
O16 - DPF: {4B4513E2-4E57-43DF-9496-FCD37E9DFA64} (GameDesire Sea Battle) - http://67.15.101.3/g_bin/pl/navy_2_0_0_23.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab
O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_22.cab
O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/pl/darts_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C2} (GameDesire Pool 9) - http://67.15.101.3/g_bin/pl/billard9_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C3} (GameDesire Pool 14) - http://67.15.101.3/g_bin/pl/billard14_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_28.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
SilentRunners:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”” [“Nero AG”]
“Gadu-Gadu” = ““D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]
“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“Skrót do strony właściwości High Definition Audio” = “HDAudPropShortcut.exe” [“Windows ® Server 2003 DDK provider”]
“RemoteControl” = ““D:\Programy\Power DVD 6\PDVDServ.exe”” [“Cyberlink Corp.”]
“High Definition Audio Property Page Shortcut” = “HDAShCut.exe” [“Windows ® Server 2003 DDK provider”]
“SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”]
“AlcWzrd” = “ALCWZRD.EXE” [“RealTek Semicoductor Corp.”]
“SunJavaUpdateSched” = ““D:\Programy\Java\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“HP Component Manager” = ““C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]
“avast!” = “d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]
“WinampAgent” = “D:\Programy\Winamp\winampa.exe” [null data]
“TRIXX” = ““D:\Programy\ATI Trixx\TRIXX\TRIXX.exe” -s” [“Sapphire Technologies”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”
-> {HKLM…CLSID} = “Skype add-on (mastermind)”
\InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “D:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “D:\Programy\Java\bin\ssv.dll” [“Sun Microsystems, Inc.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx”
-> {HKLM…CLSID} = “AlcoholShellEx”
\InProcServer32(Default) = “D:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
“{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler”
-> {HKLM…CLSID} = “NeroDigitalIconHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
“{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler”
-> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “d:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
“{CCA60260-A2C9-11D2-BA62-0020188191B2}” = “Registrar Registry Manager SHell Extension”
-> {HKLM…CLSID} = “Registrar Registry Manager SHell Extension”
\InProcServer32(Default) = “rrShellX.dll” [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
-> {HKLM…CLSID} = “WPDShServiceObj Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler”
-> {HKLM…CLSID} = “NeroDigitalColumnHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “d:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “d:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\Slawek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\system32\sstext3d.scr” [MS]
Startup items in “Slawek” & “All Users” startup folders:
C:\Documents and Settings\Slawek\Menu Start\Programy\Autostart
“HDDlife” -> shortcut to: “D:\Programy\HDDLifePro\HDDlifePro.exe” [file not found]
Enabled Scheduled Tasks:
“Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDetect.exe” [file not found]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.5.0_10”
\InProcServer32(Default) = “D:\Programy\Java\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.5.0_10”
\InProcServer32(Default) = “D:\Programy\Java\bin\npjpi150_10.dll” [“Sun Microsystems, Inc.”]
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
“ButtonText” = “Skype”
“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”
-> {HKLM…CLSID} = “Skype add-on (button)”
\InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
“MenuText” = “@xpsp3res.dll,-20001”
“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]
avast! Antivirus, avast! Antivirus, ““d:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]
avast! iAVS4 Control Service, aswUpdSv, ““d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]
avast! Mail Scanner, avast! Mail Scanner, ““d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]
avast! Web Scanner, avast! Web Scanner, ““d:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]
SecuROM User Access Service (V7), UserAccess7, “C:\WINDOWS\system32\UAService7.exe” [“Sony DADC Austria AG.”]
<>: Suspicious data at a malware launch point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 47 seconds, including 18 seconds for message boxes)
zawartość pliku c:\fixwareout\report.txt
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\System32\kdqqw.exe will be moved to C:\WINDOWS\temp\kdqqw.ren at reboot.
»»»»» System restarted
Reg Entries that were deleted
…
Random Runs removed from HKLM
…
»»»»» Misc files.
»»»»» Checking for older varients.
»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
“system”=""
»»»»»
PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Search five digit cs, dm kd and jb files.
»»»»»
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Skrót do strony właściwości High Definition Audio”=“HDAudPropShortcut.exe”
“RemoteControl”="“D:\Programy\Power DVD 6\PDVDServ.exe”"
“High Definition Audio Property Page Shortcut”=“HDAShCut.exe”
“SoundMan”=“SOUNDMAN.EXE”
“AlcWzrd”=“ALCWZRD.EXE”
“SunJavaUpdateSched”="“D:\Programy\Java\bin\jusched.exe”"
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe”
“HP Component Manager”="“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”"
“avast!”=“d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“WinampAgent”=“D:\Programy\Winamp\winampa.exe”
“TRIXX”="“D:\Programy\ATI Trixx\TRIXX\TRIXX.exe” -s"
“bgg”=“C:\WINDOWS\bggskan.exe”
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe”
“MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background"
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”="“C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”"
“Gadu-Gadu”="“D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe” /tray"
“Skype”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized"
Hosts file was reset, If you use a custom hosts file please replace it
Złączono Posta : 09.02.2007 (Pią) 21:45
HijackThis:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programy\Power DVD 6\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
D:\Programy\Java\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programy\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Slawek\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programy\Java\bin\ssv.dll
O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM…\Run: [RemoteControl] “D:\Programy\Power DVD 6\PDVDServ.exe”
O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM…\Run: [sunJavaUpdateSched] “D:\Programy\Java\bin\jusched.exe”
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM…\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [WinampAgent] D:\Programy\Winamp\winampa.exe
O4 - HKLM…\Run: [TRIXX] “D:\Programy\ATI Trixx\TRIXX\TRIXX.exe” -s
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”
O4 - HKCU…\Run: [Gadu-Gadu] “D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe” /tray
O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - Startup: HDDlife.lnk = D:\Programy\HDDLifePro\HDDlifePro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_71.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_30.cab
O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) - http://67.15.101.3/g_bin/pl/slots90_2_0_0_30.cab
O16 - DPF: {4B4513E2-4E57-43DF-9496-FCD37E9DFA64} (GameDesire Sea Battle) - http://67.15.101.3/g_bin/pl/navy_2_0_0_23.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab
O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_22.cab
O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/pl/darts_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C2} (GameDesire Pool 9) - http://67.15.101.3/g_bin/pl/billard9_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C3} (GameDesire Pool 14) - http://67.15.101.3/g_bin/pl/billard14_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_28.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
SilentRunners:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”” [“Nero AG”]
“Gadu-Gadu” = ““D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]
“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“Skrót do strony właściwości High Definition Audio” = “HDAudPropShortcut.exe” [“Windows ® Server 2003 DDK provider”]
“RemoteControl” = ““D:\Programy\Power DVD 6\PDVDServ.exe”” [“Cyberlink Corp.”]
“High Definition Audio Property Page Shortcut” = “HDAShCut.exe” [“Windows ® Server 2003 DDK provider”]
“SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”]
“AlcWzrd” = “ALCWZRD.EXE” [“RealTek Semicoductor Corp.”]
“SunJavaUpdateSched” = ““D:\Programy\Java\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“HP Component Manager” = ““C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]
“avast!” = “d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]
“WinampAgent” = “D:\Programy\Winamp\winampa.exe” [null data]
“TRIXX” = ““D:\Programy\ATI Trixx\TRIXX\TRIXX.exe” -s” [“Sapphire Technologies”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”
-> {HKLM…CLSID} = “Skype add-on (mastermind)”
\InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “D:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “D:\Programy\Java\bin\ssv.dll” [“Sun Microsystems, Inc.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx”
-> {HKLM…CLSID} = “AlcoholShellEx”
\InProcServer32(Default) = “D:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
“{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler”
-> {HKLM…CLSID} = “NeroDigitalIconHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
“{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler”
-> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “d:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
“{CCA60260-A2C9-11D2-BA62-0020188191B2}” = “Registrar Registry Manager SHell Extension”
-> {HKLM…CLSID} = “Registrar Registry Manager SHell Extension”
\InProcServer32(Default) = “rrShellX.dll” [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
-> {HKLM…CLSID} = “WPDShServiceObj Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler”
-> {HKLM…CLSID} = “NeroDigitalColumnHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “d:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “d:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Programy\WinRAR 3.20 PL\rarext.dll” [null data]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\Slawek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\system32\sstext3d.scr” [MS]
Startup items in “Slawek” & “All Users” startup folders:
C:\Documents and Settings\Slawek\Menu Start\Programy\Autostart
“HDDlife” -> shortcut to: “D:\Programy\HDDLifePro\HDDlifePro.exe” [file not found]
Enabled Scheduled Tasks:
“Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDetect.exe” [file not found]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.5.0_10”
\InProcServer32(Default) = “D:\Programy\Java\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.5.0_10”
\InProcServer32(Default) = “D:\Programy\Java\bin\npjpi150_10.dll” [“Sun Microsystems, Inc.”]
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
“ButtonText” = “Skype”
“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”
-> {HKLM…CLSID} = “Skype add-on (button)”
\InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”]
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
“MenuText” = “@xpsp3res.dll,-20001”
“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]
avast! Antivirus, avast! Antivirus, ““d:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]
avast! iAVS4 Control Service, aswUpdSv, ““d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]
avast! Mail Scanner, avast! Mail Scanner, ““d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]
avast! Web Scanner, avast! Web Scanner, ““d:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]
SecuROM User Access Service (V7), UserAccess7, “C:\WINDOWS\system32\UAService7.exe” [“Sony DADC Austria AG.”]
<>: Suspicious data at a malware launch point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 47 seconds, including 18 seconds for message boxes)
zawartość pliku c:\fixwareout\report.txt
Prerun check
»»»»» HKLM run and Winlogon System values
C:\WINDOWS\System32\kdqqw.exe will be moved to C:\WINDOWS\temp\kdqqw.ren at reboot.
»»»»» System restarted
Reg Entries that were deleted
…
Random Runs removed from HKLM
…
»»»»» Misc files.
»»»»» Checking for older varients.
»»»»» Postrun check
»»»»» HKLM run
»»»»» Winlogon System value
“system”=""
»»»»»
PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.
This WILL/CAN also list Legit Files, Submit them at Virustotal
Search five digit cs, dm kd and jb files.
»»»»»
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Skrót do strony właściwości High Definition Audio”=“HDAudPropShortcut.exe”
“RemoteControl”="“D:\Programy\Power DVD 6\PDVDServ.exe”"
“High Definition Audio Property Page Shortcut”=“HDAShCut.exe”
“SoundMan”=“SOUNDMAN.EXE”
“AlcWzrd”=“ALCWZRD.EXE”
“SunJavaUpdateSched”="“D:\Programy\Java\bin\jusched.exe”"
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe”
“HP Component Manager”="“C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”"
“avast!”=“d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe”
“WinampAgent”=“D:\Programy\Winamp\winampa.exe”
“TRIXX”="“D:\Programy\ATI Trixx\TRIXX\TRIXX.exe” -s"
“bgg”=“C:\WINDOWS\bggskan.exe”
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe”
“MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background"
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”="“C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe”"
“Gadu-Gadu”="“D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe” /tray"
“Skype”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized"
Hosts file was reset, If you use a custom hosts file please replace it
Złączono Posta : 09.02.2007 (Pią) 21:51
Przez przypadek złaczyłem ze saba POSTY za co przepraszam…:/:/:/Moim zdaniem jeszcze nie jest ok bo np.w HijackThis tej sciezki:O23 - Service: Bezpieczne GG - tymczasowa usluga (RPC) (bgg) - Unknown owner - C:\WINDOWS\enbgg.exe (file missing) nie było wogole.Co do Bezpiecznika gdy wpisywałem te Wymienione komendy to tylko w 1 wyskoczył kom ze DOBRZE reszta nie wiadomo…
Złączono Posta : 09.02.2007 (Pią) 22:11
Czekam na odp.;p;p;p
Złączono Posta : 09.02.2007 (Pią) 22:13
hijacKthis:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
d:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programy\Power DVD 6\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
D:\Programy\Java\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programy\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Slawek\Pulpit\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Programy\Java\bin\ssv.dll
O4 - HKLM…\Run: [skrót do strony właściwości High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM…\Run: [RemoteControl] "D:\Programy\Power DVD 6\PDVDServ.exe"
O4 - HKLM…\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM…\Run: [sunJavaUpdateSched] "D:\Programy\Java\bin\jusched.exe"
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM…\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [WinampAgent] D:\Programy\Winamp\winampa.exe
O4 - HKLM…\Run: [TRIXX] “D:\Programy\ATI Trixx\TRIXX\TRIXX.exe” -s
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU…\Run: [Gadu-Gadu] “D:\Programy\Gadu-Gadu\Gadu-Gadu\gg.exe” /tray
O4 - HKCU…\Run: [skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - Startup: HDDlife.lnk = D:\Programy\HDDLifePro\HDDlifePro.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Programy\Java\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_71.cab
O16 - DPF: {41ACD49D-1974-791A-0981-AA9872721044} (Ganymede Board Games) - http://67.15.101.3/g_bin/pl/boards_2_0_0_30.cab
O16 - DPF: {4539348E-01D7-11D5-9A39-0080C8D85044} (GameDesire Slots 90th) - http://67.15.101.3/g_bin/pl/slots90_2_0_0_30.cab
O16 - DPF: {4B4513E2-4E57-43DF-9496-FCD37E9DFA64} (GameDesire Sea Battle) - http://67.15.101.3/g_bin/pl/navy_2_0_0_23.cab
O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_43.cab
O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_22.cab
O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.3/g_bin/pl/darts_2_0_0_35.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C2} (GameDesire Pool 9) - http://67.15.101.3/g_bin/pl/billard9_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C3} (GameDesire Pool 14) - http://67.15.101.3/g_bin/pl/billard14_2_0_0_28.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C5} (GameDesire Snooker) - http://67.15.101.3/g_bin/pl/snooker_2_0_0_28.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - d:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - d:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe