Dialer

Dla specjalistów Bezpieczeństwo
#1

Przyznam, że śledzę ten temat od kilku dni bo sam mam właśnie taką konfigurację (win2000 i dokładnie ten sam dialer).

Ponieważ nie doczekałem się porad działam na własną rękę.

Moim ISP jest NETIA, siedzę na czymś co możnaby nazwać Neostradą od Netii i dialer wkurza mnie niemiłosiernie, bo jak tylko się połączę z netem resetuje mi połączenie i wyświetla monit w stylu “czy połączyć ponownie” oczywiście już w ramach aplikacji diallera.

Oto co mi się udało ustalić:

  • pliki do wykasowania (manualnie, albo antydiallerem) to:

c:\winnt\55u1r4r7h8.exe

c:\Program Files\Common Files\delsim\del (czy jakoś tak)

c:\WINNT\system32\dllcache\checkweb.dll

Z tym ostatnim jest niestety najwięcej kłopotu (nie bardzo jest go jak usunąć bo zasadza się na nim system, ja miałem trudności również odpalając DOS’a; udało się dopiero po zmianach w rejestrze).

  • wydaje się, że z działaniem diallera powiązany jest proces o nazwie isampi

  • pomocne w zlokalizowaniu były aplikacje:

EWIDO (teraz AVG AntiSpy) - darmowy skaner online: http://www.ewido.net/en/onlinescan/

McAfee - skaner online (wymaga instalacji komponentu) - darmowy skaner online http://us.mcafee.com/root/runapplication.asp?appid=73

A-Square Malware scanner online - http://www.windowsecurity.com/trojanscan/trojanscan.asp (można również za darmo ściągnąć AntyDiallera ze strony http://www.emsisoft.com/en/ - polecam)

niestety wszelkie zainstalowane przeze mnie antydiallery (antydialler Tp, DialKill, A-Square) nie radzą sobie z mechanizmem odnawiania dialera, usuwają jedynie exeki…

  • narzędziem, które w ogóle pozwoliło mi COKOLWIEK zrobić na sieci okazał się firewall Sunbelt Kerio Personal Firewall (do ściągnięcia chociażby z Dobreprogramy.pl… tylko nie wiem jak, skoro dialer resetuje połączenie - goodluck)

  • korzystałem też z innych palikacji, takich jak Ad-Aware lub SpyBot, również z innych skanerów online, wydaje się jednak, że nie wiele mi to dało

  • na razie wciąż walczę, ale pewne postępy udało mi się osiągnąć po usunięciu niektórych wpisów w rejestrze; niestety nie jestem w stanie podać szczegółów bo improwizowałem :stuck_out_tongue: (regedit, opcja edycja->szukaj i kolejne nazwy: isampi, delsim, checkweb.dll oraz trafficjam i asam@delsim)

Za wszelkie podpowiedzi będę wdzięczny.

=================

EDIT: wygląda na to, że odpuścił?!? zdjąłem na parę minut firewalla i głowa nie odrosła tej hydrze - sądzę, że kluczem jest tutaj ten plik checkweb.dll

#2

wantul nie dopisuj się to tematów innych userów.

wydzielono

http://forum.dobreprogramy.pl/viewtopic … 065#994065

#3

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Zastosuj webcheck.vbs.

Po wykonaniu wklej komplet logów - HijackThis i SilentRunners:

http://forum.dobreprogramy.pl/viewtopic.php?t=36654

Dodatkowo przeskanuj system skanerem on-line http://www.ewido.net/en/onlinescan/ i wklej raport.

#4

Monczkin:

  1. sorry za zamieszanie

adam9870:

  1. rejestry poprawione zgodnie z instrukcją (dzięki, wcześniej robiłem to ręcznie i nie wiem czy wszystko udało mi się znaleźć)

  2. po poprawkach w rejestrach skrypcik webcheck.vbs wyświetla komunikat “Registry entry normal” - więc chyba wszystko gra

  3. wklejam logi (wykonane po poprawkach)

    Logfile of HijackThis v1.99.1

    Scan saved at 10:13:51, on 2007-04-22

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)

    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:

    C:\WINNT\System32\smss.exe

    C:\WINNT\system32\csrss.exe

    C:\WINNT\system32\winlogon.exe

    C:\WINNT\system32\services.exe

    C:\WINNT\system32\lsass.exe

    C:\WINNT\system32\nslsvice.exe

    C:\WINNT\system32\nsl.exe

    C:\WINNT\system32\svchost.exe

    C:\WINNT\system32\spoolsv.exe

    C:\Program Files\Avast4\aswUpdSv.exe

    C:\Program Files\Avast4\ashServ.exe

    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

    C:\WINNT\System32\svchost.exe

    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

    C:\WINNT\system32\nvsvc32.exe

    C:\WINNT\system32\regsvc.exe

    C:\WINNT\system32\MSTask.exe

    C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe

    C:\WINNT\System32\WBEM\WinMgmt.exe

    C:\WINNT\system32\mspmspsv.exe

    C:\WINNT\system32\svchost.exe

    C:\Program Files\Avast4\ashWebSv.exe

    C:\Program Files\Avast4\ashMaiSv.exe

    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

    C:\WINNT\Explorer.EXE

    C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe

    C:\WINNT\AGRSMMSG.exe

    C:\Program Files\PowerDVD\PDVDServ.exe

    C:\Program Files\McAfee.com\Agent\mcagent.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

    C:\PROGRA~1\Avast4\ashDisp.exe

    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

    C:\Program Files\Dialer Killer\DialKill.exe

    C:\Program Files\iPod\bin\iPodService.exe

    C:\Program Files\a-squared Anti-Dialer\a2adguard.exe

    C:\WINNT\system32\internat.exe

    C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    D:\instalki\tools\bezpieczenstwo\inne\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.pl/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

    O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll (file missing)

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

    O4 - HKLM…\Run: [Synchronization Manager] mobsync.exe /logon

    O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

    O4 - HKLM…\Run: [AGRSMMSG] AGRSMMSG.exe

    O4 - HKLM…\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe

    O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\PowerDVD\PDVDServ.exe”

    O4 - HKLM…\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

    O4 - HKLM…\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe

    O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”

    O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime

    O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup

    O4 - HKLM…\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe

    O4 - HKLM…\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

    O4 - HKLM…\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe

    O4 - HKLM…\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”

    O4 - HKLM…\Run: [SpeedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

    O4 - HKLM…\Run: [DialerKiller] C:\Program Files\Dialer Killer\DialKill.exe -h

    O4 - HKLM…\Run: [a-squared Anti-Dialer] “C:\Program Files\a-squared Anti-Dialer\a2adguard.exe”

    O4 - HKCU…\Run: [internat.exe] internat.exe

    O4 - HKCU…\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart

    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: SpeedTouch Dial-up.lnk = C:\Program Files\Thomson\SpeedTouch USB\stdialup.exe

    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

    O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)

    O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)

    O15 - Trusted Zone: http://www.mks.com.pl

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

    O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

    O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37710.cab

    O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5014/mcfscan.cab

    O17 - HKLM\System\CCS\Services\Tcpip…{1CF987F0-1659-41D3-809A-B2E74145DD08}: NameServer = 194.204.159.1,194.204.152.34

    O17 - HKLM\System\CCS\Services\Tcpip…{33805B51-FD0F-4421-926B-D9AB492E63EB}: NameServer = 213.241.79.37 83.238.255.76

    O17 - HKLM\System\CCS\Services\Tcpip…{D31507B7-FF67-46FA-88F5-F6D072A3E2AE}: NameServer = 194.204.159.1,194.204.152.34

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = crm.eon.altkom.pl

    O17 - HKLM\System\CS1\Services\Tcpip…{1CF987F0-1659-41D3-809A-B2E74145DD08}: NameServer = 194.204.159.1,194.204.152.34

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = crm.eon.altkom.pl

    O17 - HKLM\System\CS2\Services\Tcpip…{1CF987F0-1659-41D3-809A-B2E74145DD08}: NameServer = 194.204.159.1,194.204.152.34

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = crm.eon.altkom.pl

    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe

    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)

    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)

    O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

    O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe

    O23 - Service: Lotus Notes — pojedyncze logowanie (Lotus Notes Single Logon) - Unknown owner - C:\WINNT\system32\nslsvice.exe

    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

    O23 - Service: SiS WirelessLan Service (SiSWLSvc) - Unknown owner - C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe

    “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/

    Operating System: Windows 2000

    Output limited to non-default values, except where indicated by “{++}”

    Startup items buried in registry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

    “internat.exe” = “internat.exe” [MS]

    “OM_Monitor” = “C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart” [“OLYMPUS IMAGING CORP.”]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

    “Synchronization Manager” = “mobsync.exe /logon” [MS]

    “NvCplDaemon” = “RUNDLL32.EXE NvQTwk,NvCplDaemon initialize” [MS]

    “AGRSMMSG” = “AGRSMMSG.exe” [“Agere Systems”]

    “NeroCheck” = “C:\WINNT\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

    “RemoteControl” = ““C:\Program Files\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]

    “MCAgentExe” = “C:\Program Files\McAfee.com\Agent\mcagent.exe” [“McAfee.com Corporation”]

    “MCUpdateExe” = “C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe” [“McAfee.com Corporation”]

    “iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Computer, Inc.”]

    “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”]

    “PCSuiteTrayApplication” = “C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup” [“Nokia”]

    “avast!” = “C:\PROGRA~1\Avast4\ashDisp.exe” [“ALWIL Software”]

    “GhostStartTrayApp” = “C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe” [“Symantec Corporation”]

    “OM_Monitor” = “C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe” [“OLYMPUS IMAGING CORP.”]

    “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”” [“Sun Microsystems, Inc.”]

    “SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

    “DialerKiller” = “C:\Program Files\Dialer Killer\DialKill.exe -h” [empty string]

    “a-squared Anti-Dialer” = ““C:\Program Files\a-squared Anti-Dialer\a2adguard.exe”” [“a-squared”]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

    -> {HKLM…CLSID} = “AcroIEHlprObj Class”

                    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

    -> {HKLM…CLSID} = “SSVHelper Class”

                    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

    {C08DF07A-3E49-4E25-9AB0-D3882835F153}(Default) = (no title provided)

    -> {HKLM…CLSID} = “QUICKfind BHO Object”

                    \InProcServer32\(Default) = "C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll" [file not found]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

    “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

    -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

                    \InProcServer32\(Default) = "deskpan.dll" [file not found]

    “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

    -> {HKLM…CLSID} = “HyperTerminal Icon Ext”

                    \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

    “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

    -> {HKLM…CLSID} = “Microsoft Office Outlook”

                    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

    “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

    -> {HKLM…CLSID} = “Outlook File Icon Extension”

                    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

    “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

    -> {HKLM…CLSID} = (no title provided)

                    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

    “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

    -> {HKLM…CLSID} = “WinRAR”

                    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    “{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”

    -> {HKLM…CLSID} = “WinZip”

                    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    “{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”

    -> {HKLM…CLSID} = “WinZip”

                    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    “{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”

    -> {HKLM…CLSID} = “WinZip”

                    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    “{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”

    -> {HKLM…CLSID} = “WinZip”

                    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}” = “{506F4668-F13E-4AA1-BB04-B43203AB3CC0}”

    -> {HKLM…CLSID} = “ImageExtractorShellExt Class”

                    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

    “{D66DC78C-4F61-447F-942B-3FB6980118CF}” = “{D66DC78C-4F61-447F-942B-3FB6980118CF}”

    -> {HKLM…CLSID} = “CInfoTipShellExt Class”

                    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

    “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser”

    -> {HKLM…CLSID} = “Nokia Phone Browser”

                    \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

    “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

    -> {HKLM…CLSID} = “avast”

                    \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

    “{6C6BA5E0-1277-11D5-8DC4-444553540000}” = “4th split file property sheet”

    -> {HKLM…CLSID} = “The4thSplitPropertySheet”

                    \InProcServer32\(Default) = "C:\PROGRA~1\4THFEB~1\UTILIT~1\split\EN\4thsprop.dll" [null data]

    “{57C51AF9-DEF7-11D3-A801-00C04F163490}” = “Ghost Shell Extension”

    -> {HKLM…CLSID} = “PropPage Class”

                    \InProcServer32\(Default) = "C:\Program Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]

    “{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “Uchwyt nakładania ikony podpisu cyfrowego”

    -> {HKLM…CLSID} = “AcSignIcon”

                    \InProcServer32\(Default) = "C:\WINNT\system32\AcSignIcon.dll" ["Autodesk"]

    “{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview”

    -> {HKLM…CLSID} = “ACTHUMBNAIL”

                    \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

    HKLM\Software\Classes\PROTOCOLS\Filter\

    <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”

    -> {HKLM…CLSID} = (no title provided)

                    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

    {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

    -> {HKLM…CLSID} = “PDF Shell Extension”

                    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes*\shellex\ContextMenuHandlers\

    Autodesk.DWF.ContextMenu(Default) = “{6C18531F-CA85-45F7-8278-FF33CF0A5964}”

    -> {HKLM…CLSID} = “DWFShellExt Class”

                    \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll" ["Autodesk, Inc."]

    avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

    -> {HKLM…CLSID} = “avast”

                    \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

    WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

    -> {HKLM…CLSID} = “WinRAR”

                    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

    -> {HKLM…CLSID} = “WinZip”

                    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

    WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

    -> {HKLM…CLSID} = “WinRAR”

                    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

    -> {HKLM…CLSID} = “WinZip”

                    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

    avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

    -> {HKLM…CLSID} = “avast”

                    \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

    WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

    -> {HKLM…CLSID} = “WinRAR”

                    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”

    -> {HKLM…CLSID} = “WinZip”

                    \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing LP"]

    Default executables:

    HKCU\Software\Classes.scr(Default) = “AutoCADScriptFile”

    <> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command(Default) = "“C:\WINNT\system32\NOTEPAD.EXE” “%1"” [MS]

    Group Policies {GPedit.msc branch and setting}:

    Note: detected settings may not have any effect.

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

    “CDRAutoRun” = (REG_DWORD) hex:0x00000000

    {unrecognized setting}

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

    Shutdown: Allow system to be shut down without having to log on}

    Active Desktop and Wallpaper:

    Active Desktop may be enabled at this entry:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

    “Wallpaper” = “%APPDATA%\IrfanView\IrfanView_Wallpaper.bmp”

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

    HKCU\Control Panel\Desktop\

    “Wallpaper” = “C:\Documents and Settings\Administrator\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp”

    Startup items in “Administrator” & “All Users” startup folders:

    C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

    “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

    “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS]

    “SpeedTouch Dial-up” -> shortcut to: “C:\Program Files\Thomson\SpeedTouch USB\stdialup.exe” [“THOMSON Telecom Belgium”]

    Enabled Scheduled Tasks:

    McAfee.com Update Check (WCJ1-Administrator)” -> launches: “C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe /Schedule” [“McAfee.com Corporation”]

    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

    000000000001\LibraryPath = “%SystemRoot%\System32\rnr20.dll” [MS]

    000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

    %SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 17

    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

    Toolbars, Explorer Bars, Extensions:

    Explorer Bars

    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

    HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie”

    Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

    InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\

    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

    “MenuText” = “Sun Java Console”

    “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}”

    -> {HKCU…CLSID} = “Java Plug-in 1.5.0_11”

                    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

    -> {HKLM…CLSID} = “Java Plug-in 1.5.0_11”

                    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

    {85D1F590-48F4-11D9-9669-0800200C9A66}\

    “MenuText” = “Uninstall BitDefender Online Scanner v8”

    “Exec” = “%windir%\bdoscandel.exe” [null data]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\

    “ButtonText” = “Badanie”

    {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\

    “ButtonText” = “Yahoo! Messenger”

    “MenuText” = “Yahoo! Messenger”

    “Exec” = “C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE” [file not found]

    Running Services (Display Name, Service Name, Path {Service DLL}):

    avast! Antivirus, avast! Antivirus, ““C:\Program Files\Avast4\ashServ.exe”” [“ALWIL Software”]

    avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Avast4\aswUpdSv.exe”” [“ALWIL Software”]

    avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]

    avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]

    EPSON Printer Status Agent2, EPSONStatusAgent2, “C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe” [“SEIKO EPSON CORPORATION”]

    GhostStartService, GhostStartService, “C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe” [“Symantec Corporation”]

    iPodService, iPodService, “C:\Program Files\iPod\bin\iPodService.exe” [“Apple Computer, Inc.”]

    Lotus Notes — pojedyncze logowanie, Lotus Notes Single Logon, “C:\WINNT\system32\nslsvice.exe” [null data]

    Machine Debug Manager, MDM, ““c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS]

    NVIDIA Driver Helper Service, NVSvc, “C:\WINNT\system32\nvsvc32.exe” [“NVIDIA Corporation”]

    ServiceLayer, ServiceLayer, ““C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe”” [“Nokia.”]

    SiS WirelessLan Service, SiSWLSvc, “C:\Program Files\802.11 Wireless LAN\802.11g Pen Size Wireless USB 2.0 Adapter HW.32 V1.00\SiSWLSvc.exe” [null data]

    Sunbelt Kerio Personal Firewall 4, KPF4, ““C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe”” [“Sunbelt Software”]

    System zdarzeń COM+, EventSystem, “C:\WINNT\System32\svchost.exe -k netsvcs” {“C:\WINNT\System32\es.dll” [null data]}

    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\

    EPSON V3 2KMonitor352\Driver = “E_SL2352.DLL” [“SEIKO EPSON CORPORATION”]

    Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS]

    <>: Suspicious data at a malware launch point.

    • This report excludes default entries except where indicated.

    • To see everywhere the script checks and everything it finds,

      launch it from a command prompt or a shortcut with the -all parameter.

    • The search for DESKTOP.INI DLL launch points on all local fixed drives

      took 131 seconds.

    ---------- (total run time: 204 seconds)

    ewido anti-spyware online scanner

     http://www.ewido.net

    Name: TrackingCookie.Doubleclick

    Path: C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt

    Risk: Medium

    Name: TrackingCookie.Gemius

    Path: C:\Documents and Settings\Administrator\Cookies\administrator@hit.gemius[1].txt

    Risk: Medium

    Name: TrackingCookie.Gemius

    Path: :mozilla.7:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

    Name: TrackingCookie.Gemius

    Path: :mozilla.8:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

    Name: TrackingCookie.Tradedoubler

    Path: :mozilla.21:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

    Name: TrackingCookie.Tradedoubler

    Path: :mozilla.22:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

    Name: TrackingCookie.Adocean

    Path: :mozilla.42:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

    Name: TrackingCookie.Adocean

    Path: :mozilla.43:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

    Name: TrackingCookie.Adocean

    Path: :mozilla.47:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

    Name: TrackingCookie.Adocean

    Path: :mozilla.48:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\89newgbm.default\cookies.txt

    Risk: Medium

Oczywiście te ciasteczka już wycięte (musiały się wgryźć jak zdjąłem firewalla - sprawdzałem czy delsim dialer dalej mi się odnawia)

Właściwie to zamyka sprawę - serdeczne dzięki za pomoc.

*)Gdybym jeszcze tylko uzyskał odpowiedź na pytanie jaki jest w Win2k odpowiednim msconfiga byłbym bardzo wdzięczny.

#5

Logi są ok.

Proponuję przeczyścić rejestr ponieważ masz kilka pustych kluczy, opis.

System Windows 2000 nie posiada wbudowanego narzędzia msconfg pozwalającego na kontrolę nad autostartem. Rozwiązaniem tego problemu może być pobranie tego narzędzia pod ten system lub skorzystanie z zewnętrznego programu umożliwiającego kontrolę autostartu.

http://www2.whidbey.com/djdenham/Msconfig.htm