Dinet.info and the p.exe file, a trojan?


(El Baton) #1

Hello...

For some time now, any attempt to connect to the internet (e.g. opening any website whatsoever) triggers an attempt to download the file p.exe from the dinet.info server... NOD reports the following every time:

Virus information:

File:

http://dinet.info/p/us06/p.exe


Virus:

Win32/TrojanDropper.Oleloa.J Trojan


Comments:

The file contains a virus that threatens the computer.

I made a log:

Logfile of HijackThis v1.99.1

Scan saved at 10:30:50, on 2006-09-24

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

D:\Program Files\UZYTKOWE\NOD\nod32krn.exe

C:\Program Files\Cyberlink\Shared files\RichVideo.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\Program Files\DO NAPEDOW\Alcohol 52\StarWind\StarWindService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\UAService7.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\ntsystem.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

D:\Program Files\DO FILMOW\PowerDVD\PDVDServ.exe

E:\Tymczasowe\programy\HijackThis.exe

D:\Program Files\UZYTKOWE\Acrobat 7.0\Reader\reader_sl.exe

D:\Program Files\INTERNETOWE\Kaspersky Anti-Hacker\KAVPF.exe

D:\Program Files\UZYTKOWE\NOD\nod32kui.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\WINDOWS\system32\wuauclt.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 127.255.255.255 195.137.236.101

O1 - Hosts: 127.255.255.255 195.137.236.101

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\UZYTKOWE\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\PROGRA~1\INTERN~1\FlashGet\jccatch.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\INTERNETOWE\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll

O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\PROGRA~1\INTERN~1\FlashGet\getflash.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\INTERN~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe

O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray

O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\DO FILMOW\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\DO FILMOW\PowerDVD\Language\Language.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [HijackThis startup scan] E:\Tymczasowe\programy\HijackThis.exe /startupscan

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\UZYTKOWE\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kaspersky Anti-Hacker.lnk = D:\Program Files\INTERNETOWE\Kaspersky Anti-Hacker\KAVPF.exe

O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\UZYTKOWE\Office\Office10\OSA.EXE

O4 - Global Startup: nod32kui.lnk = D:\Program Files\UZYTKOWE\NOD\nod32kui.exe

O4 - Global Startup: SMax4.lnk = C:\Program Files\Analog Devices\SoundMAX\SMax4.exe

O4 - Global Startup: SMax4PNP.lnk = C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\UZYTKOWE\Office\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\Program Files\INTERNETOWE\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\Program Files\INTERNETOWE\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll

O9 - Extra button: Send this URL to WTR - Web The Ripper 2 - {c23e2132-960c-44fc-8ebd-39b37aa4de78} - D:\Program Files\INTERNETOWE\WTR - Web The Ripper 2\wtr.ie.html (file missing)

O9 - Extra 'Tools' menuitem: WTR - Web The Ripper 2 - {c23e2132-960c-44fc-8ebd-39b37aa4de78} - D:\Program Files\INTERNETOWE\WTR - Web The Ripper 2\wtr.ie.html (file missing)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\INTERN~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\INTERN~1\FlashGet\flashget.exe

O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - AppInit_DLLs: SF3.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\UZYTKOWE\NOD\nod32krn.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\DO NAPEDOW\Alcohol 52\StarWind\StarWindService.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

What do you think?
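As an added example (not from the thread or from the tool authors), a small Python triage helper for HijackThis-style log lines that flags the three entry types that mattered here: O1 hosts overrides, O4 Run entries launching from the Windows directory, and O20 AppInit_DLLs. The allowlist of known Windows autostarts and the sample lines are constructed assumptions modelled on entries of the same shape as the posted log.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Assumption: autostart entries a stock Windows XP installation legitimately
# runs from %SystemRoot%; anything else launching from there gets a second look.
KNOWN_WINDOWS_AUTOSTARTS = {"ctfmon.exe"}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves attention
    line: str      # the original log line


def executable_of(command: str) -> str:
    """Return the program path from an O4 command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage_line(line: str):
    """Return a Finding for a suspicious O1/O4/O20 entry, or None for anything else."""
    m = O1_RE.match(line)
    if m:
        ip, name = m.groups()
        if not (ip.startswith("127.") or ip == "::1"):
            return Finding("O1", f"hosts file redirects {name} to {ip}", line)
        if IPV4_RE.match(name):
            # A hosts entry whose "name" is itself an IP literal is not a normal blocklist line.
            return Finding("O1", f"hosts file maps IP literal {name} to {ip}", line)
        return None
    m = O4_RE.match(line)
    if m:
        hive, value_name, command = m.groups()
        exe = executable_of(command)
        folder, _, base = exe.rpartition("\\")
        in_windows_dir = "\\windows\\" in (folder.lower() + "\\")
        if in_windows_dir and base.lower() not in KNOWN_WINDOWS_AUTOSTARTS:
            return Finding("O4", f"{hive} Run value [{value_name}] starts {base} from the Windows directory", line)
        return None
    m = O20_RE.match(line)
    if m and m.group(1).strip():
        # AppInit_DLLs loads the named DLL into every process that maps user32.dll.
        return Finding("O20", f"AppInit_DLLs loads {m.group(1).strip()} into every GUI process", line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the findings."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


# Constructed sample in the shape of the log posted above (not the full log).
SAMPLE_LOG = "\n".join([
    r"O1 - Hosts: 127.255.255.255 195.137.236.101",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [gwiz] C:\WINDOWS\system32\ntsystem.exe",
    r'O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray',
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O20 - AppInit_DLLs: SF3.DLL",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - D:\Program Files\UZYTKOWE\NOD\nod32krn.exe",
])

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The rules only raise entries for a human to look at; a flagged O4 line still needs the file checked before anything is deleted.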


(Gutek) #2

Note: when you paste a log, wrap it in a CODE or QUOTE tag - FIX IT

the file manually in Safe Mode

EWIDO scan after an update :wink:

Post a log from Silent Runners


(El Baton) #3

this is probably it…

---------------------------------------------------------

ewido anti-spyware - Scan Report

---------------------------------------------------------


 + Created at:	12:03:46 2006-09-24


 + Scan result:	




C:\WINDOWS\system32\ntsystem.exe -> Hijacker.Agent.hg : No action taken.

the rest were cookies so I skipped them :slight_smile: I guess this was the file in question…


Looks like the scan helped :smiley: it seems everything is fine now, thanks :smiley:

Great program, it will surely come in handy again some day.


(Bbieniol) #4

Indeed :slight_smile:

Where is the Silent Runners log?


(El Baton) #5

I think this is what you meant :slight_smile:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"UpdateManager" = "C:\Program Files\Common Files\Microsoft Shared\Web Components\WUpdMan32.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMax" = ""C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray" ["Analog Devices, Inc."]

"RemoteControl" = ""D:\Program Files\DO FILMOW\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"LanguageShortcut" = ""D:\Program Files\DO FILMOW\PowerDVD\Language\Language.exe"" [null data]

"!ewido" = ""D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch5 Class"

                   \InProcServer32\(Default) = "D:\PROGRA~1\INTERN~1\FlashGet\jccatch.dll" ["FlashGet"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll" ["Sun Microsystems, Inc."]

{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "gFlash Class"

                   \InProcServer32\(Default) = "D:\PROGRA~1\INTERN~1\FlashGet\getflash.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{67C63340-679B-11D2-92EE-000021474C19}" = "IrfanView Extensions"

  -> {HKLM...CLSID} = "IrfanView Extensions"

                   \InProcServer32\(Default) = "D:\Program Files\GRAFICZNE\IrfanView\IVEX.dll" ["BAxBEx Software"]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\NOD\nodshex.dll" [null data]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

  -> {HKLM...CLSID} = "ShellLink for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "D:\PROGRA~1\DONAPE~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\Office\Office10\msohev.dll" [MS]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

"{70B28949-EC23-4D00-A411-AD8A1B3A8A5A}" = "awxDTools - ContextMenu ShellExtension"

  -> {HKLM...CLSID} = "awxDTShlExt Class"

                   \InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]

"{7A5117B0-B594-4DA8-829D-D15BF11996F2}" = "awxDTools - ColumnHandler ShellExtension"

  -> {HKLM...CLSID} = "awxDTColumnHandler Class"

                   \InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]

"{D7C3180D-83AA-464B-9154-6BD0B4E34FBD}" = "awxDTools - PropertySheetHandler ShellExtension"

  -> {HKLM...CLSID} = "awxDToolsPropSheet Class"

                   \InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\Unlocker\UnlockerCOM.dll" [null data]

"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"

  -> {HKLM...CLSID} = "IZArc DragDrop Menu"

                   \InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]

"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = " SF3.DLL" [file not found]


HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\

INFECTION WARNING! (" ntoskrnl.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7A5117B0-B594-4DA8-829D-D15BF11996F2}\(Default) = "awxDTools - ColumnHandler"

  -> {HKLM...CLSID} = "awxDTColumnHandler Class"

                   \InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\NOD\nodshex.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]

{67C63340-679B-11D2-92EE-000021474C19}\(Default) = "{67C63340-679B-11D2-92EE-000021474C19}"

  -> {HKLM...CLSID} = "IrfanView Extensions"

                   \InProcServer32\(Default) = "D:\Program Files\GRAFICZNE\IrfanView\IVEX.dll" ["BAxBEx Software"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

  -> {HKLM...CLSID} = "IZArc Shell Context Menu"

                   \InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\NOD\nodshex.dll" [null data]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Mateusz\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



Startup items in "Mateusz" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "D:\Program Files\UZYTKOWE\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Kaspersky Anti-Hacker" -> shortcut to: "D:\Program Files\INTERNETOWE\Kaspersky Anti-Hacker\KAVPF.exe /silence" ["Kaspersky Lab"]

"Microsoft Office" -> shortcut to: "D:\Program Files\UZYTKOWE\Office\Office10\OSA.EXE -b -l" [MS]

"nod32kui" -> shortcut to: "D:\Program Files\UZYTKOWE\NOD\nod32kui.exe" ["Eset "]

"SMax4PNP" -> shortcut to: "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "D:\PROGRA~1\INTERN~1\FlashGet\fgiebar.dll" ["Amaze Soft"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_08"

                   \InProcServer32\(Default) = "D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_08"

                   \InProcServer32\(Default) = "D:\Program Files\SYSTEMOWE\Java\bin\npjpi150_08.dll" ["Sun Microsystems, Inc."]


{C23E2132-960C-44FC-8EBD-39B37AA4DE78}\

"ButtonText" = "Send this URL to WTR - Web The Ripper 2"

"MenuText" = "WTR - Web The Ripper 2"

"Script" = "D:\Program Files\INTERNETOWE\WTR - Web The Ripper 2\wtr.ie.html" [file not found]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "D:\PROGRA~1\INTERN~1\FlashGet\flashget.exe" ["FlashGet.com"]


{E19ADC6E-3909-43E4-9A89-B7B676377EE3}\

"ButtonText" = "Sothink SWF Catcher"

"MenuText" = "Sothink SWF Catcher"

"Script" = "C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm" [null data]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



HOSTS file

----------


C:\WINDOWS\System32\drivers\etc\HOSTS


maps: 3 domain names to IP addresses,

      2 of the IP addresses are *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\Cyberlink\Shared files\RichVideo.exe"" [empty string]

ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]

LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

NOD32 Kernel Service, NOD32krn, ""D:\Program Files\UZYTKOWE\NOD\nod32krn.exe"" ["Eset "]

SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\system32\UAService7.exe" [null data]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

StarWind iSCSI Service, StarWindService, "D:\Program Files\DO NAPEDOW\Alcohol 52\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Keyboard Driver Filters:

------------------------


HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 99 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 15 seconds.

---------- (total run time: 143 seconds)

(Gutek) #6

Registry cleaning:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177 or jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509


(El Baton) #7

OK, I'll do that, but I still prefer RegSupreme :smiley: it's faster :smiley:


(Gutek) #8

But jv16 PowerTools is better :mrgreen:


(El Baton) #9

I'll gladly test it :smiley:

-------Edit-------

Heh… good program :mrgreen: I'll be using it more often.