Dziwne pliki .dll i .exe po starcie systemu + zamulony komp

Hertz1 · 6 Lipiec 2007 21:11

witam

po starcie systemu wyskakuje mi na ekranie kilka lub kilkanaście okienek informujących że jakieś pliki .dll i .exe zostały zamknięte /wszystkie pliki mają dziwaczne i długie nazwy/

po włączeniu internetu pojawia mi się 15-20 pop-upów z IE chociaż nie używam tej przeglądarki do przeglądania netu

internet często się rozłącza

gg raz jest a raz go nie ma /to samo z icq/

podczas surfowania po necie non-stop pojawiają się okienka “wystąpił błąd podczas ładowania modułu C:\Windows\system32\costam.dll nie można odnaleźć określonego modułu”

firefox rozłącza sie bez powodu

bez przerwy pojawia się okienko informujące że nie można załadować pliku osa9.exe /nie mam pojęcia co to jest/

ikony “wędrują” po pulpicie /nie wiem jak to inaczej określić, po prostu po włączeniu za każdym razem znajdują się w innym miejscu/

spybot wyłapuje ok 30-50 śmieci dziennie

plus znaczne spowolnienie pracy kompa

załączam logi z hijakthis & silentrunners - jeżeli ktoś wie jak mi pomóc, to bardzo proszę o radę

komp został sprawdzony programami avast, kaspersky, spybot, ad-aware plus skanery on-line /mks_vir panda itp./ ale to nic nie dało.

Logfile of HijackThis v1.99.1

Scan saved at 22:12:45, on 2007-07-06

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\Drivers\WTSRV.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\WService.EXE

C:\WINDOWS\system32\osa9.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iISystem Wiper\SystemWiper.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\Security\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll

O2 - BHO: (no name) - {43D02096-01B2-403B-8739-090C13D78506} - C:\WINDOWS\system32\gebyw.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\bgcjfyhd.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\fccccyy.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: (no name) - {F3DECB76-D936-4D62-A747-46FD4B34CFF0} - (no file)

O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll

O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [WService] WService.EXE

O4 - HKLM\..\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe

O4 - HKLM\..\Run: [odk_mon] C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe

O4 - HKLM\..\Run: [Microsoft System Service] taskmgr1.exe

O4 - HKLM\..\Run: [Office SturtUp] osa9.exe

O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\pjnrwhjn.dll",realset

O4 - HKLM\..\RunServices: [Microsoft System Service] taskmgr1.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: hp psc 1000 series.lnk = ?

O4 - Global Startup: hpoddt01.exe.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mks.com.pl

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0FA7A95B-565F-4E94-AE2B-B522C6247D4B}: NameServer = 194.204.159.1 217.98.63.164

O17 - HKLM\System\CS1\Services\Tcpip\..\{0FA7A95B-565F-4E94-AE2B-B522C6247D4B}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O20 - Winlogon Notify: fccccyy - C:\WINDOWS\SYSTEM32\fccccyy.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\dvqmxoev.exe (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"iIWiper" = "C:\Program Files\iISystem Wiper\SystemWiper.exe m" ["iISoftware"]

"Odkurzacz-MCD" = "C:\Program Files\Odkurzacz\odk_mcd.exe" ["Franmo Software"]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"High Definition Audio Property Page Shortcut" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]

"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]

"VGAUtil" = "C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe" [empty string]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]

"WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"RunOnStartup" = (empty string)

"WService" = "WService.EXE" ["Tablet Driver"]

"hldrrr" = "C:\WINDOWS\system32\hldrrr.exe" [file not found]

"odk_mon" = "C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe" [file not found]

"Microsoft System Service" = "taskmgr1.exe" [file not found]

"Office SturtUp" = "osa9.exe" [null data]

"gfxtray" = "rundll32 ctccw32.dll,findwnd" [MS]

"GPLv3" = "rundll32.exe "C:\WINDOWS\system32\pjnrwhjn.dll",realset" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{055FD26D-3A88-4e15-963D-DC8493744B1D}\(Default) = "XTTBPos00"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]

{43D02096-01B2-403B-8739-090C13D78506}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\gebyw.dll" [null data]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{5ADF3862-9E2E-4ad3-86F7-4510E6550CD0}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\bgcjfyhd.dll" [file not found]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

{8A61098D-612B-4EF2-943D-64E920684061}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\fccccyy.dll" [null data]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = "Windows Live Sign-in Helper" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}" = "ShellPlusContextMenu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\B4FM.dll" [file not found]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]

"{43886CD5-6529-41c4-A707-7B3C92C05E68}" = "IE Navigation Bar"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE AutoComplete"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{4B78D326-D922-44f9-AF2A-07805C2A3560}" = "IE Menu Band"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{6CF48EF8-44CD-45d2-8832-A16EA016311B}" = "IE IShellFolderBand"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{F2CF5485-4E02-4f68-819C-B92DE9277049}" = "&Links"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" = "IE Fade Task"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" = "IE Tracking Shell Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{44C76ECD-F7FA-411c-9929-1B77BA77F524}" = "IE Menu Site"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [file not found]

"{B28C18DB-6816-4F31-9630-397683E3C2C3}" = "Filzip Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{35786D3C-B075-49b9-88DD-029876E11C01}" = "Portable Devices"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]

"{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8}" = "Portable Devices Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshext.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

  -> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

  -> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

  -> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

  -> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{8BE13461-936F-11D1-A87D-444553540000}" = "Eraser Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{8A61098D-612B-4EF2-943D-64E920684061}" = "*g" (unwritable string)

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\fccccyy.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * lsdelete aswBoot.exe /M:4a86b3d4666" [file not found], [MS], [file not found], [null data], ["ALWIL Software"], [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

INFECTION WARNING! fccccyy\DLLName = "fccccyy.dll" [null data]

INFECTION WARNING! gebyw\DLLName = "C:\WINDOWS\system32\gebyw.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]

Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Erasext\(Default) = "{8BE13461-936F-11D1-A87D-444553540000}"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\erasext.dll" ["-"]

Filzip\(Default) = "{B28C18DB-6816-4F31-9630-397683E3C2C3}"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Filzip\fzshext.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Rutkiewicz-Hertz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Vulc" & "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]

"hp psc 1000 series" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe" ["Hewlett-Packard Co."]

"hpoddt01.exe" -> shortcut to: "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]

"FRU Task #Hewlett-Packard#hp psc 1200 series#1170615521" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1170615521"" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{855F3B16-6D32-4FE6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


{E59EB121-F339-4851-A3BA-FE49C35617C2}\

"ButtonText" = "ICQ6"

"MenuText" = "ICQ6"

"Exec" = "C:\Program Files\ICQ6\ICQ.exe" ["ICQ, Inc."]


{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\

"ButtonText" = "Yahoo! Messenger"

"MenuText" = "Yahoo! Messenger"

"Exec" = "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" ["Yahoo! Inc."]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\


Missing lines (compared with English-language version):

"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = "Search Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [file not found]

"{855F3B16-6D32-4fe6-8A56-BBB695989046}" = "ICQ Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ICQTOO~1\toolbaru.dll" ["IE Toolbar"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ad-Aware 2007 Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft AB"]

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 30 seconds, including 10 seconds for message boxes)

:shock:

Gutek · 7 Lipiec 2007 14:23

Użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.

Daj log z Combofix

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Hertz1 · 7 Lipiec 2007 18:34

VF + TVRT + VBG - zrobione

log

"Rutkiewicz-Hertz" - 2007-07-07 20:07:57 - ComboFix 07-07-07.3 - Dodatek Service Pack 2

Gutek · 8 Lipiec 2007 10:25

usuń plik ręcznie

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509

Daj log z Combofix-a