Strange virus :|


(Rocznik87) #1

Hi, I got up this morning and got a nasty surprise: none of my shortcuts work and the computer is generally behaving strangely. I'm posting the event log from Ad-Watch, maybe someone has already had a similar problem. Thanks in advance for the help.

2006-05-12 08:56:59 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:SOFTWARE\Classes\regfile\shell\open\command

Value:

Data:

New Data:regedit.exe "%1"

===============================================

2006-05-12 08:57:10 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:SOFTWARE\Classes\lnkfile\CLSID

Value:

Data:

New Data:{00021401-0000-0000-C000-000000000046}

===============================================

2006-05-12 08:57:11 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:SOFTWARE\Classes\exefile\shell\open\command

Value:

Data:

New Data:"%1" %*

===============================================

2006-05-12 08:57:12 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.com

Value:

Data:

New Data:comfile

===============================================

2006-05-12 08:57:12 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.scr

Value:

Data:

New Data:scrfile

===============================================

2006-05-12 08:57:13 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.bat

Value:

Data:

New Data:batfile

===============================================

2006-05-12 08:57:14 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.pif

Value:

Data:

New Data:piffile

===============================================

2006-05-12 08:57:15 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.reg

Value:

Data:

New Data:regfile

===============================================

2006-05-12 08:57:16 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.lnk

Value:

Data:

New Data:lnkfile

===============================================

2006-05-12 08:57:25 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.exe

Value:

Data:

New Data:exefile

===============================================

2006-05-12 08:57:26 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value:0aMCPClient

Data:

New Data:{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}

===============================================

2006-05-12 08:57:27 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Policies\System

Value:dontdisplaylastusername

Data:

New Data:0

===============================================

2006-05-12 09:52:36 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value:NoLowDiskSpaceChecks

Data:

New Data:1

===============================================

2006-05-12 09:52:39 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value:LinkResolveIgnoreLinkInfo

Data:

New Data:0

===============================================

2006-05-12 09:52:40 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Run

Value:SunJavaUpdateSched

Data:

New Data:C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe

===============================================

2006-05-12 09:52:41 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Windows\CurrentVersion\Run

Value:Konnekt

Data:

New Data:"C:\Program Files\Konnekt\konnekt.exe" /autostart

===============================================

2006-05-12 09:52:41 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Internet Explorer\Search

Value:SearchAssistant

Data:

New Data:

===============================================

2006-05-12 09:52:41 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Internet Explorer\Main

Value:Default_Page_URL

Data:

New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

===============================================

2006-05-12 09:52:42 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Internet Explorer\SearchUrl

Value:provider

Data:

New Data:intranet

===============================================

2006-05-12 09:52:42 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value:PostBootReminder

Data:

New Data:{7849596a-48ea-486e-8937-a2a3009f31a9}

2006-05-12 09:52:43 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Policies\System

Value:legalnoticecaption

Data:

New Data:

===============================================

2006-05-12 09:52:43 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value:NoInstrumentation

Data:

New Data:0

===============================================

2006-05-12 09:52:43 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value:NoResolveSearch

Data:

New Data:1

===============================================

2006-05-12 09:52:44 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Run

Value:avast!

Data:

New Data:d:\Program Files\Alwil Software\Avast4\ashDisp.exe

===============================================

2006-05-12 09:52:44 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Windows\CurrentVersion\Run

Value:AWMON

Data:

New Data:"D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

===============================================

2006-05-12 09:52:44 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Internet Explorer\Search

Value:CustomizeSearch

Data:

New Data:http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

===============================================

2006-05-12 09:52:44 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Internet Explorer\Main

Value:Default_Search_URL

Data:

New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

===============================================

2006-05-12 09:52:45 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Internet Explorer\Main

Value:Search Page

Data:

New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

===============================================

2006-05-12 09:52:46 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Windows\CurrentVersion\Run

Value:tinydialer

Data:

New Data:"C:\Program Files\Tiny Dialer\dialup.exe" /tray

===============================================

2006-05-12 09:52:46 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Value:ForceClassicControlPanel

Data:

New Data:1

===============================================

2006-05-12 09:52:46 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Policies\System

Value:legalnoticetext

Data:

New Data:

===============================================

2006-05-12 09:52:46 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value:CDBurn

Data:

New Data:{fbeb8a05-beee-4442-804e-409d6c4515e9}

===============================================

2006-05-12 09:52:47 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value:WebCheck

Data:

New Data:{E6FB5E20-DE35-11CF-9C87-00AA005127ED}

===============================================

2006-05-12 09:52:47 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Policies\System

Value:shutdownwithoutlogon

Data:

New Data:1

===============================================

2006-05-12 09:52:48 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Internet Explorer\Main

Value:Local Page

Data:

New Data:C:\WINDOWS\System32\blank.htm

===============================================

2006-05-12 09:52:48 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Internet Explorer\Main

Value:Start Page

Data:

New Data:http://www.google.pl

===============================================

2006-05-12 09:53:56 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\Policies\System

Value:undockwithoutlogon

Data:

New Data:1

===============================================

2006-05-12 09:53:57 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value:SysTray

Data:

New Data:{35CEC8A3-2BE6-11D2-8773-92E220524153}

===============================================

2006-05-12 09:53:58 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Value:IconPackager Repair

Data:

New Data:{1799460C-0BC8-4865-B9DF-4A36CD703FF0}

===============================================

2006-05-12 09:53:59 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Internet Explorer\Main

Value:Local Page

Data:

New Data:C:\WINDOWS\System32\blank.htm

===============================================

2006-05-12 09:54:39 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Internet Explorer\Main

Value:Search Page

Data:

New Data:http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

===============================================

2006-05-12 09:54:40 - Registry modification detected

Root:HKEY_CURRENT_USER

Key:Software\Microsoft\Internet Explorer\Main

Value:Start Page

Data:

New Data:http://www.sfd.pl/

2006-05-12 10:07:34 - Registry modification detected

Root:HKEY_LOCAL_MACHINE

Key:Software\Classes.exe

Value:Content Type

Data:

New Data:application/x-msdownload

Merged post: 12.05.2006 (Fri) 11:09

I'm also adding a current HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 11:09:01, on 2006-05-12

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\crypserv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

C:\Program Files\Raxco\PerfectDisk\PDSched.exe

D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Tiny Dialer\dialup.exe

C:\Documents and Settings\Dracula\Pulpit\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.34.123.125:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\Program Files\Spyware Doctor\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\Program Files\Spyware Doctor\tools\iesdpb.dll

O4 - HKCU\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\Program Files\Spyware Doctor\tools\iesdpb.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O17 - HKLM\System\CCS\Services\Tcpip\..\{5AA8224E-924F-4A99-B5B2-72E584214528}: NameServer = 194.204.152.34 217.98.63.164

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: kavsvc - Unknown owner - d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe (file missing)

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

(Kuz5) #2

The log is clean

Cosmetic cleanup, cut these:

Describe in more detail what is happening, aren't any messages popping up, etc.?

Download Ewido, update it and run a scan

Paste a SilentRunners log


(Rocznik87) #3

All the shortcuts on my computer stopped working and I can't create new ones. Earlier something with "attention" from Ad-Watch kept popping up, but I clicked block and for now nothing pops up. Ad-Aware and Spybot Search & Destroy found nothing. That's why I wrote "strange", because officially there is no virus and it hasn't done much damage, but I'm afraid it's the calm before the storm :D I scanned with anti-malware and it found: adware.contextuad, adware.webrebates, heuristic.win32.backdoor.ircbot, trojan.vb.aci, adware.purityscan, trojan.lmir.acq, and I, fool, trusted Ad-Aware :P Do you think those bugs could have caused these gremlins? :smiley:


(Kuz5) #4

I repeat my request:

Also paste the Ewido scan result on the forum


(Grzesiek1) #5

It seems to me that some virus wiped a few things in your registry, including the part with the registered extensions (that's where it's stored which program opens what, etc.)


(system) #6

szeff wrote:

This is probably the solution to your problem. With Ad-Watch you can block all sorts of things, including useful ones.


(Rocznik87) #7

HKLM\SOFTWARE\Classes\CLSID\{57A70350-87D9-4EA2-B3AC-C1C1B5296035} -> Adware.ContextuAd : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup

C:\WINDOWS\hl2crack.CAB/hl2crack.exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup

C:\WINDOWS\system32\ldrtt.exe -> Trojan.VB.aci : Cleaned with backup

C:\WINDOWS\system32\wіnlogon.exe -> Adware.PurityScan : Cleaned with backup

D:\filmy\MM\Materiały maturalne - Jez.angielski.rar/Materiay maturalne - Jez.angielski\prace\Politics\Crime and Drugs\Legalizing Marijuana - A Convincing Case to Make it Legal .doc -> Trojan.Lmir.acq : Cleaned with backup

G:\pulpit\flood\vclone\vclone\VcLoNe.exe -> Not-A-Virus.DoS.Win32.Vnuke.b : Cleaned with backup

G:\pulpit\hack\serwerftp\NetBusHack.zip/NetBusHack.exe -> Not-A-Virus.HackTool.Win32.Netbuser : Cleaned with backup

and the Silent Runners log:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"AWMON" = ""D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"" ["Lavasoft Sweden"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PCTools Site Guard"

                   \InProcServer32\(Default) = "D:\Program Files\Spyware Doctor\tools\iesdsg.dll" ["PC Tools"]

{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "D:\Program Files\Spyware Doctor\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}" = "Tauscan Menu"

  -> {HKLM...CLSID} = "Tauscan Menu"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Microsoft Office\Office\OLKFSTUB.DLL" [MS]

"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"

  -> {HKLM...CLSID} = "GMail Drive"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"

  -> {HKLM...CLSID} = "GMailFS Property Sheet"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"

  -> {HKLM...CLSID} = "GMailFS Drop Handler"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"

  -> {HKLM...CLSID} = "GMailFS Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{611AD258-4138-4348-A534-9856FA6BA398}" = "IconPackager Icon Handler"

  -> {HKLM...CLSID} = "IPIconHandlerExt Class"

                   \InProcServer32\(Default) = "D:\Program Files\Stardock\Object Desktop\IconPackager\shellext.dll" [file not found]

"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"

  -> {HKLM...CLSID} = "dBpShell Class"

                   \InProcServer32\(Default) = "d:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]

"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"

  -> {HKLM...CLSID} = "dMCIShell Class"

                   \InProcServer32\(Default) = "d:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [file not found]

"{1AED2A52-81A3-404D-AEF9-7DE981C316D1}" = "R-Wipe&Clean"

  -> {HKLM...CLSID} = "FWipeShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\R-Wipe&Clean\RWipe.dll" ["R-tools Technology Inc."]

"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

  -> {HKLM...CLSID} = "Shell Extension for CDRW"

                   \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Nero AG"]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "PDBoot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"

  -> {HKLM...CLSID} = "dBpShell Class"

                   \InProcServer32\(Default) = "d:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" [file not found]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"

  -> {HKLM...CLSID} = "Tauscan Menu"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"

  -> {HKLM...CLSID} = "Tauscan Menu"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "d:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" [file not found]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

Tauscan Menu\(Default) = "{B6122A50-EAB5-11D3-9E7F-EBF4F0595714}"

  -> {HKLM...CLSID} = "Tauscan Menu"

                   \InProcServer32\(Default) = "C:\Program Files\Agnitum\Tauscan 1.7\Taumenu.dll" ["Agnitum Ltd."]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKLM\Software\Classes\.bat\(Default) = (value not set)


HKLM\Software\Classes\.pif\(Default) = (value not set)



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Dracula\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmyst.scr" [MS]



Startup items in "Dracula" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Adobe Reader Speed Launch" -> shortcut to: "D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

  -> {HKLM...CLSID} = "Web Browser Applet Control"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]


{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

"ButtonText" = "Spyware Doctor"

"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

  -> {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "D:\Program Files\Spyware Doctor\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Messenger"

"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

Crypkey License, Crypkey License, "crypserv.exe" ["Kenonic Controls Ltd."]

InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Nero AG"]

Panda Process Protection Service, PavPrSrv, ""C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe"" ["Panda Software"]

PDScheduler, PDSched, ""C:\Program Files\Raxco\PerfectDisk\PDSched.exe"" ["Raxco Software, Inc."]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 147 seconds, including 12 seconds for message boxes)

I think it's definitely not Ad-Watch, because I've been using it for a really long time and it wouldn't do this to me :smiley: Unfortunately I still can't create any shortcut; actually the shortcut does get created, but when I click on it a window pops up asking me to choose a program to open the shortcut with :D and such a trifle can really make life miserable :/ I'm slowly starting to think about a format... thanks for your interest and thanks for the further replies :smiley: regards


(Bbieniol) #8

The log is clean :slight_smile:

For cosmetic cleanup you can do this:

Open the registry editor (Start >>> Run >>> regedit) and go to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

There double-click the BootExecute value and remove everything from the box except autocheck autochk *

EWIDO removed what it had to remove :slight_smile:


(Rocznik87) #9

Thanks a lot for the help and interest :mrgreen: respect. I still have one problem: I can't create shortcuts, and it's driving me nuts having to open 5 folders to start Konnekt :D any ideas? :slight_smile:


(Bbieniol) #10

What do you mean by "I can't create a shortcut"?

Write something more specific :slight_smile:


(Rocznik87) #11

I create a shortcut (the usual way), but it isn't a link to the program; a window opens saying "choose a program from the list or search the web". I have a feeling the bugs messed something up in the registry :P (in the shortcut's properties the location of the parent program is fine), so I don't know why it doesn't work :frowning:
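The shortcut symptom in posts #5 and #11 and the BootExecute cleanup in post #8 both come down to comparing a handful of registry values against their known defaults. The script below is an added example written for this thread; it is not code from the forum, from Ad-Watch, HijackThis, Ewido or Silent Runners. It assumes Windows PowerShell 5.1 or later run from an elevated prompt on the affected machine, and the "expected" values are assumed to be the ones the Ad-Watch log in post #1 shows being written (the standard Windows XP file-association chain). The script file name `Audit-Associations.ps1` is hypothetical. It only reads the registry unless `-RepairBootExecute` is given, which applies exactly the edit from post #8 and nothing else.

```powershell
# Added audit script for the thread above; it is not code from the forum or
# from any of the tools mentioned. Assumptions: Windows PowerShell 5.1 or later,
# run from an elevated prompt so HKLM is readable. It only reads the registry
# unless -RepairBootExecute is given, which applies the single edit from post #8.
[CmdletBinding()]
param([switch]$RepairBootExecute)

# Expected values are the ones the Ad-Watch log in post #1 shows being written
# (assumed here to be the healthy Windows XP defaults). A shortcut only resolves
# when the whole chain .lnk -> lnkfile -> CLSID is intact; a broken link in the
# chain produces exactly the "choose a program" dialog described in post #11.
$ExpectedValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\.lnk';    Name = '(default)';    Expected = 'lnkfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\lnkfile'; Name = 'CLSID';        Expected = '{00021401-0000-0000-C000-000000000046}' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';    Name = '(default)';    Expected = 'exefile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';    Name = 'Content Type'; Expected = 'application/x-msdownload' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Expected = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.reg';    Name = '(default)';    Expected = 'regfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Expected = 'regedit.exe "%1"' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.com';    Name = '(default)';    Expected = 'comfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.bat';    Name = '(default)';    Expected = 'batfile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.pif';    Name = '(default)';    Expected = 'piffile' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.scr';    Name = '(default)';    Expected = 'scrfile' }
)

function Test-ExpectedValue {
    param([string]$Path, [string]$Name, [string]$Expected)
    # A missing key, a missing value name and an unset (default) all come back as $null.
    $item   = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$Name } else { $null }
    if ([string]::IsNullOrEmpty($actual))     { $status = 'MISSING' }
    elseif ([string]$actual -eq $Expected)    { $status = 'OK' }
    else                                      { $status = 'CHANGED' }
    [pscustomobject]@{ Status = $status; Path = $Path; Name = $Name; Expected = $Expected; Actual = $actual }
}

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$BootDefault    = 'autocheck autochk *'

function Get-ExtraBootExecute {
    # BootExecute is REG_MULTI_SZ: one array element per line of the regedit box.
    # Anything other than the default line is what post #8 says to remove; Silent
    # Runners flagged a "PDBoot.exe" entry whose file no longer exists.
    $entries = @((Get-ItemProperty -Path $SessionManager -Name BootExecute -ErrorAction SilentlyContinue).BootExecute)
    return @($entries | Where-Object { $null -ne $_ -and $_.Trim() -ne $BootDefault })
}

function Reset-BootExecute {
    # Same effect as the regedit steps in post #8, applied in one call.
    Set-ItemProperty -Path $SessionManager -Name BootExecute -Value @($BootDefault) -Type MultiString
}

# 1. File-association chain behind working shortcuts and executables.
$results = foreach ($v in $ExpectedValues) { Test-ExpectedValue @v }
$results | Format-Table Status, Path, Name, Expected, Actual -AutoSize

# 2. BootExecute (post #8).
$extra = Get-ExtraBootExecute
if ($extra.Count -eq 0) {
    'BootExecute: only the default entry is present'
} else {
    $extra | ForEach-Object { "BootExecute extra entry: '$_'" }
    if ($RepairBootExecute) { Reset-BootExecute; "BootExecute reset to '$BootDefault'" }
}

# 3. Proxy setting. The HijackThis R1 line lists an HKCU ProxyServer pointing at
# an external address that nobody in the thread commented on; show it for review.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
"ProxyEnable = $($inet.ProxyEnable); ProxyServer = $($inet.ProxyServer)"
```

Run it as `.\Audit-Associations.ps1` first and only add `-RepairBootExecute` after reviewing the report. Two things in the thread are worth reading against its output: the Silent Runners log already reports `.bat` and `.pif` as `(value not set)`, which this audit would list as MISSING, and post #3 says the Ad-Watch prompts at 08:57 (the standard association values being written) were answered with "block", which is the mechanism post #6 points at. A CHANGED row for `exefile\shell\open\command` or `lnkfile\CLSID` is the classic cause of the "choose a program to open this shortcut" dialog from post #11; a MISSING row for `.lnk` has the same effect.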