IEXEPLORER.exe - keylogger, wirus, czy nie złego?


(Marcinsdg) #1

Witam,

Zacznijmy od początku, wczoraj zassałem zdjecie z neta o dziwnym formacie - scr. Otworzyłem je i zaczeły sie jaja. Windows wyrzucił okno że pliki zostały podmienione i do stabilnego działania systemu należy wrzucic płyte z windowsem, której nie miałem pod reka dlatego też zignorowałem to. Po pewnym czasie zauwazyłem drobne mulenie kompa, wylogowałem sie, zalogowałem ponownie i było w porządku. Później panda zaczeła szaleć że IEXEPLORER.exe próbuje uzyskać dostęp do internetu, zablokowałego, kilkukrotnie. Dzisiaj komputer troche przymulał i ponownie panda wołał o dostęp do iexeplorer, używam Avanta wiec w końcu zezwoliłem na dostep do neta. Chwile było w porządku i znowu komp zaczął mulić. Pobrałem hijackthis, którego nie udało mi sie odpalić, dopiero za którymś razem, zrobiłem scana i wyszło coś takiego na początku

Unable to get Internet Explorer version!

pomyślałem że coś zepsułe,, pobrałem nową wersje IE z neta, co również nie pomogło. Wrzuciłem logi z hijack na stronie i wyszło mi pare rzeczy do usunięcia, ale nie moge odpalić hijackthis ><.

I teraz : co dalej? Czy możliwe jest że coś podpieło sie pod to zdjęcie i zmodyfikowało ie.exe? Czy mógł to być keylogger? I co z tym cholerstwem zrobić.

Sry za taki troche monotony post ale starałem sie wszystko ujać, z góry dzięki za pomoc.


(boczi) #2

Pod tymi rozszerzeniami najczęściej są wirusy, szczególnie rozsyłane poprzez maile :!:

Zrób skan antywirusem - skanery online, linki do nich w dziale Bezpieczeństwo. Skan programem Ewido. Wrzuć loga z Hijackthis i Silentrunners. System możesz próbować naprawić bootując system z płyty poprzez R (repair).

http://forum.dobreprogramy.pl/viewforum.php?f=16


(Marcinsdg) #3
Logfile of HijackThis v1.99.1

Scan saved at 15:30:20, on 2006-06-09

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\Winamp\Winampa.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Documents and Settings\Marcin\Pulpit\download\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_85.dll

O2 - BHO: C:\WINDOWS\lbbho.dll - {4C3BEF17-EC8C-4747-B335-5659827188BB} - C:\WINDOWS\lbbho.dll

O2 - BHO: Knight Online Toolbar Helper - {686E5EC7-76D5-408e-AC31-DDDA63D98ACD} - C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: Knight Online Toolbar - {D6C0B521-6926-4bf1-80D2-61C7DAB2511C} - C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{8709B20F-38B2-4A32-B720-D99A401C1B27}: NameServer = 194.204.152.34,194.204.159.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O17 - HKLM\System\CS2\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O17 - HKLM\System\CS3\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Z hijacka już jest, jeszcze zanim zaczał sie bawić z ie nowym. Teraz hijacka nie moge odpalić. Zaraz wrzuce loga z silenta. Próbowałem odpalić ad aware i tez nie moge. Moge podać linka do zdjecia które możliwe ze zaczeło to wszystko, jesli to coś pomoże. Złączono Posta : 09.06.2006 (Pią) 18:19ok lag z silenta

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]

"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

"New.net Startup" = "rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup" [MS]

"WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]

"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]

"MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]

"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]

"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]

"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"SCANINICIO" = ""C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"" ["Panda Software"]

"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{014DA6C1-189F-421a-88CD-07CFE51CFF10}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "My Search BHO"

                   \InProcServer32\(Default) = "C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL" ["My Search"]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "URLLink Class"

                   \InProcServer32\(Default) = "C:\Program Files\NewDotNet\newdotnet4_85.dll" ["New.net, Inc."]

{4C3BEF17-EC8C-4747-B335-5659827188BB}\(Default) = "C:\WINDOWS\lbbho.dll"

  -> {HKLM...CLSID} = " "

                   \InProcServer32\(Default) = "C:\WINDOWS\lbbho.dll" [null data]

{686E5EC7-76D5-408e-AC31-DDDA63D98ACD}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Knight Online Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll" [null data]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "SimpleShlExt extension"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Wirtualna Polska\wpkontakt\shellext_wpmsg.dll" [empty string]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}" = "ABBYYPDFContextMenuExtension"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"

  -> {HKLM...CLSID} = "Siemens Device"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"

  -> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"

  -> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

INFECTION WARNING! "System" = "C:\WINDOWS\system32\system32.exe" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ABBYYPDFContextMenuExtension\(Default) = "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WPKontakt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Wirtualna Polska\wpkontakt\shellext_wpmsg.dll" [empty string]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Marcin\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "C:\Program Files\NewDotNet\newdotnet4_85.dll" ["New.net, Inc."]

000000000005\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\NewDotNet\newdotnet4_85.dll ["New.net, Inc."], 01 - 02, 08 - 09

%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 10 - 26

%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{014DA6C9-189F-421A-88CD-07CFE51CFF10}"

  -> {HKLM...CLSID} = "My Search Bar"

                   \InProcServer32\(Default) = "C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL" ["My Search"]

"{D6C0B521-6926-4BF1-80D2-61C7DAB2511C}"

  -> {HKLM...CLSID} = "Knight Online Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll" [null data]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{014DA6C9-189F-421A-88CD-07CFE51CFF10}" = (no title provided)

  -> {HKLM...CLSID} = "My Search Bar"

                   \InProcServer32\(Default) = "C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL" ["My Search"]

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]

"{D6C0B521-6926-4BF1-80D2-61C7DAB2511C}" = "Knight Online Toolbar"

  -> {HKLM...CLSID} = "Knight Online Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll" [null data]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Panda anti-virus service, PAVSRV, "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe" ["Panda Software"]

Panda Firewall Service, PAVFIRES, "C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe" ["Panda Software"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]

LIDIL Language Monitor\Driver = "hpzll3xu.dll" ["Hewlett-Packard Company"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 285 seconds, including 18 seconds for message boxes)

Skanuje ewido ale to troche potrwa.


(Gutek) #4

w trybie awaryjnym usuń wpisy a foldery i plik ręcznie

Odpal LSP-Fix zaznacz "I know what I'm doing" następnie w okienku Keep zaznacz plik newdotnet4_85.dll i za pomocą strzałki (>>) przenieś go do okienka Remover i kliknij Finish

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa


(Marcinsdg) #5

Zrobiłem juz prawie wszystko, czekam aż sie skończy ewido scan i przejde na tryb awaryjny. Znajomy powiedział żeby odpalił Hitman Pro, tak też zrobiłem. Zaczął już mi sie hijack otwierać, mam nadzieje że bedzie dobrze.

Wielkie dzięki.


(Gutek) #6

Logi do kontroli po wszystkim :wink:


(Marcinsdg) #7

Zrobiłem wszystko ^^

Log z hijacka

Logfile of HijackThis v1.99.1

Scan saved at 20:43:06, on 2006-06-09

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe

C:\Program Files\Winamp\Winampa.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

C:\Program Files\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Wirtualna Polska\wpkontakt\wpkontakt.exe

C:\Documents and Settings\Marcin\Pulpit\download\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Knight Online Toolbar Helper - {686E5EC7-76D5-408e-AC31-DDDA63D98ACD} - C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O3 - Toolbar: Knight Online Toolbar - {D6C0B521-6926-4bf1-80D2-61C7DAB2511C} - C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm

O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm

O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm

O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {83AFB5CA-ED35-11D4-A452-0080C8D85045} (GameDesire Poker Games) - http://67.15.101.3/g_bin/pl/poker_2_0_0_39.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O17 - HKLM\System\CCS\Services\Tcpip\..\{8709B20F-38B2-4A32-B720-D99A401C1B27}: NameServer = 194.204.152.34,194.204.159.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O17 - HKLM\System\CS2\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O17 - HKLM\System\CS3\Services\Tcpip\..\{02D9DA91-8D04-4D51-846F-018F5DB12D5B}: NameServer = 192.168.1.1,193.110.120.5

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O18 - Protocol: wpmsg - {2E0AC5A0-3597-11D6-B3ED-0001021DC1C3} - C:\Program Files\Wirtualna Polska\wpkontakt\url_wpmsg.dll

O20 - AppInit_DLLs: C:\WINDOWS\System32\wmfhotfix.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe

O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

I z silenta

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [file not found]

"ctfmon.exe" = "C:\WINDOWS\System32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"CloneCDTray" = ""C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" ["SlySoft, Inc."]

"WinampAgent" = ""C:\Program Files\Winamp\Winampa.exe"" [null data]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]

"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]

"MSPY2002" = "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC" [null data]

"PHIME2002ASync" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]

"PHIME2002A" = "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]

"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"SCANINICIO" = ""C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"" ["Panda Software"]

"APVXDWIN" = ""C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{686E5EC7-76D5-408e-AC31-DDDA63D98ACD}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Knight Online Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll" [null data]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "SimpleShlExt extension"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Wirtualna Polska\wpkontakt\shellext_wpmsg.dll" [empty string]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}" = "ABBYYPDFContextMenuExtension"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"

  -> {HKLM...CLSID} = "Siemens Device"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"

  -> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"

  -> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{65756541-C65C-11CD-0000-4B656E696100}" = "Panda Antivirus"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "C:\WINDOWS\System32\wmfhotfix.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! WRNotifier\DLLName = "WRLogonNTF.dll" ["Webroot Software, Inc."]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ABBYYPDFContextMenuExtension\(Default) = "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WPKontakt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Wirtualna Polska\wpkontakt\shellext_wpmsg.dll" [empty string]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Panda Antivirus\(Default) = "{65756541-C65C-11CD-0000-4B656E696100}"

  -> {HKLM...CLSID} = "Panda Antivirus"

                   \InProcServer32\(Default) = "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavOLE.dll" ["Panda Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Marcin\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{014DA6C9-189F-421A-88CD-07CFE51CFF10}"

  -> {HKLM...CLSID} = "My Search Bar"

                   \InProcServer32\(Default) = "C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL" [file not found]

"{D6C0B521-6926-4BF1-80D2-61C7DAB2511C}"

  -> {HKLM...CLSID} = "Knight Online Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll" [null data]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]

"{D6C0B521-6926-4BF1-80D2-61C7DAB2511C}" = "Knight Online Toolbar"

  -> {HKLM...CLSID} = "Knight Online Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Knight Online Toolbar\v2.0.0.5\Knight_Online_Toolbar.dll" [null data]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{014DA6CE-189F-421A-88CD-07CFE51CFF10}\(Default) = "My Search Bar Quick View"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\

"ButtonText" = "Spyware Doctor"

"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"

  -> {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["PC Tools"]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Panda anti-virus service, PAVSRV, "C:\Program Files\Panda Software\Panda Antivirus Platinum\pavsrv51.exe" ["Panda Software"]

Panda Firewall Service, PAVFIRES, "C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe" ["Panda Software"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]

LIDIL Language Monitor\Driver = "hpzll3xu.dll" ["Hewlett-Packard Company"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 331 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 36 seconds.

---------- (total run time: 463 seconds)

Ok, trzymam kciuki że wszystko w porządku jest.


(Gutek) #8

do usunięcia plik i nowy log


(Marcinsdg) #9

Oto i nowy :slight_smile:

Wielki dzięki :slight_smile:


(Mayster X) #10

Log wygląda na ok ... :wink:

Jeśli nie używasz to usuń

Start=>Uruchom=>Wpisz polecenie

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove


(Marcinsdg) #11

hehe, mam nadzieje że nareszcie sie to wszystko skończyło ^^.

Msn używam :P. Wielkie dzieki za pomoc <3