Another problem with viruses

I have a problem with viruses again… From the beginning:

I decided not to install any antivirus and instead to scan every day or every other day with an online scanner. Today it detected quite a few viruses. The ones I could, I removed. But some remained, the ones the program (mks_vir online) could not remove. These are the files:

C:...42EE30-072C-1045-1020-041030030030}\system.dll
to niebezpieczny program (trojan) : Trojan.Downloader.Agent.ara
Zaleca się skasowanie pliku

C:...42EE30-072C-1045-1020-041030030030}\Update.exe
to niebezpieczny program (trojan) : Adware.Softomate.ac
Zaleca się skasowanie pliku

C:\Program Files\Ipwindows\ipwins.dll
to niebezpieczny program (trojan) : Adware.CommAd.a
Zaleca się skasowanie pliku

C:\Program Files\Ipwindows\Uninst.exe
to niebezpieczny program (trojan) : Trojan.DLoader.bqeb
Zaleca się skasowanie pliku

C:\Program Files\MsMovies\MsMovies.exe
to niebezpieczny program (trojan) : Trojan.Dropper.Winad.H
Zaleca się skasowanie pliku

What should I do, and if I give you the logs to check, will that help?

Post the logs and the specialists will help you.

http://forum.dobreprogramy.pl/viewtopic.php?t=36654

And by the way, having no antivirus and no firewall could be called prudence. :smiley:

HijackThis

Logfile of HijackThis v1.99.1

Scan saved at 19:03:44, on 2007-01-21

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RUNDLL32.EXE

H:\STEROWNIKI G\BearShare\BearShare.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\MsMovies\MsMovies.exe

C:\Program Files\Ipwindows\ipwins.exe

H:\Sterowniki\lwemon.exe

C:\Program Files\RALINK\Common\RaUI.exe

H:\STEROWNIKI G\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Common Files\{BC42EE30-072C-1045-1020-041030030030}\Update.exe

C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe

C:\Documents and Settings\Rafał\Moje dokumenty\?asks\m?dtc.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\RAFA~1\USTAWI~1\Temp\Rar$EX00.031\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

R3 - URLSearchHook: (no name) - {554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8} - C:\WINDOWS\System32\jdj.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Sterowniki G\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - H:\STEROWNIKI G\GetRight\xx2gr.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\STEROWNIKI G\BitComet\tools\BitCometBHO.dll

O2 - BHO: (no name) - {554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8} - C:\WINDOWS\System32\jdj.dll

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C42E~1\Bar888.dll

O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~1\MediaBar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C42E~1\Bar888.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [BearShare] "H:\STEROWNIKI G\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto

O4 - HKLM\..\Run: [virtual-ie] winlogi.exe

O4 - HKLM\..\Run: [{BC42EE30-072C-1045-1020-041030030030}] "C:\Program Files\Common Files\{BC42EE30-072C-1045-1020-041030030030}\Update.exe" mc-110-12-0000140

O4 - HKLM\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Start WingMan Profiler] "H:\Sterowniki\lwemon.exe" /noui

O4 - HKCU\..\Run: [Utbl] "C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe" -vt yazb

O4 - HKCU\..\Run: [Ocfe] C:\Documents and Settings\Rafał\Moje dokumenty\?asks\m?dtc.exe

O4 - Startup: Stardock ObjectDock.lnk = H:\STEROWNIKI G\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\STEROWNIKI G\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: Download all links using BitComet - res://H:\STEROWNIKI G\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://H:\STEROWNIKI G\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://H:\STEROWNIKI G\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Download with GetRight - H:\STEROWNIKI G\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - H:\STEROWNIKI G\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000140 (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Silent Runners

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"Start WingMan Profiler" = ""H:\Sterowniki\lwemon.exe" /noui" ["Logitech Inc."]

"Utbl" = ""C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe" -vt yazb" [null data]

"Ocfe" = "C:\Documents and Settings\Rafał\Moje dokumenty\*asks\m*dtc.exe" (unwritable string) [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]

"BearShare" = ""H:\STEROWNIKI G\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"NeroFilterCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]

"MsMovies" = "C:\Program Files\MsMovies\MsMovies.exe /auto" ["Windows Media Video"]

"virtual-ie" = "winlogi.exe" [file not found]

"{BC42EE30-072C-1045-1020-041030030030}" = ""C:\Program Files\Common Files\{BC42EE30-072C-1045-1020-041030030030}\Update.exe" mc-110-12-0000140" [null data]

"IpWins" = "C:\Program Files\Ipwindows\ipwins.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "H:\Sterowniki G\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "bho2gr Class"

                   \InProcServer32\(Default) = "H:\STEROWNIKI G\GetRight\xx2gr.dll" ["Headlight Software, Inc."]

{37B85A21-692B-4205-9CAD-2626E4993404}\(Default) = "My Global Search Bar BHO"

  -> {HKLM...CLSID} = "My Global Search Bar BHO"

                   \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

  -> {HKLM...CLSID} = "BitComet Helper"

                   \InProcServer32\(Default) = "H:\STEROWNIKI G\BitComet\tools\BitCometBHO.dll" ["BitComet"]

{554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\jdj.dll" [null data]

{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{3C42E~1\Bar888.dll" [null data]

{F97DA966-F09D-4cab-BF29-75A0026986EA}\(Default) = "XBTP02634"

  -> {HKLM...CLSID} = "XBTP02634 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\MediaBar.dll" ["IE Toolbar"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"

  -> {HKLM...CLSID} = "Haali Column Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"

  -> {HKLM...CLSID} = "Haali Matroska Shell Property Page"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Exctractor"

  -> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"

  -> {HKLM...CLSID} = "Haali Column Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "H:\Sterowniki G\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Rafał\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Rafał\Dane aplikacji\Opera\Opera\profile\skin\k11.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "Rafał" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Rafał\Menu Start\Programy\Autostart

"Stardock ObjectDock" -> shortcut to: "H:\STEROWNIKI G\Stardock\ObjectDock\ObjectDock.exe" ["Stardock"]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "H:\STEROWNIKI G\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Ralink Wireless Utility" -> shortcut to: "C:\Program Files\RALINK\Common\RaUI.exe -s" ["Ralink Technology, Corp."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{37B85A29-692B-4205-9CAD-2626E4993404}"

  -> {HKLM...CLSID} = "My Global Search Bar"

                   \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]

"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]

"{37B85A29-692B-4205-9CAD-2626E4993404}" = (no title provided)

  -> {HKLM...CLSID} = "My Global Search Bar"

                   \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]

"{C1B4DEC2-2623-438E-9CA2-C9043AB28508}" = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{3C42E~1\Bar888.dll" [null data]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" ["IE Toolbar"]

<> "{554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\jdj.dll" [null data]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]



----------

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 16 seconds.

---------- (total run time: 143 seconds)

I don't know logs, but what I can advise is:

  1. Don't keep HijackThis in Temp or another temporary folder

  2. Install Service Pack 2

  3. An antivirus + a firewall

Start => Run => cmd => in the console type:

Use Windows Worms Doors Cleaner and change the markers from disable to enable (all markers should be green; if one of them is yellow, leave it). A restart is required after using the tool.

Use the SmitFraudFix tool (option 2). Then check what remains of what I marked below and remove it: (you do all of this in Safe Mode, of course, with System Restore disabled)

Delete the marked files and folders manually from the disk, and the entries in HijackThis.

Read about removing files and folders with a question mark - Removing PurityScan.

When done, post a new log from HJT, Silent Runners and c:\rapport.txt.

The regular version of BearShare contains junk, so I suggest removing it. If you absolutely want to use it, install the Lite version, which is free of the junk.
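The checks the helpers are doing by eye on the HJT log, written out as a script. This is an added example, not code from the thread, from HijackThis or from Silent Runners. It parses the R3/O2/O3/O4/O23 lines, flags entries registered with (no name), entries still pointing at a file that is gone, services with an unknown owner, autoruns that are a bare filename rather than a full path, and paths containing ? or * (characters that cannot occur in a Windows filename, so HJT printing them means it could not render the real character, which is what the PurityScan guide is about), and indexes which hook points each file is registered at. The sample lines are copied from the HJT log posted above plus two benign entries for contrast; the heuristics and the wording of the reasons are assumptions of this example, not verdicts.

```python
"""Triage helper for HijackThis (HJT) logs (added example, not from the thread)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: lines copied from the HJT log posted in the thread,
# plus two benign entries (Acrobat BHO, Winamp agent) for contrast.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8} - C:\WINDOWS\System32\jdj.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Sterowniki G\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8} - C:\WINDOWS\System32\jdj.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C42E~2\Bar888.dll (file missing)
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [Ocfe] C:\Documents and Settings\Rafał\Moje dokumenty\?asks\m?dtc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000140 (file missing)
"""

LINE_RE = re.compile(r'^(?P<kind>[RO]\d+) - (?P<body>.*)$')
O4_RE = re.compile(r'^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|ocx|scr|cpl|bat|cmd))(?=$|[\s",])', re.I)
URL_PREFIXES = ("http://", "https://", "res://")


def _target(kind: str, body: str) -> str:
    """File/command part of an HJT entry, minus the '(file missing)' suffix
    HJT appends when the registered path does not resolve."""
    body = body.replace(" (file missing)", "")
    if kind == "O4":
        m = O4_RE.match(body)
        return m.group("cmd") if m else body
    # R3/O2/O3/O23 read "<label> - <clsid or owner> - <path>"; path is last.
    return body.rsplit(" - ", 1)[-1]


def _executable(target: str) -> str:
    """Strip quotes and arguments to leave the executable/DLL path."""
    t = target.strip()
    # "C:\path with spaces\x.exe" args  -> inside the quotes
    # C:\x.exe" -e args (unbalanced)    -> before the stray quote
    t = t.split('"')[1] if t.startswith('"') else t.split('"')[0]
    m = EXE_RE.match(t)
    return m.group(1) if m else t


def triage(log_text: str) -> List[Dict]:
    """One finding per suspicious line: {'kind', 'line', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        target = _target(kind, body)
        reasons = []
        if "(no name)" in body:
            reasons.append("component registered without a name")
        if "(file missing)" in body:
            reasons.append("registry still points at a file that is gone")
        if kind == "O23" and "Unknown owner" in body:
            reasons.append("service binary has no recognised publisher")
        if not target.lower().startswith(URL_PREFIXES):
            exe = _executable(target)
            # '?' and '*' are illegal in Windows filenames, so seeing them in
            # a logged path means HJT could not render the real character.
            if re.search(r"[?*]", exe):
                reasons.append("path contains characters HJT could not render")
            # A bare name is resolved via PATH search. Some vendor entries
            # (nwiz.exe in the posted log) do this too, so this is a prompt
            # to look, not a verdict.
            if kind == "O4" and "\\" not in exe and not exe.lower().startswith("rundll32"):
                reasons.append("autorun command is a bare filename, not a full path")
        if reasons:
            findings.append({"kind": kind, "line": line, "reasons": reasons})
    return findings


def hook_points_by_file(log_text: str) -> Dict[str, List[str]]:
    """Map each executable/DLL basename to the HJT entry kinds it appears in,
    so one DLL wired into several IE hook points (as jdj.dll is) stands out."""
    index: Dict[str, List[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        target = _target(kind, body)
        if target.lower().startswith(URL_PREFIXES):
            continue
        base = _executable(target).split("\\")[-1].lower()
        if kind not in index[base]:
            index[base].append(kind)
    return dict(index)


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f["kind"], "|", f["line"])
        for r in f["reasons"]:
            print("    -", r)
    print(hook_points_by_file(SAMPLE_HJT_LOG))
```

Run it against the old and the new log and diff the two outputs: entries that switched to "(file missing)" are the ones the poster deleted from disk but left in the registry, which is exactly the case where the helper says to remove only the HJT entry.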

Well, you know, I had all of them green except one, but then my Internet didn't work :cry: For now I changed them all to red, and the Internet works. And some of the infected files I can't delete - e.g. this one - O4 - HKCU…\Run: [Ocfe] C:\Documents and Settings\Rafał\Moje dokumenty\ ?asks \m?dtc.exe :frowning:

Only I can't type in that console anymore :frowning:

P.S. Sorry it took so long…

In that case, leave the markers in whatever state your Internet works well with.

Some files or folders may already be gone, so if they are not there, just delete their entries in HJT.

And read about removing files and folders with a question mark - Removing PurityScan.

In that case do this:

Start => Run => type services.msc => stop and disable the COM+ Messages service, then run HijackThis Misc Tools => Delete NT service => type COM+ Messages => OK and restart the computer.

What would it be like if I didn't have problems…

During this step the following message pops up:

komunikat7pz.jpg

I've been fiddling with it all this time, and as usual - nothing.

Did you first stop and disable the service in Start => Run => services.msc??

You can do it like this:

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it as FIX.BAT >>> double-click the created FIX.BAT file >>> restart.

I did it, and I still can't type in that console… Oh my… :frowning: :cry:

You don't need to type anything in the console anymore. Since you couldn't stop the service in the console, I gave you another method. That one failed too, so I gave you yet another.

Do the remaining steps (remove the rest of the junk) and paste the new logs I asked for.

I removed only the ones that could be removed…

I.e. only “BearShare Applications” and “MyGlobalSearch”. When I delete the others, I get access denied…

Are you deleting in Safe Mode? If not, try that, or alternatively this method:

http://forum.strefabezpieczenstwa.pl/viewtopic.php?t=10

And be sure to paste the new logs I asked for, regardless of whether you manage to delete them with one of the methods above or not.

HJT

Logfile of HijackThis v1.99.1

Scan saved at 17:54:47, on 2007-01-22

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchosts.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\RUNDLL32.EXE

H:\STEROWNIKI G\BearShare\BearShare.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\MsMovies\MsMovies.exe

H:\Sterowniki\lwemon.exe

C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe

C:\Documents and Settings\Rafał\Moje dokumenty\?asks\m?dtc.exe

C:\Program Files\RALINK\Common\RaUI.exe

H:\STEROWNIKI G\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Opera\Opera.exe

H:\Sterowniki G\Unlocker\UnlockerAssistant.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\RAFA~1\USTAWI~1\Temp\Rar$EX00.344\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)

R3 - URLSearchHook: (no name) - {554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8} - C:\WINDOWS\System32\jdj.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Sterowniki G\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - H:\STEROWNIKI G\GetRight\xx2gr.dll

O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\STEROWNIKI G\BitComet\tools\BitCometBHO.dll

O2 - BHO: (no name) - {554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8} - C:\WINDOWS\System32\jdj.dll

O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C42E~2\Bar888.dll (file missing)

O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~1\MediaBar.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)

O3 - Toolbar: My Global Search Bar - {37B85A29-692B-4205-9CAD-2626E4993404} - C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL

O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C42E~2\Bar888.dll (file missing)

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [BearShare] "H:\STEROWNIKI G\BearShare\BearShare.exe" /pause

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto

O4 - HKLM\..\Run: [virtual-ie] winlogi.exe

O4 - HKLM\..\Run: [{BC42EE30-072C-1045-1020-041030030030}] "C:\Program Files\Common Files\{BC42EE30-072C-1045-1020-041030030030}\Update.exe" mc-110-12-0000137

O4 - HKLM\..\Run: [{BC42EE30-072D-1045-1020-041030030030}] "C:\Program Files\Common Files\{BC42EE30-072D-1045-1020-041030030030}\Update.exe" mc-110-12-0000140

O4 - HKLM\..\Run: [UnlockerAssistant] "H:\Sterowniki G\Unlocker\UnlockerAssistant.exe"

O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Start WingMan Profiler] "H:\Sterowniki\lwemon.exe" /noui

O4 - HKCU\..\Run: [Utbl] "C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe" -vt yazb

O4 - HKCU\..\Run: [Ocfe] C:\Documents and Settings\Rafał\Moje dokumenty\?asks\m?dtc.exe

O4 - Startup: Stardock ObjectDock.lnk = H:\STEROWNIKI G\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\STEROWNIKI G\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

O8 - Extra context menu item: Download all links using BitComet - res://H:\STEROWNIKI G\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://H:\STEROWNIKI G\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://H:\STEROWNIKI G\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Download with GetRight - H:\STEROWNIKI G\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - H:\STEROWNIKI G\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000140 (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Silent Runners

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"Start WingMan Profiler" = ""H:\Sterowniki\lwemon.exe" /noui" ["Logitech Inc."]

"Utbl" = ""C:\PROGRA~1\COMMON~1\STEM~1\chkntfs.exe" -vt yazb" [null data]

"Ocfe" = "C:\Documents and Settings\Rafał\Moje dokumenty\*asks\m*dtc.exe" (unwritable string) [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"NeroCheck" = "C:\WINDOWS\System32\\NeroCheck.exe" ["Ahead Software Gmbh"]

"BearShare" = ""H:\STEROWNIKI G\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"NeroFilterCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]

"MsMovies" = "C:\Program Files\MsMovies\MsMovies.exe /auto" ["Windows Media Video"]

"virtual-ie" = "winlogi.exe" [null data]

"{BC42EE30-072C-1045-1020-041030030030}" = ""C:\Program Files\Common Files\{BC42EE30-072C-1045-1020-041030030030}\Update.exe" mc-110-12-0000137" [file not found]

"{BC42EE30-072D-1045-1020-041030030030}" = ""C:\Program Files\Common Files\{BC42EE30-072D-1045-1020-041030030030}\Update.exe" mc-110-12-0000140" [file not found]

"UnlockerAssistant" = ""H:\Sterowniki G\Unlocker\UnlockerAssistant.exe"" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "H:\Sterowniki G\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{31FF080D-12A3-439A-A2EF-4BA95A3148E8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "bho2gr Class"

                   \InProcServer32\(Default) = "H:\STEROWNIKI G\GetRight\xx2gr.dll" ["Headlight Software, Inc."]

{37B85A21-692B-4205-9CAD-2626E4993404}\(Default) = "My Global Search Bar BHO"

  -> {HKLM...CLSID} = "My Global Search Bar BHO"

                   \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]

{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = "BitComet ClickCapture"

  -> {HKLM...CLSID} = "BitComet Helper"

                   \InProcServer32\(Default) = "H:\STEROWNIKI G\BitComet\tools\BitCometBHO.dll" ["BitComet"]

{554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\jdj.dll" [null data]

{C1B4DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{3C42E~2\Bar888.dll" [file not found]

{F97DA966-F09D-4cab-BF29-75A0026986EA}\(Default) = "XBTP02634"

  -> {HKLM...CLSID} = "XBTP02634 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\MediaBar.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"

  -> {HKLM...CLSID} = "Haali Column Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"

  -> {HKLM...CLSID} = "Haali Matroska Shell Property Page"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Exctractor"

  -> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "H:\Sterowniki G\Unlocker\UnlockerCOM.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"

  -> {HKLM...CLSID} = "Haali Column Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Haali\MatroskaSplitter\mmfinfo.dll" [null data]

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "H:\Sterowniki G\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "H:\Sterowniki G\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "H:\Sterowniki G\Unlocker\UnlockerCOM.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Rafał\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Rafał\Dane aplikacji\Opera\Opera\profile\skin\k11.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "Rafał" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Rafał\Menu Start\Programy\Autostart

"Stardock ObjectDock" -> shortcut to: "H:\STEROWNIKI G\Stardock\ObjectDock\ObjectDock.exe" ["Stardock"]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "H:\STEROWNIKI G\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Ralink Wireless Utility" -> shortcut to: "C:\Program Files\RALINK\Common\RaUI.exe -s" ["Ralink Technology, Corp."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{37B85A29-692B-4205-9CAD-2626E4993404}"

  -> {HKLM...CLSID} = "My Global Search Bar"

                   \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]

"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}"

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" [file not found]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" [file not found]

"{37B85A29-692B-4205-9CAD-2626E4993404}" = (no title provided)

  -> {HKLM...CLSID} = "My Global Search Bar"

                   \InProcServer32\(Default) = "C:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" ["My Global Search"]

"{C1B4DEC2-2623-438E-9CA2-C9043AB28508}" = (no title provided)

  -> {HKLM...CLSID} = "Bar888"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\{3C42E~2\Bar888.dll" [file not found]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" = (no title provided)

  -> {HKLM...CLSID} = "BearShare MediaBar"

                   \InProcServer32\(Default) = "C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll" [file not found]

<> "{554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\jdj.dll" [null data]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


COM+ Messages, COM+ Messages, ""C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000140" [null data]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]



----------

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 29 seconds.

---------- (total run time: 146 seconds)
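An added example, not a tool from this thread or from Silent Runners itself: a small Python triage script that reads log lines in the format above and flags the shapes the helpers here are reacting to. The flags are the tool's own `<>` hijack marker, entries tagged `[file not found]` (orphaned autostart values that still point at something that was on the disk), unsigned `[null data]` modules living in System32, bare file names with no path (resolved by a PATH search at logon, so you cannot tell what runs), executables in GUID-named directories under Common Files, and binary names one edit away from a core Windows process name. The sample lines are constructed for this example in the log's format; the name list and heuristics are the example's own assumptions, and a hit means "look at this", not "this is malware".

```python
"""Triage a Silent Runners-style autostart log (added example; not the thread's own tool)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the log above (not the poster's real lines).
SAMPLE_LOG = r'''
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"virtual-ie" = "winlogi.exe" [null data]
"{BC42EE30-072C-1045-1020-041030030030}" = ""C:\Program Files\Common Files\{BC42EE30-072C-1045-1020-041030030030}\Update.exe" mc-110-12-0000137" [file not found]
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\jdj.dll" [null data]
<> "{554EA9A2-351D-3B9F-6B2D-1BE4BBBBEFC8}" = (no title provided)
COM+ Messages, COM+ Messages, ""C:\WINDOWS\System32\svchosts.exe" -e mc-110-12-0000140" [null data]
'''

# Silent Runners ends each entry with [MS], ["Company"], [null data] or [file not found].
TAG_RE = re.compile(r'\[([^\]]*)\]\s*$')
# A full drive path or a bare file name ending in an executable extension.
PATH_RE = re.compile(r'(?:[A-Za-z]:\\[^"\[,]*?)?[\w~{}\-.]+\.(?:exe|dll|cpl|scr)\b', re.I)
# A GUID-named directory component such as \{BC42EE30-072C-1045-1020-041030030030}\
GUID_DIR_RE = re.compile(r'\\\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\\', re.I)
# Core Windows process names that droppers imitate with one-letter changes (assumed list).
SYSTEM_BINARIES = sorted({"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                          "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe", "rundll32.exe"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alikes such as svchosts.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(line: str) -> list[str]:
    """Return the reasons one log line deserves a closer look (empty list = nothing seen)."""
    reasons: list[str] = []
    stripped = line.strip()
    if stripped.startswith("<>"):
        reasons.append("tool marked this hijack point as suspicious (<>)")
    tag_match = TAG_RE.search(stripped)
    tag = tag_match.group(1).lower() if tag_match else ""
    if tag == "file not found":
        reasons.append("orphaned autostart entry: target no longer on disk")
    for path in (m.group(0) for m in PATH_RE.finditer(stripped)):
        name = path.rsplit("\\", 1)[-1].lower()
        if tag == "null data" and "\\system32\\" in path.lower():
            reasons.append(f"{name}: no version info / unsigned but lives in System32")
        if "\\" not in path and name not in SYSTEM_BINARIES:
            reasons.append(f"{name}: bare file name, resolved by a PATH search at logon")
        if name not in SYSTEM_BINARIES:
            for known in SYSTEM_BINARIES:
                if edit_distance(name, known) == 1:
                    reasons.append(f"{name}: one character away from {known}")
        if GUID_DIR_RE.search(path):
            reasons.append(f"{name}: runs from a GUID-named directory")
    return reasons


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def triage(log_text: str) -> list[Finding]:
    """Run assess() over every non-empty line and keep only the lines that raised a reason."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        reasons = assess(raw)
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Feed it a real log with `triage(open("log.txt", encoding="utf-8").read())`; the two clean sample lines (the NVIDIA entry tagged `[MS]` and the Winamp agent) produce no finding, while the other five each come back with at least one reason. The `[null data]` tag alone is deliberately not a flag, since plenty of legitimate software ships without version resources; it only counts in combination with a System32 location or a bare name.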

I'll post c:\rapport in a moment :wink:

Damn, I can't after all, because now SmitFraudFix won't run :(( I start it and it says "Press any key" - I press one, and nothing...

Repeat the instructions and do a scan with AVG Anti-Spyware 7.5 after updating it :wink:

Is it possible that I don't have a "System32" folder?

If you didn't have it, you wouldn't be posting here. :stuck_out_tongue: