Log z Silenta do interpretacji -czyli co wirus miał na myśli

Witam ,mam bankowo Smitfrauda i chyba jeszcze jakiś syf. Proszę o pomoc - oto log z Silenta .

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “D:\WINDOWS\System32\ctfmon.exe” [MS]

“Komunikator” = “D:\Program Files\Tlen.pl\tlen.exe” [“o2.pl Sp. z o.o.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“NvCplDaemon” = “RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS]

“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]

“NvMediaCenter” = “RunDLL32.exe NvMCTray.dll,NvTaskbarInit” [MS]

“Logitech Utility” = “Logi_MwX.Exe” [“Logitech Inc.”]

“SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

“SigmatelSysTrayApp” = “sttray.exe” [file not found]

“avgnt” = ““D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”]

“WooCnxMon” = “D:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]

“WOOWATCH” = “D:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)

\StubPath = ““D:\WINDOWS\System32\rundll32.exe” “D:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “D:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

-> {HKLM…CLSID} = “DesktopContext Class”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”]

“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

-> {HKLM…CLSID} = “NVIDIA CPL Extension”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”]

“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

-> {HKLM…CLSID} = “Desktop Explorer”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

-> {HKLM…CLSID} = “nView Desktop Context Menu”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{E0D79300-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

“{E0D79301-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

“{E0D79302-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

“{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> rpcc\DLLName = “D:\WINDOWS\System32\rpcc.dll” [null data]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “D:\Documents and Settings\łuki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “D:\Documents and Settings\łuki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

Miscellaneous IE Hijack Points


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)

-> {HKLM…CLSID} = “Search Class”

\InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):


AntiVir PersonalEdition Classic Guard, AntiVirService, “D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”]

AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, “D:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”]

NVIDIA Display Driver Service, NVSvc, “D:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt10\Driver = “hpzsnt10.dll” [“HP”]


<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 58 seconds.

---------- (total run time: 117 seconds)

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

D:\WINDOWS\System32\rpcc.dll

Klikasz X czerwony i restart kompa.

Otwórz notatnik i wklej:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.

Po wykonaniu oczywiście proszę wkleić nowy log.

Dodatkowo kosmetycznie możesz przeczyścić rejestr (opis).

Wykonałem wszystkie instrukcje . Oto log z silenta :

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “D:\WINDOWS\System32\ctfmon.exe” [MS]

“Komunikator” = “D:\Program Files\Tlen.pl\tlen.exe” [“o2.pl Sp. z o.o.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“NvCplDaemon” = “RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS]

“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]

“NvMediaCenter” = “RunDLL32.exe NvMCTray.dll,NvTaskbarInit” [MS]

“Logitech Utility” = “Logi_MwX.Exe” [“Logitech Inc.”]

“SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

“SigmatelSysTrayApp” = “sttray.exe” [file not found]

“avgnt” = ““D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”]

“WooCnxMon” = “D:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]

“WOOWATCH” = “D:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)

\StubPath = ““D:\WINDOWS\System32\rundll32.exe” “D:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “D:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

-> {HKLM…CLSID} = “DesktopContext Class”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”]

“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

-> {HKLM…CLSID} = “NVIDIA CPL Extension”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”]

“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

-> {HKLM…CLSID} = “Desktop Explorer”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

-> {HKLM…CLSID} = “nView Desktop Context Menu”

\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{E0D79300-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

“{E0D79301-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

“{E0D79302-84BE-11CE-9641-444553540000}” = “WinZip”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

“{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”

-> {HKLM…CLSID} = “Shell Extension for Malware scanning”

\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]

WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”

-> {HKLM…CLSID} = “WinZip”

\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “D:\Documents and Settings\łuki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “D:\Documents and Settings\łuki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

Miscellaneous IE Hijack Points


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)

-> {HKLM…CLSID} = “Search Class”

\InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):


AntiVir PersonalEdition Classic Guard, AntiVirService, “D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”]

AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, “D:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”]

NVIDIA Display Driver Service, NVSvc, “D:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt10\Driver = “hpzsnt10.dll” [“HP”]


<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 58 seconds.

---------- (total run time: 83 seconds)

Jest ok.

Możesz zajrzeć: Optymalizacja i odchudzanie Windowsa XP.

Wielkie dzięki !

Ps. Genialny serwis ;D

Ahh i jeszcze mam pytanie - czy mam zostawić ten FIX.REG na pulpicie ? I tego windows doom-a ? czy mogę to usunąć ?

Możesz usunąć bo już do niczego nie jest potrzebny.

Możesz.

Ouch. Niestety Spybot - Search and destroy wykrył Smitfrauda -C . :confused:

Co więcej - próbowałem go usunąć SmitfraudFix - co również się nie sprawdziło ( w tybie awaryjnym oczywiście ) .

________________________________________________________________

Chyba za szybko piszę te posty. Wykrył także Tradedoublera . Po czym oba zostały naprawione ( Spybot ).

Wykonam jeszcze 1 skan.

UPDATE !

Spybot wykrył Tradedoublera ponownie i ZNOWU go usunął . Tym razem nie wykrył Smitfraud’a. ( chyba już go usunął na dobre ).

Myślę że Tradedoubler się ciągle pojawia - coś związanego z Cookies i Mozillą.

Złączono Posta : 02.12.2006 (Sob) 16:42

Nie wiem czemu ale po tym wszystkim net zwolnił + ventrillo mi laguje ;S

Złączono Posta : 02.12.2006 (Sob) 16:50

Jakaś pomoc ? ;D

Bor4t - wszystkie logi wklejane na forum powinny być objęte tagami

Proponuję przeskanować http://www.ewido.net/en/ i pokazać raport.

Dodatkowo możesz wkleić log z HijackThis.

Log z hijackthis :

Złączono Posta : 02.12.2006 (Sob) 17:10

Czysto.

Gdzie raporcik ze skanowania?

No już się robi ,chwilunia momento :smiley:

LOG Z EWIDO :

Jest Ok, cisteczka usunięte :slight_smile:

Użyj tylko ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1

Może to głupie ale teraz laguje on line ;D Co więcej ventrilo mi laguje - jak ktoś mówi to mam po prostu przerwy i opóźnienia.

Złączono Posta : 02.12.2006 (Sob) 18:50

SUGESTIE ? ;d

Złączono Posta : 02.12.2006 (Sob) 20:42

Ouch,widzę że temu już panowie nie podołają ;D