Sluggish computer and network disconnections, restart, system error


(Kantys) #1

Please help: for some time now my computer has slowed down terribly, it takes a long time to respond, all applications open very slowly, or it doesn't carry out commands at all, as if it were freezing :frowning: Web pages also open veeery slowly :frowning: On top of that, the internet connection keeps dropping... There's one more thing that worries me... the amount of data sent is 6-9 times greater than the amount received, even though I'm not really doing anything, e.g. I barely manage to open the forum... A moment ago I tried to scan with GMER and it showed something suggesting there are rootkits... it asked whether I wanted to check thoroughly, I clicked yes... it ran for a while and then a reset happened, a blue screen with text saying that a serious error had occurred and that if it was the first time I should start normally, and if not, in safe mode, and that I should uninstall all recently installed programs... GMER? I'm attaching the logs from Silent and Hijack; I'm a bit afraid to run GMER again... Please help...

Logfile of HijackThis v1.99.1

Scan saved at 12:43:36, on 2007-05-01

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\System32\alg.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe

D:\Program Files\SiteAdvisor\6066\SAService.exe

D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Analog Devices\SoundMAX\SMTray.exe

D:\PROGRA~1\WANADOO\TaskbarIcon.exe

D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

D:\Program Files\SiteAdvisor\6066\SiteAdv.exe

D:\WINDOWS\System32\ctfmon.exe

D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe

D:\Program Files\VIA\RAID\raid_tool.exe

D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\Program Files\Wanadoo\EspaceWanadoo.exe

D:\Program Files\Wanadoo\ComComp.exe

D:\Program Files\Wanadoo\Watch.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\System32\wuauclt.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\system32\NOTEPAD.EXE

D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\WANADOO\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\WANADOO\TaskbarIcon.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [SiteAdvisor] D:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q

O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe

O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176571394826

O17 - HKLM\System\CCS\Services\Tcpip\..\{8AD810F0-1959-4D43-97F2-EE50546B97BC}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe

O23 - Service: SiteAdvisor Service - McAfee, Inc. - D:\Program Files\SiteAdvisor\6066\SAService.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [MS]

"Spyware Doctor" = ""D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Smapp" = "D:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]

"WOOWATCH" = "D:\PROGRA~1\WANADOO\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "D:\PROGRA~1\WANADOO\TaskbarIcon.exe" ["France Télécom R&D"]

"!AVG Anti-Spyware" = ""D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "SSVHelper Class"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

 -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

          \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

 -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

          \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

 -> {HKLM...CLSID} = "Microsoft Office Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

 -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

 -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

 -> {HKLM...CLSID} = "CContextScan Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

 -> {HKLM...CLSID} = "CContextScan Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Startup items in "Kasia" & "All Users" startup folders:

-------------------------------------------------------


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"VIA RAID TOOL" -> shortcut to: "D:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]

"DSLMON" -> shortcut to: "D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]

Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

 -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

 -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

PC Tools Spyware Doctor, SDhelper, "D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe" ["PC Tools Research Pty Ltd"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

 launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

 took 374 seconds.

---------- (total run time: 1906 seconds)

(qrczak13) #2

Logs are OK.

Cosmetic tweaks:

If you don't use advanced text services, turn them off:

Start > Control Panel > Regional Options > Languages > Details > Advanced > tick "Turn off advanced text services".

Have a look at Neostrada, connections, Optimizing and slimming down Windows XP.

Install Service Pack 2

http://www.searchengines.pl/phpbb203/in ... ntry345506

Paste it on the forum.


(Kantys) #3

Thanks, I did the cosmetic tweaks. As for the "blue screen", I have a problem using that little program, i.e. it seems to be there, but the window opens for half a second and disappears. When I typed it into the command prompt, the same thing happened :frowning: ... via cmd it told me that it cannot open: "DebugClient cannot open DumpFile - error 8007002". I have no idea what to do...

I'm also pasting the log from GMER, because it pointed to rootkits in the processes...

GMER 1.0.12.12244 - http://www.gmer.net

Rootkit scan 2007-05-01 18:12:43

Windows 5.1.2600

---- System - GMER 1.0.12 ----


SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess

SSDT \??\D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess


---- Kernel code sections - GMER 1.0.12 ----


.text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]

.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2F4 804FC80C 4 Bytes [AC, 08, 90, F9]

.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 804FCA28 4 Bytes [12, 08, 90, F9]

? D:\WINDOWS\TEMP\mc21.tmp Nie można odnaleźć określonego pliku.

? D:\WINDOWS\System32\drivers\runtime.sys Nie można odnaleźć określonego pliku.


---- User code sections - GMER 1.0.12 ----


.text D:\Program Files\Internet Explorer\iexplore.exe[168] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\Internet Explorer\iexplore.exe[168] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\Internet Explorer\iexplore.exe[168] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\Internet Explorer\iexplore.exe[168] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\Internet Explorer\iexplore.exe[168] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\Internet Explorer\iexplore.exe[168] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\PROGRA~1\WANADOO\TaskbarIcon.exe[232] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\PROGRA~1\WANADOO\TaskbarIcon.exe[232] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\PROGRA~1\WANADOO\TaskbarIcon.exe[232] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\PROGRA~1\WANADOO\TaskbarIcon.exe[232] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\PROGRA~1\WANADOO\TaskbarIcon.exe[232] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\PROGRA~1\WANADOO\TaskbarIcon.exe[232] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[240] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[240] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[240] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[240] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[240] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe[240] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Program Files\SiteAdvisor\6066\SiteAdv.exe[248] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\SiteAdvisor\6066\SiteAdv.exe[248] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\SiteAdvisor\6066\SiteAdv.exe[248] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\SiteAdvisor\6066\SiteAdv.exe[248] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\SiteAdvisor\6066\SiteAdv.exe[248] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\SiteAdvisor\6066\SiteAdv.exe[248] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\WINDOWS\System32\wuauclt.exe[268] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\System32\wuauclt.exe[268] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\System32\wuauclt.exe[268] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\System32\wuauclt.exe[268] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\System32\wuauclt.exe[268] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\System32\wuauclt.exe[268] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe[308] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe[308] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe[308] USER32.dll!DispatchMessageA 77D341F2 6 Bytes JMP 5F040F5A 

.text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[336] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[336] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[336] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[336] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[336] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[336] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Program Files\Wanadoo\EspaceWanadoo.exe[492] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\Wanadoo\EspaceWanadoo.exe[492] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\Wanadoo\EspaceWanadoo.exe[492] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\Wanadoo\EspaceWanadoo.exe[492] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\Wanadoo\EspaceWanadoo.exe[492] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\Wanadoo\EspaceWanadoo.exe[492] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\WINDOWS\system32\csrss.exe[628] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\csrss.exe[628] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\csrss.exe[628] KERNEL32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\csrss.exe[628] KERNEL32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\csrss.exe[628] KERNEL32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\winlogon.exe[652] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\winlogon.exe[652] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\winlogon.exe[652] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\services.exe[700] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\services.exe[700] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\services.exe[700] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\services.exe[700] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\lsass.exe[720] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\lsass.exe[720] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\lsass.exe[720] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\svchost.exe[892] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\svchost.exe[892] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\svchost.exe[928] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\svchost.exe[928] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\svchost.exe[928] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\system32\spoolsv.exe[1176] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\system32\spoolsv.exe[1176] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\system32\spoolsv.exe[1176] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\system32\spoolsv.exe[1176] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\system32\spoolsv.exe[1176] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\System32\alg.exe[1272] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\System32\alg.exe[1272] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\System32\alg.exe[1272] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\System32\alg.exe[1272] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\System32\alg.exe[1272] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1328] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1328] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1328] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1328] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1328] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\SiteAdvisor\6066\SAService.exe[1464] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\SiteAdvisor\6066\SAService.exe[1464] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\SiteAdvisor\6066\SAService.exe[1464] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\SiteAdvisor\6066\SAService.exe[1464] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\SiteAdvisor\6066\SAService.exe[1464] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\SiteAdvisor\6066\SAService.exe[1464] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Program Files\Wanadoo\Watch.exe[1556] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\Wanadoo\Watch.exe[1556] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\Wanadoo\Watch.exe[1556] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\Wanadoo\Watch.exe[1556] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\Wanadoo\Watch.exe[1556] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\Wanadoo\Watch.exe[1556] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1612] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1612] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1612] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1612] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1612] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe[1612] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\WINDOWS\Explorer.EXE[1752] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\WINDOWS\Explorer.EXE[1752] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\WINDOWS\Explorer.EXE[1752] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\WINDOWS\Explorer.EXE[1752] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]

.text D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla gmer.zip\gmer.exe[19364] ntdll.dll!NtTerminateProcess 77F7F3C3 3 Bytes [FF, 25, 1E]

.text D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla gmer.zip\gmer.exe[19364] ntdll.dll!NtTerminateProcess + 4 77F7F3C7 2 Bytes [0E, 5F]

.text D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla gmer.zip\gmer.exe[19364] kernel32.dll!CreateProcessW 77E61B8A 6 Bytes JMP 5F0A0F5A 

.text D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla gmer.zip\gmer.exe[19364] kernel32.dll!CreateProcessA 77E61BB8 6 Bytes JMP 5F040F5A 

.text D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla gmer.zip\gmer.exe[19364] kernel32.dll!LoadLibraryExW 77E8049B 6 Bytes JMP 5F070F5A 

.text D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla gmer.zip\gmer.exe[19364] kernel32.dll!FreeLibrary + 11 77E80629 4 Bytes [0F, FA, 17, E7]


---- Devices - GMER 1.0.12 ----


Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F97CBA92] runtime.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F97CBA92] runtime.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F97CBA92] runtime.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F97CBA92] runtime.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F97CBA92] runtime.sys


---- Processes - GMER 1.0.12 ----


Process D:\Program Files\Internet Explorer\iexplore.exe ( ***hidden*** ) 1020                  

Process D:\Program Files\Internet Explorer\iexplore.exe ( ***hidden*** ) 2040                  


---- Registry - GMER 1.0.12 ----


Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{29B1E8E2-B1D0-4CDC-2C39-F170004CF4A4}@dbdijhljddbcfdhbndolcnclameahcaegchgenjj 0x6A 0x61 0x70 0x65 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{29B1E8E2-B1D0-4CDC-2C39-F170004CF4A4}@cbnhhlblojcpagbameglbdklmpiamnabfiagce 0x6A 0x61 0x70 0x65 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{29B1E8E2-B1D0-4CDC-2C39-F170004CF4A4}@abpcjlbjleblkofiapgndmnopcamggbpem 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{29B1E8E2-B1D0-4CDC-2C39-F170004CF4A4}@mamcendncnlodhccdogmffefpb 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@bbbkodamflpapiloojbngcilffjmlckkmhkg 0x6A 0x61 0x6E 0x61 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@abhnedbbjhklkkcjbjmdlcjnlnghppelhj 0x6A 0x61 0x6E 0x61 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@abnkkafmpihcgeibnlfadnidciphabbpje 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@maoknanflkimlfckibgpbchokf 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@iabkodamflpapilooj 0x61 0x61 0x00 0x01 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@hahnedbbjhklkkcj 0x61 0x61 0x00 0x01 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@iankkhgpmoonkbgccf 0x61 0x61 0x00 0x01 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@bbbkodamflpapiloojbngcilffjmgbfofkbf 0x6A 0x61 0x6E 0x61 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3560621D-8A84-8BC6-ECD2-E1DC9A56FCCA}@abhnedbbjhklkkcjbjmdlcjnlnpjedpima 0x6A 0x61 0x6E 0x61 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8EC58BB7-F5A9-1797-E8F3-9114A9B45A40}@dbcgnijoampoldcfddfpmjibgaebaongmhkcopbb 0x6A 0x61 0x67 0x64 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8EC58BB7-F5A9-1797-E8F3-9114A9B45A40}@cbifhflimenbflbcalcammhcampihoblfcjeon 0x6A 0x61 0x67 0x64 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8EC58BB7-F5A9-1797-E8F3-9114A9B45A40}@iacgnijoampoldcfdd 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8EC58BB7-F5A9-1797-E8F3-9114A9B45A40}@haifhflimenbflbc 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8EC58BB7-F5A9-1797-E8F3-9114A9B45A40}@iagjffmcicjcpefhcg 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8EC58BB7-F5A9-1797-E8F3-9114A9B45A40}@abgjfgfggdbcgomnafomimjbcgddncffch 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8EC58BB7-F5A9-1797-E8F3-9114A9B45A40}@mahjacajjiocibpbhbnjbhbbhk 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBB71504-5E49-CEFD-6213-ED87B1DCF6F6}@cbfidogciigjcdbignhnkboocjjljaflpchcam 0x6A 0x61 0x6A 0x64 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBB71504-5E49-CEFD-6213-ED87B1DCF6F6}@bbhhfofodhkanbgploepkaffhdbijibpalfd 0x6A 0x61 0x6A 0x64 ...

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBB71504-5E49-CEFD-6213-ED87B1DCF6F6}@abjjdoklgkhioeehhjdmffmoadaeafnkfk 0x61 0x61 0x00 0x00 

Reg \Registry\USER\S-1-5-21-507921405-1383384898-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EBB71504-5E49-CEFD-6213-ED87B1DCF6F6}@maijgoccbfpcbkfpofkbchphpi 0x61 0x61 0x00 0x00 


---- EOF - GMER 1.0.12 ----

(Gutek) #4

Cleaning TEMP:

ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1


(Kantys) #5

Thanks, that helped, but another problem has come up :frowning: I removed a program through the Control Panel, then ran a System Restore because of problems setting up the internet connection after uninstalling Neostrada (I wanted to slim Windows down), but somehow it didn't work out... and now that removed file is still listed among my programs; when I try to uninstall it through the Control Panel, it says it no longer exists... but it is still visible... can anything be done about this? Please help, I'm pasting the logs from HT and Silent Runners.

Logfile of HijackThis v1.99.1

Scan saved at 17:03:58, on 2007-05-02

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\System32\alg.exe

D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe

D:\Program Files\SiteAdvisor\6066\SAService.exe

D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\Analog Devices\SoundMAX\SMTray.exe

D:\Program Files\SiteAdvisor\6066\SiteAdv.exe

D:\PROGRA~1\WANADOO\TaskbarIcon.exe

D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe

D:\Program Files\VIA\RAID\raid_tool.exe

D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\WINDOWS\System32\wuauclt.exe

D:\Program Files\Wanadoo\EspaceWanadoo.exe

D:\Program Files\Wanadoo\ComComp.exe

D:\Program Files\Wanadoo\Watch.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O4 - HKLM\..\Run: [Smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [SiteAdvisor] D:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\WANADOO\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\WANADOO\TaskbarIcon.exe

O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q

O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe

O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176571394826

O17 - HKLM\System\CCS\Services\Tcpip\..\{8AD810F0-1959-4D43-97F2-EE50546B97BC}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe

O23 - Service: SiteAdvisor Service - McAfee, Inc. - D:\Program Files\SiteAdvisor\6066\SAService.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Spyware Doctor" = ""D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Smapp" = "D:\Program Files\Analog Devices\SoundMAX\SMTray.exe" ["Analog Devices, Inc."]

"SiteAdvisor" = "D:\Program Files\SiteAdvisor\6066\SiteAdv.exe" ["McAfee, Inc."]

"WOOWATCH" = "D:\PROGRA~1\WANADOO\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "D:\PROGRA~1\WANADOO\TaskbarIcon.exe" ["France Télécom R&D"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\SiteAdvisor\6066\SiteAdv.dll" ["McAfee, Inc."]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "SSVHelper Class"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

 -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

          \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

 -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

          \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

 -> {HKLM...CLSID} = "Microsoft Office Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

 -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

 -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

 -> {HKLM...CLSID} = "CContextScan Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

 -> {HKLM...CLSID} = "CContextScan Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]


Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Kasia" & "All Users" startup folders:

-------------------------------------------------------


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"VIA RAID TOOL" -> shortcut to: "D:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]

"DSLMON" -> shortcut to: "D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]


Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"

 -> {HKLM...CLSID} = "McAfee SiteAdvisor"

          \InProcServer32\(Default) = "D:\Program Files\SiteAdvisor\6066\SiteAdv.dll" ["McAfee, Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

 -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

 -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

PC Tools Spyware Doctor, SDhelper, "D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe" ["PC Tools Research Pty Ltd"]

SiteAdvisor Service, SiteAdvisor Service, "D:\Program Files\SiteAdvisor\6066\SAService.exe" ["McAfee, Inc."]

SoundMAX Agent Service, SoundMAX Agent Service (default), "D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]


Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

 launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

 took 353 seconds.

---------- (total run time: 1826 seconds)

(qrczak13) #6

Start > Run > regedit > OK > go to

Find that program and delete it via right-click.

The logs are OK.


(Kantys) #7

Thanks, that helped, the entry is gone :slight_smile: I wonder whether I'm the only one with this kind of "luck", but something is off again... I recently replaced the fan, because besides growling it wasn't starting up at boot. For three days after installing the new one everything was fine, but today the computer started hanging frequently, until it finally shut down completely during an ewido scan. After a while I managed to start it again; I checked the temperature in the BIOS and it was 59 degrees. I suspect that at startup (after yet another hang) the fan again didn't switch on. Could this have something to do with some nasty infection, or is it more likely a purely technical matter? Please help...

Post merged: 04.05.2007 (Fri) 14:16

I've just "caught" my computer in the act: the fan stops working on its own while the computer is running; that's probably when the temperature jumps, and hence the hangs (?) But why does it stop by itself? Please advise... Today it happens shortly after power-on; I can't even scan anything (ewido or Ad-Aware)...

Post merged: 04.05.2007 (Fri) 14:20

I'm pasting the logs.

Logfile of HijackThis v1.99.1

Scan saved at 14:16:43, on 2007-05-04

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\csrss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\System32\alg.exe

D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe

D:\Program Files\SiteAdvisor\6066\SAService.exe

D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\SiteAdvisor\6066\SiteAdv.exe

D:\PROGRA~1\WANADOO\TaskbarIcon.exe

D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe

D:\Program Files\VIA\RAID\raid_tool.exe

D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

D:\Program Files\Wanadoo\EspaceWanadoo.exe

D:\Program Files\Wanadoo\ComComp.exe

D:\Program Files\Wanadoo\Watch.exe

D:\WINDOWS\System32\wuauclt.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Documents and Settings\Kasia\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O4 - HKLM\..\Run: [SiteAdvisor] D:\Program Files\SiteAdvisor\6066\SiteAdv.exe

O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\WANADOO\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\WANADOO\TaskbarIcon.exe

O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q

O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe

O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176571394826

O17 - HKLM\System\CCS\Services\Tcpip\..\{8AD810F0-1959-4D43-97F2-EE50546B97BC}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - D:\Program Files\SiteAdvisor\6066\SiteAdv.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe

O23 - Service: SiteAdvisor Service - McAfee, Inc. - D:\Program Files\SiteAdvisor\6066\SAService.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Post merged: 04.05.2007 (Fri) 14:50

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Spyware Doctor" = ""D:\Program Files\Spyware Doctor wer2.0\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SiteAdvisor" = "D:\Program Files\SiteAdvisor\6066\SiteAdv.exe" ["McAfee, Inc."]

"WOOWATCH" = "D:\PROGRA~1\WANADOO\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "D:\PROGRA~1\WANADOO\TaskbarIcon.exe" ["France Télécom R&D"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\SiteAdvisor\6066\SiteAdv.dll" ["McAfee, Inc."]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "SSVHelper Class"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

 -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

          \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

 -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

          \InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

 -> {HKLM...CLSID} = "Microsoft Office Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

 -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

          \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

 -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

 -> {HKLM...CLSID} = "CContextScan Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

 -> {HKLM...CLSID} = "CContextScan Object"

          \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]


Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Kasia" & "All Users" startup folders:

-------------------------------------------------------


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"VIA RAID TOOL" -> shortcut to: "D:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]

"DSLMON" -> shortcut to: "D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]


Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"

 -> {HKLM...CLSID} = "McAfee SiteAdvisor"

          \InProcServer32\(Default) = "D:\Program Files\SiteAdvisor\6066\SiteAdv.dll" ["McAfee, Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"

 -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

 -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"

          \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

PC Tools Spyware Doctor, SDhelper, "D:\Program Files\Spyware Doctor wer2.0\sdhelp.exe" ["PC Tools Research Pty Ltd"]

SiteAdvisor Service, SiteAdvisor Service, "D:\Program Files\SiteAdvisor\6066\SAService.exe" ["McAfee, Inc."]

SoundMAX Agent Service, SoundMAX Agent Service (default), "D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]


Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

 launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

 took 369 seconds.

---------- (total run time: 1969 seconds)

(adam9870) #8

The logs are OK.

Try cleaning the non-working fan with a small brush, or gently with transformer oil.