Mulacy sie komp,mnostwo dziwnych procesow, zawiechy-Log

YaSiErS · 15 Kwiecień 2007 16:59

A wiec po krotce. Komputer straszliwie muli, chyba co kazde wlaczenie pojawiaja sie jakies nowe prcesy w menagerze. Czesto errory sa, zawiechy itd. Probowalem skanowac, ad ware itd ale nic nie wykrywa.

Czy moze ktos mi pomoc i poiwedziec co mam zrobic (badz co zrobilem zle :P) by przywrocic moja maszyne do stanu uzywalnosci??

Oto Log z HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 19:15:55, on 2007-04-15

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\LEXBCES.EXE

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\LEXPPS.EXE

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\sistray.EXE

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\khooker.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINNT\system32\ombamnqk.exe

C:\WINNT\system32\spoolsvc.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINNT\system32\dbph.exe

C:\WINNT\system32\explorer.exe

C:\WINNT\system32\internat.exe

C:\WINNT\system32\ywbn.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

D:\Programs\hijackthis_199\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\gpnpdlke.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {9DED2B32-743B-47EB-874C-28AECF2A268D} - C:\WINNT\system32\yayxvwu.dll

O2 - BHO: (no name) - {D5665C3B-DD74-45E7-B91C-1BF71E382735} - C:\WINNT\system32\ljjhh.dll

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\system32\sistray.EXE

O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\system32\khooker.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKLM\..\Run: [Services] C:\WINNT\system32\ombamnqk.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe

O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\system32\spoolsvc.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [Windows Logon Application] C:\WINNT\system32\winIogon.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINNT\system32\ywbn.exe

O4 - HKLM\..\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe

O4 - HKLM\..\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe

O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINNT\system32\algs.exe

O4 - HKLM\..\Run: [Winamp Agent] C:\WINNT\system32\winamp.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINNT\system32\msconfig.exe /auto

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O17 - HKLM\System\CCS\Services\Tcpip\..\{07DA49ED-2BCB-4735-A652-F0B0C7CC5911}: NameServer = 217.30.129.149,217.30.137.200

O17 - HKLM\System\CS1\Services\Tcpip\..\{07DA49ED-2BCB-4735-A652-F0B0C7CC5911}: NameServer = 217.30.129.149,217.30.137.200

O17 - HKLM\System\CS2\Services\Tcpip\..\{07DA49ED-2BCB-4735-A652-F0B0C7CC5911}: NameServer = 217.30.129.149,217.30.137.200

O20 - Winlogon Notify: ljjhh - C:\WINNT\system32\ljjhh.dll

O20 - Winlogon Notify: rqrqrpp - C:\WINNT\SYSTEM32\rqrqrpp.dll

O20 - Winlogon Notify: yayxvwu - C:\WINNT\SYSTEM32\yayxvwu.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Pomocy

adam9870 · 15 Kwiecień 2007 18:18

Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Ściągnij program KillBox, zaznacz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINNT\system32\gpnpdlke.dll

C:\WINNT\system32\yayxvwu.dll

C:\WINNT\system32\ljjhh.dll

C:\WINNT\system32\ombamnqk.exe

C:\WINNT\system32\spoolsvc.exe

C:\WINNT\system32\winIogon.exe

C:\WINNT\system32\ywbn.exe

C:\WINNT\system32\explorer.exe

C:\WINNT\system32\iexplore.exe

C:\WINNT\system32\algs.exe

C:\WINNT\system32\winamp.exe

C:\WINNT\SYSTEM32\rqrqrpp.dll

Po wklejeniu każdej ścieżki z osobna kliknij na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgódź się na restart. Jeśli po wklejeniu którejś ze ścieżek pojawi się jakiś błąd, nie przejmuj się nim tylko przejdź do wykonywania dalszych czynności.

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINNT\system32\gpnpdlke.dll O2 - BHO: (no name) - {9DED2B32-743B-47EB-874C-28AECF2A268D} - C:\WINNT\system32\yayxvwu.dll O2 - BHO: (no name) - {D5665C3B-DD74-45E7-B91C-1BF71E382735} - C:\WINNT\system32\ljjhh.dll O4 - HKLM…\Run: [services] C:\WINNT\system32\ombamnqk.exe O4 - HKLM…\Run: [spooler SubSystem App] C:\WINNT\system32\spoolsvc.exe O4 - HKLM…\Run: [Windows Logon Application] C:\WINNT\system32\winIogon.exe O4 - HKLM…\Run: [Advanced DHTML Enable] C:\WINNT\system32\ywbn.exe O4 - HKLM…\Run: [Windows Explorer] C:\WINNT\system32\explorer.exe O4 - HKLM…\Run: [Microsoft Internet Explorer] C:\WINNT\system32\iexplore.exe O4 - HKLM…\Run: [Application Layer Gateway Service] C:\WINNT\system32\algs.exe O4 - HKLM…\Run: [Winamp Agent] C:\WINNT\system32\winamp.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O20 - Winlogon Notify: ljjhh - C:\WINNT\system32\ljjhh.dll O20 - Winlogon Notify: rqrqrpp - C:\WINNT\SYSTEM32\rqrqrpp.dll O20 - Winlogon Notify: yayxvwu - C:\WINNT\SYSTEM32\yayxvwu.dll

Usuń wpisy HJT.

Proponuję usunąć Megaupload Toolbar ponieważ jest to Toolbar wątpliwej reputacji. Bowiem zbiera dane o użytkowniki i gdzieś je wysyła, nie wiadomo gdzie.

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić w trybie awaryjnym.

Po wykonaniu pokaż nowy log z hjt, SilentRunners + log numer 1 z L2Mfix.

YaSiErS · 16 Kwiecień 2007 15:19

No wiec zrobilem to co kazaliscie.

Oto Logi:

L2mfix:

L2MFIX find log 051206 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 “Logoff”=“ChainWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Logoff”=“CryptnetWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] “DLLName”=“cscdll.dll” “Logon”=“WinlogonLogonEvent” “Logoff”=“WinlogonLogoffEvent” “ScreenSaver”=“WinlogonScreenSaverEvent” “Startup”=“WinlogonStartupEvent” “Shutdown”=“WinlogonShutdownEvent” “StartShell”=“WinlogonStartShellEvent” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] “Logoff”=“WLEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 “DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] “DLLName”=“WlNotify.dll” “Lock”=“SensLockEvent” “Logon”=“SensLogonEvent” “Logoff”=“SensLogoffEvent” “Safe”=dword:00000001 “MaxWait”=dword:00000258 “StartScreenSaver”=“SensStartScreenSaverEvent” “StopScreenSaver”=“SensStopScreenSaverEvent” “Startup”=“SensStartupEvent” “Shutdown”=“SensShutdownEvent” “StartShell”=“SensStartShellEvent” “Unlock”=“SensUnlockEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif] “DLLName”=“wzcdlg.dll” “Logon”=“WZCEventLogon” “Logoff”=“WZCEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000000 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{00022613-0000-0000-C000-000000000046}”=“Karta waciwoci pliku multimedialnego” “{176d6597-26d3-11d1-b350-080036a75b03}”=“ZarzĄdzanie skanerem ICM” “{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=“Strona zabezpieczeä NTFS” “{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=“Strona waciwoci OLE Docfile” “{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{41E300E0-78B6-11ce-849B-444553540000}”=“Rozszerzenie CPL pakietu PlusPack” “{42071712-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL karty graficznej” “{42071713-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL monitora wywietlania” “{42071714-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL kadrowania wywietlania” “{4E40F770-369C-11d0-8922-00A024AB2DBB}”=“Strona zabezpieczeä usugi DS” “{56117100-C0CD-101B-81E2-00AA004AE837}”=“Program obsugi danych wycinkowych powoki” “{59099400-57FF-11CE-BD94-0020AF85B590}”=“Rozszerzenie Disc Copy” “{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=“Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network” “{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=“ZarzĄdzanie monitorem ICM” “{675F097E-4C4D-11D0-B6C1-0800091AA605}”=“ZarzĄdzanie drukarkĄ ICM” “{764BF0E1-F219-11ce-972D-00AA00A14F56}”=“Rozszerzenia powoki dla kompresji plik˘w” “{77597368-7b15-11d0-a0c2-080036af3f03}”=“Rozszerzenie powoki drukarek sieci Web” “{7988B573-EC89-11cf-9C00-00AA00A14F56}”=“Disk Quota UI” “{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=“Menu kontekstowe szyfrowania” “{85BBD920-42A0-1069-A2E4-08002B30309D}”=“Akt˘wka” “{88895560-9AA2-1069-930E-00AA0030EBC8}”=“Rozszerzenie ikony HyperTerminalu” “{BD84B380-8CA2-1069-AB1D-08000948F534}”=“Fonts” “{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=“Profil ICC” “{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=“Strona zabezpieczeä drukarek” “{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=“Display TroubleShoot CPL Extension” “{60254CA5-953B-11CF-8C96-00AA00B8708C}”=“Rozszerzenia powoki dla hosta skrypt˘w systemu Windows” “{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto PKO” “{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto Sign” “{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=“PoĄczenia sieciowe i telefoniczne” “{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=“Favorites Band” “{0A89A860-D7B1-11CE-8350-444553540000}”=“Shell Automation Inproc Service” “{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=“Shell DocObject Viewer” “{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=“InternetShortcut” “{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=“Microsoft Url History Service” “{FF393560-C2A7-11CF-BFF4-444553540000}”=“Historia” “{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=“Microsoft Url Search Hook” “{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=“Ekran powitalny pakietu IE4” “{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=“CDF Extension Copy Hook” “{131A6951-7F78-11D0-A979-00C04FD705A2}”=“ISFBand OC” “{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=“Search Assistant OC” “{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=“Internet” “{871C5380-42A0-1069-A2EA-08002B30309D}”=“Internet Name Space” “{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Icon Handler” “{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Shell Extension” “{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=“Zaplanowane zadania” “{1A9BA3A0-143A-11CF-8350-444553540000}”=“Folder Ulubione powoki” “{20D04FE0-3AEA-1069-A2D8-08002B30309D}”=“M˘j komputer” “{86747AC0-42A0-1069-A2E6-08002B30309D}”=“Folder Akt˘wka” “{0AFACED1-E828-11D1-9187-B532F1E9575D}”=“Skr˘t folderu” “{12518493-00B2-11d2-9FA5-9E3420524153}”=“Wolumin zainstalowany” “{21B22460-3AEA-1069-A2DC-08002B30309D}”=“Rozszerzenie strony waciwoci pliku” “{B091E540-83E3-11CF-A713-0020AFD79762}”=“Strona typ˘w plik˘w” “{FBF23B41-E3F0-101B-8488-00AA003E56F8}”=“Przechwytywanie plik˘w typu MIME” “{C2FBB630-2971-11d1-A18C-00C04FD75D13}”=“Usuga Microsoft CopyTo” “{C2FBB631-2971-11d1-A18C-00C04FD75D13}”=“Usuga Microsoft MoveTo” “{13709620-C279-11CE-A49E-444553540000}”=“Usuga automatyzacji powoki” “{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}”=“Widok folderu automatyzacji powoki” “{4622AD11-FF23-11d0-8D34-00A0C90F2719}”=“Menu Start” “{7BA4C740-9E81-11CF-99D3-00AA004AE837}”=“Usuga Microsoft SendTo” “{D969A300-E7FF-11d0-A93B-00A0C90F2719}”=“Usuga Microsoft New Object” “{09799AFB-AD67-11d1-ABCD-00C04FC30936}”=“Obsuga menu kontekstowego “Otw˘rz z”” “{3FC0B520-68A9-11D0-8D77-00C04FD70822}”=“Wywietlaj rozszerzenia HTML Panelu sterowania” “{75048700-EF1F-11D0-9888-006097DEACF9}”=“ActiveDesktop” “{6D5313C0-8C62-11D1-B2CD-006097DF8C11}”=“Rozszerzenie strony waciwoci Opcje folder˘w” “{57651662-CE3E-11D0-8D77-00C04FC99D61}”=“CmdFileIcon” “{4657278A-411B-11d2-839A-00C04FD918D0}”=“Pomocnik dla operacji przeciĄgania i upuszczania powoki” “{A470F8CF-A1E8-4f65-8335-227475AA5C46}”=“Dodaj opcj© szyfrowania do menu kontekstowych w Eksploratorze” “{5E6AB780-7743-11CF-A12B-00AA004AE837}”=“Microsoft Internet Toolbar” “{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=“Download Status” “{568804CA-CBD7-11d0-9816-00C04FD91972}”=“Menu Shell Folder” “{5b4dae26-b807-11d0-9815-00c04fd91972}”=“Menu Band” “{8278F931-2A3E-11d2-838F-00C04FD918D0}”=“Tracking Shell Menu” “{E13EF4E4-D2F2-11d0-9816-00C04FD91972}”=“Menu Site” “{ECD4FC4F-521C-11D0-B792-00A0C90312E1}”=“Menu Desk Bar” “{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=“Augmented Shell Folder” “{6413BA2C-B461-11d1-A18A-080036B11A03}”=“Augmented Merge Shell Folder” “{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=“BandProxy” “{D82BE2B0-5764-11D0-A96E-00C04FD705A2}”=“IShellFolderBand” “{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=“Microsoft BrowserBand” “{30D02401-6A81-11d0-8274-00C04FD5AE38}”=“Microsoft SearchBand” “{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=“In-pane search” “{07798131-AF23-11d1-9111-00A0C98BA67D}”=“Web Search” “{0E5CBF21-D15F-11d0-8301-00AA005B4383}”="&Links" “{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=“Registry Tree Options Utility” “{01E04581-4EEE-11d0-BFE9-00AA005B4383}”="&Address" “{A08C11D2-A228-11d0-825B-00AA005B4383}”=“Address EditBox” “{00BB2763-6A77-11D0-A535-00C04FD7D062}”=“Microsoft AutoComplete” “{7487cd30-f71a-11d0-9ea7-00805f714772}”=“Thumbnail Image” “{7376D660-C583-11d0-A3A5-00C04FD706EC}”=“TridentImageExtractor” “{6756A641-DE71-11d0-831B-00AA005B4383}”=“MRU AutoComplete List” “{00BB2764-6A77-11D0-A535-00C04FD7D062}”=“Microsoft History AutoComplete List” “{03C036F1-A186-11D0-824A-00AA005B4383}”=“Microsoft Shell Folder AutoComplete List” “{00BB2765-6A77-11D0-A535-00C04FD7D062}”=“Microsoft Multiple AutoComplete List Container” “{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=“Shell Band Site Menu” “{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=“Shell DeskBarApp” “{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=“Shell DeskBar” “{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=“Shell Rebar BandSite” “{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=“User Assist” “{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=“Global Folder Settings” “{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{88C6C381-2E85-11D0-94DE-444553540000}”=“Folder pami©ci podr©cznej ActiveX” “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=“WebCheck” “{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=“Subscription Mgr” “{F5175861-2688-11d0-9C5E-00AA00A45957}”=“Subscription Folder” “{08165EA0-E946-11CF-9C87-00AA005127ED}”=“WebCheckWebCrawler” “{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=“WebCheckChannelAgent” “{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=“TrayAgent” “{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=“Code Download Agent” “{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=“ConnectionAgent” “{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=“PostAgent” “{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=“WebCheck SyncMgr Handler” “{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}”=“Miniatury” “{EAB841A0-9550-11CF-8C16-00805F1408F3}”=“Rozpakowywacz miniatur HTML” “{1AEB1360-5AFC-11D0-B806-00C04FD706EC}”=“Rozpakowywacz miniatur filtr˘w graficznych Office” “{9DBD2C50-62AD-11D0-B806-00C04FD706EC}”=“Informacje podsumowujĄce obsugi miniatur (DOCFILES)” “{500202A0-731E-11D0-B829-00C04FD706EC}”=“Obsuga interfejsu miniatur plik˘w typu LNK” “{352EC2B7-8B9A-11D1-B8AE-006008059382}”=“Menedľer aplikacji powoki” “{0B124F8C-91F0-11D1-B8B5-006008059382}”=“Wyliczanie zainstalowanych aplikacji” “{CFCCC7A0-A282-11D1-9082-006008059382}”=“Darwin App Publisher” “{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=“Plik kanau” “{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=“Skr˘t kanau” “{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=“Obiekt obsugi kanau” “{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=“Channel Menu” “{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=“Channel Properties” “{fe1290f0-cfbd-11cf-a330-00aa00c16e65}”=“Directory Namespace” “{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=“Shell properties for a DS object” “{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=“Directory Query UI” “{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=“Directory Object Find” “{F020E586-5264-11d1-A532-0000F8757D7E}”=“Directory Start/Search Find” “{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=“Directory Property UI” “{62AE1F9A-126A-11D0-A14B-0800361B1103}”=“Directory Context Menu Verbs” “{450D8FBA-AD25-11D0-98A8-0800361B1103}”=“MyDocs Folder” “{ECF03A33-103D-11d2-854D-006008059367}”=“MyDocs Copy Hook” “{ECF03A32-103D-11d2-854D-006008059367}”=“MyDocs Drop Target” “{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=“MyDocs Properties” “{750fdf0e-2a26-11d1-a3ea-080036587f03}”=“Menu plik˘w trybu offline” “{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=“Opcje folderu plik˘w trybu offline” “{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=“Folder plik˘w trybu offline” “{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=“MMC Icon Handler” “{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=".CAB file viewer" “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”=“WinRAR shell extension” “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”=“Shell Extension for Malware scanning” ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINNT\SYSTEM32\ cmdlin~1.dll Mon 2007-04-16 7:12:06 A… 43 520 42,50 K divx.dll Thu 2007-02-01 6:56:06 A… 639 066 624,09 K dpl100.dll Tue 2007-01-30 6:56:58 A… 73 728 72,00 K dtu100.dll Tue 2007-01-30 6:56:58 A… 196 608 192,00 K edhkumno.dll Mon 2007-04-16 6:27:06 A… 76 412 74,62 K gpnpdlke.dll Sun 2007-04-15 16:03:28 … 48 708 47,57 K hvnhjxoa.dll Mon 2007-04-16 15:38:24 A… 123 972 121,07 K jfavnnvb.dll Sun 2007-04-15 16:03:32 A… 76 412 74,62 K libdivx.dll Tue 2007-01-30 7:03:28 A… 1 044 480 1020,00 K opnkjkh.dll Sun 2007-04-15 16:21:36 A… 26 694 26,07 K qt-dx331.dll Tue 2007-01-30 7:03:42 A… 3 596 288 3,43 M sfc.dll Sun 2007-02-25 17:58:00 A… 96 048 93,80 K sqvijfxw.dll Mon 2007-04-16 6:26:26 A… 123 972 121,07 K ssldivx.dll Tue 2007-01-30 7:03:28 A… 200 704 196,00 K vtuvvvu.dll Sun 2007-04-15 16:39:02 A… 26 694 26,07 K wqdwwsni.dll Sun 2007-04-15 16:04:28 A… 123 972 121,07 K 16 items found: 16 files, 0 directories. Total of file sizes: 6 517 278 bytes 6,21 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Wolumin w stacji C nie ma etykiety. Numer seryjny woluminu: B451-F89D Katalog: C:\WINNT\System32 2007-02-25 16:38 0 plik(˘w) 0 bajt˘w 1 katalog(˘w) 33˙256˙849˙408 bajt˘w wolnych

HijackThis

Logfile of HijackThis v1.99.1 Scan saved at 16:58:28, on 2007-04-16 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\system32\ZoneLabs\vsmon.exe C:\WINNT\Explorer.EXE C:\WINNT\system32\sistray.EXE C:\WINNT\system32\khooker.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\internat.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\NOTEPAD.EXE D:\Programs\hijackthis_199\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM…\Run: [siS Tray] C:\WINNT\system32\sistray.EXE O4 - HKLM…\Run: [siS KHooker] C:\WINNT\system32\khooker.exe O4 - HKLM…\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM…\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe O4 - HKLM…\Run: [synchronization Manager] mobsync.exe /logon O4 - HKLM…\Run: [avgnt] “C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKCU…\Run: [internat.exe] internat.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O17 - HKLM\System\CCS\Services\Tcpip…{07DA49ED-2BCB-4735-A652-F0B0C7CC5911}: NameServer = 217.30.129.149,217.30.137.200 O17 - HKLM\System\CS1\Services\Tcpip…{07DA49ED-2BCB-4735-A652-F0B0C7CC5911}: NameServer = 217.30.129.149,217.30.137.200 O17 - HKLM\System\CS2\Services\Tcpip…{07DA49ED-2BCB-4735-A652-F0B0C7CC5911}: NameServer = 217.30.129.149,217.30.137.200 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Silent Runners:

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “internat.exe” = “internat.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SiS Tray” = “C:\WINNT\system32\sistray.EXE” [“Silicon Integrated Systems Corporation”] “SiS KHooker” = “C:\WINNT\system32\khooker.exe” [“Silicon Integrated Systems Corporation”] “Zone Labs Client” = “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [“Zone Labs, LLC”] “PrinTray” = “C:\WINNT\system32\spool\DRIVERS\W32X86\2\printray.exe” [“Lexmark”] “Synchronization Manager” = “mobsync.exe /logon” [MS] “avgnt” = ““C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINNT\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Default User\Pulpit\39.jpg” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Program Files\SiS630_730_V2.08d\utility\setup.bmp” Startup items in “pogromca” & “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\pogromca\Menu Start\Programy\Autostart “Adobe Gamma” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Gamma Loader” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\rnr20.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”] Miscellaneous IE Hijack Points ------------------------------ C:\WINNT\INF\IERESET.INF (used to “Reset Web Settings”) Missing lines (compared with English-language version): [DeleteAutosearch.reg]: 1 line Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, “C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”] AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, “C:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”] LexBce Server, LexBceS, “C:\WINNT\system32\LEXBCES.EXE” [“Lexmark International, Inc.”] System zdarzeń COM+, EventSystem, “C:\WINNT\system32\svchost.exe -k netsvcs” {“C:\WINNT\system32\es.dll” [null data]} TrueVector Internet Monitor, vsmon, “C:\WINNT\system32\ZoneLabs\vsmon.exe -service” [“Zone Labs, LLC”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Lexmark Network Port\Driver = “LEXLMPM.DLL” [“Lexmark International, Inc.”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 107 seconds. ---------- (total run time: 189 seconds)

Mam nadzieje, ze wszystko dobrze;)

Pozdrawiam i Dziekuje

YaSiErS

adam9870 · 16 Kwiecień 2007 15:46

Ściągnij program KillBox, zaznacz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINNT\SYSTEM32\edhkumno.dll

C:\WINNT\SYSTEM32\gpnpdlke.dll

C:\WINNT\SYSTEM32\hvnhjxoa.dll

C:\WINNT\SYSTEM32\jfavnnvb.dll

C:\WINNT\SYSTEM32\opnkjkh.dll

C:\WINNT\SYSTEM32\sqvijfxw.dll

C:\WINNT\SYSTEM32\vtuvvvu.dll

C:\WINNT\SYSTEM32\wqdwwsni.dll

Po wklejeniu każdej ścieżki z osobna kliknij na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgódź się na restart. Jeśli po wklejeniu którejś ze ścieżek pojawi się jakiś błąd, nie przejmuj się nim tylko przejdź do wykonywania dalszych czynności.

Po wykonaniu pokaż nowy log z l2mfix robiony z opcji 1.

YaSiErS · 16 Kwiecień 2007 16:23

L2MFIX find log 051206 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 “Logoff”=“ChainWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Logoff”=“CryptnetWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] “DLLName”=“cscdll.dll” “Logon”=“WinlogonLogonEvent” “Logoff”=“WinlogonLogoffEvent” “ScreenSaver”=“WinlogonScreenSaverEvent” “Startup”=“WinlogonStartupEvent” “Shutdown”=“WinlogonShutdownEvent” “StartShell”=“WinlogonStartShellEvent” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] “Logoff”=“WLEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 “DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] “DLLName”=“WlNotify.dll” “Lock”=“SensLockEvent” “Logon”=“SensLogonEvent” “Logoff”=“SensLogoffEvent” “Safe”=dword:00000001 “MaxWait”=dword:00000258 “StartScreenSaver”=“SensStartScreenSaverEvent” “StopScreenSaver”=“SensStopScreenSaverEvent” “Startup”=“SensStartupEvent” “Shutdown”=“SensShutdownEvent” “StartShell”=“SensStartShellEvent” “Unlock”=“SensUnlockEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif] “DLLName”=“wzcdlg.dll” “Logon”=“WZCEventLogon” “Logoff”=“WZCEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000000 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{00022613-0000-0000-C000-000000000046}”=“Karta waciwoci pliku multimedialnego” “{176d6597-26d3-11d1-b350-080036a75b03}”=“ZarzĄdzanie skanerem ICM” “{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=“Strona zabezpieczeä NTFS” “{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=“Strona waciwoci OLE Docfile” “{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{41E300E0-78B6-11ce-849B-444553540000}”=“Rozszerzenie CPL pakietu PlusPack” “{42071712-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL karty graficznej” “{42071713-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL monitora wywietlania” “{42071714-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL kadrowania wywietlania” “{4E40F770-369C-11d0-8922-00A024AB2DBB}”=“Strona zabezpieczeä usugi DS” “{56117100-C0CD-101B-81E2-00AA004AE837}”=“Program obsugi danych wycinkowych powoki” “{59099400-57FF-11CE-BD94-0020AF85B590}”=“Rozszerzenie Disc Copy” “{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=“Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network” “{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=“ZarzĄdzanie monitorem ICM” “{675F097E-4C4D-11D0-B6C1-0800091AA605}”=“ZarzĄdzanie drukarkĄ ICM” “{764BF0E1-F219-11ce-972D-00AA00A14F56}”=“Rozszerzenia powoki dla kompresji plik˘w” “{77597368-7b15-11d0-a0c2-080036af3f03}”=“Rozszerzenie powoki drukarek sieci Web” “{7988B573-EC89-11cf-9C00-00AA00A14F56}”=“Disk Quota UI” “{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=“Menu kontekstowe szyfrowania” “{85BBD920-42A0-1069-A2E4-08002B30309D}”=“Akt˘wka” “{88895560-9AA2-1069-930E-00AA0030EBC8}”=“Rozszerzenie ikony HyperTerminalu” “{BD84B380-8CA2-1069-AB1D-08000948F534}”=“Fonts” “{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=“Profil ICC” “{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=“Strona zabezpieczeä drukarek” “{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=“Display TroubleShoot CPL Extension” “{60254CA5-953B-11CF-8C96-00AA00B8708C}”=“Rozszerzenia powoki dla hosta skrypt˘w systemu Windows” “{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto PKO” “{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto Sign” “{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=“PoĄczenia sieciowe i telefoniczne” “{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=“Favorites Band” “{0A89A860-D7B1-11CE-8350-444553540000}”=“Shell Automation Inproc Service” “{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=“Shell DocObject Viewer” “{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=“InternetShortcut” “{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=“Microsoft Url History Service” “{FF393560-C2A7-11CF-BFF4-444553540000}”=“Historia” “{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=“Microsoft Url Search Hook” “{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=“Ekran powitalny pakietu IE4” “{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=“CDF Extension Copy Hook” “{131A6951-7F78-11D0-A979-00C04FD705A2}”=“ISFBand OC” “{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=“Search Assistant OC” “{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=“Internet” “{871C5380-42A0-1069-A2EA-08002B30309D}”=“Internet Name Space” “{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Icon Handler” “{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Shell Extension” “{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=“Zaplanowane zadania” “{1A9BA3A0-143A-11CF-8350-444553540000}”=“Folder Ulubione powoki” “{20D04FE0-3AEA-1069-A2D8-08002B30309D}”=“M˘j komputer” “{86747AC0-42A0-1069-A2E6-08002B30309D}”=“Folder Akt˘wka” “{0AFACED1-E828-11D1-9187-B532F1E9575D}”=“Skr˘t folderu” “{12518493-00B2-11d2-9FA5-9E3420524153}”=“Wolumin zainstalowany” “{21B22460-3AEA-1069-A2DC-08002B30309D}”=“Rozszerzenie strony waciwoci pliku” “{B091E540-83E3-11CF-A713-0020AFD79762}”=“Strona typ˘w plik˘w” “{FBF23B41-E3F0-101B-8488-00AA003E56F8}”=“Przechwytywanie plik˘w typu MIME” “{C2FBB630-2971-11d1-A18C-00C04FD75D13}”=“Usuga Microsoft CopyTo” “{C2FBB631-2971-11d1-A18C-00C04FD75D13}”=“Usuga Microsoft MoveTo” “{13709620-C279-11CE-A49E-444553540000}”=“Usuga automatyzacji powoki” “{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}”=“Widok folderu automatyzacji powoki” “{4622AD11-FF23-11d0-8D34-00A0C90F2719}”=“Menu Start” “{7BA4C740-9E81-11CF-99D3-00AA004AE837}”=“Usuga Microsoft SendTo” “{D969A300-E7FF-11d0-A93B-00A0C90F2719}”=“Usuga Microsoft New Object” “{09799AFB-AD67-11d1-ABCD-00C04FC30936}”=“Obsuga menu kontekstowego “Otw˘rz z”” “{3FC0B520-68A9-11D0-8D77-00C04FD70822}”=“Wywietlaj rozszerzenia HTML Panelu sterowania” “{75048700-EF1F-11D0-9888-006097DEACF9}”=“ActiveDesktop” “{6D5313C0-8C62-11D1-B2CD-006097DF8C11}”=“Rozszerzenie strony waciwoci Opcje folder˘w” “{57651662-CE3E-11D0-8D77-00C04FC99D61}”=“CmdFileIcon” “{4657278A-411B-11d2-839A-00C04FD918D0}”=“Pomocnik dla operacji przeciĄgania i upuszczania powoki” “{A470F8CF-A1E8-4f65-8335-227475AA5C46}”=“Dodaj opcj© szyfrowania do menu kontekstowych w Eksploratorze” “{5E6AB780-7743-11CF-A12B-00AA004AE837}”=“Microsoft Internet Toolbar” “{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=“Download Status” “{568804CA-CBD7-11d0-9816-00C04FD91972}”=“Menu Shell Folder” “{5b4dae26-b807-11d0-9815-00c04fd91972}”=“Menu Band” “{8278F931-2A3E-11d2-838F-00C04FD918D0}”=“Tracking Shell Menu” “{E13EF4E4-D2F2-11d0-9816-00C04FD91972}”=“Menu Site” “{ECD4FC4F-521C-11D0-B792-00A0C90312E1}”=“Menu Desk Bar” “{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=“Augmented Shell Folder” “{6413BA2C-B461-11d1-A18A-080036B11A03}”=“Augmented Merge Shell Folder” “{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=“BandProxy” “{D82BE2B0-5764-11D0-A96E-00C04FD705A2}”=“IShellFolderBand” “{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=“Microsoft BrowserBand” “{30D02401-6A81-11d0-8274-00C04FD5AE38}”=“Microsoft SearchBand” “{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=“In-pane search” “{07798131-AF23-11d1-9111-00A0C98BA67D}”=“Web Search” “{0E5CBF21-D15F-11d0-8301-00AA005B4383}”="&Links" “{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=“Registry Tree Options Utility” “{01E04581-4EEE-11d0-BFE9-00AA005B4383}”="&Address" “{A08C11D2-A228-11d0-825B-00AA005B4383}”=“Address EditBox” “{00BB2763-6A77-11D0-A535-00C04FD7D062}”=“Microsoft AutoComplete” “{7487cd30-f71a-11d0-9ea7-00805f714772}”=“Thumbnail Image” “{7376D660-C583-11d0-A3A5-00C04FD706EC}”=“TridentImageExtractor” “{6756A641-DE71-11d0-831B-00AA005B4383}”=“MRU AutoComplete List” “{00BB2764-6A77-11D0-A535-00C04FD7D062}”=“Microsoft History AutoComplete List” “{03C036F1-A186-11D0-824A-00AA005B4383}”=“Microsoft Shell Folder AutoComplete List” “{00BB2765-6A77-11D0-A535-00C04FD7D062}”=“Microsoft Multiple AutoComplete List Container” “{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=“Shell Band Site Menu” “{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=“Shell DeskBarApp” “{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=“Shell DeskBar” “{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=“Shell Rebar BandSite” “{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=“User Assist” “{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=“Global Folder Settings” “{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{88C6C381-2E85-11D0-94DE-444553540000}”=“Folder pami©ci podr©cznej ActiveX” “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=“WebCheck” “{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=“Subscription Mgr” “{F5175861-2688-11d0-9C5E-00AA00A45957}”=“Subscription Folder” “{08165EA0-E946-11CF-9C87-00AA005127ED}”=“WebCheckWebCrawler” “{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=“WebCheckChannelAgent” “{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=“TrayAgent” “{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=“Code Download Agent” “{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=“ConnectionAgent” “{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=“PostAgent” “{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=“WebCheck SyncMgr Handler” “{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}”=“Miniatury” “{EAB841A0-9550-11CF-8C16-00805F1408F3}”=“Rozpakowywacz miniatur HTML” “{1AEB1360-5AFC-11D0-B806-00C04FD706EC}”=“Rozpakowywacz miniatur filtr˘w graficznych Office” “{9DBD2C50-62AD-11D0-B806-00C04FD706EC}”=“Informacje podsumowujĄce obsugi miniatur (DOCFILES)” “{500202A0-731E-11D0-B829-00C04FD706EC}”=“Obsuga interfejsu miniatur plik˘w typu LNK” “{352EC2B7-8B9A-11D1-B8AE-006008059382}”=“Menedľer aplikacji powoki” “{0B124F8C-91F0-11D1-B8B5-006008059382}”=“Wyliczanie zainstalowanych aplikacji” “{CFCCC7A0-A282-11D1-9082-006008059382}”=“Darwin App Publisher” “{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=“Plik kanau” “{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=“Skr˘t kanau” “{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=“Obiekt obsugi kanau” “{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=“Channel Menu” “{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=“Channel Properties” “{fe1290f0-cfbd-11cf-a330-00aa00c16e65}”=“Directory Namespace” “{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=“Shell properties for a DS object” “{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=“Directory Query UI” “{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=“Directory Object Find” “{F020E586-5264-11d1-A532-0000F8757D7E}”=“Directory Start/Search Find” “{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=“Directory Property UI” “{62AE1F9A-126A-11D0-A14B-0800361B1103}”=“Directory Context Menu Verbs” “{450D8FBA-AD25-11D0-98A8-0800361B1103}”=“MyDocs Folder” “{ECF03A33-103D-11d2-854D-006008059367}”=“MyDocs Copy Hook” “{ECF03A32-103D-11d2-854D-006008059367}”=“MyDocs Drop Target” “{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=“MyDocs Properties” “{750fdf0e-2a26-11d1-a3ea-080036587f03}”=“Menu plik˘w trybu offline” “{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=“Opcje folderu plik˘w trybu offline” “{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=“Folder plik˘w trybu offline” “{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=“MMC Icon Handler” “{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=".CAB file viewer" “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”=“WinRAR shell extension” “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”=“Shell Extension for Malware scanning” ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINNT\SYSTEM32\ cmdlin~1.dll Mon 2007-04-16 7:12:06 A… 43 520 42,50 K divx.dll Thu 2007-02-01 6:56:06 A… 639 066 624,09 K dpl100.dll Tue 2007-01-30 6:56:58 A… 73 728 72,00 K dtu100.dll Tue 2007-01-30 6:56:58 A… 196 608 192,00 K libdivx.dll Tue 2007-01-30 7:03:28 A… 1 044 480 1020,00 K qt-dx331.dll Tue 2007-01-30 7:03:42 A… 3 596 288 3,43 M sfc.dll Sun 2007-02-25 17:58:00 A… 96 048 93,80 K ssldivx.dll Tue 2007-01-30 7:03:28 A… 200 704 196,00 K 8 items found: 8 files, 0 directories. Total of file sizes: 5 890 442 bytes 5,62 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Wolumin w stacji C nie ma etykiety. Numer seryjny woluminu: B451-F89D Katalog: C:\WINNT\System32 2007-02-25 16:38 0 plik(˘w) 0 bajt˘w 1 katalog(˘w) 33˙248˙153˙600 bajt˘w wolnych

adam9870 · 16 Kwiecień 2007 18:27

Już jest Ok.