nobinioo
(Nobinioo)
15 January 2007 11:00
#1
For some time now my internet connection has been running very slowly. I've scanned with just about everything you can scan with, but it doesn't help. What connection I have is written at the bottom. So I decided to send you a log.
Merged posts: 15.01.2007 (Mon) 12:00
Logfile of HijackThis v1.99.1
Scan saved at 12:01:26, on 2007-01-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\aa.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe
D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wdfmgr.exe
D:\PROGRAMY\zainstalowane\mozilla firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqSTE08.exe
D:\PROGRAMY\aqq\AQQ.exe
D:\PROGRAMY\zainstalowane\winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMY\zainstalowane\Spybot - Search & Destroy\SpybotSD.exe
C:\DOCUME~1\Nobinioo\USTAWI~1\Temp\Rar$EX03.725\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/intl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\PROGRAMY\zainstalowane\DAP\dapbho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programy\zainstalowane\RYDEN\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34C4B~1\Bar888.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRAMY\zainstalowane\fxp\IEFlash.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Peer2Mail Toolbar - {43F2A7F9-06F6-48a5-B0DC-8530BF29CE66} - C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34C4B~1\Bar888.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM…\Run: [HP Software Update] D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PLANET WL-8310 Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Clean Traces - D:\PROGRAMY\zainstalowane\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\PROGRAMY\zainstalowane\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRAMY\zainstalowane\DAP\dapextie2.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\PROGRAMY\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\PROGRAMY\FlashGet\jc_all.htm
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAMY\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAMY\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Ň×ȤąşÎď - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ň×ȤąşÎď - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.pl/resources/virusscan … nicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
Merged posts: 15.01.2007 (Mon) 12:16
Transfer dropped from 24-30 to a maximum of 8.
adam9870
(adam9870)
15 January 2007 13:37
#2
Don't keep HijackThis in TEMP or any other temporary folder. Put it e.g. on the desktop.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/intl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34C4B~1\Bar888.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34C4B~1\Bar888.dll
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAMY\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAMY\FLASHGET\flashget.exe (file missing)
O9 - Extra button: Ň×ȤąşÎď - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: Ň×ȤąşÎď - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all.net/url2/urlmanage/url.asp?id=1 (file missing)
Delete the folder manually in Safe Mode, and the entries in HJT.
Scan the file:
at http://virusscan.jotti.org/, and if it turns out to be malicious, delete it as well.
After doing that, please post a new log from HijackThis plus one from SilentRunners.
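As an added example (not part of this thread, and not code from HijackThis or SilentRunners), here is a small Python triage script that parses the HijackThis entry format shown above and flags the classes of entry adam9870 picked out: IE search/start pages pointing at an unexpected host, O2/O3/O9 components with no file on disk, and autostarts or processes running from a temporary directory. The allowlist of search hosts is an assumption, and the sample log is constructed from lines that appear in this thread.

```python
import re
from urllib.parse import urlparse

# Hosts an IE search/start page is expected to point at; any other host on an
# R0/R1 line is flagged. Constructed allowlist for this example (the thread's
# log pointed these pages at bearshare.com, which is deliberately not on it).
KNOWN_GOOD_HOSTS = {"www.google.com", "www.msn.com", "go.microsoft.com", "www.microsoft.com"}

ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")   # "R1 - ...", "O23 - ..."
URL_RE = re.compile(r"https?://[^\s\"']+")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)  # ...\Temp\... anywhere in a path


def parse_log(text):
    """Split a HijackThis log into (process paths, [(kind, body), ...]).

    HijackThis lists executables after 'Running processes:' and then the
    R/O entries; header lines that match neither are ignored.
    """
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif line.startswith("Running processes:"):
            in_processes = True
        elif in_processes:
            processes.append(line)
    return processes, entries


def classify_entry(kind, body):
    """Return a short reason if the entry deserves a look, or '' if it looks normal."""
    if kind in ("R0", "R1"):
        # Search/start-page URLs: the hijack in the thread rewrote all of these.
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or ""
            if host not in KNOWN_GOOD_HOSTS:
                return f"IE search/start page points at {host}"
        return ""
    if kind in ("O2", "O3", "O9"):
        if "(no file)" in body or "(file missing)" in body:
            # Registered BHO/toolbar/button whose DLL or EXE is gone: a dead entry.
            return "registered component has no file on disk"
        if kind == "O9" and URL_RE.search(body):
            # A toolbar button whose target is a web URL rather than a local program.
            return "IE button target is a web URL"
        return ""
    if kind == "O4" and TEMP_RE.search(body):
        return "autostart from a temporary directory"
    return ""


def triage(text):
    """Return [(tag, item, reason), ...] for everything in the log worth a second look."""
    findings = []
    processes, entries = parse_log(text)
    for path in processes:
        if TEMP_RE.search(path):
            findings.append(("PROC", path, "process running from a temporary directory"))
    for kind, body in entries:
        reason = classify_entry(kind, body)
        if reason:
            findings.append((kind, body, reason))
    return findings


# Constructed sample, assembled from entry lines that appear in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:01:26, on 2007-01-15
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Nobinioo\USTAWI~1\Temp\Rar$EX03.725\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/intl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAMY\FLASHGET\flashget.exe (file missing)
"""

if __name__ == "__main__":
    for tag, item, reason in triage(SAMPLE_LOG):
        print(f"[{tag}] {reason}\n    {item}")
```

The heuristics are deliberately conservative: an entry with a present file and a normal-looking host (such as the Spybot SDHelper BHO or the ctfmon autostart in the sample) is left alone, so a hit is a prompt to look, not a verdict.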
nobinioo
(Nobinioo)
15 January 2007 16:14
#3
Logfile of HijackThis v1.99.1
Scan saved at 17:17:52, on 2007-01-15
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\aa.exe
D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe
D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqSTE08.exe
D:\PROGRAMY\ZAINST~1\MOZILL~1\FIREFOX.EXE
D:\PROGRAMY\zainstalowane\G6 FTP Server\G6FTPSrv.exe
D:\PROGRAMY\aqq\AQQ.exe
D:\PROGRAMY\zainstalowane\winamp\winamp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\WScript.exe
C:\WINDOWS\System32\WScript.exe
C:\Documents and Settings\Nobinioo\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\PROGRAMY\zainstalowane\DAP\dapbho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programy\zainstalowane\RYDEN\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRAMY\zainstalowane\fxp\IEFlash.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Peer2Mail Toolbar - {43F2A7F9-06F6-48a5-B0DC-8530BF29CE66} - C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM…\Run: [HP Software Update] D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU…\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: PLANET WL-8310 Configuration Utility.lnk = ?
O4 - Global Startup: Reg.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Clean Traces - D:\PROGRAMY\zainstalowane\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\PROGRAMY\zainstalowane\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRAMY\zainstalowane\DAP\dapextie2.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - D:\PROGRAMY\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - D:\PROGRAMY\FlashGet\jc_all.htm
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.pl/resources/virusscan … nicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"(Default)" = (unknown data type)
"D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe" = "D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"(Default)" = (unknown data type)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HP Software Update" = "D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"(Default)" = (unknown data type)

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0000CC75-ACF3-4cac-A0A9-DD3868E06852}\(Default) = (no title provided)
  -> {HKLM…CLSID} = "DAPHelper Class"
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\DAP\dapbho.dll" ["Speedbit Ltd."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM…CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "d:\programy\zainstalowane\RYDEN\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
  -> {HKLM…CLSID} = "MEGAUPLOADTOOLBAR"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
  -> {HKLM…CLSID} = "Groove GFS Browser Helper"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)
  -> {HKLM…CLSID} = "FlashFXP Helper for Internet Explorer"
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\fxp\IEFlash.dll" ["IniCom Networks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM…CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"
  -> {HKLM…CLSID} = "SnagIt"
                   \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"
  -> {HKLM…CLSID} = "SnagItShellExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
  -> {HKLM…CLSID} = "dBpShell Class"
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\konwertacja do koma\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
  -> {HKLM…CLSID} = "dMCIShell Class"
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\konwertacja do koma\dBpowerAMP\dMCShell.dll" [empty string]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM…CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM…CLSID} = "Sony Ericsson File Manager"
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\stery do koma\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM…CLSID} = "TuneUp Theme Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}" = "TuneUp Shredder Shell Context Menu Extension"
  -> {HKLM…CLSID} = "TuneUp Shredder Shell Context Menu Extension"
                   \InProcServer32\(Default) = ""D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll"" ["TuneUp Software GmbH"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
  -> {HKLM…CLSID} = "Groove GFS Browser Helper"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
  -> {HKLM…CLSID} = "Groove Folder Synchronization"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
  -> {HKLM…CLSID} = "Groove GFS Stub Icon Handler"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM…CLSID} = "Groove GFS Stub Execution Hook"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
  -> {HKLM…CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
  -> {HKLM…CLSID} = "Groove XML Icon Handler"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
  -> {HKLM…CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
  -> {HKLM…CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
  -> {HKLM…CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
  -> {HKLM…CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
  -> {HKLM…CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM…CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM…CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM…CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\ofice 07\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM…CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM…CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM…CLSID} = "Groove GFS Stub Execution Hook"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM…CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
  -> {HKLM…CLSID} = "DAPMenuShellExt Class"
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\DAP\Privacy Package\DAPCtxMenuShell.dll" ["Speedbit Ltd."]
MyPhoneExplorer\(Default) = "{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}"
  -> {HKLM…CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"
                   \InProcServer32\(Default) = "D:\PROGRAMY\zainstalowane\phone exploer\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {HKLM…CLSID} = "SnagItShellExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {HKLM…CLSID} = "TuneUp Shredder Shell Context Menu Extension"
                   \InProcServer32\(Default) = ""D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll"" ["TuneUp Software GmbH"]
VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"
  -> {HKLM…CLSID} = "AmvTransform Class"
                   \InProcServer32\(Default) = "C:\Program Files\MP3 Player Utilities 3.68\AMVTools\AmvTransform.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM…CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"
  -> {HKLM…CLSID} = "SnagItShellExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]
TuneUp Shredder\(Default) = "{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}"
  -> {HKLM…CLSID} = "TuneUp Shredder Shell Context Menu Extension"
                   \InProcServer32\(Default) = ""D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll"" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM…CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM…CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM…CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]


Default executables:
--------------------

HKCU\Software\Classes\batfile\
HKCU\Software\Classes\cmdfile\


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSaveSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nobinioo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Nobinioo" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"PLANET WL-8310 Configuration Utility" -> shortcut to: "C:\Program Files\PLANET WL-8310\WLANPRO.exe" [empty string]
"Reg" -> shortcut to: "C:\Program Files\PLANET WL-8310\Reg.exe" [empty string]
"HP Digital Imaging Monitor" -> shortcut to: "D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "D:\PROGRAMY\zainstalowane\tuneupiec\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{43F2A7F9-06F6-48A5-B0DC-8530BF29CE66}"
  -> {HKLM…CLSID} = "Peer2Mail Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll" [null data]
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}"
  -> {HKLM…CLSID} = "Google Web Accelerator"
                   \InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"
  -> {HKLM…CLSID} = "MEGAUPLOADTOOLBAR"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)
  -> {HKLM…CLSID} = "SnagIt"
                   \InProcServer32\(Default) = "C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]
"{43F2A7F9-06F6-48A5-B0DC-8530BF29CE66}" = "Peer2Mail Toolbar"
  -> {HKLM…CLSID} = "Peer2Mail Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll" [null data]
"{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}" = (no title provided)
  -> {HKLM…CLSID} = "Google Web Accelerator"
                   \InProcServer32\(Default) = "C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll" [null data]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
  -> {HKLM…CLSID} = "MEGAUPLOADTOOLBAR"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM…CLSID} = "Send to OneNote from Internet Explorer button"
                   \InProcServer32\(Default) = "D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

<> "TuneUp" = "file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
TuneUp Design Expansion, UxTuneUp, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]}
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
LIDIL Language Monitor\Driver = "hpzll3xu.dll" ["Hewlett-Packard Company"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]


----------
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 129 seconds, including 4 seconds for message boxes)
Merged posts: 15.01.2007 (Mon) 17:17
So far there are no positive results, quite the opposite.
Oh, and about that aa.exe file: I scanned it on the site you gave and it sees it as a virus, fine, so I set about deleting the file, manually of course, and there's a problem: the file exists but I can't find it in the given directory ;/
adam9870
(adam9870)
15 January 2007 16:20
#4
Download KillBox, tick Delete on reboot, and in the Full path of file field paste the path:
C:\WINDOWS\system32\aa.exe
Click the red X and restart the computer.
Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.
When done, you can post a new Silent Runners log.
nobinioo
(Nobinioo)
15 January 2007 16:29
#5
as for aa.exe: file could not be deleted
Joan
(Joan Sunshine)
15 January 2007 16:50
#6
Download and install UnHookExec.inf (after downloading, right-click the file and choose “Install”)
Paste new logs.
nobinioo
(Nobinioo)
15 January 2007 16:57
#7
Oh, and I wanted to add something: I went into msconfig and noticed some application called aa
I think it's suspicious and probably the main culprit of this problem. I disabled it but that did nothing, the net is still crawling like… I'm out of ideas. I'll post the log from that last program in a moment
Joan
(Joan Sunshine)
15 January 2007 17:01
#8
Not a log from that program, it's a registry fix
Post new HJT and Silent Runners logs.
nobinioo
(Nobinioo)
15 January 2007 17:03
#9
Logfile of HijackThis v1.99.1 Scan saved at 18:07:01, on 2007-01-15 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqSTE08.exe C:\WINDOWS\system32\ctfmon.exe D:\PROGRAMY\zainstalowane\opera09,2\Opera.exe D:\PROGRAMY\aqq\AQQ.exe D:\PROGRAMY\zainstalowane\mozilla firefox\firefox.exe C:\Documents and Settings\Nobinioo\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - D:\PROGRAMY\zainstalowane\DAP\dapbho.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\programy\zainstalowane\RYDEN\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - D:\PROGRAMY\zainstalowane\fxp\IEFlash.dll O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll O3 - Toolbar: Peer2Mail Toolbar - 
{43F2A7F9-06F6-48a5-B0DC-8530BF29CE66} - C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM…\Run: [HP Software Update] D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [D] D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: PLANET WL-8310 Configuration Utility.lnk = ? O4 - Global Startup: Reg.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: &Clean Traces - D:\PROGRAMY\zainstalowane\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - D:\PROGRAMY\zainstalowane\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - D:\PROGRAMY\zainstalowane\DAP\dapextie2.htm O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Ściągnij przy pomocy FlashGet’a - D:\PROGRAMY\FlashGet\jc_link.htm O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet’a - D:\PROGRAMY\FlashGet\jc_all.htm O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll O9 - Extra ‘Tools’ menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - 
D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.pl/resources/virusscan … nicode.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GR99D3~1.DLL O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe” = “D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe” [null data] “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “1qaw3edr5” = “C:\WINDOWS\system32\aa.exe” [file not found] 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “HP Software Update” = “D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {0000CC75-ACF3-4cac-A0A9-DD3868E06852}(Default) = (no title provided) -> {HKLM…CLSID} = “DAPHelper Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\DAP\dapbho.dll” [“Speedbit Ltd.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “d:\programy\zainstalowane\RYDEN\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}(Default) = (no title provided) -> {HKLM…CLSID} = “Groove GFS Browser Helper” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] {E5A1691B-D188-4419-AD02-90002030B8EE}(Default) = (no title provided) -> {HKLM…CLSID} = “FlashFXP Helper for Internet Explorer” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\fxp\IEFlash.dll” [“IniCom Networks, Inc.”]
Merged posts: 15.01.2007 (Mon) 18:08
sorry ten jest dluzszy “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe” = “D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe” [null data] “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “1qaw3edr5” = “C:\WINDOWS\system32\aa.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “HP Software Update” = “D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {0000CC75-ACF3-4cac-A0A9-DD3868E06852}(Default) = (no title provided) -> {HKLM…CLSID} = “DAPHelper Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\DAP\dapbho.dll” [“Speedbit Ltd.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “d:\programy\zainstalowane\RYDEN\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}(Default) = (no title provided) -> {HKLM…CLSID} = “Groove GFS Browser Helper” \InProcServer32(Default) = 
“D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] {E5A1691B-D188-4419-AD02-90002030B8EE}(Default) = (no title provided) -> {HKLM…CLSID} = “FlashFXP Helper for Internet Explorer” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\fxp\IEFlash.dll” [“IniCom Networks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}” = “SnagIt” -> {HKLM…CLSID} = “SnagIt” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll” [“TechSmith Corporation”] “{CF74B903-3389-469c-B3B6-0204D204FCBD}” = “SnagIt Shell Extension” -> {HKLM…CLSID} = “SnagItShellExt Class” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll” [“TechSmith Corporation”] “{FED7043D-346A-414D-ACD7-550D052499A7}” = “dBpowerAMP Music Converter 1” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\konwertacja do koma\dBpowerAMP\dBShell.dll” [empty string] “{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}” = “dBpowerAMP Music Converter” -> {HKLM…CLSID} = “dMCIShell Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\konwertacja do koma\dBpowerAMP\dMCShell.dll” [empty string] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] 
“{A5110426-177D-4e08-AB3F-785F10B4439C}” = “Sony Ericsson File Manager” -> {HKLM…CLSID} = “Sony Ericsson File Manager” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\stery do koma\File Manager\fmgrgui.dll” [“Sony Ericsson Mobile Communications AB”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” -> {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\uxtuneup.dll” [“TuneUp Software GmbH”] “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” = “TuneUp Shredder Shell Context Menu Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll”” [“TuneUp Software GmbH”] “{72853161-30C5-4D22-B7F9-0BBC1D38A37E}” = “Groove GFS Browser Helper” -> {HKLM…CLSID} = “Groove GFS Browser Helper” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}” = “Groove GFS Explorer Bar” -> {HKLM…CLSID} = “Groove Folder Synchronization” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{A449600E-1DC6-4232-B948-9BD794D62056}” = “Groove GFS Stub Icon Handler” -> {HKLM…CLSID} = “Groove GFS Stub Icon Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{B5A7F190-DDA6-4420-B3BA-52453494E6CD}” = “Groove GFS Stub Execution Hook” -> {HKLM…CLSID} = “Groove GFS Stub Execution Hook” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{6C467336-8281-4E60-8204-430CED96822D}” = “Groove GFS Context Menu Handler” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{387E725D-DC16-4D76-B310-2C93ED4752A0}” = “Groove XML Icon Handler” -> {HKLM…CLSID} = “Groove XML Icon Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{16F3DD56-1AF5-4347-846D-7C10C4192619}” 
= “Groove Explorer Icon Overlay 3 (GFS Folder)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 3 (GFS Folder)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}” = “Groove Explorer Icon Overlay 2 (GFS Stub)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 2 (GFS Stub)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}” = “Groove Explorer Icon Overlay 4 (GFS Unread Mark)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 4 (GFS Unread Mark)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{99FD978C-D287-4F50-827F-B2C658EDA8E7}” = “Groove Explorer Icon Overlay 1 (GFS Unread Stub)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 1 (GFS Unread Stub)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{920E6DB1-9907-4370-B3A0-BAFC03D81399}” = “Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Outlook File Icon Extension” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\OLKFSTUB.DLL” [MS] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\MLSHEXT.DLL” [MS] “{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” -> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONFILTER.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon 
Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\ofice 07\Office12\msohevi.dll” [MS] “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” -> {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{B5A7F190-DDA6-4420-B3BA-52453494E6CD}” = “Groove GFS Stub Execution Hook” -> {HKLM…CLSID} = “Groove GFS Stub Execution Hook” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“OODBS” [“O&O Software GmbH”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\DAP\Privacy Package\DAPCtxMenuShell.dll” [“Speedbit Ltd.”] MyPhoneExplorer(Default) = “{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}” -> {HKLM…CLSID} = “MyPhoneExplorer_ShellEx.ShellExt” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\phone exploer\MyPhoneExplorer\DLL\ShellMgr.dll” [“F.J. 
Wechselberger”] SnagItMainShellExt(Default) = “{CF74B903-3389-469c-B3B6-0204D204FCBD}” -> {HKLM…CLSID} = “SnagItShellExt Class” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll” [“TechSmith Corporation”] TuneUp Shredder(Default) = “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll”” [“TuneUp Software GmbH”] VIDEOTRANS(Default) = “{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}” -> {HKLM…CLSID} = “AmvTransform Class” \InProcServer32(Default) = “C:\Program Files\MP3 Player Utilities 3.68\AMVTools\AmvTransform.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ SnagItMainShellExt(Default) = “{CF74B903-3389-469c-B3B6-0204D204FCBD}” -> {HKLM…CLSID} = “SnagItShellExt Class” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll” [“TechSmith Corporation”] TuneUp Shredder(Default) = “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll”” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] 
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] Default executables: -------------------- HKCU\Software\Classes\batfile\ HKCU\Software\Classes\cmdfile\ <> HKLM\Software\Classes\scrfile\shell\open\command(Default) = “”%1" %*" [file not found] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop| Don’t save settings at exit} “ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Nobinioo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Nobinioo” & “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “PLANET WL-8310 Configuration Utility” -> shortcut to: “C:\Program Files\PLANET WL-8310\WLANPRO.exe” [empty string] “Reg” -> shortcut to: “C:\Program Files\PLANET WL-8310\Reg.exe” [empty string] “HP Digital Imaging Monitor” -> shortcut to: “D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: 
“D:\PROGRAMY\zainstalowane\tuneupiec\SystemOptimizer.exe /schedulestart” [“TuneUp Software GmbH”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{43F2A7F9-06F6-48A5-B0DC-8530BF29CE66}” -> {HKLM…CLSID} = “Peer2Mail Toolbar” \InProcServer32(Default) = “C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll” [null data] “{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}” -> {HKLM…CLSID} = “Google Web Accelerator” \InProcServer32(Default) = “C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}” = (no title provided) -> {HKLM…CLSID} = “SnagIt” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll” [“TechSmith Corporation”] “{43F2A7F9-06F6-48A5-B0DC-8530BF29CE66}” = “Peer2Mail Toolbar” -> {HKLM…CLSID} = “Peer2Mail Toolbar” \InProcServer32(Default) = “C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll” [null data] “{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}” = (no title provided) 
-> {HKLM…CLSID} = “Google Web Accelerator” \InProcServer32(Default) = “C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}(Default) = “Groove Folder Synchronization” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {2670000A-7350-4F3C-8081-5663EE0C6C49}\ “ButtonText” = “Wyślij do programu OneNote” “MenuText” = “Wyślij &do programu OneNote” “CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}” -> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll” [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Research” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, 
“C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] TuneUp Design Expansion, UxTuneUp, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ LIDIL Language Monitor\Driver = “hpzll3xu.dll” [“Hewlett-Packard Company”] Send To Microsoft OneNote Monitor\Driver = “msonpmon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 66 seconds, including 1 second for message boxes)
adam9870
(adam9870)
15 January 2007 17:09
#10
Start => Run => type regedit and click OK => go to the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
and right-click to delete the value 1qaw3edr5 found there
When done, you can post a new Silent Runners log.
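As an added example (not code from this thread, nor from the Silent Runners or HijackThis tools), here is a small Python parser for the "Startup items buried in registry" section of a Silent Runners report that flags the kind of entry adam9870 points at: a value under Policies\Explorer\Run whose target is already marked [file not found]. The sample report is constructed from entries quoted in this thread; the scoring heuristics are my own.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on the "Startup items buried in registry" section of
# the Silent Runners R50 output posted in this thread (the entries are copied from it).
SAMPLE_LOG = r"""
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe" = "D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"1qaw3edr5" = "C:\WINDOWS\system32\aa.exe" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"HP Software Update" = "D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"""


@dataclass
class StartupEntry:
    key: str    # registry key the value lives under
    name: str   # value name
    data: str   # value data (command line, may carry arguments)
    tag: str    # Silent Runners annotation: company name, "MS", "file not found", ...


# Key lines end with a backslash and may carry the "{++}" (non-default-only) marker;
# value lines are  "name" = "data" [tag].  Both may be prefixed by the "<>" warning mark.
KEY_RE = re.compile(r'^(?:<> )?(HK[A-Z_]+\\.+?\\)(?: \{\+\+\})?$')
VALUE_RE = re.compile(r'^(?:<> )?"(?P<name>[^"]+)" = "(?P<data>.*)" \[(?P<tag>[^\]]*)\]$')


def parse_startup_items(text: str) -> list[StartupEntry]:
    """Walk the report line by line, remembering the current key for each value."""
    entries, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif (m := VALUE_RE.match(line)) and key:
            entries.append(StartupEntry(key, m["name"], m["data"], m["tag"].strip('"')))
    return entries


def target_path(data: str) -> str:
    """Executable path from a Run value's data, with any arguments dropped."""
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    m = re.search(r" [/-]", data)          # unquoted path followed by a switch
    return data if m is None else data[: m.start()]


def assess(entry: StartupEntry) -> list[tuple[str, str]]:
    """Return (severity, reason) pairs; 'high' marks a launch point worth removing."""
    reasons = []
    target = target_path(entry.data)
    base = ntpath.basename(target).lower()
    if "\\policies\\explorer\\run" in entry.key.lower():
        reasons.append(("high", "value sits under Policies\\Explorer\\Run, an autostart "
                                "location normal installers do not use"))
    if entry.tag == "file not found":
        reasons.append(("high", "dangling launch point: the file is gone but the value remains"))
    if re.fullmatch(r"[a-z]{1,3}\.exe", base) and "\\system32\\" in target.lower():
        reasons.append(("high", f"generic short name {base} in system32"))
    if entry.tag in ("null data", "empty string"):
        reasons.append(("info", "no company name in version info; verify the file by hash"))
    return reasons


def suspicious_entries(text: str) -> list[tuple[StartupEntry, list[str]]]:
    """Entries with at least one 'high' reason, paired with all their reasons."""
    hits = []
    for entry in parse_startup_items(text):
        reasons = assess(entry)
        if any(sev == "high" for sev, _ in reasons):
            hits.append((entry, [r for _, r in reasons]))
    return hits


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(SAMPLE_LOG):
        print(f'{entry.key}"{entry.name}" = "{entry.data}" [{entry.tag}]')
        for r in reasons:
            print("   -", r)
```

On the sample the only entry reported at "high" is 1qaw3edr5, for all three reasons at once; the NetMeter value gets an informational note only, which matches how the thread treats it.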
nobinioo
(Nobinioo)
15 January 2007 17:18
#11
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe” = “D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “HP Software Update” = “D:\PROGRAMY\zainstalowane\hp\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {0000CC75-ACF3-4cac-A0A9-DD3868E06852}(Default) = (no title provided) -> {HKLM…CLSID} = “DAPHelper Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\DAP\dapbho.dll” [“Speedbit Ltd.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “d:\programy\zainstalowane\RYDEN\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}(Default) = (no title provided) -> {HKLM…CLSID} = “Groove GFS Browser Helper” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] {E5A1691B-D188-4419-AD02-90002030B8EE}(Default) = (no title provided) -> {HKLM…CLSID} = “FlashFXP Helper 
for Internet Explorer” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\fxp\IEFlash.dll” [“IniCom Networks, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}” = “SnagIt” -> {HKLM…CLSID} = “SnagIt” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll” [“TechSmith Corporation”] “{CF74B903-3389-469c-B3B6-0204D204FCBD}” = “SnagIt Shell Extension” -> {HKLM…CLSID} = “SnagItShellExt Class” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll” [“TechSmith Corporation”] “{FED7043D-346A-414D-ACD7-550D052499A7}” = “dBpowerAMP Music Converter 1” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\konwertacja do koma\dBpowerAMP\dBShell.dll” [empty string] “{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}” = “dBpowerAMP Music Converter” -> {HKLM…CLSID} = “dMCIShell Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\konwertacja do koma\dBpowerAMP\dMCShell.dll” [empty string] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{A5110426-177D-4e08-AB3F-785F10B4439C}” = “Sony Ericsson File Manager” -> {HKLM…CLSID} = “Sony Ericsson File Manager” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\stery do 
koma\File Manager\fmgrgui.dll” [“Sony Ericsson Mobile Communications AB”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” -> {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\uxtuneup.dll” [“TuneUp Software GmbH”] “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” = “TuneUp Shredder Shell Context Menu Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll”” [“TuneUp Software GmbH”] “{72853161-30C5-4D22-B7F9-0BBC1D38A37E}” = “Groove GFS Browser Helper” -> {HKLM…CLSID} = “Groove GFS Browser Helper” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}” = “Groove GFS Explorer Bar” -> {HKLM…CLSID} = “Groove Folder Synchronization” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{A449600E-1DC6-4232-B948-9BD794D62056}” = “Groove GFS Stub Icon Handler” -> {HKLM…CLSID} = “Groove GFS Stub Icon Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{B5A7F190-DDA6-4420-B3BA-52453494E6CD}” = “Groove GFS Stub Execution Hook” -> {HKLM…CLSID} = “Groove GFS Stub Execution Hook” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{6C467336-8281-4E60-8204-430CED96822D}” = “Groove GFS Context Menu Handler” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{387E725D-DC16-4D76-B310-2C93ED4752A0}” = “Groove XML Icon Handler” -> {HKLM…CLSID} = “Groove XML Icon Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{16F3DD56-1AF5-4347-846D-7C10C4192619}” = “Groove Explorer Icon Overlay 3 (GFS Folder)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 3 (GFS Folder)” \InProcServer32(Default) = 
“D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}” = “Groove Explorer Icon Overlay 2 (GFS Stub)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 2 (GFS Stub)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}” = “Groove Explorer Icon Overlay 4 (GFS Unread Mark)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 4 (GFS Unread Mark)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{99FD978C-D287-4F50-827F-B2C658EDA8E7}” = “Groove Explorer Icon Overlay 1 (GFS Unread Stub)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 1 (GFS Unread Stub)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{920E6DB1-9907-4370-B3A0-BAFC03D81399}” = “Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)” -> {HKLM…CLSID} = “Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Outlook File Icon Extension” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\OLKFSTUB.DLL” [MS] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\MLSHEXT.DLL” [MS] “{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” -> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONFILTER.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\ofice 07\Office12\msohevi.dll” [MS] 
“{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” -> {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{B5A7F190-DDA6-4420-B3BA-52453494E6CD}” = “Groove GFS Stub Execution Hook” -> {HKLM…CLSID} = “Groove GFS Stub Execution Hook” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“OODBS” [“O&O Software GmbH”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\DAP\Privacy Package\DAPCtxMenuShell.dll” [“Speedbit Ltd.”] MyPhoneExplorer(Default) = “{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}” -> {HKLM…CLSID} = “MyPhoneExplorer_ShellEx.ShellExt” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\phone exploer\MyPhoneExplorer\DLL\ShellMgr.dll” [“F.J. 
Wechselberger”] SnagItMainShellExt(Default) = “{CF74B903-3389-469c-B3B6-0204D204FCBD}” -> {HKLM…CLSID} = “SnagItShellExt Class” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll” [“TechSmith Corporation”] TuneUp Shredder(Default) = “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll”” [“TuneUp Software GmbH”] VIDEOTRANS(Default) = “{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}” -> {HKLM…CLSID} = “AmvTransform Class” \InProcServer32(Default) = “C:\Program Files\MP3 Player Utilities 3.68\AMVTools\AmvTransform.dll” [empty string] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ SnagItMainShellExt(Default) = “{CF74B903-3389-469c-B3B6-0204D204FCBD}” -> {HKLM…CLSID} = “SnagItShellExt Class” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll” [“TechSmith Corporation”] TuneUp Shredder(Default) = “{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Context Menu Extension” \InProcServer32(Default) = ““D:\PROGRAMY\zainstalowane\tuneupiec\sdshelex.dll”” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] 
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ XXX Groove GFS Context Menu Handler XXX(Default) = “{6C467336-8281-4E60-8204-430CED96822D}” -> {HKLM…CLSID} = “Groove GFS Context Menu Handler” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] Default executables: -------------------- HKCU\Software\Classes\batfile\ HKCU\Software\Classes\cmdfile\ <> HKLM\Software\Classes\scrfile\shell\open\command(Default) = “”%1" %*" [file not found] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop| Don’t save settings at exit} “ClearRecentDocsOnExit” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Nobinioo\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Nobinioo” & “All Users” startup folders: ---------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “PLANET WL-8310 Configuration Utility” -> shortcut to: “C:\Program Files\PLANET WL-8310\WLANPRO.exe” [empty string] “Reg” -> shortcut to: “C:\Program Files\PLANET WL-8310\Reg.exe” [empty string] “HP Digital Imaging Monitor” -> shortcut to: “D:\PROGRAMY\zainstalowane\hp\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: 
“D:\PROGRAMY\zainstalowane\tuneupiec\SystemOptimizer.exe /schedulestart” [“TuneUp Software GmbH”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{43F2A7F9-06F6-48A5-B0DC-8530BF29CE66}” -> {HKLM…CLSID} = “Peer2Mail Toolbar” \InProcServer32(Default) = “C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll” [null data] “{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}” -> {HKLM…CLSID} = “Google Web Accelerator” \InProcServer32(Default) = “C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}” = (no title provided) -> {HKLM…CLSID} = “SnagIt” \InProcServer32(Default) = “C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll” [“TechSmith Corporation”] “{43F2A7F9-06F6-48A5-B0DC-8530BF29CE66}” = “Peer2Mail Toolbar” -> {HKLM…CLSID} = “Peer2Mail Toolbar” \InProcServer32(Default) = “C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll” [null data] “{DB87BFA2-A2E3-451E-8E5A-C89982D87CBF}” = (no title provided) 
-> {HKLM…CLSID} = “Google Web Accelerator” \InProcServer32(Default) = “C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}(Default) = “Groove Folder Synchronization” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\GRA8E1~1.DLL” [MS] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {2670000A-7350-4F3C-8081-5663EE0C6C49}\ “ButtonText” = “Wyślij do programu OneNote” “MenuText” = “Wyślij &do programu OneNote” “CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}” -> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button” \InProcServer32(Default) = “D:\PROGRAMY\ZAINST~1\OFICE0~1\Office12\ONBttnIE.dll” [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Research” {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “TuneUp” = “file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css” [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, 
“C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] TuneUp Design Expansion, UxTuneUp, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ LIDIL Language Monitor\Driver = “hpzll3xu.dll” [“Hewlett-Packard Company”] Send To Microsoft OneNote Monitor\Driver = “msonpmon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 85 seconds, including 8 seconds for message boxes)
Merged posts: 15.01.2007 (Mon) 18:24
And nothing.
Merged posts: 15.01.2007 (Mon) 20:37
Don't you have any more advice, or should I do a format??
Merged posts: 16.01.2007 (Tue) 13:41
I have just finished formatting partition C. The problem is exactly as it was; the transfer is still max 8. Take another look, maybe someone will find something.
Logfile of HijackThis v1.99.1 Scan saved at 13:43:13, on 2007-01-16 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\acs.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe D:\PROGRAMY\zainstalowane\PLANET WL-8310\WLANPRO.exe C:\WINDOWS\system32\wuauclt.exe D:\PROGRAMY\zainstalowane\Internet Download Manager\IEMonitor.exe D:\PROGRAMY\zainstalowane\AQQ\AQQ.exe D:\PROGRAMY\zainstalowane\winamp\winamp.exe D:\PROGRAMY\ZAINST~1\FIREFO~1.0\MOZILL~1\FIREFOX.EXE D:\PROGRAMY\zainstalowane\NetMeter\NetMeter.exe C:\WINDOWS\system32\wuauclt.exe D:\PROGRAMY\zainstalowane\Internet Download Manager\IDMan.exe C:\Documents and Settings\Kossu\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\PROGRAMY\zainstalowane\Internet Download Manager\IDMIECC.dll O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Global Startup: PLANET WL-8310 Configuration Utility.lnk = ? O4 - Global Startup: Reg.lnk = ? 
O8 - Extra context menu item: Download All Links with IDM - D:\PROGRAMY\zainstalowane\Internet Download Manager\IEGetAll.htm O8 - Extra context menu item: Download with IDM - D:\PROGRAMY\zainstalowane\Internet Download Manager\IEExt.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\acs.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “MSConfig” = “C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {0055C089-8582-441B-A0BF-17B458C2A3A8}(Default) = “IDM Helper” -> {HKLM…CLSID} = “IDMIEHlprObj Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\Internet Download Manager\IDMIECC.dll” [“Tonec Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = 
“Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{FED7043D-346A-414D-ACD7-550D052499A7}” = “dBpowerAMP Music Converter 1” -> {HKLM…CLSID} = “dBpShell Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\do koma\dBpowerAMP\dBShell.dll” [empty string] “{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}” = “dBpowerAMP Music Converter” -> {HKLM…CLSID} = “dMCIShell Class” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\do koma\dBpowerAMP\dMCShell.dll” [empty string] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ MyPhoneExplorer(Default) = “{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}” -> {HKLM…CLSID} = “MyPhoneExplorer_ShellEx.ShellExt” \InProcServer32(Default) = “D:\PROGRAMY\zainstalowane\MPexploer\MyPhoneExplorer\DLL\ShellMgr.dll” [“F.J. Wechselberger”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Kossu\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Kossu” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “PLANET WL-8310 Configuration Utility” -> shortcut to: “D:\PROGRAMY\zainstalowane\PLANET WL-8310\WLANPRO.exe” [empty string] “Reg” -> shortcut to: “D:\PROGRAMY\zainstalowane\PLANET WL-8310\Reg.exe” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = 
“%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Atheros Configuration Service, ACS, “C:\WINDOWS\System32\acs.exe” [null data] Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 26 seconds. ---------- (total run time: 77 seconds)
I'm also thinking about installing a firewall.