A page with adverts keeps opening

I have a problem… a page with some adverts keeps opening on my computer… I scanned the PC with Kaspersky, it detects nothing… and AVG only finds tracking cookies. On top of that the internet has slowed down; I don't know what else to scan the PC with or what to do, please help!!!

I'm pasting the log

thanks in advance for the help :smiley:

Split off from another topic.

The PropheT - in future, please don't tack onto other people's topics, because it makes a mess. It's worth starting your own separate threads.

Please read the following topics:

:arrow: http://forum.dobreprogramy.pl/viewtopic.php?t=36654

:arrow: http://forum.dobreprogramy.pl/viewtopic.php?t=66889

Logs go in quote tags. I have already formatted the ones above; paste the next ones correctly.

Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.

Delete the files manually in Safe Mode with System Restore turned off, and the entries with HijackThis.

Read about deleting files and folders with a question mark - Removing PurityScan.

When done, post a new log from HijackThis and ComboFix. To produce a log with it, run it => press the Y key => wait patiently, and the log should appear as a .txt file named combofix on the C: partition.

This is what helped me: http://cybertrash.pl/images/tata/Vundo/Usuwanie%20Trojana%20Vundo.html + Spyware Doctor. Good luck

in wwdc all 5 options are green, only it says the svchosts are infected with a virus because they use too much RAM or something like that. and should I delete all the files from the quote or only the red ones?

Read carefully the page I gave you; if it's that case, use the programs given there, for me it worked like a charm.

mikpik How do you know the topic author has the Vundo trojan? There is no entry in the log that could indicate it. The log shows a few as yet unknown pieces of junk plus PurityScan. So @The PropheT should for now do what I wrote and paste the new logs I asked for. They should clarify the situation.

In that case, don't use WWDC for now. That message may be caused by the presence of the malware. If it still appears after the malware has been removed, I'll give specific advice.

You delete only and exclusively the files (and folders) marked in red. No others.

of those files I only found this one

C:\WINDOWS\system32\gbiu.dll

with that method of removing PurityScan I didn't find any files with question marks:

04-09-19 14:18 1 --a------ C:\Qoobox\Quarantine\07-04-04\WINDOWS\HOSTS.vir 

06-12-11 17:45 70144 -r-hs---- C:\Qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\SKS~1\spool32.exe 

07-03-19 20:31 228864 -r-hs---- C:\Qoobox\purity\WINDOWS\RACLE~1\n?tepad.exe 

07-04-04 23:29 112 --a------ C:\Qoobox\purity\DOCUME~1\Mamusia\DANEAP~1\from.txt 

07-04-04 23:29 116 --a------ C:\Qoobox\purity\Program Files\Common Files\from.txt 

07-04-04 23:29 12320 --a------ C:\Qoobox\Quarantine\07-04-04\Registry_backups\services_nm.reg.cf 

07-04-04 23:29 1314 --a------ C:\Qoobox\Quarantine\07-04-04\Registry_backups\LEGACY_NM.reg.cf 

07-04-04 23:29 27 --a------ C:\Qoobox\purity\WINDOWS\system32\from.txt 

07-04-04 23:29 37 --a------ C:\Qoobox\purity\WINDOWS\from.txt 

07-04-04 23:29 52 --a------ C:\Qoobox\purity\Program Files\from.txt 

07-04-04 23:29 75 --a------ C:\Qoobox\purity\DOCUME~1\Mamusia\MOJEDO~1\from.txt 

07-04-04 23:29 884 --a------ C:\Qoobox\Quarantine\07-04-04\Registry_backups\LEGACY_MCHINJDRV.reg.cf 



Zmienna PATH folderu

Numer seryjny woluminu: B400-567D

C:\QOOBOX

+---purity

| +---DOCUME~1

| | \---Mamusia

| | +---DANEAP~1

| | | | from.txt

| | | |   

| | | +---DOBE~1

| | | +---ICROSO~1

| | | \---SKS~1

| | | \---SKS~1

| | \---MOJEDO~1

| | | from.txt

| | |   

| | +---ASKS~1

| | \---PPPATC~1

| +---Program Files

| | | from.txt

| | |   

| | +---Common Files

| | | | from.txt

| | | |   

| | | +---ICROSO~1

| | | +---SKS~1

| | | \---STEM~1

| | +---SMANTE~1

| | \---WNSXS~1

| \---WINDOWS

| | from.txt

| |   

| +---FNTS~1

| +---RACLE~1

| \---system32

| | from.txt

| |   

| \---DOBE~1

\---Quarantine

    \---07-04-04

        +---Registry_backups

        | LEGACY_MCHINJDRV.reg.cf

        | LEGACY_NM.reg.cf

        | services_nm.reg.cf

        |       

        \---WINDOWS

                HOSTS.vir

You didn't do anything, you were supposed to give the combofix log :frowning:

Scan with AVG Anti-Spyware 7.5 after an update :wink:

the scan was after an update :/ and I can't find those files anywhere :/

and here is the combofix log

Delete the files and folder (if there are any) manually in Safe Mode, and the entries with HijackThis.

Open Notepad and paste this into it:

File >>> Save As >>> change the extension from TXT to All Files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

I suggest removing Kazaa and BearShare and considering some cleaner p2p programs.

http://cybertrash.netarteria.pl/cyber/i … 198.0.html

http://forum.dobreprogramy.pl/viewtopic.php?t=79611

Manually delete the folder C:\qoobox from the disk

When done, paste new logs.

BTW. Which version of Hijack are you posting logs from?

Please get the latest one and post logs from it:

http://dobreprogramy.pl/index.php?dz=2&t=55&id=730

I only found one…

and here is the log

Logfile of HijackThis v1.99.1

Scan saved at 21:22:36, on 2007-04-05

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

F:\K U B A\kuba\programy\ewido\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mouse Driver\MouseDrv.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\SEC\MagicTune3.6\GammaTray.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

C:\Program Files\WinRAR\WinRAR.exe

F:\K U B A\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {FF0C56CD-972E-BC88-7A41-9DECAA9015CF} - C:\WINDOWS\system32\dqrq.dll (file missing)

R3 - URLSearchHook: (no name) - {ACDA9D2A-0393-7A6C-991F-08E52A184095} - C:\WINDOWS\system32\alk.dll (file missing)

R3 - URLSearchHook: (no name) - {A913C6F8-7F6F-05BF-15D6-03F2CA254DB8} - C:\WINDOWS\system32\eyhnuhnn.dll (file missing)

R3 - URLSearchHook: (no name) - {F563D04C-1CA0-6007-A299-104490F14EC3} - C:\WINDOWS\system32\yjrxek.dll (file missing)

R3 - URLSearchHook: (no name) - {A0432BE0-B502-9FA1-0023-EB1BB574109D} - C:\WINDOWS\system32\oonbfnn.dll (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1CE3AA13-61F4-1B02-F24C-6DE34A99A99A} - C:\WINDOWS\system32\gbiu.dll (file missing)

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\K U B A\kuba\programy\bit comet\BitComet\tools\BitCometBHO_1.1.2.7.dll

O2 - BHO: (no name) - {8F9CCDC6-7508-0182-7E30-5DD7487E61E2} - C:\WINDOWS\system32\ufjtzg.dll (file missing)

O2 - BHO: (no name) - {A0432BE0-B502-9FA1-0023-EB1BB574109D} - C:\WINDOWS\system32\oonbfnn.dll (file missing)

O2 - BHO: (no name) - {A913C6F8-7F6F-05BF-15D6-03F2CA254DB8} - C:\WINDOWS\system32\eyhnuhnn.dll (file missing)

O2 - BHO: (no name) - {ACDA9D2A-0393-7A6C-991F-08E52A184095} - C:\WINDOWS\system32\alk.dll (file missing)

O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll

O2 - BHO: (no name) - {D64FCB6C-5781-7E79-DD4B-5D90EDA169C8} - C:\WINDOWS\system32\mcug.dll (file missing)

O2 - BHO: (no name) - {E5687D4A-B8FF-C757-A4D9-B4DEC9C20AC6} - C:\WINDOWS\system32\uoecsc.dll (file missing)

O2 - BHO: (no name) - {F563D04C-1CA0-6007-A299-104490F14EC3} - C:\WINDOWS\system32\yjrxek.dll (file missing)

O2 - BHO: (no name) - {FF0C56CD-972E-BC88-7A41-9DECAA9015CF} - C:\WINDOWS\system32\dqrq.dll (file missing)

O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [CreativeMouse] C:\Program Files\Mouse Driver\MouseDrv.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Outpost Firewall] F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe /waitservice

O4 - HKLM\..\Run: [OutpostFeedBack] F:\K U B A\kuba\programy\firewall\Outpost Firewall\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [SunServer] F:\K U B A\kuba\programy\centerspy\sunserver.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Color Calibration.lnk = ?

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: MagicTune 3.6.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = G:\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NCProTray.lnk = ?

O8 - Extra context menu item: Download all links using BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\K U B A\kuba\programy\firewall\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: F:\KUBA~1\kuba\programy\firewall\OUTPOS~1\wl_hook.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\K U B A\kuba\programy\ewido\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

and here is the one from combofix as well

Run HijackThis => click Do a system scan only => a list of entries will appear => tick the entries:

=> click Fix checked and confirm the removal.

When done, paste new logs. Also add a log from SilentRunners.

ok done

Hijack this

combofix:

and here is the one from SilentRunners

only I have a problem with that qoobox folder, it can't be deleted :/ as soon as I delete it, it appears again, and so on over and over :/

Merged post: 06.04.2007 (Fri) 7:38

Open Notepad and paste this into it:

File >>> Save As >>> change the extension from TXT to All Files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

I suggest considering replacing the XoftSpy program with some other one, because it is a program of dubious reputation. I suggest removing it and keeping AVG Anti-Spyware instead.

You can delete the folder C:\VundoFix Backups from the disk

When done, you can paste a new Silent log to be sure.

avg also has exactly that version and didn't detect anything apart from minor tracking cookies :/

log:

It's OK :slight_smile:

I don't see any problems either, thanks for the help!!

Merged post: 13.04.2007 (Fri) 7:19

and the internet has slowed down again and wwdc says something is wrong with the svchosts because they take too much RAM :/. and that qoobox folder keeps appearing :(

once again I'm asking for help

hijack
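The triage the helper describes (ticking the suspicious entries) can be prototyped over the raw log. As an added example, not part of this thread or of HijackThis, here is a small Python script that parses the CLSID-bearing HijackThis lines and ranks the pattern visible in the log above: unnamed R3/O2 hooks whose system32 DLL no longer exists, with the same CLSID registered twice. The sample lines are constructed (only the xpnetdiag line is copied from the log above), and the severity rules are my heuristic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, not a real machine's log. It imitates the pattern in the
# thread (unnamed R3/O2 hooks whose system32 DLL no longer exists, the same CLSID
# registered twice) next to ordinary named entries. The xpnetdiag line is copied
# from the log above; every other CLSID and path here is made up.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R3 - URLSearchHook: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\qwxz.dll (file missing)
O2 - BHO: Example PDF Helper - {AAAAAAAA-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\qwxz.dll (file missing)
O2 - BHO: (no name) - {22222222-3333-4444-5555-666666666666} - C:\WINDOWS\system32\hjkl.dll (file missing)
O3 - Toolbar: Example Toolbar - {AAAAAAAA-0000-0000-0000-000000000002} - C:\Program Files\Example\ExampleToolbar.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Example Button - {AAAAAAAA-0000-0000-0000-000000000003} - C:\Program Files\Example\button.dll (file missing)
"""

# Entry types that register a COM object (CLSID) together with the file backing it.
ENTRY_RE = re.compile(
    r"^(?P<section>R3|O2|O3|O9) - (?P<kind>[^:]+): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# A file sitting directly in %SystemRoot%\system32 (no subfolder).
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    line: str      # the original log line
    reason: str


def parse_entries(log_text: str) -> List[dict]:
    """Return the CLSID-bearing entries (R3/O2/O3/O9) as dicts; other lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["missing"] = entry["missing"] is not None
        entry["line"] = raw.strip()
        entries.append(entry)
    return entries


def triage(log_text: str) -> List[Finding]:
    """Heuristic ranking (mine, not HijackThis's) of entries worth a closer look.

    high   : unnamed hook/BHO whose target DLL in system32 is gone, i.e. a registry
             entry left behind after the file was removed or renamed
    medium : unnamed entry whose target is missing but lives elsewhere
    info   : named entry with a missing target, usually an uninstall leftover
    """
    entries = parse_entries(log_text)
    sections_by_clsid: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        sections_by_clsid[e["clsid"].upper()].append(e["section"])

    findings: List[Finding] = []
    for e in entries:
        orphaned = e["name"] == "(no name)" and e["missing"]
        sections = sorted(set(sections_by_clsid[e["clsid"].upper()]))
        if orphaned and SYSTEM32_RE.match(e["path"]):
            reason = "unnamed hook/BHO pointing at a DLL that no longer exists in system32"
            if len(sections) > 1:
                # The same CLSID hooked as both URLSearchHook and BHO is the pairing seen in the thread.
                reason += "; same CLSID registered in " + ", ".join(sections)
            findings.append(Finding("high", e["line"], reason))
        elif orphaned:
            findings.append(Finding("medium", e["line"], "unnamed entry whose target file is missing"))
        elif e["missing"]:
            findings.append(Finding("info", e["line"],
                                    "named entry with missing target; check whether the product is still installed"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.line}")
```

Entries ranked "high" correspond to what the helper tells the user to tick in Fix checked; the script only reads the log and changes nothing on the machine.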

Logfile of HijackThis v1.99.1

Scan saved at 07:12:08, on 2007-04-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mouse Driver\MouseDrv.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\SEC\MagicTune3.6\GammaTray.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\SEC\Natural Color Pro\NCProTray.exe

D:\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\NOTEPAD.EXE

F:\K U B A\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - F:\K U B A\kuba\programy\bit comet\BitComet\tools\BitCometBHO_1.1.2.7.dll

O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll

O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [CreativeMouse] C:\Program Files\Mouse Driver\MouseDrv.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Outpost Firewall] F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe /waitservice

O4 - HKLM\..\Run: [OutpostFeedBack] F:\K U B A\kuba\programy\firewall\Outpost Firewall\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [SunServer] F:\K U B A\kuba\programy\centerspy\sunserver.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Color Calibration.lnk = ?

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O4 - Global Startup: MagicTune 3.6.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = G:\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: NCProTray.lnk = ?

O8 - Extra context menu item: Download all links using BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download all videos using BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: Download link using &BitComet - res://F:\K U B A\kuba\programy\bit comet\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll

O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\K U B A\kuba\programy\firewall\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{51717EC1-1248-4843-9222-294C54336689}: NameServer = 194.204.159.1 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: F:\KUBA~1\kuba\programy\firewall\OUTPOS~1\wl_hook.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\K U B A\kuba\programy\ewido\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

combofix

"Mamusia" - 07-04-13 7:17:50 Dodatek Service Pack 2

ComboFix 07-04-04.5 - Running from: "F:\K U B A"



((((((((((((((((((((((((((((((( Files Created from 2007-03-13 to 2007-04-13 ))))))))))))))))))))))))))))))))))



2007-04-05 21:08	398	--a------	C:\FIX.REG

2007-04-04 22:59	524,288	--ah-----	C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-04-04 22:59	




and silent

“F:\K U B A\kuba\programy\firewall\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll” [“Agnitum Ltd.”] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Ochrona WWW” {44627E97-789B-40D4-B5C2-58BD171129A1}\ “ButtonText” = “Outpost Firewall Pro Quick Tune” {77BF5300-1474-4EC7-9980-D32B190E9B07}\ “ButtonText” = “Skype” “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}” -> {HKLM…CLSID} = “Skype add-on (button)” \InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] Outpost Firewall Service, OutpostFirewall, “F:\K U B A\kuba\programy\firewall\Outpost Firewall\outpost.exe /service” [“Agnitum Ltd.”] Usługa Pomocnik IPv6, 6to4, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\6to4svc.dll” [MS]} Windows User Mode Driver Framework, UMWdf, 
“C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt09\Driver = “hpzsnt09.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] PDFCreator\Driver = “pdfcmnnt.dll” [null data] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 31 seconds, including 7 seconds for message boxes)