Pojawił się plik svcchost.exe

matixon · 9 Marzec 2007 16:06

cześć

Spybot, Kaspersky, Ad-Aware wykryły mi jakieś wirusy w smitdraufix ;o

np. żaden skaner on-line nie działa

a AVG Anti-Spyware po naciśnięciu skanuj nic nie robi ;/!

oto logi: Z KASPRA

GMER

GMER 1.0.12.12027 - http://www.gmer.net Rootkit scan 2007-03-09 16:54:49 Windows 5.1.2600 Dodatek Service Pack 2 ---- System - GMER 1.0.12 ---- SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwClose SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcess SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateProcessEx SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSection SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateSymbolicLinkObject SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwCreateThread SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwDeleteValueKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwDuplicateObject SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwEnumerateValueKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwFlushKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwInitializeRegistry SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwLoadKey2 SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwNotifyChangeKey SSDT kl1.sys ZwOpenFile SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenKey SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwOpenSection SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryMultipleValueKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwQuerySystemInformation SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwQueryValueKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwReplaceKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwRestoreKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwResumeThread SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSaveKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSetContextThread SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationFile SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSetInformationProcess SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSetSecurityObject SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSetValueKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwSuspendThread SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwUnloadKey SSDT ??\C:\WINDOWS\system32\drivers\klif.sys ZwWriteVirtualMemory SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[284] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[285] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[286] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[287] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[288] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[289] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[290] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[291] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[292] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[293] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[294] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[295] SSDT ??\C:\WINDOWS\system32\drivers\klif.sys SSDT[296] Code ??\C:\WINDOWS\system32\drivers\klif.sys FsRtlCheckLockForReadAccess Code ??\C:\WINDOWS\system32\drivers\klif.sys IoIsOperationSynchronous ---- Kernel code sections - GMER 1.0.12 ---- .text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804E9E14 5 Bytes JMP AAE9B760 ??\C:\WINDOWS\system32\drivers\klif.sys .text ntkrnlpa.exe!IoIsOperationSynchronous 804EE54E 5 Bytes JMP AAE9BC50 ??\C:\WINDOWS\system32\drivers\klif.sys .text ntkrnlpa.exe!KiDispatchInterrupt + BA 80540ABA 7 Bytes JMP AAE9ECD0 ??\C:\WINDOWS\system32\drivers\klif.sys ---- User code sections - GMER 1.0.12 ---- .text C:\WINDOWS\explorer.exe[1816] RPCRT4.dll!NdrComplexArrayMemorySize + 1C9 77E895D8 4 Bytes [BA, 0A, EB, 00] .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!StrStrW + FFE2DA3E 7C9C8920 4 Bytes [D2, 04, EB, 00] .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!StrStrW + FFE2DAB6 7C9C8998 4 Bytes [FC, 04, EB, 00] .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!StrStrW + FFE33B16 7C9CE9F8 4 Bytes [04, 03, EB, 00] .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!StrStrW + FFE33B26 7C9CEA08 4 Bytes [00, 04, EB, 00] .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!StrStrW + FFE34A66 7C9CF948 4 Bytes [54, 04, EB, 00] .text … .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!ILLoadFromStream + 54F 7CA06334 4 Bytes [50, 05, EB, 00] .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!ILLoadFromStream + 65F 7CA06444 4 Bytes [26, 05, EB, 00] .text C:\WINDOWS\explorer.exe[1816] SHELL32.dll!DAD_ShowDragImage + 2384 7CA09E7C 4 Bytes [16, 09, EB, 00] .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!SetScrollInfo 77D39056 7 Bytes JMP 01B8AAA2 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!GetScrollInfo 77D417F8 7 Bytes JMP 01B8AA2A C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!ShowScrollBar 77D4F2CA 5 Bytes JMP 01B8AB26 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!GetScrollPos 77D4F6DC 5 Bytes JMP 01B8AA52 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!SetScrollPos 77D4F728 5 Bytes JMP 01B8AACD C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!GetScrollRange 77D4F75F 5 Bytes JMP 01B8AA77 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!SetScrollRange 77D4F973 5 Bytes JMP 01B8AAF8 C:\Program Files\Winamp\Plugins\gen_jumpex.dll .text C:\Program Files\Winamp\winamp.exe[2756] USER32.dll!EnableScrollBar 77D87BC5 7 Bytes JMP 01B8AA02 C:\Program Files\Winamp\Plugins\gen_jumpex.dll ---- Threads - GMER 1.0.12 ---- Thread 4:120 86CAF8E0 Thread 4:124 86CAF8E0 Thread 4:128 86B9F8D0 Thread 4:132 86B9F8D0 Thread 4:136 86B9F8D0 Thread 4:416 86CAF8E0 Thread 4:560 86CAF8E0 Thread 4:1796 855134A0 ---- EOF - GMER 1.0.12 ----

HJ

Logfile of HijackThis v1.99.1 Scan saved at 16:58:36, on 2007-03-09 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Opera\Opera.exe C:\Program Files\Winamp\winamp.exe C:\DOCUME~1\User\USTAWI~1\Temp\7zO58E.tmp\gmer.exe C:\WINDOWS\System32\WScript.exe C:\DOCUME~1\User\USTAWI~1\Temp\7zO5CB.tmp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - Trusted Zone: http://mks.com.pl O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - AppInit_DLLs: “C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll” O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”] “!AVG Anti-Spyware” = ““C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“Anti-Malware Development a.s.”] “AVP” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe”” [“Kaspersky Lab”] “BearShare” = ““C:\Program Files\BearShare\BearShare.exe” /pause” [“Free Peers, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” -> {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” -> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Web Anti-Virus” -> {HKLM…CLSID} = “Web Anti-Virus” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = ““C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll”” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> klogon\DLLName = “C:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” -> {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll” [“Kaspersky Lab”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll” [“Kaspersky Lab”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\User\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Web Anti-Virus” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_08” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_08” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll” [“Sun Microsystems, Inc.”] {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Web Anti-Virus” {85D1F590-48F4-11D9-9669-0800200C9A66}\ “MenuText” = “Uninstall BitDefender Online Scanner v8” “Exec” = “%windir%\bdoscandel.exe” [null data] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Kaspersky Internet Security 6.0, AVP, ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” -r” [“Kaspersky Lab”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ LIDIL hpzll4pi\Driver = “hpzll4pi.dll” [“Hewlett-Packard Company”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 33 seconds, including 2 seconds for message boxes)

Spybot wykrył Zlob.VideoAccessActiveXObject

leży w HKEY_CLASSES_ROOT\videoaccessactivex.Chl\

pozdrawiam

adam9870 · 9 Marzec 2007 16:16

Zajrzyj tutaj:

http://forum.dobreprogramy.pl/viewtopic.php?t=119881

Plik usuń ręcznie będąc w trybie awaryjnym natomiast wpisy HijackThis.

Użyj narzędzia SmitFraudFix z opcji numer 2 w trybie awaryjnym.

Przyczyną szkodników może być BearShare:

Zwykła wersja tego programu posiada w sobie syf proponuję go usunąć. A jeśli koniecznie chcesz z niego korzystać to zainstaluj wersję Lite, która jest pozbawiona syfu.

Po wykonaniu wklej nowy log z HijackThis, ComboFix oraz zawartość pliku c:\rapport.txt

matixon · 9 Marzec 2007 16:30

adam9870 link nie działa ;/ do ComboFix

bearshare jest w wersji lite

zrobiłem co kazałeś z SmitfraudFix oto log z HJ:

Logfile of HijackThis v1.99.1 Scan saved at 17:32:47, on 2007-03-09 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Opera\Opera.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\7-Zip\7zFM.exe C:\DOCUME~1\User\USTAWI~1\Temp\7zO633.tmp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - Trusted Zone: http://mks.com.pl O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - AppInit_DLLs: “C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll” O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

skanery on-line nadal nie działają natomiast AVG zaczął pracować

adam9870 · 9 Marzec 2007 16:39

Log czysty.

Skoro ComboFix nie działa to pokaż log z Comboscan:

http://www.searchengines.pl/phpbb203/in … opic=86306

matixon · 9 Marzec 2007 16:42

Proactive Defense Alert Kasperky:

Detected

Riskware RootShell

D:\DK\comboscan.exe

kwarantanna, zniszczenie, przepuśc…

co wybrać ;/?

adam9870 · 9 Marzec 2007 16:43

Oczywiście przepuść, a jeśli któryś z programów zabezpieczających które masz zainstalowane bardzo będzie przeszkadzał - wyłącz go na czas pracy Comboscana.

matixon · 9 Marzec 2007 18:01

udało się.

ComboScan v20070306.20 run by User on 2007-03-09 at 17:40:16 Computer is in Normal Mode. -------------------------------------------------------------------------------- – System Restore -------------------------------------------------------------- Successfully created ComboScan Restore Point. – Last 2 Restore Point(s) – 2: 2007-03-09 16:40:18 UTC - RP24 - ComboScan Restore Point 1: 2007-03-09 15:00:17 UTC - RP23 - Punkt kontrolny systemu Performed disk cleanup. – HijackThis (run as User.exe) ------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 17:40:29, on 2007-03-09 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Opera\Opera.exe C:\Program Files\Winamp\winamp.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Winamp\winamp.exe D:\DK\comboscan.exe C:\PROGRA~1\HIJACK~1\User.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - Trusted Zone: http://mks.com.pl O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - AppInit_DLLs: “C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll” O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe – File Associations ----------------------------------------------------------- .bat - batfile - “%1” %* .chm - chm.file - “C:\WINDOWS\hh.exe” %1 .cmd - cmdfile - “%1” %* .com - comfile - “%1” %* .exe - exefile - “%1” %* .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1 .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1 .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1 .js - JSFile - %SystemRoot%\System32\WScript.exe “%1” %* .lnk - lnkfile - {00021401-0000-0000-C000-000000000046} .pif - piffile - “%1” %* .reg - regfile - regedit.exe “%1” .scr - scrfile - “%1” /s .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1 .vbs - VBSFile - %SystemRoot%\System32\WScript.exe “%1” %* – Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- 1R AmdK8 (Sterownik procesora AMD) - C:\WINDOWS\system32\drivers\AmdK8.sys 3R Arp1394 (Protokół klienta 1394 ARP) - C:\WINDOWS\system32\drivers\arp1394.sys 3R ati2mtag - C:\WINDOWS\system32\drivers\ati2mtag.sys 1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys 1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys 3R gmer - C:\WINDOWS\system32\drivers\gmer.sys 3R HDAudBus (Sterownik magistrali Microsoft UAA dla High Definition Audio) - C:\WINDOWS\system32\drivers\Hdaudbus.sys 3R IntcAzAudAddService (Service for Realtek HD Audio (WDM)) - C:\WINDOWS\system32\drivers\RtkHDAud.Sys 0R kl1 - C:\WINDOWS\system32\drivers\kl1.sys 1R klif - C:\WINDOWS\system32\drivers\klif.sys 3R NIC1394 (Sterownik sieci 1394) - C:\WINDOWS\system32\drivers\nic1394.sys 0R nvata - C:\WINDOWS\system32\drivers\nvata.sys 3R NVENETFD (NVIDIA nForce Networking Controller Driver) - C:\WINDOWS\system32\drivers\NVENETFD.sys 3R nvnetbus (NVIDIA Network Bus Enumerator) - C:\WINDOWS\system32\drivers\nvnetbus.sys 0R ohci1394 (Kontroler hosta Texas Instruments IEEE 1394 zgodny z OHCI) - C:\WINDOWS\system32\drivers\ohci1394.sys 0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys 3S usbccgp (Rodzajowy sterownik nadrzędny USB Microsoft) - C:\WINDOWS\system32\drivers\usbccgp.sys 3R usbehci (Sterownik Miniport rozszerzonego kontrolera hosta USB 2.0 Microsoft) - C:\WINDOWS\system32\drivers\usbehci.sys 3R usbohci (Sterownik Miniport otwartego kontrolera hosta USB Microsoft) - C:\WINDOWS\system32\drivers\usbohci.sys 3R usbprint (Klasa PRINTER USB Microsoft) - C:\WINDOWS\system32\drivers\usbprint.sys 3S usbscan (Sterownik skanera USB) - C:\WINDOWS\system32\drivers\usbscan.sys 3S USBSTOR (Sterownik magazynu masowego USB) - C:\WINDOWS\system32\drivers\USBSTOR.SYS 4S WS2IFSL (Środowisko wspomagające dostawcę usług innych niż IFS - Windows Socket 2.0) - C:\WINDOWS\system32\drivers\ws2ifsl.sys – Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- 3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe 2R Ati HotKey Poller - C:\WINDOWS\system32\Ati2evxx.exe 2S ATI Smart - C:\WINDOWS\system32\ati2sgag.exe 2S AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe 2R AVP (Kaspersky Internet Security 6.0) - “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” -r 3S ose (Office Source Engine) - “C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE” 2S Pml Driver HPZ12 - C:\WINDOWS\system32\HPZipm12.exe 2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe – Files created between 2007-02-09 and 2007-03-09 ----------------------------- 2007-03-02 18:07:39 0 d-------- C:\Program Files\MSXML 4.0 2007-03-02 17:40:30 0 d-------- C:\WINDOWS\system32\PreInstall 2007-03-02 17:14:46 80 --a------ C:\WINDOWS\gmer_uninstall.cmd 2007-02-23 17:52:25 15104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-02-23 17:37:14 0 d-------- C:\WINDOWS\Microsoft.NET 2007-02-23 17:37:14 0 dr–s---- C:\WINDOWS\assembly 2007-02-23 17:37:12 0 d-------- C:\WINDOWS\system32\URTTemp 2007-02-23 17:33:33 48403 --a------ C:\WINDOWS\hpiins01.dat 2007-02-23 09:29:36 247 --a------ C:\UnInstall.dat 2007-02-23 09:29:28 16896 --a------ C:\WINDOWS\system32\grwinsthlp.exe 2007-02-18 11:27:15 0 d-------- C:\WINDOWS\system32\VITrans 2007-02-18 11:26:45 111104 --a------ C:\WINDOWS\system32\Uharc.exe 2007-02-18 11:26:44 19968 --a------ C:\WINDOWS\system32\reico.exe 2007-02-18 11:26:44 69632 --a------ C:\WINDOWS\system32\moveex.exe 2007-02-18 11:26:44 8636 --a------ C:\WINDOWS\system32\modifype.exe 2007-02-17 18:05:54 0 d-------- C:\Program Files\BearShare 2007-02-11 22:43:21 2686 --a------ C:\WINDOWS\system32\tmp.reg 2007-02-10 21:17:57 0 d-------- C:\Program Files\Screamer Radio 2007-02-10 13:59:27 0 d-------- C:\WINDOWS\speech – Find3M Report --------------------------------------------------------------- 2007-03-04 09:24:37 0 d-------- C:\Program Files\Gadu-Gadu 2007-03-03 16:09:04 0 d–h----- C:\Program Files\InstallShield Installation Information 2007-03-02 18:15:24 439538 --a------ C:\WINDOWS\system32\perfh015.dat 2007-03-02 18:15:24 68554 --a------ C:\WINDOWS\system32\perfc015.dat 2007-03-02 17:39:22 4184 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2007-03-02 17:39:13 88 -r-hs---- C:\WINDOWS\system32\020FBC1210.sys<020FBC~1.SYS> 2007-02-26 14:56:10 0 d-------- C:\Documents and Settings\User\Dane aplikacji\CyberLink 2007-02-23 18:34:29 0 d-------- C:\Program Files\HP 2007-02-23 18:27:21 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Image Zone Express 2007-02-23 17:50:26 0 d—s---- C:\Documents and Settings\User\Dane aplikacji\Microsoft 2007-02-23 17:44:30 0 d-------- C:\Program Files\Common Files\HP 2007-02-23 17:42:08 0 d-------- C:\Program Files\Hewlett-Packard 2007-02-18 15:00:56 0 d-------- C:\Program Files\Skype 2007-02-18 14:52:21 219648 --a------ C:\WINDOWS\system32\uxtheme.dll 2007-02-15 15:56:27 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Real 2007-02-14 12:25:02 0 d-------- C:\Program Files\Opera 2007-02-10 12:59:58 0 d-------- C:\Program Files\Deluxe Ski Jump 3 2007-02-10 11:32:53 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Ahead 2007-02-09 19:13:17 0 d-------- C:\Program Files\Winamp 2007-02-09 08:55:37 0 d-------- C:\Program Files\Paradox Interactive 2007-02-08 10:49:55 0 d-------- C:\Program Files\SkanerOnline 2007-02-05 15:55:53 0 d-------- C:\Program Files\II Wojna Światowa 2007-02-03 10:04:03 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Google 2007-01-30 14:33:21 5 --ahs---- C:\WINDOWS\system32\bafbeaa2_s.dll 2007-01-30 14:10:18 5231 --a------ C:\WINDOWS\mozver.dat 2007-01-29 09:58:06 60416 -----n— C:\WINDOWS\system32\tzchange.exe 2007-01-27 22:13:38 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Sun 2007-01-27 19:44:12 0 d-------- C:\Program Files\Common Files\InstallShield 2007-01-22 13:18:36 4096 --a------ C:\WINDOWS\d3dx.dat 2007-01-20 19:22:29 0 d-------- C:\Program Files\Kaspersky Lab 2007-01-19 17:23:00 0 d-------- C:\Documents and Settings\User\Dane aplikacji\AdobeUM 2007-01-18 10:55:58 0 d-------- C:\Program Files\Grisoft 2007-01-18 07:53:51 0 d-------- C:\Documents and Settings\User\Dane aplikacji\HP 2007-01-17 22:56:03 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Lavasoft 2007-01-17 22:55:59 0 d-------- C:\Program Files\Lavasoft 2007-01-17 20:41:05 0 d-------- C:\Program Files\CCleaner 2007-01-17 20:36:04 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Opera 2007-01-17 20:13:32 0 d-------- C:\Program Files\MadOnion.com 2007-01-17 19:12:54 0 d-------- C:\Program Files\ATI Technologies 2007-01-17 18:05:40 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Macromedia 2007-01-17 17:15:15 126800 --a------ C:\WINDOWS\HPHins12.dat 2006-12-19 22:51:04 135168 --a------ C:\WINDOWS\system32\shsvcs.dll 2006-12-19 19:18:25 334336 --a------ C:\WINDOWS\system32\wiaservc.dll 2006-12-13 13:25:16 69952 --a------ C:\WINDOWS\system32\SkanerOnlineUninstall.exe 2006-12-13 13:24:56 715048 --a------ C:\WINDOWS\system32\SkanerOnline.dll – Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “RTHDCPL”=“RTHDCPL.EXE” “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” “RemoteControl”="“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”" “ATIPTA”="“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”" “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" “AVP”="“C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe”" “BearShare”="“C:\Program Files\BearShare\BearShare.exe” /pause" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk” “backup”=“C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe " “item”=“HP Digital Imaging Monitor” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“BearShare” “hkey”=“HKLM” “command”=”“C:\Program Files\BearShare\BearShare.exe” /pause” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“ctfmon” “hkey”=“HKCU” “command”=“C:\WINDOWS\system32\ctfmon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DialerKiller] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“DialKill” “hkey”=“HKLM” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“gg” “hkey”=“HKCU” “command”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“HPWuSchd2” “hkey”=“HKLM” “command”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“dumprep 0 -k” “hkey”=“HKLM” “command”="%systemroot%\system32\dumprep 0 -k" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Skype” “hkey”=“HKCU” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“SkyTel” “hkey”=“HKLM” “command”=“SkyTel.EXE” “inimapping”=“0” [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “appinit_dlls”="“C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll”" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “DisableRegistryTools”=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 – End of ComboScan: finished at 2007-03-09 at 17:50:33 ------------------------

adam9870 · 9 Marzec 2007 20:13

W logu:

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\system32\grwinsthlp.exe

C:\WINDOWS\system32\bafbeaa2_s.dll

Po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.

Pierwszy plik wygląda na plik od HP ale wykrywany jest jako Adware.SearchPage.

A ten drugi sam tam umieszczałeś/wiesz od czego on jest? Jeśli nie to sprawdź ich właściwości lub przeskanuj na stronie http://virusscan.jotti.org/ a jeśli okażą się szkodliwe to ścieżki do nich również wklej w killboxie.

matixon · 10 Marzec 2007 09:51

przeskanowałem ten drugi i pierwszy :

u obu wynik negatywny

Złączono Posta : 09.03.2007 (Pią) 22:11

jeszcze logi:

ComboScan v20070306.20 run by User on 2007-03-09 at 22:07:46 Computer is in Normal Mode. -------------------------------------------------------------------------------- – HijackThis (run as User.exe) ------------------------------------------------ Logfile of HijackThis v1.99.1 Scan saved at 22:07:47, on 2007-03-09 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Screamer Radio\screamer.exe C:\Program Files\Winamp\winamp.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Opera\Opera.exe D:\DK\comboscan.exe C:\PROGRA~1\HIJACK~1\User.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe” O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” O4 - HKLM…\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing) O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O15 - Trusted Zone: http://mks.com.pl O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - AppInit_DLLs: “C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll” O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing) O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe – Files created between 2007-02-09 and 2007-03-09 ----------------------------- 2007-03-09 22:01:17 0 d-------- C:!KillBox 2007-03-02 18:07:39 0 d-------- C:\Program Files\MSXML 4.0 2007-03-02 17:40:30 0 d-------- C:\WINDOWS\system32\PreInstall 2007-03-02 17:14:46 80 --a------ C:\WINDOWS\gmer_uninstall.cmd 2007-02-23 17:52:25 15104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys 2007-02-23 17:37:14 0 d-------- C:\WINDOWS\Microsoft.NET 2007-02-23 17:37:14 0 dr–s---- C:\WINDOWS\assembly 2007-02-23 17:37:12 0 d-------- C:\WINDOWS\system32\URTTemp 2007-02-23 17:33:33 48403 --a------ C:\WINDOWS\hpiins01.dat 2007-02-23 09:29:36 247 --a------ C:\UnInstall.dat 2007-02-18 11:27:15 0 d-------- C:\WINDOWS\system32\VITrans 2007-02-18 11:26:45 111104 --a------ C:\WINDOWS\system32\Uharc.exe 2007-02-18 11:26:44 19968 --a------ C:\WINDOWS\system32\reico.exe 2007-02-18 11:26:44 69632 --a------ C:\WINDOWS\system32\moveex.exe 2007-02-18 11:26:44 8636 --a------ C:\WINDOWS\system32\modifype.exe 2007-02-17 18:05:54 0 d-------- C:\Program Files\BearShare 2007-02-11 22:43:21 2686 --a------ C:\WINDOWS\system32\tmp.reg 2007-02-10 21:17:57 0 d-------- C:\Program Files\Screamer Radio 2007-02-10 13:59:27 0 d-------- C:\WINDOWS\speech – Find3M Report --------------------------------------------------------------- 2007-03-04 09:24:37 0 d-------- C:\Program Files\Gadu-Gadu 2007-03-03 16:09:04 0 d–h----- C:\Program Files\InstallShield Installation Information 2007-03-02 18:15:24 439538 --a------ C:\WINDOWS\system32\perfh015.dat 2007-03-02 18:15:24 68554 --a------ C:\WINDOWS\system32\perfc015.dat 2007-03-02 17:39:22 4184 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys 2007-03-02 17:39:13 88 -r-hs---- C:\WINDOWS\system32\020FBC1210.sys<020FBC~1.SYS> 2007-02-26 14:56:10 0 d-------- C:\Documents and Settings\User\Dane aplikacji\CyberLink 2007-02-23 18:34:29 0 d-------- C:\Program Files\HP 2007-02-23 18:27:21 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Image Zone Express 2007-02-23 17:50:26 0 d—s---- C:\Documents and Settings\User\Dane aplikacji\Microsoft 2007-02-23 17:44:30 0 d-------- C:\Program Files\Common Files\HP 2007-02-23 17:42:08 0 d-------- C:\Program Files\Hewlett-Packard 2007-02-18 15:00:56 0 d-------- C:\Program Files\Skype 2007-02-18 14:52:21 219648 --a------ C:\WINDOWS\system32\uxtheme.dll 2007-02-15 15:56:27 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Real 2007-02-14 12:25:02 0 d-------- C:\Program Files\Opera 2007-02-10 12:59:58 0 d-------- C:\Program Files\Deluxe Ski Jump 3 2007-02-10 11:32:53 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Ahead 2007-02-09 19:13:17 0 d-------- C:\Program Files\Winamp 2007-02-09 08:55:37 0 d-------- C:\Program Files\Paradox Interactive 2007-02-08 10:49:55 0 d-------- C:\Program Files\SkanerOnline 2007-02-05 15:55:53 0 d-------- C:\Program Files\II Wojna Światowa 2007-02-03 10:04:03 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Google 2007-01-30 14:10:18 5231 --a------ C:\WINDOWS\mozver.dat 2007-01-29 09:58:06 60416 -----n— C:\WINDOWS\system32\tzchange.exe 2007-01-27 22:13:38 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Sun 2007-01-27 19:44:12 0 d-------- C:\Program Files\Common Files\InstallShield 2007-01-22 13:18:36 4096 --a------ C:\WINDOWS\d3dx.dat 2007-01-20 19:22:29 0 d-------- C:\Program Files\Kaspersky Lab 2007-01-19 17:23:00 0 d-------- C:\Documents and Settings\User\Dane aplikacji\AdobeUM 2007-01-18 10:55:58 0 d-------- C:\Program Files\Grisoft 2007-01-18 07:53:51 0 d-------- C:\Documents and Settings\User\Dane aplikacji\HP 2007-01-17 22:56:03 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Lavasoft 2007-01-17 22:55:59 0 d-------- C:\Program Files\Lavasoft 2007-01-17 20:41:05 0 d-------- C:\Program Files\CCleaner 2007-01-17 20:36:04 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Opera 2007-01-17 20:13:32 0 d-------- C:\Program Files\MadOnion.com 2007-01-17 19:12:54 0 d-------- C:\Program Files\ATI Technologies 2007-01-17 18:05:40 0 d-------- C:\Documents and Settings\User\Dane aplikacji\Macromedia 2007-01-17 17:15:15 126800 --a------ C:\WINDOWS\HPHins12.dat 2006-12-19 22:51:04 135168 --a------ C:\WINDOWS\system32\shsvcs.dll 2006-12-19 19:18:25 334336 --a------ C:\WINDOWS\system32\wiaservc.dll 2006-12-13 13:25:16 69952 --a------ C:\WINDOWS\system32\SkanerOnlineUninstall.exe 2006-12-13 13:24:56 715048 --a------ C:\WINDOWS\system32\SkanerOnline.dll – Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “RTHDCPL”=“RTHDCPL.EXE” “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” “RemoteControl”="“C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”" “ATIPTA”="“C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”" “!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized" “AVP”="“C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe”" “BearShare”="“C:\Program Files\BearShare\BearShare.exe” /pause" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “Installed”=“1” “NoChange”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk” “backup”=“C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe " “item”=“HP Digital Imaging Monitor” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“BearShare” “hkey”=“HKLM” “command”=”“C:\Program Files\BearShare\BearShare.exe” /pause” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“ctfmon” “hkey”=“HKCU” “command”=“C:\WINDOWS\system32\ctfmon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DialerKiller] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“DialKill” “hkey”=“HKLM” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“gg” “hkey”=“HKCU” “command”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“HPWuSchd2” “hkey”=“HKLM” “command”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“dumprep 0 -k” “hkey”=“HKLM” “command”="%systemroot%\system32\dumprep 0 -k" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Skype” “hkey”=“HKCU” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“SkyTel” “hkey”=“HKLM” “command”=“SkyTel.EXE” “inimapping”=“0” [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] “appinit_dlls”="“C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll”" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “DisableRegistryTools”=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 – End of ComboScan: finished at 2007-03-09 at 22:08:18 ------------------------

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”] “NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”] “RemoteControl” = ““C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”] “ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”] “!AVG Anti-Spyware” = ““C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“Anti-Malware Development a.s.”] “AVP” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe”” [“Kaspersky Lab”] “BearShare” = ““C:\Program Files\BearShare\BearShare.exe” /pause” [“Free Peers, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” -> {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” -> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Web Anti-Virus” -> {HKLM…CLSID} = “Web Anti-Virus” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = ““C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll”” [“Kaspersky Lab”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> klogon\DLLName = “C:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” -> {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll” [“Kaspersky Lab”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll” [“Kaspersky Lab”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\User\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Web Anti-Virus” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_08” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_08” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll” [“Sun Microsystems, Inc.”] {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Web Anti-Virus” {85D1F590-48F4-11D9-9669-0800200C9A66}\ “MenuText” = “Uninstall BitDefender Online Scanner v8” “Exec” = “%windir%\bdoscandel.exe” [null data] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Kaspersky Internet Security 6.0, AVP, ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe” -r” [“Kaspersky Lab”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Pml Driver HPZ12, Pml Driver HPZ12, “C:\WINDOWS\system32\HPZipm12.exe” [“HP”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ LIDIL hpzll4pi\Driver = “hpzll4pi.dll” [“Hewlett-Packard Company”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 29 seconds, including 2 seconds for message boxes)

adam9870 · 10 Marzec 2007 10:07

Skoro te dwa pliki okazały się jednak w porządku to wszystko jest OK. Możesz jedynie skasować ten folder: