Help :/ "your privacy is in danger"


(Kliner) #1

Hello

I guess there have already been a few threads like this, but I decided to start a new one because every log is different... I ran into a similar problem: a red wallpaper with the lovely caption "your privacy is in danger"... plus pop-up ads for all kinds of antispyware, antiadware programs... etc. etc. etc.

At first I ran Ad-Aware, it removed a few things... F-Secure also found something. Finally I ran FixWareOut, which supposedly removed some files as well.

At the end I'm attaching the logs from HJT and SilentRunners; please help, because the problem hasn't gone away :confused:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:10:42, on 2007-11-18

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

C:\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\WINDOWS\System32\CTsvcCDA.exe

C:\F-Secure 2006\Anti-Virus\fsgk32st.exe

C:\F-Secure 2006\Anti-Virus\FSGK32.EXE

C:\F-Secure 2006\backweb\4476822\program\fsbwsys.exe

C:\F-Secure 2006\Common\FSMA32.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\F-Secure 2006\Common\FSMB32.EXE

C:\WINDOWS\System32\svchost.exe

C:\F-Secure 2006\Anti-Virus\fssm32.exe

C:\F-Secure 2006\Common\FCH32.EXE

C:\F-Secure 2006\Anti-Virus\fsqh.exe

C:\F-Secure 2006\Common\FAMEH32.EXE

C:\F-Secure 2006\Anti-Virus\fsrw.exe

C:\WINDOWS\Explorer.EXE

C:\F-Secure 2006\FWES\Program\fsdfwd.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe

C:\F-Secure 2006\Common\FSM32.EXE

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\F-Secure 2006\Anti-Virus\fsav32.exe

C:\F-Secure 2006\backweb\4476822\Program\fspex.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

C:\F-SECU~1\ANTI-S~1\fsaw.exe

C:\F-Secure 2006\FSGUI\fsguidll.exe

E:\Firefox\firefox.exe

C:\WINDOWS\System32\WScript.exe

C:\WINDOWS\System32\WScript.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


--

End of file - 2368 bytes

"Silent Runners.vbs", revision 52, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"CTSyncU.exe" = ""C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"" [empty string]

"Windows Firewall" = "C:\WINDOWS\System32\drivers\svchost.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe" ["HP"]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

"F-Secure Manager" = ""C:\F-Secure 2006\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]

"F-Secure TNB" = ""C:\F-Secure 2006\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]

"F-Secure Startup Wizard" = ""C:\F-Secure 2006\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{6A78E352-B1FA-4C18-9C48-96DD03979770}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "MSVPS System"

                   \InProcServer32\(Default) = "C:\WINDOWS\popnetmtq.dll" [empty string]

{8036D4D7-AAD3-4793-AB49-329E437155A8}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Mario Forever Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Eksplorator pulpitów"

  -> {HKLM...CLSID} = "Eksplorator pulpitów"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRarPL\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "E:\PC Suite\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"

  -> {HKLM...CLSID} = "dBpShell Class"

                   \InProcServer32\(Default) = "E:\dBpowerAMP\dBShell.dll" [empty string]

"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"

  -> {HKLM...CLSID} = "dMCIShell Class"

                   \InProcServer32\(Default) = "E:\dBpowerAMP\dMCShell.dll" [empty string]

"{4FED14EE-8086-4b0c-A0DE-C27042ED1296}" = "PDFTransformer2ContextMenu"

  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"

                   \InProcServer32\(Default) = "E:\Abby PDF Transformer\PDFTContextMenu.dll" ["ABBYY Software"]

"{24849E2F-0A86-40CD-A62A-B12F161882DB}" = "ZEN V Series Media Explorer"

  -> {HKLM...CLSID} = "ZEN V Series Media Explorer"

                   \InProcServer32\(Default) = "E:\Creative Zen V\ZEN V Series Media Explorer\SHCTMTP.dll" ["Creative Technology Ltd"]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Context Menu Extension"

  -> {HKLM...CLSID} = "BackupData Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\VZCONT~1.DLL" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"sapnet" = "{5C6A7398-3121-4D6A-AA0B-3DB07504C321}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\sapnet.dll" [null data]

"rmvgor" = "{EBDE1102-D57C-4A81-8981-285A3F63A662}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\rmvgor.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

"AppInit_DLLs" = (value not set)


HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"aswBoot.exe /M:5a36685a /A:"*" /L:"Polish"" [file not found]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

BackupData\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"

  -> {HKLM...CLSID} = "BackupData Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\VZCONT~1.DLL" [null data]

CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"

  -> {HKLM...CLSID} = "CtMtpContextMenu Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]

PandoShellExt\(Default) = "{9C150845-2A2D-44CC-90B3-AA03480AA3D2}"

  -> {HKLM...CLSID} = "PDShellExt Class"

                   \InProcServer32\(Default) = "E:\Pando\PandoShellExt.dll" ["TODO: "]

PDFTransformer2ContextMenu\(Default) = "{4FED14EE-8086-4b0c-A0DE-C27042ED1296}"

  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"

                   \InProcServer32\(Default) = "E:\Abby PDF Transformer\PDFTContextMenu.dll" ["ABBYY Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRarPL\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

BackupData\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"

  -> {HKLM...CLSID} = "BackupData Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\VZCONT~1.DLL" [null data]

PandoShellExt\(Default) = "{9C150845-2A2D-44CC-90B3-AA03480AA3D2}"

  -> {HKLM...CLSID} = "PDShellExt Class"

                   \InProcServer32\(Default) = "E:\Pando\PandoShellExt.dll" ["TODO: "]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRarPL\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

BackupData\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"

  -> {HKLM...CLSID} = "BackupData Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\VZCONT~1.DLL" [null data]

CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"

  -> {HKLM...CLSID} = "CtMtpContextMenu Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" ["Creative Technology Ltd"]

FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"

  -> {HKLM...CLSID} = "FineReaderExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "e:\finereader\fecmenu.dll" ["ABBYY (BIT Software)"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRarPL\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoSMBalloonTip" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoSaveSettings" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Desktop|

Don't save settings at exit}


"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"CDRAutoRun" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"MemCheckBoxInRunDlg" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoClose" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoAutoTrayNotify" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoResolveTrack" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoResolveSearch" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoStartBanner" = (REG_BINARY) hex:01 00 00 00

{Remove "Click here to begin" from Start button}


"NoWelcomeScreen" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoSharedDocuments" = (REG_DWORD) hex:0x00000001

{User Configuration|Administrative Templates|Windows Components|Windows Explorer|

Remove Shared Documents from My Computer}


"NoThemesTab" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoStrCmpLogical" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"NoClose" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"NoDispAppearancePage" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoColorChoice" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Control Panel|Display|

Hide Desktop tab}


"NoDispCPL" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|Control Panel|Display|

Remove Display in Control Panel}


"NoDispSettingsPage" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoDispScrSavPage" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"NoSizeChoice" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\


"NoUpdateCheck" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000

{unrecognized setting}


"SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000

{unrecognized setting}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Dom\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"


Active Desktop web content (hidden if disabled):


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

"FriendlyName" = "Privacy Protection"

"Source" = "file:///C:\WINDOWS\privacy_danger\index.htm"

"SubscribedURL" = ""



Startup items in "Dom" & "All Users" startup folders:

-----------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"F-Secure Anti-Virus 2006" -> shortcut to: "C:\F-Secure 2006\backweb\4476822\Program\fspex.exe -startup" ["F-Secure Internet Security 2005"]

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]



Enabled Scheduled Tasks:

------------------------


"HP Usg Daily" -> launches: "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe" [empty string]

"AE53DE3E91844EDE" -> launches: "c:\docume~1\dom\daneap~1\armysi~1\FunkCurbThis.exe" [file not found]

"Scheduled scanning task" -> launches: "C:\F-SECU~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\F-SECU~1\ANTI-V~1\report.txt " ["F-Secure Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{463DF6D5-BEC1-4D67-B217-59DB692DFC53}"

  -> {HKLM...CLSID} = "Mario Forever Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll" [file not found]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

  -> {HKLM...CLSID} = "Megaupload Toolbar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" [file not found]

"{07B18EA9-A523-4961-B6BB-170DE4475CCA}"

  -> {HKLM...CLSID} = "My Web Search"

                   \InProcServer32\(Default) = "C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL" ["MyWebSearch.com"]

"{463DF6D5-BEC1-4D67-B217-59DB692DFC53}"

  -> {HKLM...CLSID} = "Mario Forever Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll" [file not found]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{463DF6D5-BEC1-4D67-B217-59DB692DFC53}" = "Mario Forever Toolbar"

  -> {HKLM...CLSID} = "Mario Forever Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Mario Forever Toolbar\v2.0.0.3\Mario_Forever_Toolbar.dll" [file not found]

"{6BA27973-068D-4F85-BE84-1251E0B20FD3}" = (no title provided)

  -> {HKLM...CLSID} = "The jokwmp"

                   \InProcServer32\(Default) = "C:\WINDOWS\jokwmp.dll" [null data]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}\(Default) = "My Web Search Quick View"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{215940F1-E7E0-4801-BEE3-44D045534106}\

"ButtonText" = "Wyslij SMS'a"

"Script" = "C:\Program Files\Common Files\moje.js" [null data]


{300DB664-75B5-47C0-8B45-A44ACCF73C00}\

"ButtonText" = "Osłona programu IE"

"MenuText" = "Osłona programu IE..."

"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}"

  -> {HKLM...CLSID} = "F-Secure IE Shield COM button"

                   \InProcServer32\(Default) = "C:\F-Secure 2006\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]

F-Secure Anti-Virus 2006, BackWeb Plug-in - 4476822, "C:\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE" ["F-Secure Internet Security 2005"]

F-Secure Anti-Virus Firewall Daemon, FSDFWD, ""C:\F-Secure 2006\FWES\Program\fsdfwd.exe"" ["F-Secure Corporation"]

F-Secure Management Agent, FSMA, ""C:\F-Secure 2006\Common\FSMA32.EXE"" ["F-Secure Corporation"]

fsbwsys, fsbwsys, ""C:\F-Secure 2006\backweb\4476822\program\fsbwsys.exe"" ["F-Secure Corp."]

FSGKHS, F-Secure Gatekeeper Handler Starter, ""C:\F-Secure 2006\Anti-Virus\fsgk32st.exe"" ["F-Secure Corporation"]

Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



Keyboard Driver Filters:

------------------------


HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\

"UpperFilters" = <> "msikbd2k" ["Netropa Corporation"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt11\Driver = "hpzlnt11.dll" ["HP"]

PDF-XChange\Driver = "C:\WINDOWS\System32\pxc25pm.dll" ["Tracker Software"]



---------- (launch time: 2007-11-18 11:04:59)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 2506 seconds, including 15 seconds for message boxes)
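As an added example (not from the poster or from either tool), the following Python script encodes the checks a helper applies by eye to the SilentRunners and HijackThis lines above: a dangling [file not found] launch point, an svchost.exe outside System32, a company-less DLL sitting directly in C:\WINDOWS, a machine-generated task name, and an Active Desktop component loading a local HTML file. The sample lines are copied from the posted log; the list of System32-only binaries and the rule names are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few lines in the shape of the SilentRunners / HijackThis
# output posted above (values copied from that log; this is not the full log).
SAMPLE_LOG = r'''
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]
"Windows Firewall" = "C:\WINDOWS\System32\drivers\svchost.exe" [file not found]
                   \InProcServer32\(Default) = "C:\WINDOWS\popnetmtq.dll" [empty string]
                   \InProcServer32\(Default) = "C:\WINDOWS\sapnet.dll" [null data]
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"AE53DE3E91844EDE" -> launches: "c:\docume~1\dom\daneap~1\armysi~1\FunkCurbThis.exe" [file not found]
'''

# First drive-letter path on the line that ends in a launchable/loadable extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|htm|html|vbs|js))', re.I)
# SilentRunners' trailing tag: ["Company"], [MS], [null data], [empty string], [file not found].
TAG_RE = re.compile(r'\[([^\]]*)\]\s*$')
# Name of the registry value / scheduled task at the start of the line.
NAME_RE = re.compile(r'^\s*"([^"]+)"')

# Core binaries that live only in System32 on XP (assumed list, not exhaustive).
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}
WIN_ROOT = r"c:\windows"
SYSTEM32 = r"c:\windows\system32"


def triage_line(line):
    """Return the reasons one log line looks suspicious (empty list if none)."""
    reasons = []
    m = PATH_RE.search(line)
    if not m:
        return reasons
    path = PureWindowsPath(m.group(1))
    parent = str(path.parent).lower()
    tag_m = TAG_RE.search(line)
    tag = tag_m.group(1).lower() if tag_m else ""
    name_m = NAME_RE.match(line)
    entry_name = name_m.group(1) if name_m else ""

    # 1. Launch point still present but its target is gone: a cleaner (or the
    #    malware itself) removed the file and left the hook behind.
    if tag == "file not found":
        reasons.append("orphaned launch point")
    # 2. A core Windows binary name used from outside System32
    #    (the posted log has "Windows Firewall" -> System32\drivers\svchost.exe).
    if path.name.lower() in SYSTEM_BINARIES and parent != SYSTEM32:
        reasons.append("system binary name outside System32")
    # 3. A DLL dropped straight into C:\WINDOWS with no company/version data;
    #    legitimate shell extensions and BHOs almost always carry a company string.
    if path.suffix.lower() == ".dll" and parent == WIN_ROOT and tag in ("null data", "empty string"):
        reasons.append("unverified DLL in Windows root")
    # 4. Active Desktop component rendering a local HTML file from under C:\WINDOWS:
    #    this is what paints the red "your privacy is in danger" wallpaper.
    if "file:///" in line.lower() and parent.startswith(WIN_ROOT):
        reasons.append("local HTML desktop component")
    # 5. Entry names that are exactly 16 hex digits are machine-generated.
    if re.fullmatch(r"[0-9A-F]{16}", entry_name):
        reasons.append("random hex entry name")
    return reasons


def triage_log(text):
    """Map each suspicious line (stripped) to its reasons; clean lines are dropped."""
    findings = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{'; '.join(reasons)}\n    {line}")
```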

(Lost World) #2

Download: SmitFraudFix

Option number 2, then paste the report (C:\SmitfraudFix.txt). In Safe Mode, of course.

Then post a log from ComboFix.

A description of how to use ComboFix is on the page behind the link.

The log may be long, so save it somewhere, then paste it at http://wklej.org/ and post only the link here.