Pomocyy!


(Frytathug4) #1

Mam Trojanan gdy Skanuje Przez NOD32 Pokazuje mi Logi z Trojanami ;/ wkleje tu log z Hijacka


Logfile of HijackThis v1.99.1

Scan saved at 22:26:42, on 2007-01-27

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\System32\csrs.exe

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Eset\nod32.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Wapster\AQQ\AQQ.exe

C:\Program Files\BitSpirit\BitSpirit.exe

C:\WINDOWS\System32\irdvxc.exe

C:\Program Files\Winamp\Winamp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Fryta\Pulpit\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe

O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O17 - HKLM\System\CCS\Services\Tcpip..{858C6961-5642-4394-B5E2-F135B20A972A}: NameServer = 213.241.79.37 83.238.255.76

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Z Gory Dzieki! !!


(adam9870) #2

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT i uruchom go w trybie awaryjnym.

Usuń HJT jeśli będą.

Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners.


(Frytathug4) #3

sorry ale nie rozumiem;/


(adam9870) #4

Czego dokładnie nie rozumiesz? Podaj proszę, a wyjaśnię na Forum.


(Frytathug4) #5

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT i uruchom go w trybie awaryjnym.

Tego ;/


(adam9870) #6

W lewym dolnym rogu ekranu klikasz start => wybierasz Uruchom => w okienku, które się otworzy wpisujesz notepad i klikasz OK => po chwili otworzy się okienko Notatnika, do którego wklejasz to co podałem => wybierz z menu notatnika plik => następnie Zapisz jako => ustawiasz tak jak jest to przedstawione na poniższym obrazku i klikasz na Zapisz.

fixbo1.png

Plik zapisujesz np. na pulpit.

Uruchamiasz system w trybie awaryjnym:

Gdy już będziesz w trybie awaryjnym klikasz dwa razy na utworzony plik FIX.BAT. Mignie ekran przez chwilkę i tyle.

Następnie uruchamiasz HijackThis = klikasz Do a system scan only = pokaże się lista wpisów = stawiasz ptaszek przy wpisach:

= klikasz Fix checked i potwierdzasz usunięcie.

Potem zamykasz system i uruchamiasz go w trybie normalnym.


(Frytathug4) #7

Cos Zrobilem Pokaze teraz log z hijacka


Logfile of HijackThis v1.99.1

Scan saved at 23:01:36, on 2007-01-27

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\WINDOWS\System32\config.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Fryta\Pulpit\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKLM..\Run: [Windows Config System] config.exe

O4 - HKLM..\RunServices: [Windows Config System] config.exe

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O17 - HKLM\System\CCS\Services\Tcpip..{858C6961-5642-4394-B5E2-F135B20A972A}: NameServer = 213.241.79.37 83.238.255.76

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


i jak to wyglada??

Złączono Posty : 27.01.2007 (Sob) 22:59

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

Tej Linijki nie bylo ;/


(adam9870) #8

Stary plik FIX.BAT usuwasz, a robisz nowy o takiej zawartości:

Będąc w trybie awaryjnym klikasz dwa razy na plik.

Uruchamiasz HijackThis => klikasz Do a system scan only => pokaże się lista wpisów => stawiasz ptaszek przy wpisach:

=> klikasz Fix checked i potwierdzasz usunięcie.

Pozamykaj porty robakom. W tym celu użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .


(Frytathug4) #9

Hijack

Logfile of HijackThis v1.99.1

Scan saved at 23:16:24, on 2007-01-27

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Fryta\Pulpit\hijackthis_199\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

O4 - HKLM..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe

O4 - HKLM..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM..\Run: [Ashampoo FireWall] "C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY

O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O10 - Unknown file in Winsock LSP: c:\program files\ashampoo\ashampoo firewall\spi.dll

O17 - HKLM\System\CCS\Services\Tcpip..{858C6961-5642-4394-B5E2-F135B20A972A}: NameServer = 213.241.79.37 83.238.255.76

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"(Default)" = "(empty string)" [file not found]

"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]

Złączono Posty : 27.01.2007 (Sob) 23:18

i jak to wyglada??

Wszystki ikonki sa na zielono;]


(adam9870) #10

Hijack czysty.

Log z silenta jest ucięty. Proszę poczekać aż program skończy robić log - poinformuje wtedy odpowiednim komunikatem (Done) i dopiero wtedy wkleić go na forum.


(Frytathug4) #11

:evil:


(adam9870) #12

Nadal ucięty, czekaj cierpliwie na komunikat All done.


(Frytathug4) #13

i jak?


(adam9870) #14

Jest bardzo minimalnie ucięty ale czysty.


(Frytathug4) #15

z edytowalem poprzedniego;/


"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"(Default)" = "(empty string)" [file not found]

"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [null data]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"NeroFilterCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"Ashampoo FireWall" = ""C:\Program Files\Ashampoo\Ashampoo FireWall\FireWall.exe" -TRAY" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

-> {HKLM...CLSID} = "SimpleShlExt Class"

\InProcServer32(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {HKLM...CLSID} = "AlcoholShellEx"

\InProcServer32(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

-> {HKLM...CLSID} = "RealOne Player Context Menu Class"

\InProcServer32(Default) = "C:\Program Files\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

\InProcServer32(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

\InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\web\wallpaper\Idylla.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Fryta" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"ATI CATALYST System Tray" -> shortcut to: "C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\System32\imon.dll ["Eset "], 01 - 05, 11

C:\Program Files\Ashampoo\Ashampoo FireWall\spi.dll [null data], 06 - 10, 22

%SystemRoot%\system32\mswsock.dll [MS], 12 - 21, 23 - 25

%SystemRoot%\system32\rsvpsp.dll [MS], 26 - 27

Running Services (Display Name, Service Name, Path {Service DLL}):


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]


<>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 61 seconds, including 3 seconds for message boxes)

[quote][/quote]

(Asterisk) #16

Proszę poprawić temat zgodnie z wymogami tego działu


(Frytathug4) #17

Przepraszam ale nie czytalem regulaminu;/


Adamo i jak z tym logiem?? ;/


(boczi) #18

Więc wszystko w tej chwili popraw, przeczytaj Regulamin, mówię to po raz ostatni :evil: