The post title doesn't convey the whole problem, but here is what it looks like: through carelessness I ran an installer that contained a malicious program. Avast did detect a few trojan horses, but a-squared Anti-Malware found nothing in particular. I managed to deal with the event manager being blocked from displaying. But despite scanning the system, something is still sitting there, because every dozen or so minutes it launches IE and tries to open a page with a supposed antivirus: http:// scanner. adwareremover2007. com/4/scan.php?id=1216 or http:// securepccleaner.com/ privacy/index.php? 045a420d46164a52096a5302 073d48093a465c6d04524a0245080b41 0b54585856155156475c48433b0706565555 0053500404140444050545145f01004702 0c58021655405c50471045115525470a234 00476530540595e000106505a04000f004 11e535a0c1d01221b570a010356001713027444057e4046572602065256445705595454440b7717424607093d5f0106 53484a54071d02550807571352 25545c0a031507575955161007 22141267575706010559000d0257 (I added spaces so nobody clicks). How do I get rid of it? It annoys me because I know it's a scam.
snajp, I agree here, adwareremover2007 is fake.
Look at the test results -> CLICK
It shows loads of false scan results.
Use SmitFraudFix in Safe Mode
in mode no. 2 and post the report.
Post a ComboFix log.
Here is the HijackThis log, please advise.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:32:51, on 2007-12-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
d:\Program Files2\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
d:\Program Files2\Alwil Software\Avast4\ashServ.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\Program Files\cFos\cFosDNT.exe
D:\Program Files2\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HHVcdV7Sys\VC7Play.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
D:\Program Files2\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\PAWE~1\USTAWI~1\Temp\{50D39DE4-CDD1-4802-BFC9-8D345AEEBE04}\Blaero Start Orb.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
d:\Program Files2\a-squared Anti-Malware\a2service.exe
D:\program files2\CpuIdle\cpuidle.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Tlen.pl\tlen.exe
D:\Program Files2\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Keymaestro\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Keymaestro\Onscreen Display\OSD.exe
d:\Program Files2\Virtual CD v7\System\VC7Tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\HHVcdV7Sys\VC7SecS.exe
C:\DOCUME~1\PAWE~1\USTAWI~1\Temp\{88C79371-3016-4D14-A4D2-B558EA459A28}\sidebar.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
d:\Program Files2\Alwil Software\Avast4\ashMaiSv.exe
d:\Program Files2\Alwil Software\Avast4\ashWebSv.exe
D:\program files2\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\gry\CABAL Online (Europe)\update.exe
D:\program files2\TC PowerPack\totalcmd.exe
D:\gry\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe
D:\gry\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe
d:\Program Files2\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: BDEX System - {83CDEF6B-98D2-4C60-84FC-00C44606A4F8} - C:\WINDOWS\domnftwpto.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: The emlkdvo - {940EBD8D-A3B7-44F9-A850-F60E76BE3B22} - C:\WINDOWS\emlkdvo.dll
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [Appwarp] d:\PROGRA~1\APPLIC~1\ApplicationWarp.exe
O4 - HKLM\..\Run: [WheelMouse] d:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [cFosDNT] C:\Program Files\cFos\cFosDNT.exe
O4 - HKLM\..\Run: [SmartDefrag] "D:\Program Files2\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup
O4 - HKLM\..\Run: [a-squared] "d:\Program Files2\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\Program Files2\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [CpuIdle] D:\program files2\CpuIdle\cpuidle.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [RemoteCenter] d:\Program Files2\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\program files2\WINnerTweak3\PopUp Blocker.exe
O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\program files2\WINnerTweak3\PopUp Blocker.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169315927226
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{778A9244-29C9-4498-B38A-CD38DA293D02}: NameServer = 194.204.152.34 217.98.63.164
O21 - SSODL: alxvdvm - {A5D659D8-5FF3-441F-92AA-21691E23F56B} - C:\WINDOWS\alxvdvm.dll
O21 - SSODL: bvtqfvx - {A760C4C1-4842-4412-B5D0-DED40BE7EAF5} - (no file)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - d:\Program Files2\a-squared Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Usługa SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 12645 bytes
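Added example, not part of the thread: a small Python triage pass over the O2/O3/O21 lines of the HijackThis log above. It applies the checks a forum helper applies by eye: a DLL sitting directly in C:\WINDOWS instead of a product folder, a random-looking file name, and a registered component whose file is gone ("(no file)"). The heuristics (the consonant-run threshold, the Windows-directory test) are assumptions of this example, and a flag means "review first", not "confirmed malicious"; the sample lines are copied from the log above.

```python
"""Triage of HijackThis O2/O3/O21 entries (added example, heuristics are assumptions)."""
import re
from dataclasses import dataclass, field

# Constructed sample: six lines taken from the HijackThis log posted in the thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: BDEX System - {83CDEF6B-98D2-4C60-84FC-00C44606A4F8} - C:\\WINDOWS\\domnftwpto.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.dll
O3 - Toolbar: The emlkdvo - {940EBD8D-A3B7-44F9-A850-F60E76BE3B22} - C:\\WINDOWS\\emlkdvo.dll
O21 - SSODL: alxvdvm - {A5D659D8-5FF3-441F-92AA-21691E23F56B} - C:\\WINDOWS\\alxvdvm.dll
O21 - SSODL: bvtqfvx - {A760C4C1-4842-4412-B5D0-DED40BE7EAF5} - (no file)
"""

# O2 (BHO), O3 (IE toolbar) and O21 (ShellServiceObjectDelayLoad) all load a DLL
# into Explorer/IE at start-up, so they are the first lines a helper reads.
ENTRY_RE = re.compile(
    r"^(?P<section>O2|O3|O21) - (?:BHO|Toolbar|SSODL): (?P<name>.*?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"
)
# A file directly under <drive>:\WINDOWS\ (not system32, not a product folder).
WINDIR_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)
# Assumed heuristic: four or more consonants in a row (y treated as a vowel).
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


@dataclass
class Entry:
    section: str
    name: str
    clsid: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_entries(log_text: str) -> list:
    """Return the O2/O3/O21 entries found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["name"], m["clsid"], m["path"]))
    return entries


def looks_random(filename: str) -> bool:
    """All-lowercase letters plus a long consonant run, e.g. 'domnftwpto.dll'."""
    stem = filename.rsplit(".", 1)[0]
    return stem.isalpha() and stem.islower() and bool(CONSONANT_RUN_RE.search(stem))


def triage(log_text: str) -> list:
    """Attach review reasons to each entry; return only the entries that got one."""
    flagged = []
    for e in parse_entries(log_text):
        if e.path == "(no file)":
            e.reasons.append("orphaned entry: registered component has no file on disk")
        else:
            if WINDIR_RE.match(e.path):
                e.reasons.append("DLL sits directly in the Windows directory, not in a product folder")
            if looks_random(e.filename):
                e.reasons.append("random-looking file name")
        if e.section == "O21" and e.reasons:
            e.reasons.append("SSODL entries load silently with the shell at every logon")
        if e.reasons:
            flagged.append(e)
    return flagged


def flagged_filenames(log_text: str) -> list:
    """Convenience view: just the file names that need a closer look."""
    return [e.filename for e in triage(log_text)]


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(f"{entry.section} {entry.filename}: " + "; ".join(entry.reasons))
```

The two Adobe and SiteAdvisor lines pass every check, while the four entries in the Windows directory or with no file are reported with their reasons.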
snajp, you were asked for something.
ComboFix 07-12-21.4 - Paweł 2007-12-27 20:56:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.114 [GMT 1:00]
Running from: D:\download\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\dat.txt
C:\WINDOWS\search_res.txt
.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.
2007-12-27 20:53 . 2007-12-27 20:53
[color=green]// Posts merged.[/color]
[code]"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]
"RemoteCenter" = "d:\Program Files2\Creative\MediaSource\RemoteControl\RCMan.EXE" ["Creative Technology Ltd"]
"LClock" = "C:\Program Files\LClock\lclock.exe" [null data]
"StartCCC" = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Odkurzacz-MCD" = "C:\Program Files\Odkurzacz\odk_mcd.exe" ["Franmo Software"]
"AtiTrayTools" = ""C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
"Directory Opus Desktop Dblclk" = ""C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk" ["GP Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"CnxDslTaskBar" = ""C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"" ["Conexant Systems, Inc."]
"MULTIMEDIA KEYBOARD" = "C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]
"Appwarp" = "d:\PROGRA~1\APPLIC~1\ApplicationWarp.exe" [null data]
"WheelMouse" = "d:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
"LClock" = "C:\Program Files\LClock\LClock.exe" [null data]
"Vista Sidebar" = "C:\Program Files\Vista Sidebar\sidebar.exe" [null data]
"VisualTooltip" = "C:\Program Files\VisualTooltip\VisualToolTip.exe" ["Christian Salmon"]
"Blaero Start Orb" = "C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe" [null data]
"Styler" = "C:\Program Files\Styler\Styler.exe" ["ta2027"]
"cFosDNT" = "C:\Program Files\cFos\cFosDNT.exe" ["cFos Software GmbH"]
"SmartDefrag" = ""D:\Program Files2\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup" [null data]
"a-squared" = ""d:\Program Files2\a-squared Anti-Malware\a2guard.exe"" ["Emsi Software GmbH"]
"StartCCC" = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"VC7Player" = "C:\Program Files\HHVcdV7Sys\VC7Play.exe" ["H+H Software GmbH"]
"SiteAdvisor" = "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" ["McAfee, Inc."]
"ZoneAlarm Client" = ""d:\Program Files2\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"CpuIdle" = "D:\program files2\CpuIdle\cpuidle.exe" ["Andreas Goetz"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"Flag" = dword:0x00000002

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6253\SiteAdv.dll" ["McAfee, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "BDEX System"
     \InProcServer32\(Default) = "C:\WINDOWS\domnftwpto.dll" [empty string]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "ZoneAlarm Spy Blocker BHO"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker BHO"
     \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "d:\Program Files2\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]
"{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" = "OODefrag"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
     \InProcServer32\(Default) = "D:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a-squared Anti-Malware Shell Extension"
  -> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
     \InProcServer32\(Default) = "d:\Program Files2\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{3CF9ECE0-1A9F-11d2-8C73-00C06C2005DE}" = "Directory Opus Shell Execute Hook"
  -> {HKLM...CLSID} = "Directory Opus Shell Execute Hook"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{E9FE4040-3C93-11d4-8006-00201860E88A}" = "Directory Opus Context Menu"
  -> {HKLM...CLSID} = "Directory Opus Context Menu"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{B9DD4945-1BED-4cb7-994C-F40B72B7725A}" = "Directory Opus Desktop Context Menu"
  -> {HKLM...CLSID} = "Directory Opus Desktop Context Menu"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{42BEF283-A10E-472D-B105-9F2B59AFBFC8}" = "Directory Opus Find Extension"
  -> {HKLM...CLSID} = "Directory Opus Find Extension"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{2DF394BA-1955-4a52-900E-303836135F67}" = "Directory Opus Info Tip Handler"
  -> {HKLM...CLSID} = "Directory Opus Info Tip Handler"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{BBD5F00E-26A6-4fb2-BAE1-31543C0BEA47}" = "Directory Opus Icon Handler"
  -> {HKLM...CLSID} = "Directory Opus Icon Handler"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{F85D7E1E-9662-4b38-B1AE-3CF1E9581A3C}" = "Directory Opus Drop Target"
  -> {HKLM...CLSID} = "Directory Opus Drop Target"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{D2FCA36D-93CD-46f2-8324-6308F6E31B53}" = "Directory Opus File Collection Shell Extension"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "d:\Program Files2\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}" = (no title provided)
  -> {HKLM...CLSID} = "Directory Opus Shell Execute Hook"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"alxvdvm" = "{A5D659D8-5FF3-441F-92AA-21691E23F56B}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\alxvdvm.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "d:\Program Files2\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
     \InProcServer32\(Default) = "D:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "d:\Program Files2\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Anti-Malware Shell Extension\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
     \InProcServer32\(Default) = "d:\Program Files2\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "d:\Program Files2\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
     \InProcServer32\(Default) = "D:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "d:\Program Files2\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Anti-Malware Shell Extension\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
     \InProcServer32\(Default) = "d:\Program Files2\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Paweł" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Uniblue SpeedUpMyPC Nag" -> launches: "d:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
"Uniblue SpeedUpMyPC" -> launches: "d:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SYSTEMROOT%\system32\nvappfilter.dll ["NVIDIA"], 01 - 03, 10
%SystemRoot%\system32\mswsock.dll [MS], 04 - 07, 11 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
     \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}" = (no title provided)
  -> {HKLM...CLSID} = "StylerToolBar"
     \InProcServer32\(Default) = "C:\Program Files\Styler\TB\StylerTB.dll" ["StyleFantasist"]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
  -> {HKLM...CLSID} = "McAfee SiteAdvisor"
     \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6253\SiteAdv.dll" ["McAfee, Inc."]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
     \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]
"{940EBD8D-A3B7-44F9-A850-F60E76BE3B22}" = (no title provided)
  -> {HKLM...CLSID} = "The emlkdvo"
     \InProcServer32\(Default) = "C:\WINDOWS\emlkdvo.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{916C1EF1-CA89-4F1B-AFDA-3CA85BD0F831}\(Default) = "ZoneAlarm PopBlocker"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{84536FE2-ABCD-3586-DCAB-40E286323737}\
"ButtonText" = "Pop-Up Blocker"
"MenuText" = "Pop-Up Blocker"
"Exec" = "D:\program files2\WINnerTweak3\PopUp Blocker.exe" ["WINner Tweak Software Development Team"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Anti-Malware Service, a2AntiMalware, ""d:\Program Files2\a-squared Anti-Malware\a2service.exe"" ["Emsi Software GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""d:\Program Files2\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""d:\Program Files2\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""d:\Program Files2\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""d:\Program Files2\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTSvcCDA.EXE" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent Application Manager (IAM), "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe" [empty string]
ForceWare IP service, nSvcIp, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe" ["NVIDIA Corporation"]
ForceWare user log service, nSvcLog, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe" ["NVIDIA"]
Forceware Web Interface, ForcewareWebInterface, ""C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
Netropa NHK Server, nhksrv, "C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe" [null data]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Usługa SiteAdvisor, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6253\SAService.exe" ["McAfee, Inc."]
Virtual CD v7 Management Service, VC7SecS, "C:\Program Files\HHVcdV7Sys\VC7SecS.exe" ["H+H Software GmbH"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "msikbd2k" ["Netropa Corporation"]


---------- (launch time: 2007-12-28 00:43:28)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.[/code]
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 122 seconds, including 24 seconds for message boxes)
I scanned with Avast, a-squared Anti-Malware, online Kaspersky, Panda, MKS, then ComboFix, HijackThis, SmitFraudFix, Fixwareout, and the problem is still exactly the same. As soon as I start the system, something immediately tries to launch IE and shows a prompt asking whether to work offline or retry. Later, every so often, it launches IE by itself (I use Firefox) once there is an internet connection and loads the pages given above. What should I use to fix the problem???
One last request - use SmitFraudFix, choose option no. 2, in safe mode of course, and after that a new log from ComboFix
Don't get annoyed, but I did it in safe mode and it didn't remove anything, so I'm searching with a rootkit tool. I'll post the logs tomorrow, I'll do it once more. I also have Rootkit Hook Analyzer, but it only found vsdatant.sys from ZoneAlarm, in 28 hooks.
log from RootkitRevealer
HKU\.DEFAULT\Control Panel\International 2007-12-28 01:00 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 2007-12-28 01:00 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International 2007-12-28 01:18 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International\Geo 2007-12-27 21:15 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International\Time 2007-12-27 21:15 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2DDCD750-13F3-A817-ABB7-F2E380A716C7}* 2007-03-21 19:38 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{89D7E27D-B778-F6D4-54EB-094E0DA319C9}* 2007-04-25 16:40 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E37A654A-13D4-BA8B-008C-9D03EEE5C987}* 2007-03-21 19:33 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 2007-12-28 01:00 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 2007-12-28 01:00 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 2007-01-20 12:57 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2007-01-20 12:57 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Component Categories\{6F625EB1-D1B1-11D2-8B29-0050041850C1}\409 2007-01-20 19:58 37 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2007-12-28 21:07 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\VideoPlugin\used-tags 2007-12-28 20:23 436 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\VideoPlugin\cpv-click-count 2007-12-28 20:23 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 2007-01-21 11:44 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 2007-12-28 21:06 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 2007-12-28 21:06 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\ProgramSecuredCount 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
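Added example (not part of the original thread): a small Python triage of the RootkitRevealer output posted above. RootkitRevealer reports every place where the Win32 API view of the registry disagrees with the raw hive, and most of that is noise. The script sorts each line into benign (the SAC*/SAI* LSA secrets that Windows itself names with embedded nulls, and the security-descriptor mismatches on the per-user Control Panel\International keys), volatile (seeds and counters rewritten between the tool's two passes) and review (everything else, in particular any other key whose name contains an embedded null, since such a key cannot be opened through the Win32 registry API and is therefore invisible in regedit). The allowlist patterns are this example's own heuristics, not verdicts from the tool; the sample input is the 23 registry lines copied from the log above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# One RootkitRevealer registry discrepancy per line:
#   <key or value path> <YYYY-MM-DD HH:MM> <size> bytes <description>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+ bytes\s+(?P<desc>.+)$"
)

# Heuristic allowlists: this example's assumptions, not verdicts from the tool.
# Values rewritten constantly, so the API pass and the raw-hive pass differ.
VOLATILE = (
    r"\\Cryptography\\RNG\\Seed$",
    r"\\Prefetcher\\Traces(Processed|Successful)$",
    r"\\BITS\\StateIndex$",
    r"\\Zone Labs\\ZoneAlarm\\\w+Count$",
)
# LSA secrets whose key names Windows itself writes with embedded nulls.
BENIGN_NULLS = (r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*$",)
# Security-descriptor mismatches routinely reported on per-user locale keys.
BENIGN_SECURITY = (r"\\Control Panel\\International(\\|$)",)


@dataclass
class Finding:
    path: str
    description: str
    verdict: str  # "benign", "volatile" or "review"
    reason: str


def _matches(path, patterns):
    return any(re.search(p, path, re.IGNORECASE) for p in patterns)


def classify(path, desc):
    """Return (verdict, reason) for one discrepancy line."""
    if desc.startswith("Key name contains embedded nulls"):
        if _matches(path, BENIGN_NULLS):
            return "benign", "LSA secret; Windows writes these names itself"
        # A NUL in a key name makes the key unreachable through the Win32
        # registry API, so a launch point stored there never shows in regedit.
        return "review", "key name hidden from Win32 API by embedded null"
    if desc.startswith("Security mismatch"):
        if _matches(path, BENIGN_SECURITY):
            return "benign", "locale key; descriptor mismatch is common here"
        return "review", "unexpected security descriptor mismatch"
    if desc.startswith(("Data mismatch", "Windows API length not consistent")):
        if _matches(path, VOLATILE):
            return "volatile", "value rewritten between the two scan passes"
        return "review", "API view of the value differs from raw hive data"
    return "review", "unrecognised discrepancy type"


def triage(lines):
    """Parse RootkitRevealer registry lines and classify each one."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # blank lines or entries in another format are skipped
            continue
        verdict, reason = classify(m["path"], m["desc"])
        findings.append(Finding(m["path"], m["desc"], verdict, reason))
    return findings


def summary(lines):
    """Count findings per verdict, e.g. {"benign": 9, "volatile": 7, "review": 7}."""
    return dict(Counter(f.verdict for f in triage(lines)))


# The 23 registry discrepancies copied from the RootkitRevealer log above.
SAMPLE_LOG = r"""
HKU\.DEFAULT\Control Panel\International 2007-12-28 01:00 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 2007-12-28 01:00 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International 2007-12-28 01:18 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International\Geo 2007-12-27 21:15 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International\Time 2007-12-27 21:15 0 bytes Security mismatch.
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2DDCD750-13F3-A817-ABB7-F2E380A716C7}* 2007-03-21 19:38 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{89D7E27D-B778-F6D4-54EB-094E0DA319C9}* 2007-04-25 16:40 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E37A654A-13D4-BA8B-008C-9D03EEE5C987}* 2007-03-21 19:33 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 2007-12-28 01:00 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 2007-12-28 01:00 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 2007-01-20 12:57 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2007-01-20 12:57 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\Component Categories\{6F625EB1-D1B1-11D2-8B29-0050041850C1}\409 2007-01-20 19:58 37 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 2007-12-28 21:07 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\VideoPlugin\used-tags 2007-12-28 20:23 436 bytes Windows API length not consistent with raw hive data.
HKLM\SOFTWARE\Microsoft\VideoPlugin\cpv-click-count 2007-12-28 20:23 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 2007-01-21 11:44 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 2007-12-28 21:06 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 2007-12-28 21:06 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\ProgramSecuredCount 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 2007-12-28 21:07 4 bytes Data mismatch between Windows API and raw hive data.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        if f.verdict == "review":
            print(f"{f.path}\n    {f.description} -> {f.reason}")
    print(summary(SAMPLE_LOG.splitlines()))
```

Run on this log, the review bucket holds the three Shell Extensions\Approved keys and CurrentVersion\System* (embedded nulls), the two VideoPlugin values and the Component Categories entry; those are the entries to inspect with a raw-hive viewer or from a clean boot rather than regedit, while the seeds and counters can be ignored.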
Do what I'm asking you to do, I'm waiting for the logs
I'm pasting, in chronological order, what was done in safe mode
Username "Administrator" - 2007-12-28 1:11:30 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="d:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"CnxDslTaskBar"="\"C:\\Program Files\\ZTE Corporation\\ZXDSL852\\CnxDslTb.exe\" \"ZTE Corporation\\ZXDSL852\""
"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Keymaestro\\Multimedia Keyboard\\MMKeybd.exe"
"CTxfiHlp"="CTXFIHLP.EXE"
"WinFast Schedule"="C:\\Program Files\\WinFast\\WFTVFM\\WFWIZ.exe"
"Appwarp"="d:\\PROGRA~1\\APPLIC~1\\ApplicationWarp.exe"
"WheelMouse"="d:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"
"LClock"="C:\\Program Files\\LClock\\LClock.exe"
"Vista Sidebar"="C:\\Program Files\\Vista Sidebar\\sidebar.exe"
"VisualTooltip"="C:\\Program Files\\VisualTooltip\\VisualToolTip.exe"
"Blaero Start Orb"="C:\\Program Files\\Blaero Start Orb\\Blaero Start Orb.exe"
"Styler"="C:\\Program Files\\Styler\\Styler.exe"
"cFosDNT"="C:\\Program Files\\cFos\\cFosDNT.exe"
"SmartDefrag"="\"D:\\Program Files2\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"
"a-squared"="\"d:\\Program Files2\\a-squared Anti-Malware\\a2guard.exe\""
"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"
"VC7Player"="C:\\Program Files\\HHVcdV7Sys\\VC7Play.exe"
"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"
"ZoneAlarm Client"="\"d:\\Program Files2\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"AtiPTA"="atiptaxx.exe"
"CpuIdle"="D:\\program files2\\CpuIdle\\cpuidle.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
....
Hosts file was reset, If you use a custom hosts file please replace it...
C:\WINDOWS\repair\autoexec.nt missing
C:\WINDOWS\repair\Config.nt missing
~~~~~End report~~~~~
then
SmitFraudFix v2.274
Scan done at 15:54:16,67, 2007-12-29
Run from D:\Antywiry\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
IEDFix.exe by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» DNS
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
and ComboFix
ComboFix 07-12-21.4 - Administrator 2007-12-29 15:55:34.4 - NTFSx86 MINIMAL
Paste into Notepad:
File::
C:\WINDOWS\system32\drivers\lirsgt.rar
C:\WINDOWS\system32\drivers\atksgt.rar
C:\WINDOWS\domnftwpto.dll
C:\WINDOWS\emlkdvo.dll
C:\WINDOWS\alxvdvm.dll
C:\WINDOWS\fvkwdrt.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"alxvdvm"= -
>>File>>Save as... >>> CFScript (it will be easiest if you save it in a location such that the CFScript.txt icon ends up next to the ComboFix.exe icon)
Drag and drop the CFScript.txt file onto ComboFix.exe (i.e. the CFScript.txt icon onto the ComboFix.exe icon)
(if a "1 or 2" question appears, type 1 and press ENTER). Removal should begin (and a log will be produced).
After the restart, manually delete the folder C:\Qoobox.
After that, a new log from ComboFix
first log after using the script
ComboFix 07-12-21.4 - Paweł 2007-12-29 18:16:34.6 - NTFSx86
Read what I wrote above and do it, nothing was removed
Well, maybe not the directory itself, but all of its contents, yes. Does an empty directory matter too?
The files are still there!
So I deleted the directory and ran a new ComboFix scan. I compared it with the previous one. It's 99% the same; only those two files I mentioned change.
ComboFix 07-12-21.4 - Paweł 2007-12-29 21:22:07.8 - NTFSx86
I'm attaching the GMER log (gmer log.rar); it's a Polish program for removing rootkits.
Download The Avenger. Unpack it => run it => tick the option Input script manually => click the magnifying-glass icon => in the window that opens, paste:
Files to delete:
C:\WINDOWS\domnftwpto.dll
C:\WINDOWS\emlkdvo.dll
C:\WINDOWS\alxvdvm.dll
C:\WINDOWS\fvkwdrt.exe
C:\WINDOWS\system32\drivers\lirsgt.rar
C:\WINDOWS\system32\drivers\atksgt.rar
Folders to delete:
C:\Program Files\MediaSupplyCodec
Click the Done button => now click the green light => a message should appear; click OK (now a restart).
Thanks for the help. The problem seems to be solved. I'll see by the end of the day whether anything pops up.