Serious problem with a fake antivirus

The post title doesn't describe the whole problem, but it looks like this: through carelessness I ran an installer that contained a malicious program. Avast did detect a few trojan horses, but a-squared Anti-Malware found nothing in particular. I managed to deal with the blocked event manager display myself. But despite scanning the system, something is still sitting there, because every dozen or so minutes it launches IE and tries to open a page with a supposed antivirus: http:// scanner. adwareremover2007. com/4/scan.php?id=1216 or http:// securepccleaner.com/ privacy/index.php? 045a420d46164a52096a5302 073d48093a465c6d04524a0245080b41 0b54585856155156475c48433b0706565555 0053500404140444050545145f01004702 0c58021655405c50471045115525470a234 00476530540595e000106505a04000f004 11e535a0c1d01221b570a010356001713027444057e4046572602065256445705595454440b7717424607093d5f0106 53484a54071d02550807571352 25545c0a031507575955161007 22141267575706010559000d0257 (I added spaces so nobody clicks it). How do I get rid of this? It annoys me, because I know it's a scam.

Read this thread and post the logs: viewtopic.php?f=16&t=36654

snajp, I agree here, adwareremover2007 is fake

Look at the test results -> CLICK

It shows a huge number of fake scan results

Use SmitfraudFix in Safe Mode

in mode no. 2 and post the report

Post a ComboFix log

This is the HijackThis log, please advise

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:32:51, on 2007-12-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

d:\Program Files2\Alwil Software\Avast4\aswUpdSv.exe

C:\WINDOWS\Explorer.EXE

d:\Program Files2\Alwil Software\Avast4\ashServ.exe

D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe

C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe

C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

D:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\VisualTooltip\VisualToolTip.exe

C:\Program Files\Styler\Styler.exe

C:\Program Files\cFos\cFosDNT.exe

D:\Program Files2\IObit\IObit SmartDefrag\IObit SmartDefrag.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\HHVcdV7Sys\VC7Play.exe

C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

D:\Program Files2\Zone Labs\ZoneAlarm\zlclient.exe

C:\DOCUME~1\PAWE~1\USTAWI~1\Temp\{50D39DE4-CDD1-4802-BFC9-8D345AEEBE04}\Blaero Start Orb.exe

C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe

d:\Program Files2\a-squared Anti-Malware\a2service.exe

D:\program files2\CpuIdle\cpuidle.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Tlen.pl\tlen.exe

D:\Program Files2\Creative\MediaSource\RemoteControl\RCMan.EXE

C:\WINDOWS\system32\CTSvcCDA.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe

C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

C:\Program Files\SiteAdvisor\6253\SAService.exe

C:\Program Files\Keymaestro\Multimedia Keyboard\TrayMon.exe

C:\Program Files\Keymaestro\Onscreen Display\OSD.exe

d:\Program Files2\Virtual CD v7\System\VC7Tray.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\Program Files\HHVcdV7Sys\VC7SecS.exe

C:\DOCUME~1\PAWE~1\USTAWI~1\Temp\{88C79371-3016-4D14-A4D2-B558EA459A28}\sidebar.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

d:\Program Files2\Alwil Software\Avast4\ashMaiSv.exe

d:\Program Files2\Alwil Software\Avast4\ashWebSv.exe

D:\program files2\Mozilla Firefox\firefox.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\gry\CABAL Online (Europe)\update.exe

D:\program files2\TC PowerPack\totalcmd.exe

D:\gry\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe

D:\gry\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe

d:\Program Files2\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: BDEX System - {83CDEF6B-98D2-4C60-84FC-00C44606A4F8} - C:\WINDOWS\domnftwpto.dll

O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll

O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll

O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

O3 - Toolbar: The emlkdvo - {940EBD8D-A3B7-44F9-A850-F60E76BE3B22} - C:\WINDOWS\emlkdvo.dll

O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [CnxDslTaskBar] "C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"

O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

O4 - HKLM\..\Run: [Appwarp] d:\PROGRA~1\APPLIC~1\ApplicationWarp.exe

O4 - HKLM\..\Run: [WheelMouse] d:\PROGRA~1\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKLM\..\Run: [Vista Sidebar] C:\Program Files\Vista Sidebar\sidebar.exe

O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe

O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe

O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe

O4 - HKLM\..\Run: [cFosDNT] C:\Program Files\cFos\cFosDNT.exe

O4 - HKLM\..\Run: [SmartDefrag] "D:\Program Files2\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup

O4 - HKLM\..\Run: [a-squared] "d:\Program Files2\a-squared Anti-Malware\a2guard.exe"

O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe

O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe

O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\Program Files2\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [CpuIdle] D:\program files2\CpuIdle\cpuidle.exe

O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [RemoteCenter] d:\Program Files2\Creative\MediaSource\RemoteControl\RCMan.EXE

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe

O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe

O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"

O4 - HKCU\..\Run: [Directory Opus Desktop Dblclk] "C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\program files2\WINnerTweak3\PopUp Blocker.exe

O9 - Extra 'Tools' menuitem: Pop-Up Blocker - {84536FE2-ABCD-3586-DCAB-40E286323737} - D:\program files2\WINnerTweak3\PopUp Blocker.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169315927226

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{778A9244-29C9-4498-B38A-CD38DA293D02}: NameServer = 194.204.152.34 217.98.63.164

O21 - SSODL: alxvdvm - {A5D659D8-5FF3-441F-92AA-21691E23F56B} - C:\WINDOWS\alxvdvm.dll

O21 - SSODL: bvtqfvx - {A760C4C1-4842-4412-B5D0-DED40BE7EAF5} - (no file)

O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - d:\Program Files2\a-squared Anti-Malware\a2service.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)

O23 - Service: avast! Antivirus - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - d:\Program Files2\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE

O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe

O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

O23 - Service: Usługa SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe

O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--

End of file - 12645 bytes
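As an added example that is not part of the original thread: a small Python triage script that applies the checks a forum helper runs by eye over the O2/O3/O21/R3 lines of the log above. It flags a module dropped straight into C:\WINDOWS (rather than a vendor folder) with a random-looking file name, a display name that is just "The <filename>", and orphaned entries whose target is "(no file)". The sample lines are copied from the HijackThis log posted above; the thresholds (lowercase-only name stem, a run of four or more consonants) are assumptions chosen for this example and give a first-pass shortlist, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example).

Heuristics modelled on what forum helpers look for in O2/O3/O21 entries:
randomly named DLLs dropped directly into %WINDIR%, orphaned entries that
point at a missing file, and 'The <filename>' display names.
"""
import re
from dataclasses import dataclass

# Constructed subset: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {83CDEF6B-98D2-4C60-84FC-00C44606A4F8} - C:\WINDOWS\domnftwpto.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: The emlkdvo - {940EBD8D-A3B7-44F9-A850-F60E76BE3B22} - C:\WINDOWS\emlkdvo.dll
O4 - HKLM\..\Run: [avast!] d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: alxvdvm - {A5D659D8-5FF3-441F-92AA-21691E23F56B} - C:\WINDOWS\alxvdvm.dll
O21 - SSODL: bvtqfvx - {A760C4C1-4842-4412-B5D0-DED40BE7EAF5} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""

# O2/O3/O21/R3 entries share the shape:
#   "<section> - <kind>: <name> - {CLSID} - <path or (no file)>"
ENTRY_RE = re.compile(
    r"^(?P<section>O2|O3|O21|R3)\s+-\s+(?P<kind>[^:]+):\s+(?P<name>.*?)\s+-\s+"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\s+-\s+(?P<target>.+)$"
)

# Assumed threshold: four or more consonants in a row reads as machine-generated.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: list


def looks_random(stem: str) -> bool:
    """Lowercase-only file stem with a long consonant run, e.g. 'domnftwpto'."""
    return stem.isalpha() and stem.islower() and bool(CONSONANT_RUN.search(stem))


def in_windows_root(path: str) -> bool:
    """True for a file sitting directly in C:\\WINDOWS\\ (not in a subfolder)."""
    return re.fullmatch(r"[A-Za-z]:\\WINDOWS\\[^\\]+", path, re.IGNORECASE) is not None


def assess(line: str):
    """Return a Finding for one log line, or None if nothing looks off."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # not a section this heuristic understands (O4, O23, ...)
    section, name, target = m.group("section", "name", "target")
    reasons = []
    if target == "(no file)":
        reasons.append("orphaned entry: the registered module is missing")
    else:
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if in_windows_root(target):
            reasons.append("module sits directly in %WINDIR%, not in a vendor folder")
        if looks_random(stem):
            reasons.append(f"random-looking module name '{stem}'")
        if name.startswith("The ") and name[4:] == stem:
            reasons.append("display name is just 'The <filename>'")
    if section == "O21" and reasons:
        reasons.append("SSODL entries are loaded into explorer.exe at every logon")
    return Finding(section, name, target, reasons) if reasons else None


def triage(log_text: str):
    """Return the suspicious entries found in a HijackThis log."""
    return [f for f in map(assess, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.target}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run stand-alone it lists the three randomly named DLLs in C:\WINDOWS and the two orphaned "(no file)" entries; a known-good BHO such as AcroIEHelper.dll or SiteAdv.dll is not reported. Anything it flags still needs confirming (vendor, file date, a scan of the file itself) before removal.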

snajp, you were asked for something

ComboFix 07-12-21.4 - Paweł 2007-12-27 20:56:21.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.114 [GMT 1:00]

Running from: D:\download\ComboFix.exe

 * Created a new restore point

.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


C:\WINDOWS\dat.txt

C:\WINDOWS\search_res.txt


.

((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))

.


2007-12-27 20:53 . 2007-12-27 20:53	






[color=green]// Posts merged.[/color]

[code]"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Komunikator" = "C:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]
"RemoteCenter" = "d:\Program Files2\Creative\MediaSource\RemoteControl\RCMan.EXE" ["Creative Technology Ltd"]
"LClock" = "C:\Program Files\LClock\lclock.exe" [null data]
"StartCCC" = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Odkurzacz-MCD" = "C:\Program Files\Odkurzacz\odk_mcd.exe" ["Franmo Software"]
"AtiTrayTools" = ""C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
"Directory Opus Desktop Dblclk" = ""C:\Program Files\GPSoftware\Directory Opus\dopusrt.exe" /dblclk" ["GP Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"avast!" = "d:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"CnxDslTaskBar" = ""C:\Program Files\ZTE Corporation\ZXDSL852\CnxDslTb.exe" "ZTE Corporation\ZXDSL852"" ["Conexant Systems, Inc."]
"MULTIMEDIA KEYBOARD" = "C:\Program Files\Keymaestro\Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]
"Appwarp" = "d:\PROGRA~1\APPLIC~1\ApplicationWarp.exe" [null data]
"WheelMouse" = "d:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
"LClock" = "C:\Program Files\LClock\LClock.exe" [null data]
"Vista Sidebar" = "C:\Program Files\Vista Sidebar\sidebar.exe" [null data]
"VisualTooltip" = "C:\Program Files\VisualTooltip\VisualToolTip.exe" ["Christian Salmon"]
"Blaero Start Orb" = "C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe" [null data]
"Styler" = "C:\Program Files\Styler\Styler.exe" ["ta2027"]
"cFosDNT" = "C:\Program Files\cFos\cFosDNT.exe" ["cFos Software GmbH"]
"SmartDefrag" = ""D:\Program Files2\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /startup" [null data]
"a-squared" = ""d:\Program Files2\a-squared Anti-Malware\a2guard.exe"" ["Emsi Software GmbH"]
"StartCCC" = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data]
"VC7Player" = "C:\Program Files\HHVcdV7Sys\VC7Play.exe" ["H+H Software GmbH"]
"SiteAdvisor" = "C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" ["McAfee, Inc."]
"ZoneAlarm Client" = ""d:\Program Files2\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]
"CpuIdle" = "D:\program files2\CpuIdle\cpuidle.exe" ["Andreas Goetz"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"Flag" = dword:0x00000002

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{089FD14D-132B-48FC-8861-0048AE113215}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6253\SiteAdv.dll" ["McAfee, Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "BDEX System"
     \InProcServer32\(Default) = "C:\WINDOWS\domnftwpto.dll" [empty string]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "ZoneAlarm Spy Blocker BHO"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker BHO"
     \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "d:\Program Files2\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]
"{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" = "OODefrag"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
     \InProcServer32\(Default) = "D:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a-squared Anti-Malware Shell Extension"
  -> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
     \InProcServer32\(Default) = "d:\Program Files2\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
     \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{3CF9ECE0-1A9F-11d2-8C73-00C06C2005DE}" = "Directory Opus Shell Execute Hook"
  -> {HKLM...CLSID} = "Directory Opus Shell Execute Hook"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{E9FE4040-3C93-11d4-8006-00201860E88A}" = "Directory Opus Context Menu"
  -> {HKLM...CLSID} = "Directory Opus Context Menu"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{B9DD4945-1BED-4cb7-994C-F40B72B7725A}" = "Directory Opus Desktop Context Menu"
  -> {HKLM...CLSID} = "Directory Opus Desktop Context Menu"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{42BEF283-A10E-472D-B105-9F2B59AFBFC8}" = "Directory Opus Find Extension"
  -> {HKLM...CLSID} = "Directory Opus Find Extension"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{2DF394BA-1955-4a52-900E-303836135F67}" = "Directory Opus Info Tip Handler"
  -> {HKLM...CLSID} = "Directory Opus Info Tip Handler"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{BBD5F00E-26A6-4fb2-BAE1-31543C0BEA47}" = "Directory Opus Icon Handler"
  -> {HKLM...CLSID} = "Directory Opus Icon Handler"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{F85D7E1E-9662-4b38-B1AE-3CF1E9581A3C}" = "Directory Opus Drop Target"
  -> {HKLM...CLSID} = "Directory Opus Drop Target"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{D2FCA36D-93CD-46f2-8324-6308F6E31B53}" = "Directory Opus File Collection Shell Extension"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "d:\Program Files2\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{3CF9ECE0-1A9F-11D2-8C73-00C06C2005DE}" = (no title provided)
  -> {HKLM...CLSID} = "Directory Opus Shell Execute Hook"
     \InProcServer32\(Default) = "C:\Program Files\GPSoftware\Directory Opus\dopuslib.dll" ["GP Software"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
"alxvdvm" = "{A5D659D8-5FF3-441F-92AA-21691E23F56B}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\alxvdvm.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.ux.pl 2.2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "d:\Program Files2\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
     \InProcServer32\(Default) = "D:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "d:\Program Files2\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
a-squared Anti-Malware Shell Extension\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
     \InProcServer32\(Default) = "d:\Program Files2\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "d:\Program Files2\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"
  -> {HKLM...CLSID} = "OODShellExtObj Class"
     \InProcServer32\(Default) = "D:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "d:\Program Files2\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
     \InProcServer32\(Default) = "d:\Program Files2\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
a-squared Anti-Malware Shell Extension\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
  -> {HKLM...CLSID} = "a-squared Anti-Malware Shell Extension"
     \InProcServer32\(Default) = "d:\Program Files2\a-squared Anti-Malware\a2contmenu.dll" ["Emsi Software GmbH"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Paweł" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"Uniblue SpeedUpMyPC Nag" -> launches: "d:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
"Uniblue SpeedUpMyPC" -> launches: "d:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SYSTEMROOT%\system32\nvappfilter.dll ["NVIDIA"], 01 - 03, 10
%SystemRoot%\system32\mswsock.dll [MS], 04 - 07, 11 - 26
%SystemRoot%\system32\rsvpsp.dll [MS], 08 - 09


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
     \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}" = (no title provided)
  -> {HKLM...CLSID} = "StylerToolBar"
     \InProcServer32\(Default) = "C:\Program Files\Styler\TB\StylerTB.dll" ["StyleFantasist"]
"{0BF43445-2F28-4351-9252-17FE6E806AA0}" = "McAfee SiteAdvisor"
  -> {HKLM...CLSID} = "McAfee SiteAdvisor"
     \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6253\SiteAdv.dll" ["McAfee, Inc."]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
     \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]
"{940EBD8D-A3B7-44F9-A850-F60E76BE3B22}" = (no title provided)
  -> {HKLM...CLSID} = "The emlkdvo"
     \InProcServer32\(Default) = "C:\WINDOWS\emlkdvo.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{916C1EF1-CA89-4F1B-AFDA-3CA85BD0F831}\(Default) = "ZoneAlarm PopBlocker"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{84536FE2-ABCD-3586-DCAB-40E286323737}\
"ButtonText" = "Pop-Up Blocker"
"MenuText" = "Pop-Up Blocker"
"Exec" = "D:\program files2\WINnerTweak3\PopUp Blocker.exe" ["WINner Tweak Software Development Team"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
     \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

a-squared Anti-Malware Service, a2AntiMalware, ""d:\Program Files2\a-squared Anti-Malware\a2service.exe"" ["Emsi Software GmbH"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""d:\Program Files2\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""d:\Program Files2\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""d:\Program Files2\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""d:\Program Files2\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTSvcCDA.EXE" ["Creative Technology Ltd"]
EPSON Printer Status Agent2, EPSONStatusAgent2, "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent Application Manager (IAM), "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe" [empty string]
ForceWare IP service, nSvcIp, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe" ["NVIDIA Corporation"]
ForceWare user log service, nSvcLog, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe" ["NVIDIA"]
Forceware Web Interface, ForcewareWebInterface, ""C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
Netropa NHK Server, nhksrv, "C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe" [null data]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
Usługa SiteAdvisor, SiteAdvisor Service, "C:\Program Files\SiteAdvisor\6253\SAService.exe" ["McAfee, Inc."]
Virtual CD v7 Management Service, VC7SecS, "C:\Program Files\HHVcdV7Sys\VC7SecS.exe" ["H+H Software GmbH"]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "msikbd2k" ["Netropa Corporation"]


---------- (launch time: 2007-12-28 00:43:28)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.[/code]
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 122 seconds, including 24 seconds for message boxes)
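The Silent Runners report above prints every launch point as a quoted path followed by the file's version-info company in brackets ([MS] for Microsoft files, [null data] or [empty string] when the file carries no company name, [file not found] when it is missing). Below is an added example, not code from this thread or from any of the tools it mentions, that parses such entries and ranks them for a responder: a nameless file sitting directly in the Windows directory, as C:\WINDOWS\emlkdvo.dll does here, ranks highest, while unsigned shareware like the Netropa keyboard service only earns a "review". The sample excerpt, the priority rules and the helper names are this example's own assumptions.

```python
"""Added example: triage of Silent Runners launch-point entries."""
import re
from dataclasses import dataclass

# Constructed excerpt: a few lines copied from the report above, one
# entry per line in the layout Silent Runners uses.
SAMPLE_REPORT = r'''
  -> {HKLM...CLSID} = "McAfee SiteAdvisor"
                   \InProcServer32\(Default) = "C:\Program Files\SiteAdvisor\6253\SiteAdv.dll" ["McAfee, Inc."]
  -> {HKLM...CLSID} = "The emlkdvo"
                   \InProcServer32\(Default) = "C:\WINDOWS\emlkdvo.dll" [null data]
  -> {HKLM...CLSID} = "Search Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
"Uniblue SpeedUpMyPC" -> launches: "d:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]
Netropa NHK Server, nhksrv, "C:\Program Files\Keymaestro\Multimedia Keyboard\nhksrv.exe" [null data]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]
'''

# "<path>" [<company>] at the end of a line; service lines double the quotes.
PATH_RE = re.compile(r'"+([^"]+)"+\s+\[([^\]]*)\]\s*$')
# The CLSID display name printed on the line before \InProcServer32\(Default).
NAME_RE = re.compile(r'\{HK(?:LM|CU)\.\.\.CLSID\}\s*=\s*"([^"]+)"')
# A file placed directly in the Windows directory rather than a subfolder.
WINDIR_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$', re.I)
# Company values that mean "nothing to verify" (assumed meaning of the brackets).
UNVERIFIED = {"null data", "empty string"}


@dataclass
class Finding:
    name: str
    path: str
    signer: str
    priority: str


def split_command(cmd: str) -> str:
    """Return only the executable part of a command line that may carry arguments."""
    m = re.match(r'(.+?\.(?:exe|dll|sys|ocx|cpl))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd


def rank(path: str, signer: str) -> str:
    """Heuristic priority: a triage aid, not a verdict (this example's own rules)."""
    if signer == "file not found":
        return "stale"       # launch point points at a file that no longer exists
    unverified = signer in UNVERIFIED
    if unverified and WINDIR_ROOT_RE.match(path):
        return "high"        # nameless file dropped straight into %WINDIR%
    if unverified:
        return "review"      # no company name: could be shareware or malware
    return "low"


def analyze(report: str) -> list:
    """Parse a Silent Runners excerpt into ranked Finding records."""
    findings = []
    pending_name = None
    for line in report.splitlines():
        if not line.strip():
            continue
        name_match = NAME_RE.search(line)
        if name_match:
            pending_name = name_match.group(1)   # remember for the path line
            continue
        path_match = PATH_RE.search(line)
        if not path_match:
            continue
        path = split_command(path_match.group(1))
        signer = path_match.group(2).strip('"')
        if pending_name:
            name = pending_name
        elif line.lstrip().startswith('"'):
            name = line.split('"')[1]             # "Name" -> launches: ...
        else:
            name = line.split(",", 1)[0].strip()  # service display name
        findings.append(Finding(name, path, signer, rank(path, signer)))
        pending_name = None
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f"{f.priority:6} {f.name:22} {f.path}  [{f.signer}]")
```

Run against a full report, the "review" bucket will always contain legitimate but unsigned software, so the company field is a reason to look at a file, never a reason to delete it.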

I scanned with Avast, a-squared Anti-Malware, online Kaspersky, Panda, MKS, then ComboFix, HijackThis, SmitFraudFix, Fixwareout, and the problem is still there. As soon as I start the system, something immediately tries to launch IE and shows a prompt asking whether to work offline or retry. Later, once there is an internet connection, it launches IE on its own from time to time (I use Firefox) and loads the pages listed above. What should I use to fix this problem???

One last request: use SmitFraudFix, choose option no. 2, in safe mode of course, and after that post a new log from ComboFix.

Don't get annoyed, but I did it in safe mode and it didn't remove anything, so I'm searching with a rootkit scanner. I'll post the logs tomorrow, I'll do it once more. I also have Rootkit Hook Analyzer, but it only found vsdatant.sys from ZoneAlarm, in 28 hooks.

Log from the RootkitRevealer program

HKU\.DEFAULT\Control Panel\International	2007-12-28 01:00	0 bytes	Security mismatch.

HKU\.DEFAULT\Control Panel\International\Geo	2007-12-28 01:00	0 bytes	Security mismatch.

HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International	2007-12-28 01:18	0 bytes	Security mismatch.

HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International\Geo	2007-12-27 21:15	0 bytes	Security mismatch.

HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Control Panel\International\Time	2007-12-27 21:15	0 bytes	Security mismatch.

HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2DDCD750-13F3-A817-ABB7-F2E380A716C7}*	2007-03-21 19:38	0 bytes	Key name contains embedded nulls (*)

HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{89D7E27D-B778-F6D4-54EB-094E0DA319C9}*	2007-04-25 16:40	0 bytes	Key name contains embedded nulls (*)

HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E37A654A-13D4-BA8B-008C-9D03EEE5C987}*	2007-03-21 19:33	0 bytes	Key name contains embedded nulls (*)

HKU\S-1-5-18\Control Panel\International	2007-12-28 01:00	0 bytes	Security mismatch.

HKU\S-1-5-18\Control Panel\International\Geo	2007-12-28 01:00	0 bytes	Security mismatch.

HKLM\SECURITY\Policy\Secrets\SAC*	2007-01-20 12:57	0 bytes	Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI*	2007-01-20 12:57	0 bytes	Key name contains embedded nulls (*)

HKLM\SOFTWARE\Classes\Component Categories\{6F625EB1-D1B1-11D2-8B29-0050041850C1}\409	2007-01-20 19:58	37 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed	2007-12-28 21:07	80 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\VideoPlugin\used-tags	2007-12-28 20:23	436 bytes	Windows API length not consistent with raw hive data.

HKLM\SOFTWARE\Microsoft\VideoPlugin\cpv-click-count	2007-12-28 20:23	4 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS\StateIndex	2007-12-28 21:07	4 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System*	2007-01-21 11:44	0 bytes	Key name contains embedded nulls (*)

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed	2007-12-28 21:06	4 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful	2007-12-28 21:06	4 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Zone Labs\ZoneAlarm\ProgramSecuredCount	2007-12-28 21:07	4 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount	2007-12-28 21:07	4 bytes	Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount	2007-12-28 21:07	4 bytes	Data mismatch between Windows API and raw hive data.
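The RootkitRevealer output above mixes a real hiding technique (keys whose names contain embedded nulls, which the Win32 registry API cannot open, so anything launched from them is invisible to normal tools) with noise from values that simply changed while the scan ran (the RNG seed, prefetcher and firewall counters) and from locale keys that routinely report a security mismatch. As an added example, not code from this thread or from Sysinternals, here is a small triage script that parses the tab-separated records into priorities. The excerpt is constructed from the log above, and the lists of keys it treats as expected noise are assumptions to be checked against a known-clean baseline.

```python
"""Added example: triage of RootkitRevealer discrepancy records."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of the log above: path, timestamp, size and
# description, tab-separated exactly as RootkitRevealer writes them.
SAMPLE_LOG = "\n".join("\t".join(fields) for fields in [
    (r"HKU\.DEFAULT\Control Panel\International", "2007-12-28 01:00", "0 bytes", "Security mismatch."),
    (r"HKU\S-1-5-21-1275210071-1637723038-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2DDCD750-13F3-A817-ABB7-F2E380A716C7}*", "2007-03-21 19:38", "0 bytes", "Key name contains embedded nulls (*)"),
    (r"HKLM\SECURITY\Policy\Secrets\SAC*", "2007-01-20 12:57", "0 bytes", "Key name contains embedded nulls (*)"),
    (r"HKLM\SOFTWARE\Classes\Component Categories\{6F625EB1-D1B1-11D2-8B29-0050041850C1}\409", "2007-01-20 19:58", "37 bytes", "Data mismatch between Windows API and raw hive data."),
    (r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed", "2007-12-28 21:07", "80 bytes", "Data mismatch between Windows API and raw hive data."),
    (r"HKLM\SOFTWARE\Microsoft\VideoPlugin\used-tags", "2007-12-28 20:23", "436 bytes", "Windows API length not consistent with raw hive data."),
    (r"HKLM\SOFTWARE\Microsoft\VideoPlugin\cpv-click-count", "2007-12-28 20:23", "4 bytes", "Data mismatch between Windows API and raw hive data."),
    (r"HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount", "2007-12-28 21:07", "4 bytes", "Data mismatch between Windows API and raw hive data."),
])

# Keys Windows itself creates with embedded nulls (assumption: treated as
# expected noise here; confirm against your own clean baseline).
EXPECTED_NULL_KEYS = re.compile(r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*$", re.I)
# Values that legitimately change while the scan is running (assumption).
VOLATILE_VALUES = re.compile(
    r"(\\Cryptography\\RNG\\Seed|\\Prefetcher\\Traces\w+|\\BITS\\StateIndex"
    r"|\\Zone Labs\\ZoneAlarm\\\w+Count)$", re.I)
# Locale keys that commonly show "Security mismatch" on clean systems (assumption).
LOCALE_KEYS = re.compile(r"\\Control Panel\\International(\\|$)", re.I)


@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size: str
    description: str
    priority: str


def classify(path: str, description: str) -> str:
    """Map one discrepancy to high / medium / low (this example's own rules)."""
    d = description.lower()
    if d.startswith("key name contains embedded nulls"):
        # Win32 cannot open such keys, so a launch point hidden there escapes
        # every API-based tool; only a few Windows-owned keys look like this.
        return "low" if EXPECTED_NULL_KEYS.match(path) else "high"
    if d.startswith("security mismatch"):
        return "low" if LOCALE_KEYS.search(path) else "medium"
    if "mismatch" in d or "not consistent" in d:
        # API data differs from the raw hive: either the value changed
        # mid-scan (volatile counters) or something is filtering the API view.
        return "low" if VOLATILE_VALUES.search(path) else "medium"
    return "medium"


def parse_log(text: str) -> list:
    """Parse tab-separated RootkitRevealer records; other lines are ignored."""
    out = []
    for line in text.splitlines():
        fields = line.rstrip("\r").split("\t")
        if len(fields) != 4:
            continue
        path, ts, size, desc = (f.strip() for f in fields)
        out.append(Discrepancy(path, ts, size, desc, classify(path, desc)))
    return out


def summarize(entries) -> dict:
    """Count records per priority, e.g. {'high': 1, 'medium': 3, 'low': 4}."""
    return dict(Counter(e.priority for e in entries))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    order = {"high": 0, "medium": 1, "low": 2}
    for e in sorted(entries, key=lambda e: order[e.priority]):
        print(f"{e.priority:6} {e.description:55} {e.path}")
    print(summarize(entries))
```

The "medium" bucket deliberately catches keys under names that are neither known-volatile nor Windows-owned, such as the VideoPlugin values here; whether they belong to a codec the user installed or to something else is for the responder to check, which is exactly what the rest of this thread does.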

Do what I asked you to do, I'm waiting for the logs

I'm pasting, in chronological order, what happened in safe mode

Username "Administrator" - 2007-12-28 1:11:30 [Fixwareout edited 9/01/2007]


~~~~~ Prerun check



System was rebooted successfully. 


~~~~~ Postrun check 

HKLM\SOFTWARE\~\Winlogon\ "System"="" 

....

....

~~~~~ Misc files. 

....

~~~~~ Checking for older varients.

....


~~~~~ Current runs (hklm hkcu "run" Keys Only)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="d:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

"CnxDslTaskBar"="\"C:\\Program Files\\ZTE Corporation\\ZXDSL852\\CnxDslTb.exe\" \"ZTE Corporation\\ZXDSL852\""

"MULTIMEDIA KEYBOARD"="C:\\Program Files\\Keymaestro\\Multimedia Keyboard\\MMKeybd.exe"

"CTxfiHlp"="CTXFIHLP.EXE"

"WinFast Schedule"="C:\\Program Files\\WinFast\\WFTVFM\\WFWIZ.exe"

"Appwarp"="d:\\PROGRA~1\\APPLIC~1\\ApplicationWarp.exe"

"WheelMouse"="d:\\PROGRA~1\\A4Tech\\Mouse\\Amoumain.exe"

"LClock"="C:\\Program Files\\LClock\\LClock.exe"

"Vista Sidebar"="C:\\Program Files\\Vista Sidebar\\sidebar.exe"

"VisualTooltip"="C:\\Program Files\\VisualTooltip\\VisualToolTip.exe"

"Blaero Start Orb"="C:\\Program Files\\Blaero Start Orb\\Blaero Start Orb.exe"

"Styler"="C:\\Program Files\\Styler\\Styler.exe"

"cFosDNT"="C:\\Program Files\\cFos\\cFosDNT.exe"

"SmartDefrag"="\"D:\\Program Files2\\IObit\\IObit SmartDefrag\\IObit SmartDefrag.exe\" /startup"

"a-squared"="\"d:\\Program Files2\\a-squared Anti-Malware\\a2guard.exe\""

"StartCCC"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"

"VC7Player"="C:\\Program Files\\HHVcdV7Sys\\VC7Play.exe"

"SiteAdvisor"="C:\\Program Files\\SiteAdvisor\\6253\\SiteAdv.exe"

"ZoneAlarm Client"="\"d:\\Program Files2\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

"AtiPTA"="atiptaxx.exe"

"CpuIdle"="D:\\program files2\\CpuIdle\\cpuidle.exe"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

....

Hosts file was reset, If you use a custom hosts file please replace it...

C:\WINDOWS\repair\autoexec.nt missing 

C:\WINDOWS\repair\Config.nt missing 

~~~~~End report~~~~~

then

SmitFraudFix v2.274


Scan done at 15:54:16,67, 2007-12-29

Run from D:\Antywiry\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost 


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix


S!Ri's WS2Fix: LSP not Found.



»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix


IEDFix.exe by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» DNS




»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End

[/code]

and ComboFix

[code]ComboFix 07-12-21.4 - Administrator 2007-12-29 15:55:34.4 - NTFSx86 MINIMAL

Paste into Notepad:

File::

C:\WINDOWS\system32\drivers\lirsgt.rar

C:\WINDOWS\system32\drivers\atksgt.rar

C:\WINDOWS\domnftwpto.dll

C:\WINDOWS\emlkdvo.dll

C:\WINDOWS\alxvdvm.dll

C:\WINDOWS\fvkwdrt.exe


Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83CDEF6B-98D2-4C60-84FC-00C44606A4F8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{D2F8F919-690B-4EA2-9FA7-A203D1E04F75}"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"alxvdvm"= -

>> File >> Save as... >>> CFScript (it is most convenient to save it in a location where the CFScript.txt icon ends up next to the ComboFix.exe icon)

Drag and drop the CFScript.txt file onto the ComboFix.exe file (that is, the CFScript.txt icon onto the ComboFix.exe icon)

(like in this picture: 88953CFScript-createdbyMiekiemoes.gif)

(if the question "1 or 2" appears, type 1 and press ENTER). The removal should start (and a log will be created).

After the restart, manually delete the folder C:\Qoobox.

After that, a new log from ComboFix

first log after using the script

ComboFix 07-12-21.4 - Paweł 2007-12-29 18:16:34.6 - NTFSx86

Read what I wrote above and do it, nothing was removed

well, maybe not the folder itself, but its entire contents, yes. Does an empty folder matter too?

The files are still there!!!

so I deleted the folder and ran a new ComboFix scan. I compared it with the previous one. 99% of it is the same; only those two files I mentioned change

ComboFix 07-12-21.4 - Paweł 2007-12-29 21:22:07.8 - NTFSx86

I'm attaching the log from gmer, a Polish program for removing rootkits (attachment: gmer log.rar)

Download The Avenger. Unpack it => run it => check the option Input script manually => click the magnifying-glass icon => in the window that opens, paste:

Files to delete:


C:\WINDOWS\domnftwpto.dll

C:\WINDOWS\emlkdvo.dll

C:\WINDOWS\alxvdvm.dll

C:\WINDOWS\fvkwdrt.exe

C:\WINDOWS\system32\drivers\lirsgt.rar

C:\WINDOWS\system32\drivers\atksgt.rar


Folders to delete:


C:\Program Files\MediaSupplyCodec

click the Done button => now click the green light => a message should appear, click OK (now the restart).

Thank you for the help. The problem seems to be solved. I'll see by the end of the day whether anything pops up.