Powolny komp, trojany, błędy


(Drynda) #1

log z dziennika nod32

Pojawiające się okienko:

ie.jpg

log z Silent Runners

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS]

"UPSMON" = "C:\Program Files\UPSMON\UPSMON.exe" [file not found]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SvcManager" = "svhostl0.exe" [file not found]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  - {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{20C36E65-8A73-4DCF-A1BF-725FEFE9A3F5}\(Default) = (no title provided)

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ssqpq.dll" [null data]

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)

  - {HKLM...CLSID} = "IeCatch5 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["FlashGet"]

{40CBCC7F-63C3-4D94-B4D6-A0ED77B9EEB7}\(Default) = (no title provided)

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\fccbxvv.dll" [null data]

{68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50}\(Default) = (no title provided)

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\patgfhiv.dll" [file not found]

{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)

  - {HKLM...CLSID} = "gFlash Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\getflash.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  - {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  - {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

  - {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]

"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"

  - {HKLM...CLSID} = "GMail Drive"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"

  - {HKLM...CLSID} = "GMailFS Property Sheet"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"

  - {HKLM...CLSID} = "GMailFS Drop Handler"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"

  - {HKLM...CLSID} = "GMailFS Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  - {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"

  - {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

 "{40CBCC7F-63C3-4D94-B4D6-A0ED77B9EEB7}" = "*g" (unwritable string)

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\fccbxvv.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

 fccbxvv\DLLName = "fccbxvv.dll" [null data]

 rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [file not found]

 ssqpq\DLLName = "C:\WINDOWS\system32\ssqpq.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

  - {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  - {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  - {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  - {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  - {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

  - {HKLM...CLSID} = "7-Zip Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  - {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  - {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]



Group Policies {policy setting}:

--------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\


"HomePage" = (REG_DWORD) hex:0x00000001

{Disable changing home page settings}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "user" "All Users" startup folders:

------------------------------------------------------


C:\Documents and Settings\user\Menu Start\Programy\Autostart

"OpenOffice.org 2.1" - shortcut to: "C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Service Manager" - shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]

"TB-Tray" - shortcut to: "C:\Program Files\Thunderbird-Tray\TBTray.exe" ["Felix 'SniperBeamer' Geyer"]

"Utility Tray" - shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  - {HKLM...CLSID} = "FlashGet Bar"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

MSSQLSERVER, MSSQLSERVER, "C:\Mssql8\Binn\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"]

SysEnforce, SysEnforce, "C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE" [null data]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

HP LaserJet 5 Language Monitor\Driver = "hpdcmon.dll" ["Hewlett-Packard"]

Monitor języka PJL\Driver = "PJLMON.DLL" [MS]



----------

: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 54 seconds.

---------- (total run time: 150 seconds)

log z HijackThis

Logfile of HijackThis v1.99.1

Scan saved at 11:26:10, on 2007-02-12

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Mssql8\Binn\MSSQL\Binn\sqlservr.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Eset\nod32kui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\Thunderbird-Tray\TBTray.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\TC PowerPack\totalcmd.exe

c:\!\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

F2 - REG:system.ini: Shell=explorer.exe 

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [SvcManager] svhostl0.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://C:\Documents and Settings\user\Ustawienia lokalne\Temp\GPpodatki200701\IB\swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4960/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E81C4791-2461-40C8-8A6B-0684E5CD2F51}: NameServer = 194.204.159.1

O23 - Service: COM+ Messages - Unknown owner - -e,mc-110-12-0000272, (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe (file missing)

(Gutek) #2

, a pliki ręcznie

Skan AVG Anti-Spyware 7.5 po update :wink:

Użyj ATF-Cleaner - http://www.atribune.org/ccount/click.php?id=1

Czyszczenie rejestru:

RegCleaner - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=177

możesz rejestr przelecieć albo

jv16 PowerTools - http://www.dobreprogramy.pl/index.php?dz=2&t=29&id=509


(Drynda) #3

nowy log

Logfile of HijackThis v1.99.1

Scan saved at 11:35:23, on 2007-02-13

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Mssql8\Binn\MSSQL\Binn\sqlservr.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Thunderbird-Tray\TBTray.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.exe

C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN

C:\Program Files\Mozilla Thunderbird\thunderbird.exe

C:\Currenda\Kom\kom.exe

C:\Program Files\TC PowerPack\totalcmd.exe

C:\Program Files\Mozilla Firefox\firefox.exe

c:\!\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent

O4 - HKLM\..\Run: [UPSMON] C:\Program Files\UPSMON\UPSMON.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Global Startup: TB-Tray.lnk = C:\Program Files\Thunderbird-Tray\TBTray.exe

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - file://C:\Documents and Settings\user\Ustawienia lokalne\Temp\GPpodatki200701\IB\swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,4960/mcfscan.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E81C4791-2461-40C8-8A6B-0684E5CD2F51}: NameServer = 194.204.159.1

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

O23 - Service: UPSMONService - Unknown owner - C:\Program Files\UPSMON\UPSMON_Service.Exe (file missing)

przeskanowane avg znalazlo kilka objektow, zostały usunięte. Niestety okienko w błędem explorer.exe pokazuje sie dalej.

plik c:\widows\explorer.exe usunac? jest jeszcze w c:\widows\system32\dllcache

svhostl0.exe niemam nigdzie takiego pliku


(adam9870) #4

Pokaż log z SilentRunners + log numer 1 z L2Mfix.

Ale przed tym użyj VundoFix + Trojan.Vundo Removal Tool + VirtumundoBeGone.


(Drynda) #5
L2MFIX find log 051206

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

  6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

  6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc]

"DllName"="C:\\WINDOWS\\system32\\rpcc.dll"

"Asynchronous"=dword:00000001

"Impersonate"=dword:00000001

"Startup"="Startup"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

  6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

  6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

  6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

"Logon"="WLEventLogon"

"Logoff"="WLEventLogoff"

"Startup"="WLEventStartup"

"Shutdown"="WLEventShutdown"

"StartScreenSaver"="WLEventStartScreenSaver"

"StopScreenSaver"="WLEventStopScreenSaver"

"Lock"="WLEventLock"

"Unlock"="WLEventUnlock"

"StartShell"="WLEventStartShell"

"PostShell"="WLEventPostShell"

"Disconnect"="WLEventDisconnect"

"Reconnect"="WLEventReconnect"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000000

"SafeMode"=dword:00000001

"MaxWait"=dword:ffffffff

"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\

  6c,00,6c,00,00,00

"Event"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]

"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\

  00,00,89,ab,e0,f0,60,69,46,42,9d,c5,de,b0,4a,6a,cc,b5,04,00,00,00,04,00,00,\

  00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,6d,c7,3b,8b,87,2a,02,8c,\

  e4,9c,4c,07,f4,c9,2a,ad,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,6d,\

  da,03,da,95,93,dc,49,d0,d0,eb,00,ce,6a,a4,7e,e0,02,00,00,4b,ac,e4,09,0d,3a,\

  e2,a4,de,84,f1,05,99,54,e7,68,99,b6,f7,e1,a2,83,4d,42,a8,db,6e,63,4e,64,8d,\

  e0,6e,d3,06,fa,33,bf,aa,7d,3e,ca,5a,81,76,1d,91,07,5b,06,d0,5c,f6,a9,5b,ea,\

  48,d0,8e,61,af,9d,86,b4,18,5d,f2,45,60,ed,9d,0b,d4,95,e5,c9,f8,b7,1f,42,0c,\

  e4,f6,f7,7d,f2,00,71,75,97,59,5b,84,23,43,d9,7a,4b,d8,c5,3b,ce,bc,86,ed,90,\

  a9,67,2b,54,0e,b5,d4,30,3b,9e,d4,c4,17,41,8e,4e,73,e1,69,f2,0c,04,ad,65,45,\

  4b,ab,a5,ee,dd,af,8a,0b,02,71,83,06,f3,e6,5e,13,7f,3e,39,3a,f0,59,de,f2,0d,\

  01,8f,49,9b,a9,64,e4,f9,b9,c1,da,bd,d6,8f,a2,d2,28,1c,07,89,23,5d,92,c3,29,\

  7b,47,95,d7,85,51,16,17,0d,9c,a4,6e,c0,80,43,dc,e8,1e,5f,9c,57,6d,7e,15,f8,\

  e2,86,98,c0,24,b3,21,d6,2a,96,ee,9c,c9,11,7e,58,95,2f,47,d6,76,2a,25,5d,c9,\

  b0,0f,0d,b5,2e,3e,60,81,56,c5,28,34,d8,8d,b6,0a,f5,79,6b,68,fa,07,3f,ab,9c,\

  2d,44,bc,00,90,21,ad,f7,f4,93,aa,5d,e1,20,c4,69,27,16,b6,4f,f0,21,af,fe,0c,\

  77,5c,62,f7,dc,4a,e0,72,ef,dd,cc,e3,9a,d2,08,a1,78,77,eb,d1,d7,82,e3,a3,86,\

  70,ff,a5,af,2c,fb,c5,fc,ea,39,6a,ba,47,b9,f9,a3,99,16,c2,e8,74,05,18,e6,ae,\

  c9,5b,9f,43,9e,47,b8,93,68,8f,cc,ac,b2,8b,93,7f,2b,b3,31,7e,d7,a0,37,bf,24,\

  db,42,80,82,20,3d,a5,c8,37,a4,68,1e,e6,64,8c,51,df,d0,1a,d5,b9,b7,09,f0,5b,\

  24,82,fc,28,0e,98,7e,a1,bd,63,fa,58,f0,b4,4c,8e,4e,8f,87,cf,15,9b,01,26,d8,\

  67,a9,b5,4b,b0,11,3e,70,9e,57,07,a3,0a,af,fa,b9,da,c8,f6,6e,38,37,9c,7c,f8,\

  a2,9b,4d,8a,58,44,3a,a7,d1,ef,24,a2,bc,38,94,30,3e,54,68,91,aa,14,ac,9b,e3,\

  1a,dd,09,3a,1c,16,da,5e,20,f5,d6,ab,18,6b,58,1b,21,77,a5,e3,11,ec,9e,bf,00,\

  7b,9a,43,51,f3,cc,e4,bb,bc,d1,76,ce,4b,6c,a0,d7,98,06,ec,04,5d,6b,ae,e4,d5,\

  e2,75,e0,e3,bd,c9,aa,ce,d7,3c,9e,93,7d,ca,b7,6c,92,87,53,79,f3,3f,d8,59,06,\

  fc,6d,7b,74,99,79,49,62,1c,46,09,ee,72,ab,56,99,67,0c,58,6e,0c,0d,d5,6d,7e,\

  65,8d,0a,43,a2,18,02,e1,c2,6a,86,1b,60,31,6b,53,33,23,9e,01,66,92,b5,36,9a,\

  7c,e4,c1,7f,65,26,f0,bf,e3,ca,86,e0,be,6b,f2,cc,d9,26,0c,75,9e,27,5e,54,25,\

  39,1b,3e,d9,10,34,3e,ce,8f,5d,2a,ee,9f,33,c6,a7,47,4a,7d,8e,a5,fc,c4,e8,ad,\

  2e,d8,6d,21,c3,8c,8f,2d,44,4f,a5,73,77,3f,31,1c,66,51,ef,1e,c9,c9,b1,fb,a3,\

  e0,4e,80,37,41,da,3b,c3,59,d9,1a,8b,06,64,9c,e7,12,d8,69,ae,35,e9,20,9b,e5,\

  00,e7,84,b7,07,30,25,a1,cc,09,d1,d0,b3,7f,72,09,e4,0f,6c,18,ba,a8,cd,15,90,\

  d4,33,0d,94,01,b3,8d,4f,7d,37,3a,e7,5d,88,d7,21,75,81,55,24,36,74,d7,c6,e4,\

  29,6a,61,db,8c,14,00,00,00,81,e3,ea,16,19,96,a4,97,cb,d8,f6,6a,ec,2a,83,f9,\

  7e,9e,93,ef


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


**********************************************************************************

useragent:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""


**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Karta waciwoci pliku multimedialnego"

"{176d6597-26d3-11d1-b350-080036a75b03}"="ZarzĄdzanie skanerem ICM"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Strona zabezpieczeä NTFS"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Strona waciwoci OLE Docfile"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Rozszerzenia powoki dla udost©pniania zasob˘w"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL karty graficznej"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL monitora wywietlania"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL kadrowania wywietlania"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Strona zabezpieczeä usugi DS"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Strona zgodnoci"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Program obsugi danych wycinkowych powoki"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Rozszerzenie Disc Copy"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ZarzĄdzanie monitorem ICM"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ZarzĄdzanie drukarkĄ ICM"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Rozszerzenia powoki dla kompresji plik˘w"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Rozszerzenie powoki drukarek sieci Web"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu kontekstowe szyfrowania"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Akt˘wka"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Rozszerzenie ikony HyperTerminalu"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Strona zabezpieczeä drukarek"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Rozszerzenia powoki dla udost©pniania zasob˘w"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Rozszerzenie Crypto PKO"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Rozszerzenie Crypto Sign"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="PoĄczenia sieciowe"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="PoĄczenia sieciowe"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Skanery i aparaty fotograficzne"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Skanery i aparaty fotograficzne"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Skanery i aparaty fotograficzne"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Skanery i aparaty fotograficzne"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Skanery i aparaty fotograficzne"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Rozszerzenia powoki dla hosta skrypt˘w systemu Windows"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Zaplanowane zadania"

"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Pasek zadaä i menu Start"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Wyszukaj"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Pomoc i obsuga techniczna"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Pomoc i obsuga techniczna"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Uruchom..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Czcionki"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Narz©dzia administracyjne"

"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Strona waciwoci Poprzednie wersje"

"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Poprzednie wersje"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Pasek narz©dzi programu Microsoft Internet"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Stan pobierania"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Folder powoki zwi©kszonej"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Folder powoki zwi©kszonej 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Pasek przeglĄdarki Microsoft"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Pasek wyszukiwania"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Wyszukiwanie w okienku"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Wyszukiwanie w sieci Web"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Narz©dzie opcji drzewa rejestru"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adres"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Pole edycji adresu"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Autouzupenianie Microsoft"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="Wyodr©bnianie obraz˘w Trident"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista autouzupeniania MRU"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Niestandardowa lista autouzupeniania MRU"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Dost©pny"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Pasek podr©czny ledzenia"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista autouzupeniania historii Microsoft"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista autouzupeniania folderu powoki Microsoft"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Kontener wielu list autouzupeniania Microsoft"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu witryny paska powoki"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Pasek pulpitu powoki"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Pomoc dla uľytkownika"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globalne ustawienia folder˘w"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historia"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tymczasowe pliki internetowe"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tymczasowe pliki internetowe"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Ekran powitalny pakietu IE4"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Pasek eksploratora"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="Folder pami©ci podr©cznej ActiveX"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Folder subskrypcji"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Menedľer aplikacji powoki"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Wyliczanie zainstalowanych aplikacji"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publikator aplikacji Darwin"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+program wyodr©bniajĄcy miniatury plik˘w"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informacje podsumowujĄce obsugi miniatur (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Wyodr©bnianie miniatur HTML"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Kreator publikacji w sieci Web"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Zamawianie odbitek w sieci Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Obiekt powoki kreatora publikacji"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Kreator uzyskiwania profilu usugi Passport"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Konta uľytkownik˘w"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Folder plik˘w trybu offline"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Do os˘b..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{23170F69-40C1-278A-1000-000100020000}"="7-Zip Shell Extension"

"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Foldery w sieci Web"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Plik kanau"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Skr˘t kanau"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Obiekt obsugi kanau"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{2B3453E4-49DF-11D3-8229-0080BE509050}"="GMail Drive"

"{2B3453E4-49DF-11D3-8229-0080BE509052}"="GMailFS Property Sheet"

"{2B3453E4-49DF-11D3-8229-0080BE509054}"="GMailFS Drop Handler"

"{2B3453E4-49DF-11D3-8229-0080BE509056}"="GMailFS Context Menu"

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"="OpenOffice.org Column Handler"

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}"="OpenOffice.org Infotip Handler"

"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice.org Property Sheet Handler"

"{3B092F0C-7696-40E3-A80F-68D74DA84210}"="OpenOffice.org Thumbnail Viewer"

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}"="NOD32 Context Menu Shell Extension"

"{52B87208-9CCF-42C9-B88E-069281105805}"="Trojan Remover Shell Extension"


**********************************************************************************

HKEY ROOT CLASSIDS:

**********************************************************************************

Files Found are not all bad files:


C:\WINDOWS\SYSTEM32\

   imon.dll Tue 2007-02-06 13:37:30 A.... 298 104 291,12 K

   skaner~1.dll Wed 2006-12-13 13:24:56 A.... 715 048 698,29 K


2 items found: 2 files, 0 directories.

   Total of file sizes: 1 013 152 bytes 989,41 K

Locate .tmp files:


No matches found.

**********************************************************************************

Directory Listing of system files:

 Wolumin w stacji C nie ma etykiety.

 Numer seryjny woluminu: B846-3F89


 Katalog: C:\WINDOWS\System32


2007-02-16 08:14

[code]"Silent Runners.vbs", revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] "Spyware Doctor" = ""C:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PC Tools Research Pty Ltd"] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "SiSPower" = "Rundll32.exe SiSPower.dll,ModeAgent" [MS] "UPSMON" = "C:\Program Files\UPSMON\UPSMON.exe" [file not found] "SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."] "nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "] "TrojanScanner" = "C:\Program Files\Trojan Remover\Trjscan.exe" ["Simply Super Software"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM...CLSID} = "AcroIEHlprObj Class" \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = (no title provided) -> {HKLM...CLSID} = "IeCatch5 Class" \InProcServer32(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["FlashGet"] {F156768E-81EF-470C-9057-481BA8380DBA}(Default) = (no title provided) -> {HKLM...CLSID} = "gFlash Class" \InProcServer32(Default) = "C:\PROGRA~1\FlashGet\getflash.dll" [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] "{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive" -> {HKLM...CLSID} = "GMail Drive" \InProcServer32(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet" -> {HKLM...CLSID} = "GMailFS Property Sheet" \InProcServer32(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler" -> {HKLM...CLSID} = "GMailFS Drop Handler" \InProcServer32(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu" -> {HKLM...CLSID} = "GMailFS Context Menu" \InProcServer32(Default) = "C:\WINDOWS\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"] "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension" -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension" \InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data] "{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension" -> {HKLM...CLSID} = "Trojan Remover Shell Extension" \InProcServer32(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [file not found] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ 7-Zip(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."] NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension" \InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data] Trojan Remover(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}" -> {HKLM...CLSID} = "Trojan Remover Shell Extension" \InProcServer32(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = "{23170F69-40C1-278A-1000-000100020000}" -> {HKLM...CLSID} = "7-Zip Shell Extension" \InProcServer32(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"] AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension" \InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data] Trojan Remover(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}" -> {HKLM...CLSID} = "Trojan Remover Shell Extension" \InProcServer32(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "DisableRegistryTools" = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\ "HomePage" = (REG_DWORD) hex:0x00000001 {Disable changing home page settings} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS] Startup items in "user" & "All Users" startup folders: ------------------------------------------------------ C:\Documents and Settings\user\Menu Start\Programy\Autostart "OpenOffice.org 2.1" -> shortcut to: "C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe" [null data] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart "Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS] "TB-Tray" -> shortcut to: "C:\Program Files\Thunderbird-Tray\TBTray.exe" ["Felix 'SniperBeamer' Geyer"] "Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 17 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar" -> {HKLM...CLSID} = "FlashGet Bar" \InProcServer32(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ "ButtonText" = "FlashGet" "MenuText" = "&FlashGet" "Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["FlashGet.com"] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS] MSSQLSERVER, MSSQLSERVER, "C:\Mssql8\Binn\MSSQL\Binn\sqlservr.exe -sMSSQLSERVER" [MS] NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "] PC Tools Spyware Doctor, SDhelper, "C:\Program Files\Spyware Doctor\sdhelp.exe" ["PC Tools Research Pty Ltd"] SysEnforce, SysEnforce, "C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE" [null data] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP LaserJet 5 Language Monitor\Driver = "hpdcmon.dll" ["Hewlett-Packard"] Monitor języka PJL\Driver = "PJLMON.DLL" [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 48 seconds. ---------- (total run time: 150 seconds)

użyłem, lecz przed chwilą zrobilem to jeszcze raz i znalazlo znow

qpqss.ini, qpqss.bak1 i zostały usunięte.


(adam9870) #6

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\System32\qpqss.ini

C:\WINDOWS\System32\qpqss.bak1

C:\WINDOWS\System32\qqgpbmts.ini

C:\WINDOWS\System32\fccbxvv.dll.vir

po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Po wykonaniu wklej komplet logów (hijack + silent + log numer 1 z l2mfix).