Problem with Avast and with mail being sent out

Clean here too. In my humble opinion, it isn't malware's fault; it's quite possible that Avast is giving false information. Try reinstalling Avast and maybe the transfer, in its opinion, will drop :slight_smile:

Avast is turned off and the network traffic is considerable even though I'm not doing anything. And I'll add that this traffic is significant. It's not a few bytes sent every now and then but kilobytes being sent continuously. And I've already reinstalled Avast about 5 times since yesterday :frowning:

One thing I'm sure of: from the logs you can see it isn't malware's fault. Do you use any mail client? I see (from GMail Drive) that you use that mail service; it's quite possible that Drive also has some influence on the network behaving like this. Aren't you on some internal network where other computers also have an influence on it?

I don't use a mail client, and I uninstalled GMail Drive (just now) and it's still the same. I'm connected to a private network covering the whole city, but I have no way of exchanging files with others. Any ideas? Maybe you know some other little program that might find something? Sorry for being so stubborn, but this is a nuisance and I want to get rid of it as quickly as possible.

Since the logs are clean and AVG detects nothing, it's certainly not malware's fault. Have you tried contacting your provider (I know it isn't so easy over the holidays, but you can always try)? Describe the problem to them and maybe they know something more about it :slight_smile:

There's been a change! AVG detected 22 objects infected with some trojan. But it only detected them in normal mode, because when I ran it in safe mode it found nothing. So something is in there after all, because mail is still being sent. And what do I do now?

Paste the AVG report :slight_smile:

Here's the report:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------


 + Created at:	21:54:04 2006-12-25


 + Scan result:	




[1036] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1136] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1248] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1384] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1508] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1704] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1840] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1908] VM_13140000 -> Trojan.Agent.zq : No action taken.

[1924] VM_13140000 -> Trojan.Agent.zq : No action taken.

[2848] VM_13140000 -> Trojan.Agent.zq : No action taken.

[320] VM_13140000 -> Trojan.Agent.zq : No action taken.

[3220] VM_13140000 -> Trojan.Agent.zq : No action taken.

[3232] VM_13140000 -> Trojan.Agent.zq : No action taken.

[440] VM_13140000 -> Trojan.Agent.zq : No action taken.

[468] VM_13140000 -> Trojan.Agent.zq : No action taken.

[812] VM_13140000 -> Trojan.Agent.zq : No action taken.

[872] VM_13140000 -> Trojan.Agent.zq : No action taken.

[900] VM_13140000 -> Trojan.Agent.zq : No action taken.

[928] VM_13140000 -> Trojan.Agent.zq : No action taken.

[960] VM_13140000 -> Trojan.Agent.zq : No action taken.

[968] VM_13140000 -> Trojan.Agent.zq : No action taken.



::Report end

It's OK :slight_smile:

Look here and read about it.

From what I've found, two programs remove it: Counter Spy from Sunbelt and the Avira antivirus. The free version is Personal Classic. It should remove this trojan. Of course, uninstall Avast before installing Avira.

Unfortunately Spybot doesn't detect this version of Agent.

andgird, no comment :x

The log may be OK, but there's this problem: AVG supposedly removes it, but after the next reboot the trojan comes back and AVG detects it again. How do I get rid of it for good?

As you can see, no action was selected for dealing with the infection. Run the AVG scan once more and remove everything it finds :slight_smile:

But every time I told it to deal with it. The first time I chose Delete on reboot, restarted, scanned again and it found the same thing, and I chose delete, and as you can see it can't remove it.

Also run scans with other scanners:

:arrow: http://www.kaspersky.pl/virusscanner.html

:arrow: http://www.pandasoftware.com/activescan … ncipal.htm

And paste the reports from them too :slight_smile:

-------------------------------------------------------------------------------

 KASPERSKY ONLINE SCANNER REPORT

 26 December 2006 17:39:46

 Operating system: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

 Kaspersky Online Scanner version: 5.0.83.0

 Kaspersky Anti-Virus last update: 26/12/2006

 Kaspersky Anti-Virus database records: 240105

-------------------------------------------------------------------------------


Scan settings:

	Scan using the following databases: standard

	Scan archives: yes

	Scan mail databases: yes


Scan area - Folders:

	C:\


Scan statistics:

	Number of scanned objects: 30096

	Number of viruses found: 2

	Number of infected objects: 1 / 0

	Number of suspicious objects: 1

	Scan duration: 00:29:45


Infected object name / Virus name / Last action

C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped

C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped

C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Quarantine\70B024AE.dll	Infected: Trojan-PSW.Win32.Sinowal.h	skipped

C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped

C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat	Object is locked	skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Historia\History.IE5\index.dat	Object is locked	skipped

C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat	Object is locked	skipped

C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped

C:\Documents and Settings\Roman\Cookies\index.dat	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\allpeers\log\allpeers-00000045.log	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\allpeers\resources.db	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\cert8.db	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\flashgot.log	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\formhistory.dat	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\history.dat	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\key3.db	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\parent.lock	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\search.sqlite	Object is locked	skipped

C:\Documents and Settings\Roman\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\urlclassifier2.sqlite	Object is locked	skipped

C:\Documents and Settings\Roman\NTUSER.DAT	Object is locked	skipped

C:\Documents and Settings\Roman\ntuser.dat.LOG	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\Cache\_CACHE_001_	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\Cache\_CACHE_002_	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\Cache\_CACHE_003_	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\s0lua94z.default\Cache\_CACHE_MAP_	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Historia\History.IE5\index.dat	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Temp\~DFAF3.tmp	Object is locked	skipped

C:\Documents and Settings\Roman\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped

C:\Program Files\Konnekt\data\log\konnekt_live_06-12-26.log	Object is locked	skipped

C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped

C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped

C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped

C:\WINDOWS\Sti_Trace.log	Object is locked	skipped

C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped

C:\WINDOWS\system32\config\Antivirus.Evt	Object is locked	skipped

C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped

C:\WINDOWS\system32\config\default	Object is locked	skipped

C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\SAM	Object is locked	skipped

C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped

C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped

C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\software	Object is locked	skipped

C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped

C:\WINDOWS\system32\config\system	Object is locked	skipped

C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat	Object is locked	skipped

C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\index.dat	Object is locked	skipped

C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped

C:\WINDOWS\system32\h323log.txt	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped

C:\WINDOWS\system32\winlogon.exe	Suspicious: Type_Win32	sent to KL

C:\WINDOWS\temp\Perflib_Perfdata_9cc.dat	Object is locked	skipped

C:\WINDOWS\wiadebug.log	Object is locked	skipped

C:\WINDOWS\wiaservc.log	Object is locked	skipped

C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped


Scan process completed.

As you can see, these scanners didn't find those files.

Use this tool -> http://dobreprogramy.pl/index.php?dz=2&id=1188&t=59 -> and remove everything it finds with it :slight_smile:

Leaving aside the mail that keeps being sent, I have something worse. The computer has gotten horribly infected. Please help me remove all of it. Here are the logs:

Logfile of HijackThis v1.99.1

Scan saved at 17:02:24, on 2006-12-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\Mixer.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe

C:\WINDOWS\Integrator.exe

E:\Programy\Maxthon\Maxthon.exe

C:\WINDOWS\SYSTEM32\services.exe

C:\WINDOWS\SYSTEM32\services.exe

C:\WINDOWS\SYSTEM32\services.exe

E:\Programy\FlashGet\flashget.exe

C:\Program Files\Konnekt\konnekt.exe

E:\Programy\Winamp\winamp.exe

c:\hpuhjf.exe

C:\DOCUME~1\Roman\USTAWI~1\Temp\TioPGachg

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\autosys.exe

E:\Programy\Maxthon2\Maxthon.exe

E:\Bezpieczeństwo\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe

O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels1118.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Windows installer" = "C:\winstall.exe" [file not found]

"SpySheriff" = "C:\Program Files\SpySheriff\SpySheriff.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot" [file not found]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

"System" = "C:\WINDOWS\system32\kernels1118.exe" [null data]

"AutoSys" = "C:\WINDOWS\system32\autosys.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 130 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 47 seconds.

---------- (total run time: 239 seconds)
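The question a few posts up (AVG deletes the trojan, it is back after the next reboot) is answered by the HijackThis and Silent Runners output above: the malware is re-launched from `HKLM\..\Run` and `HKLM\..\RunServices` (`kernels1118.exe`, `autosys.exe`), from `HKCU\..\Run` (`C:\winstall.exe`, SpySheriff), from a Winlogon Notify DLL (`rpcc.dll`) and from processes running out of the drive root and the user's Temp folder, while the IE start page is pointed at a local `c:\secure32.html`. The script below is an added example, not HijackThis code and not from the poster: it parses a HijackThis 1.99 log and flags exactly those traits. The sample log is a constructed excerpt of the log pasted in this thread; the Winlogon Notify allowlist (stock XP SP2 names, from memory) and the name watchlists are assumptions, not data from the page.

```python
"""Triage a HijackThis 1.99 log for the hijack and persistence patterns in the thread above.
Added example, not HijackThis code and not from the poster; watchlists are assumptions."""
import re
from collections import namedtuple

# Constructed excerpt of the HijackThis log pasted in the thread (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
c:\hpuhjf.exe
C:\DOCUME~1\Roman\USTAWI~1\Temp\TioPGachg

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels1118.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Winlogon Notify packages of a stock XP SP2 install (assumption from memory; verify on a clean box).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
# Run-value names that impersonate Windows components, and rogue "antispyware" products (assumed lists).
GENERIC_RUN_NAMES = {"system", "systemtools", "autosys", "windows installer", "windows", "microsoft"}
ROGUE_PRODUCTS = {"spysheriff"}

_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_R = re.compile(r"^R[01] - .*= (?P<value>.*)$")
_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<desc>.*) - (?P<owner>.*) - (?P<path>.*)$")
Finding = namedtuple("Finding", "severity line reason")  # severity: "high" or "review"

def _exe_path(cmd):
    """Executable part of a Run command line: quoted path, or text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def _path_reasons(path):
    """Location-based tells shared by the process list and O4 entries."""
    p = path.lower()
    reasons = []
    if re.fullmatch(r"[a-z]:\\[^\\]+", p):
        reasons.append("executable sits directly in a drive root")
    if "\\temp\\" in p:
        reasons.append("executable runs from a Temp directory")
    if "." not in p.rsplit("\\", 1)[-1]:
        reasons.append("file has no extension")
    if re.search(r"\\[a-z]+\d{3,}\.exe$", p):
        reasons.append("name is a word plus a numeric suffix (kernels1118 style)")
    return reasons

def triage(log_text):
    """Return one Finding per suspicious trait; entries with nothing odd about them stay silent."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            findings += [Finding("high", line, r) for r in _path_reasons(line)]
            continue
        if (m := _R.match(line)) and re.match(r"[a-z]:\\", m["value"], re.I):
            findings.append(Finding("high", line, "IE start/default page points at a local file (browser hijack)"))
        elif (m := _O4.match(line)):
            exe = _exe_path(m["cmd"])
            reasons = _path_reasons(exe)
            if m["name"].lower() in GENERIC_RUN_NAMES:
                reasons.append("value name impersonates a Windows component")
            if m["key"].lower() == "runservices":
                reasons.append("RunServices is a Windows 9x key; legitimate XP software does not use it")
            if any(r in exe.lower() for r in ROGUE_PRODUCTS):
                reasons.append("known rogue antispyware product")
            findings += [Finding("high", line, r) for r in reasons]
        elif (m := _O20.match(line)) and m["name"].lower() not in KNOWN_NOTIFY:
            findings.append(Finding("high", line, "non-default Winlogon Notify DLL: loaded by winlogon.exe "
                                    "at every logon, so it can re-drop files a scanner deleted"))
        elif (m := _O23.match(line)) and (m["owner"] == "Unknown owner" or "(file missing)" in m["path"]):
            findings.append(Finding("review", line, "service with unknown publisher or missing binary"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Run it on the excerpt and it flags the drive-root and Temp processes, the local start page, both `kernels1118.exe` entries, `winstall.exe`, SpySheriff, `rpcc.dll` and the missing `msasvc.exe` service, while the Spybot BHO, the QuickTime entry and the AVG guard service stay quiet. The practical point for the poster's "it comes back after reboot" is that a scanner deleting one file does nothing about the other launch points; all of them have to go in the same session, before the next logon runs the Notify DLL and the Run values again.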


O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Windows installer" = "C:\winstall.exe" [file not found]

"SpySheriff" = "C:\Program Files\SpySheriff\SpySheriff.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot" [file not found]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

"System" = "C:\WINDOWS\system32\kernels1118.exe" [null data]

"AutoSys" = "C:\WINDOWS\system32\autosys.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 130 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 47 seconds.

---------- (total run time: 239 seconds)

Download the KillBox tool, tick Delete on Reboot, then click All Files and paste the following paths into the Full Path of File to Delete field:

C:\WINDOWS\system32\msasvc.exe

c:\hpuhjf.exe

C:\WINDOWS\system32\rpcc.dll

Click the X and reboot the system.

Use the WWDC tool (it lets you close the wormable ports), switch the markers from Disable to Enable (all of them should be green or yellow) and reboot the system.

Go to Start --> Run --> services.msc --> stop and disable the Microsoft authenticate service.

Open HijackThis --> Open Misc Tools Section --> Delete a NT service --> type MsaSvc and click OK.

Run SmitFraudFix with option 2 in Safe Mode.

Turn off System Restore (Control Panel -> System -> System Restore -> tick "Turn off System Restore").

In HJT run from Safe Mode, tick the entries and click "Fix checked" at the bottom; the items in red you delete from the disk manually:

After these steps, post new logs from HijackThis and Silent Runners (choose No and wait until it finishes working in the background) together with the file c:\rapport.txt. :slight_smile:
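The triage behind the steps above, as an added example that is not from the thread or from HijackThis itself: a small Python script that reads HijackThis-style log lines and flags the same kinds of entries the helper acted on (a start page redirected to a local HTML file, programs started from a drive root or a Temp folder, a Winlogon Notify DLL, and a service with an unknown owner whose binary is missing). The rule set is this example's own heuristic; the sample lines are copied from the log posted in the thread.

```python
"""Triage heuristics for a HijackThis v1.99 log (added example, not from the
thread or from HijackThis). The rule set is this example's own heuristic:
it flags the kinds of entries the helper in the thread chose to remove, so
that a reader can see why those lines stood out. The sample lines below are
copied from the log posted in the thread."""
import re

# Sample input: a trimmed copy of the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
c:\hpuhjf.exe
C:\DOCUME~1\Roman\USTAWI~1\Temp\TioPGachg
C:\WINDOWS\system32\autosys.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels1118.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
"""

# "R0 - ..." / "O23 - ..." item lines produced by HijackThis.
HJT_ITEM = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# A value that is a local file path rather than a URL (the secure32.html hijack).
LOCAL_FILE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Executables sitting directly in a drive root or under a Temp folder:
# installed software is rarely launched from there.
ODD_LOCATION = re.compile(r"^[a-z]:\\[^\\]+$|\\temp\\", re.IGNORECASE)
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SERVICE_ENTRY = re.compile(r"Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def extract_path(command):
    """Return the program path from a Run command line, dropping its arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def check_item(code, body):
    """Return a reason string when an R*/O* line matches a triage rule, else None."""
    if code in ("R0", "R1"):
        value = body.split("=", 1)[1].strip() if "=" in body else ""
        if LOCAL_FILE.match(value):
            return "browser page setting points at a local file"
    elif code == "O4":
        m = RUN_ENTRY.search(body)
        if m and ODD_LOCATION.search(extract_path(m.group("cmd"))):
            return "autorun target in drive root or Temp folder"
    elif code == "O20":
        # Every Winlogon Notify DLL is loaded into winlogon.exe; review its publisher.
        return "Winlogon Notify DLL (loaded into winlogon.exe at logon)"
    elif code == "O23":
        m = SERVICE_ENTRY.search(body)
        if m:
            problems = []
            if m.group("owner") == "Unknown owner":
                problems.append("unknown owner")
            if "(file missing)" in m.group("path"):
                problems.append("binary missing")
            if problems:
                return "service with " + " and ".join(problems)
    return None


def triage(log_text):
    """Scan a HijackThis log and return a list of (reason, line) findings."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = HJT_ITEM.match(line)
        if m:
            in_processes = False  # the process list ends where the R/O items start
            reason = check_item(m.group("code"), m.group("body"))
            if reason:
                findings.append((reason, line))
        elif in_processes and ODD_LOCATION.search(line):
            findings.append(("running process in drive root or Temp folder", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```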

There were complications doing this. First, KillBox couldn't delete C:\WINDOWS\system32\msasvc.exe. Then, when I wanted to remove those entries in HJ, as far as I remember only two of them were there and the rest were missing. But I've made a log now and I see that the things that weren't there have come back. E.g. SpySheriff: it wasn't there when I wanted to remove it in HJ, and now I see it's back. Here are the logs:

Logfile of HijackThis v1.99.1

Scan saved at 14:57:22, on 2006-12-28

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Mixer.exe

E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\802.11g Wireless LAN\Monitor.exe

C:\Program Files\REALTEK Semiconductor Corp\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe

C:\WINDOWS\SYSTEM32\systems_.exe

C:\WINDOWS\Integrator.exe

E:\Bezpieczeństwo\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\SPYBOT~1\SDHelper.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\jccatch.dll

O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

O4 - Startup: Hare.lnk = E:\Programy\Dachshund Software\Hare\Hare.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\802.11g Wireless LAN\Monitor.exe

O4 - Global Startup: RtlWake.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - E:\Programy\FlashGet\jc_all.htm

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na angielski - {CCCE5D70-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Tłumacz na polski - {CCCE5D71-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra button: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O9 - Extra 'Tools' menuitem: Zachowaj przetłumaczoną stronę - {CCCE5D72-9AA2-40F1-9C6B-12A255F08500} - E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll (HKCU)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {30A3CCA5-F34C-4E87-BB57-5A2F2C935E14} (AMI DicomDir TreeView Control 2.0) - file://F:\CDVIEWER\CdViewer.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Windows installer" = "C:\winstall.exe" [file not found]

"SpySheriff" = "C:\Program Files\SpySheriff\SpySheriff.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]

"QuickTime Task" = ""C:\WINDOWS\system32\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""E:\Programy\Real Alternative\Update_OB\realsched.exe" -osboot" [file not found]

"!AVG Anti-Spyware" = ""E:\Programy\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

"AutoSys" = "C:\WINDOWS\system32\autosys.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "E:\Programy\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" [file not found]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\Programy\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! rpcc\DLLName = "C:\WINDOWS\system32\rpcc.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "E:\Programy\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

VIDEOTRANS\(Default) = "{C8CA0A66-AF32-4D5E-879E-F0809ACEDC55}"

  -> {HKLM...CLSID} = "AmvTransform Class"

                   \InProcServer32\(Default) = "E:\Programy\MP4 Player Utilities 4.03\AMVConverter\AmvTransform.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"



Startup items in "Roman" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\Roman\Menu Start\Programy\Autostart

"Hare" -> shortcut to: "E:\Programy\Dachshund Software\Hare\Hare.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "E:\Programy\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"Monitor" -> shortcut to: "C:\Program Files\802.11g Wireless LAN\Monitor.exe" [empty string]

"RtlWake" -> shortcut to: "C:\Program Files\REALTEK Semiconductor Corp.\REALTEK RTL8180 Wireless LAN Driver and Utility\RtlWake.exe" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKCU\Software\Microsoft\Internet Explorer\Extensions\

{CCCE5D70-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na angielski"

"MenuText" = "Tłumacz na angielski"

"CLSIDExtension" = "{CC4371C0-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D71-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Tłumacz na polski"

"MenuText" = "Tłumacz na polski"

"CLSIDExtension" = "{CC4371C1-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


{CCCE5D72-9AA2-40F1-9C6B-12A255F08500}\

"ButtonText" = "Zachowaj przetłumaczoną stronę"

"MenuText" = "Zachowaj przetłumaczoną stronę"

"CLSIDExtension" = "{CC4371C2-D2F6-11D7-BDC4-00605209B788}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\poleng\translatica\bin\win\int\browser\iepolengextension.dll" ["POLENG"]


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "E:\Programy\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

StarWind iSCSI Service, StarWindService, "E:\Programy\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V5 2KMonitor\Driver = "EBPMON2.DLL" ["SEIKO EPSON CORPORATION"]

hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 125 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 41 seconds.

---------- (total run time: 221 seconds)

SmitFraudFix v2.131


Scan done at 3:17:11,37, 2006-12-28

Run from E:\Bezpieczeństwo\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


C:\DOCUME~1\Roman\MENUST~1\Programy\SpySheriff Deleted

C:\Program Files\SpySheriff\ Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End

[/code]