Problem z BootExecute


(Wiechura) #1

Prosiłbym o sprawdzenie moich logów mam kłopot z

INFECTION WARNING! "BootExecute, edytuję na "autocheck autochk *, ale za każdym razem dodaje się samoczynnie OODBS

Logfile of HijackThis v1.99.1

Scan saved at 20:03:35, on 2006-11-06

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\oodag.exe

C:\WINNT\system32\HPZipm12.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINNT\system32\ZoneLabs\vsmon.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\dmadmin.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\progra~1\alwils~1\avast4\ashdisp.exe

C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\CZASOWY\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\MSDXM.OCX

O4 - HKLM\..\Run: [avast!] c:\progra~1\alwils~1\avast4\ashdisp.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [hpfsched] c:\winnt\hpfsched.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Pobierz z Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\shdocvw.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152214866328

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINNT\system32\oodag.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ChelloInfo" = "c:\program files\chellopl\chelloinfo\chelloinfo.exe" ["Wortal chelloPL (http://chelloPL.one.pl)"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"avast!" = "c:\progra~1\alwils~1\avast4\ashdisp.exe" [null data]

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]

"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]

"hpfsched" = "c:\winnt\hpfsched.exe" [null data]

"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"ClamWin" = ""C:\Program Files\ClamWin\bin\ClamTray.exe" --logon" ["alch"]


HKLM\Software\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Dostęp do programu Outlook Express"

                                        \StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" = "OODefrag"

  -> {HKLM...CLSID} = "OODShellExtObj Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}" = "XnView Shell Extension"

  -> {HKLM...CLSID} = "XnViewShell Class"

                   \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

  -> {HKLM...CLSID} = "ShellLink for Application References"

                   \InProcServer32\(Default) = "C:\WINNT\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"

                   \InProcServer32\(Default) = "C:\WINNT\system32\dfshim.dll" [MS]

"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"

  -> {HKLM...CLSID} = "a-squared Free Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}" = "ABBYYPDFContextMenuExtension"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"

  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ABBYYPDFContextMenuExtension\(Default) = "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ClamWin\(Default) = "{65713842-C410-4f44-8383-BFE01A398C90}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\ClamWin\bin\ExpShell.dll" ["alch"]

IXnView\(Default) = "{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}"

  -> {HKLM...CLSID} = "XnViewShell Class"

                   \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]

OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"

  -> {HKLM...CLSID} = "OODShellExtObj Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINNT\system32\context.dll" ["SuperLogix"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

  -> {HKLM...CLSID} = "a-squared Free Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ClamWin\(Default) = "{65713842-C410-4f44-8383-BFE01A398C90}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\ClamWin\bin\ExpShell.dll" ["alch"]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"

  -> {HKLM...CLSID} = "OODShellExtObj Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINNT\system32\context.dll" ["SuperLogix"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Wroński\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 22

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

NVIDIA Display Driver Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]

O&O Defrag, O&O Defrag, "C:\WINNT\system32\oodag.exe" ["O&O Software GmbH"]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINNT\system32\HPZipm12.exe" ["HP"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]

hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

PDFCreator\Driver = "pdfcmnnt.dll" [null data]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 20 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 8 seconds.

---------- (total run time: 50 seconds)

Z GóRY DZIęKUJę ZA WSZELKIE SUGESTIE.


(Bbieniol) #2

Otwórz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG

Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa :slight_smile:


(Wiechura) #3

Dziękuję za pomoc, pomogło, a co myślisz o:

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

(Bbieniol) #4

To jest od Office'a :slight_smile: Wszystko już jest OK :slight_smile:


(Wiechura) #5

SERDECZNE DZIęKI. :slight_smile:


(Gutek) #6

Zastosuj się do tego Tematu i zmień tytuł tematu na konkretny inaczej KOSZ

Pisownia! !!

Pozdrawiam Gutek2222


(Wiechura) #7

Przepraszam, już się poprawiam. :oops:

Złączono Posta : 07.11.2006 (Wto) 19:06

Dzisiaj uruchomiłem kompa i znowu to samo, czy może to powodować O&ODefrag??

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/

Operating System: Windows 2000

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"avast!" = "c:\progra~1\alwils~1\avast4\ashdisp.exe" [null data]

"Synchronization Manager" = "mobsync.exe /logon" [MS]

"SoundMAXPnP" = "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]

"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]

"hpfsched" = "c:\winnt\hpfsched.exe" [null data]

"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Dostęp do programu Outlook Express"

                                        \StubPath = ""C:\WINNT\system32\shmgrate.exe" OCInstallUserConfigOE" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}" = "OODefrag"

  -> {HKLM...CLSID} = "OODShellExtObj Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}" = "XnView Shell Extension"

  -> {HKLM...CLSID} = "XnViewShell Class"

                   \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

  -> {HKLM...CLSID} = "ShellLink for Application References"

                   \InProcServer32\(Default) = "C:\WINNT\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"

                   \InProcServer32\(Default) = "C:\WINNT\system32\dfshim.dll" [MS]

"{A155339D-CCCD-4714-85EB-3754B804C9DF}" = "a-squared Free Context Menu Shell Extension"

  -> {HKLM...CLSID} = "a-squared Free Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}" = "ABBYYPDFContextMenuExtension"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"

  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ABBYYPDFContextMenuExtension\(Default) = "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

IXnView\(Default) = "{A5D35F9F-6A11-4EAA-B70B-7BB6FE32663A}"

  -> {HKLM...CLSID} = "XnViewShell Class"

                   \InProcServer32\(Default) = "C:\Program Files\XnView\XnViewShellExt.dll" [empty string]

OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"

  -> {HKLM...CLSID} = "OODShellExtObj Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINNT\system32\context.dll" ["SuperLogix"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

a2FreeContMenu\(Default) = "{A155339D-CCCD-4714-85EB-3754B804C9DF}"

  -> {HKLM...CLSID} = "a-squared Free Context Menu"

                   \InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2FREE~1.DLL" ["Emsi Software GmbH"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"

  -> {HKLM...CLSID} = "JetFlExt"

                   \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

OODefrag\(Default) = "{48EAD1E1-ECF2-4a85-AA09-1C44FBEED451}"

  -> {HKLM...CLSID} = "OODShellExtObj Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\OOSOFT~1\DEFRAG~1\oodsh.dll" ["O&O Software GmbH"]

Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"

  -> {HKLM...CLSID} = "Trojan Remover Shell Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" ["Simply Super Software"]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinExpert\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINNT\system32\context.dll" ["SuperLogix"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Wroński\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

NVIDIA Display Driver Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]

O&O Defrag, O&O Defrag, "C:\WINNT\system32\oodag.exe" ["O&O Software GmbH"]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINNT\system32\HPZipm12.exe" ["HP"]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

System zdarzeń COM+, EventSystem, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\es.dll" [null data]}

TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "C:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]

hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

PDFCreator\Driver = "pdfcmnnt.dll" [null data]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 28 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 8 seconds.

---------- (total run time: 58 seconds)