Pawson91
(Pawson911)
29 April 2007 21:42
#1
Hi.
Yesterday I went to some site that required this particular piece of software, which was very easy to download. As it turned out later, it is an IE toolbar plus a trojan that pushes porn and ads :evil:
As if that weren't enough :/… when I tried to boot into Safe Mode some error popped up, you could see what it said for 2-3 seconds, then the computer restarts and comes back in normal mode.
It keeps showing me some dumb porn, keeps pushing ads for some casino, but mostly porn - some pervert, probably. What do I do?
nowy10
(Nowy10)
29 April 2007 21:46
#2
Joan
(Joan Sunshine)
29 April 2007 22:11
#3
Run SmitFraudFix with option 2 in Safe Mode, then post the logs and the file c:\rapport.txt.
Pawson91
(Pawson911)
29 April 2007 22:18
#4
Joan - I CAN'T DO ANYTHING IN SAFE MODE!
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 00:09:29, on 2007-04-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Image AX Object\smmain.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\Rundll32.exe
F:\Program Files\D-Tools\daemon.exe
C:\Program Files\Image AX Object\smmon.exe
F:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
F:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\DAP\DAP.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\KRÓLIK~1\USTAWI~1\Temp\Katalog tymczasowy 3 dla hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Anti-Blaxx Manager] F:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KAVPersonal50] F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [BearShare] "F:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "F:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [Onet.pl AutoUpdate] C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "F:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "F:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Startup: IMVU.lnk = F:\Program Files\IMVU\gui1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Królikowscy\Menu Start\Programy\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3445E670-8F52-402A-9A87-813A7D1C7F19}: NameServer = 172.16.6.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\KRÓLIK~1\USTAWI~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
And this is from Silent Runners:
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Creative Detector" = "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"NBJ" = ""F:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"Gadu-Gadu" = ""F:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"user32.dll" = "C:\Program Files\Image AX Object\bpmon.exe" [file not found]
"rare" = "C:\Program Files\Image AX Object\smmain.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTSysVol" = "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"DAEMON Tools-1033" = ""F:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"Anti-Blaxx Manager" = "F:\Program Files\Anti-Blaxx\Anti-Blaxx.exe" [null data]
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [null data]
"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe" ["HP"]
"DeviceDiscovery" = "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" ["Hewlett-Packard"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"Share-to-Web Namespace Daemon" = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"KAVPersonal50" = "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Lab"]
"BearShare" = ""F:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"DownloadAccelerator" = ""F:\Program Files\DAP\DAP.EXE" /STARTUP" ["Speedbit Ltd."]
"Onet.pl AutoUpdate" = "C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr" [file not found]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32\(Default) = "F:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "F:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
  -> {HKLM...CLSID} = "DAPMenuShellExt Class"
     \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
  -> {HKLM...CLSID} = "DAPMenuShellExt Class"
     \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
  -> {HKLM...CLSID} = "DAPMenuShellExt Class"
     \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoSMBalloonTip" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoSaveSettings" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop| Don't save settings at exit}
"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"CDRAutoRun" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"MemCheckBoxInRunDlg" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoClose" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoAutoTrayNotify" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoResolveTrack" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoResolveSearch" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoStartBanner" = (REG_BINARY) hex:01 00 00 00 {Remove "Click here to begin" from Start button}
"NoWelcomeScreen" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoSharedDocuments" = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Remove Shared Documents from My Computer}
"NoThemesTab" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoStrCmpLogical" = (REG_DWORD) hex:0x00000001 {unrecognized setting}
"NoClose" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"NoDispAppearancePage" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoColorChoice" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Hide Desktop tab}
"NoDispCPL" = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Remove Display in Control Panel}
"NoDispSettingsPage" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoDispScrSavPage" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"NoSizeChoice" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\
"NoUpdateCheck" = (REG_DWORD) hex:0x00000001 {unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on}
"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000 {unrecognized setting}
"SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000 {unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Królikowscy\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssstars.scr" [MS]

Startup items in "Królikowscy" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\Królikowscy\Menu Start\Programy\Autostart
"IMVU" -> shortcut to: "F:\Program Files\IMVU\gui1.exe" [file not found]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F0993251-2512-4710-AF6E-0A13EA199D02}"
  -> {HKLM...CLSID} = "Protection Bar"
     \InProcServer32\(Default) = "C:\Program Files\Image AX Object\splug.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{F0993251-2512-4710-AF6E-0A13EA199D02}\(Default) = "Protection Bar"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Image AX Object\splug.dll" [null data]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
  -> {HKLM...CLSID} = "Web Browser Applet Control"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D9288080-1BAA-4BC4-9CF8-A92D743DB949}\
"ButtonText" = "Run IMVU"
"Exec" = "C:\Documents and Settings\Królikowscy\Menu Start\Programy\IMVU\Run IMVU.lnk" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
kavsvc, kavsvc, "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt08\Driver = "hpzsnt08.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 47 seconds.
---------- (total run time: 125 seconds)
Post merged: 30.04.2007 (Mon) 0:19
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoSMBalloonTip” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop| Don’t save settings at exit} “NoRecentDocsHistory” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “CDRAutoRun” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “MemCheckBoxInRunDlg” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoClose” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoAutoTrayNotify” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoResolveTrack” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoResolveSearch” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “LinkResolveIgnoreLinkInfo” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoStartBanner” = (REG_BINARY) hex:01 00 00 00 {Remove “Click here to begin” from Start button} “NoWelcomeScreen” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoRecentDocsNetHood” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoDesktopCleanupWizard” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoSharedDocuments” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Remove Shared Documents from My Computer} “NoThemesTab” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoRemoteRecursiveEvents” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoStrCmpLogical” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoClose” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “NoDispAppearancePage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoColorChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispBackgroundPage” = (REG_DWORD) hex:0x00000000 
{User Configuration|Administrative Templates|Control Panel|Display| Hide Desktop tab} “NoDispCPL” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Control Panel|Display| Remove Display in Control Panel} “NoDispSettingsPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispScrSavPage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoVisualStyleChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoSizeChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\ “NoUpdateCheck” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “RunStartupScriptSync” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “SynchronousMachineGroupPolicy” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “SynchronousUserGroupPolicy” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Królikowscy\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp” Enabled Screen Saver: --------------------- HKCU\Control 
Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\ssstars.scr” [MS] Startup items in “Królikowscy” & “All Users” startup folders: ------------------------------------------------------------- C:\Documents and Settings\Królikowscy\Menu Start\Programy\Autostart “IMVU” -> shortcut to: “F:\Program Files\IMVU\gui1.exe” [file not found] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “Adobe Gamma Loader” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{F0993251-2512-4710-AF6E-0A13EA199D02}” -> {HKLM…CLSID} = “Protection Bar” \InProcServer32(Default) = “C:\Program Files\Image AX Object\splug.dll” [null data] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{F0993251-2512-4710-AF6E-0A13EA199D02}(Default) = “Protection Bar” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Image AX Object\splug.dll” [null 
data] HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}” -> {HKLM…CLSID} = “Web Browser Applet Control” \InProcServer32(Default) = “C:\WINDOWS\system32\msjava.dll” [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D9288080-1BAA-4BC4-9CF8-A92D743DB949}\ “ButtonText” = “Run IMVU” “Exec” = “C:\Documents and Settings\Królikowscy\Menu Start\Programy\IMVU\Run IMVU.lnk” [file not found] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Creative Service for CDROM Access, Creative Service for CDROM Access, “C:\WINDOWS\System32\CTsvcCDA.EXE” [“Creative Technology Ltd”] kavsvc, kavsvc, “F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe” [“Kaspersky Lab”] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] PnkBstrA, PnkBstrA, “C:\WINDOWS\system32\PnkBstrA.exe” [null data] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt08\Driver = “hpzsnt08.dll” [“HP”] Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 47 seconds. ---------- (total run time: 125 seconds)
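As an added example (not part of the thread, and not one of the tools used in it): a small Python script that reads Silent Runners output in the layout the tool actually prints (a registry key header, then one value per line; the copy above was flattened when the post was archived) and flags the autostart entries a helper would look at first, such as the two Image AX Object entries under Policies\Explorer\Run. The embedded sample is constructed from a few lines of the log above, and the scoring weights and threshold are my own choice.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few entries from the "Startup items buried in registry"
# block of the Silent Runners log in this thread, re-lined as the tool prints
# them (key header, then one "name" = "command" [signer] line per value).
SAMPLE_LOG = r'''
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"user32.dll" = "C:\Program Files\Image AX Object\bpmon.exe" [file not found]
"rare" = "C:\Program Files\Image AX Object\smmain.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTSysVol" = "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [null data]
"Onet.pl AutoUpdate" = "C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr" [file not found]
'''

# A registry key header: "HKLM\...\Run\" optionally followed by " {++}".
KEY_RE = re.compile(r'^(HK(?:LM|CU|CR|U)\\.*\\)(?: \{\+\+\})?$')
# A value line. The command may itself contain quotes, so the middle group is greedy.
VALUE_RE = re.compile(r'^"([^"]+)" = "(.*)" \[([^\]]*)\]$')
# Policies\Explorer\Run is seldom used by legitimate installers but is a classic
# place for adware to hide; value names that look like system DLLs are another tell.
POLICY_RUN_RE = re.compile(r'\\Policies\\Explorer\\Run\\$', re.IGNORECASE)
DLL_NAME_RE = re.compile(r'^[\w.-]+\.dll$', re.IGNORECASE)


@dataclass
class StartupEntry:
    key: str
    name: str
    command: str
    signer: str            # company name from the version resource, "MS", "null data", ...
    reasons: list = field(default_factory=list)
    score: int = 0

    @property
    def suspicious(self) -> bool:
        # Threshold is a judgement call (assumption): one weak signal alone
        # (unsigned, or missing file) is not enough, since e.g. the HP updater
        # above is unsigned but harmless.
        return self.score >= 2


def parse_startup_entries(text: str) -> list:
    """Return every "name" = "command" [signer] value with the key it lives under."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, command, signer = m.groups()
            entries.append(StartupEntry(key, name, command, signer.strip('"')))
    return entries


def assess(entry: StartupEntry) -> StartupEntry:
    """Attach human-readable reasons and a score; the weights are an assumption."""
    checks = [
        (2, POLICY_RUN_RE.search(entry.key) is not None,
         "launches from Policies\\Explorer\\Run, a launch point normal installers rarely use"),
        (2, DLL_NAME_RE.match(entry.name) is not None and not entry.command.lower().endswith(".dll"),
         "value name imitates a system DLL but the command runs an executable"),
        (1, entry.signer == "null data", "binary carries no company/version data"),
        (1, entry.signer == "file not found", "target no longer exists on disk"),
    ]
    entry.reasons = [why for weight, hit, why in checks if hit]
    entry.score = sum(weight for weight, hit, _ in checks if hit)
    return entry


def suspicious_names(text: str) -> list:
    """Names of the entries worth attention, in log order."""
    return [e.name for e in map(assess, parse_startup_entries(text)) if e.suspicious]


if __name__ == "__main__":
    for e in map(assess, parse_startup_entries(SAMPLE_LOG)):
        flag = "SUSPICIOUS" if e.suspicious else "ok        "
        print(f"{flag} {e.key}{e.name} -> {e.command}")
        for why in e.reasons:
            print(f"           - {why}")
```

Run against the sample it reports only the two Image AX Object entries; the unsigned HP updater and the stale Onet.pl shortcut each score one point and stay below the threshold.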
adam9870
(adam9870)
30 April 2007 12:47
#5
See: Restoring Safe Mode, and if you still cannot boot the system into Safe Mode, try the free program Gmer.
In the Processes tab click Gmer awaryjny (Gmer safe mode). The computer will restart and only the Gmer window will remain.
In the Processes tab, via … (three dots), point to SmitFraudFix and run it with option number 2.
Restart the computer with the button on the case.
When done, report back and paste new logs. If the Gmer method does not work, we will try manual removal.
Pawson91
(Pawson911)
30 April 2007 20:23
#6
Restoring Safe Mode - that did not work for me ;]
Gmer… everything was OK right up to the computer starting up. I clicked OK that everything was fine, that Gmer safe mode would run, and OK. And then suddenly a blue screen pops up saying something about me having installed hardware incorrectly, that it was done wrong, and that I should ask the administrator for some files :roll: I didn't understand any of it, to put it simply.
If you can, tell me how to remove this /censored/ manually?
P.S. - awesome post count
adam9870
(adam9870)
30 April 2007 20:29
#7
Please paste a complete set of new logs - HijackThis and SilentRunners.
adam9870
(adam9870)
30 April 2007 21:42
#9
Start -> Run -> type the command taskmgr and click OK -> on the Processes tab end the explorer.exe process, after which the desktop will disappear.
On the Applications tab click New Task -> in the window that opens type the command cmd and click OK.
In the console that opens, issue the following command:
On the Applications tab click New Task -> in the window that opens type explorer.exe and click OK.
Restart the computer.
Open Notepad and paste this into it:
File >>> Save As >>> change the extension from TXT to All Files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
Remove the HJT entry.
The regular version of BearShare contains junk, so I suggest removing it. If you really must use it, install the Lite version, which is free of the junk.
Scan the system with this online scanner:
http://www.ewido.net/en/onlinescan/
When done, paste new logs.
Pawson91
(Pawson911)
30 April 2007 22:09
#10
This is what I got after doing the first 3 steps you wrote.
I also tried deleting it manually from the disk (right mouse button -> Delete), but again I got an access denied message.
I didn't do the rest, because I think one thing follows from the other here.
What should I do?
Gutek
(Gutek)
30 April 2007 22:28
#11
Gutek
(Gutek)
30 April 2007 23:03
#13
Download The Avenger. Unpack => run => check the option Input script manually => click the magnifying glass => in the window that opens paste:
Click the Done button => now click the green light => a message should appear; click OK (restart now).
Pawson91
(Pawson911)
1 May 2007 07:54
#14
YES!
Finally something worked. Now I'll post logs from HJT, Silent Runners and ComboFix - a little something for everyone.
HJT:
Logfile of HijackThis v1.99.1 Scan saved at 09:45:05, on 2007-05-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\RUNDLL32.EXE F:\Program Files\D-Tools\daemon.exe F:\Program Files\Anti-Blaxx\Anti-Blaxx.exe C:\WINDOWS\System32\CTsvcCDA.EXE C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe F:\Program Files\BearShare\BearShare.exe F:\Program Files\DAP\DAP.EXE C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\System32\svchost.exe F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\DOCUME~1\KRÓLIK~1\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r O4 - HKLM…\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKLM…\Run: [updReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE 
C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [DAEMON Tools-1033] “F:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [Anti-Blaxx Manager] F:\Program Files\Anti-Blaxx\Anti-Blaxx.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe O4 - HKLM…\Run: [KAVPersonal50] F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize O4 - HKLM…\Run: [bearShare] “F:\Program Files\BearShare\BearShare.exe” /pause O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [DownloadAccelerator] “F:\Program Files\DAP\DAP.EXE” /STARTUP O4 - HKLM…\Run: [Onet.pl AutoUpdate] C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr O4 - HKCU…\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [NBJ] “F:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - HKCU…\Run: [Gadu-Gadu] “F:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - Startup: IMVU.lnk = F:\Program Files\IMVU\gui1.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm O8 - Extra context menu item: Download &all with DAP - F:\Program 
Files\DAP\dapextie2.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{3445E670-8F52-402A-9A87-813A7D1C7F19}: NameServer = 172.16.6.1 O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\KRÓLIK~1\USTAWI~1\Temp\hpdj.exe (file missing) O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: kavsvc - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
Silent Runners:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Creative Detector” = “C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R” [“Creative Technology Ltd”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “NBJ” = ““F:\Program Files\Ahead\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] “Gadu-Gadu” = ““F:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTSysVol” = “C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r” [“Creative Technology Ltd”] “P17Helper” = “Rundll32 P17.dll,P17Helper” [MS] “UpdReg” = “C:\WINDOWS\UpdReg.EXE” [“Creative Technology Ltd.”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “DAEMON Tools-1033” = ““F:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “Anti-Blaxx Manager” = “F:\Program Files\Anti-Blaxx\Anti-Blaxx.exe” [null data] “HP Software Update” = “C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe” [null data] “HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe” [“HP”] “DeviceDiscovery” = “C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe” [“Hewlett-Packard”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “Share-to-Web Namespace Daemon” = “C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe” [“Hewlett-Packard”] “KAVPersonal50” = “F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize” [“Kaspersky Lab”] “BearShare” = ““F:\Program Files\BearShare\BearShare.exe” /pause” [“Free Peers, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “DownloadAccelerator” = ““F:\Program 
Files\DAP\DAP.EXE” /STARTUP” [“Speedbit Ltd.”] “Onet.pl AutoUpdate” = “C:\Program Files\Common Files\Onet.pl\AutoUpdate.exe /tsr” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “F:\Program Files\WinRAR\rarext.dll” [null data] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” 
\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “F:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “F:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band” -> {HKLM…CLSID} = “History Band” \InProcServer32(Default) = “C:\WINDOWS\system32\SHDOCVW.DLL” [MS] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “F:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “F:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] HKLM\Software\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “F:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = 
“F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “F:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “F:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “F:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoSMBalloonTip” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoSaveSettings” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|Desktop| Don’t save settings at exit} “NoRecentDocsHistory” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “CDRAutoRun” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoLowDiskSpaceChecks” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “MemCheckBoxInRunDlg” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoClose” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoAutoTrayNotify” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoResolveTrack” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoResolveSearch” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “LinkResolveIgnoreLinkInfo” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoStartBanner” = (REG_BINARY) hex:01 00 00 00 {Remove “Click here to begin” from Start button} “NoWelcomeScreen” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoRecentDocsNetHood” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoDesktopCleanupWizard” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoSharedDocuments” = (REG_DWORD) hex:0x00000001 {User Configuration|Administrative Templates|Windows Components|Windows Explorer| Remove Shared Documents from My Computer} “NoThemesTab” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ “NoRemoteRecursiveEvents” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoStrCmpLogical” = (REG_DWORD) hex:0x00000001 {unrecognized setting} “NoClose” = (REG_DWORD) hex:0x00000000 {unrecognized setting} HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “NoDispAppearancePage” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoColorChoice” = (REG_DWORD) hex:0x00000000 {unrecognized setting} “NoDispBackgroundPage” = (REG_DWORD) hex:0x00000000 
ComboFix
adam9870
(adam9870)
1 May 2007 08:16
#15
Choose Start -> Run -> type cmd and click OK -> in the console that opens, issue the following commands:
Use the ATF Cleaner program and clean Current User Temp and All Users Temp.
Pawson91
(Pawson911)
1 May 2007 19:00
#16
After several attempts, the same result:
C:\Documents and Settings\Królikowscy>rd /s /q “C:\Documents and Settings\KRÓLIK~1\Ustawienia lokalne\Temp”
C:\Documents and Settings\KRÓLIK~1\Ustawienia lokalne\Temp\~DFCA18.tmp - Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
C:\Documents and Settings\KRÓLIK~1\Ustawienia lokalne\Temp\hpotdd002.log - Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
Which process could that be?
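The `rd /s /q` errors above ("used by another process") are the normal failure mode of clearing a temp folder while programs still hold files open; a cleanup that deletes what it can and returns the leftovers makes it obvious which files to look at. This is an added Python example, not code from the thread or from ATF Cleaner; the file names are constructed, and the lock is simulated through an injected `remove_file` callable because a real share lock only occurs on Windows.

```python
import errno
import os
import tempfile
from pathlib import Path

def clear_temp_dir(temp_dir, remove_file=os.remove):
    """Best-effort recursive cleanup of a temp directory.

    rd /s /q prints one error per file that another process holds open
    and leaves it behind; this walks bottom-up, deletes what it can and
    returns the paths it could not delete so they can be examined.
    remove_file is injectable only so the locked-file case can be
    simulated in demo(). Returns (deleted_count, [(path, reason), ...]).
    """
    deleted, failed = 0, []
    for dirpath, dirnames, filenames in os.walk(temp_dir, topdown=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                remove_file(path)
                deleted += 1
            except OSError as exc:
                failed.append((path, exc.strerror or str(exc)))
        for name in dirnames:
            try:
                os.rmdir(os.path.join(dirpath, name))
            except OSError:
                pass  # still contains a locked file; reported above
    return deleted, failed

def demo(locked_name="hpotdd002.log"):
    """Constructed scenario: a temp tree in which one file is 'in use'."""
    with tempfile.TemporaryDirectory() as tmp:
        sub = Path(tmp) / "Katalog tymczasowy 3"
        sub.mkdir()
        for name in ("~DFCA18.tmp", "setup.log", locked_name):
            (sub / name).write_text("constructed sample")
        (Path(tmp) / "stale.txt").write_text("constructed sample")

        def remove_unless_locked(path):
            # simulated share lock, as Windows reports for an open handle
            if os.path.basename(path) == locked_name:
                raise PermissionError(errno.EACCES, "used by another process", path)
            os.remove(path)

        deleted, failed = clear_temp_dir(tmp, remove_unless_locked)
        # the directory holding the locked file survives, everything else goes
        return deleted, [os.path.basename(p) for p, _ in failed], sub.exists()
```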
adam9870
(adam9870)
1 May 2007 19:13
#17
In the boot menu shown after pressing F5 or F8 while the system starts, check whether you can choose Safe Mode with Networking, and if so, issue the following commands from there:
Pawson91
(Pawson911)
2 May 2007 08:46
#18
After enabling that mode and starting Windows, the profile selection screen appears. I chose “Administrator” and the system restarted :?