mirg
(Mir100)
8 Maj 2006 13:00
#1
Witam i tak jak w temacie mam problem z tym syfkiem.Objawy-strona startowa IE-safetydefender ,oraz częste wywalanie z IE
prosze o sprawdzenie loga
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\No-IP\DUC20.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\system32\atmclk.exe
D:\WINDOWS\system32\dcomcfg.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\WINDOWS\system32\CTHELPER.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\gry\half life2\steam.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\Mirek\USTAWI~1\Temp\Rar$EX00.781\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.icm.edu.pl:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - D:\WINDOWS\system32\hp855C.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\Program Files\FMV5\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [startxpclean] \program files\xpcleaner\cxprerun.cmd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Spyware Stormer] D:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\RunOnce: [startxpclean] \program files\xpcleaner\cxp.cmd
O4 - HKCU\..\Run: [Steam] "e:\gry\half life2\steam.exe" -silent
O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra 'Tools' menuitem: Net2Phone - {4B30061A-5B39-11D3-80F8-0090276F843F} - C:\Program Files\Net2Phone\Net2fone.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://195.67.71.132/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F64B4A4-C074-45BA-8C88-17AD34CE4AC4}: NameServer = 194.204.159.1,194.204.152.34
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NoIPDUCService - Vitalwerks LLC - D:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
Log obejmuj znacznikami
Zedytowano i przeniesiono do działu Bezpieczeństwo
Sdar[/color]
kuz5
(Kuz5)
8 Maj 2006 13:25
#2
Usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)
Plik na czerwono usun ręcznie z dysku
Te pliki również usuń z dysku recznie:
Resztki Javy i Yahoo! Messenger (jak ich juz nie masz na kompie to ciachnij)
Ten wpis z kreseczką “_” usuniesz edytorem rejestru Registrar Lite
Uruchom edytor w pole Address wklej ścieżke
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks i kliknij Go poczym zostaniesz przeniesiony do tego klucza. Po prawej stronie będzie widoczny wpis _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} wszystkie inne wpisy z taką samą kreseczką także kasujesz i z prawokliku kasujesz wpisy.
Pobierz program Ewido zrób update i przeskanuj
Użyj Smitrem
Wklej loga SilentRunners
Bieniol
(Bbieniol)
8 Maj 2006 14:14
#4
kuz5:
Wklej loga SilentRunners
Nie zastosowałes się do tego :roll: A to ważna częśc przy usuwaniu tego śmiecia
mirg
(Mir100)
8 Maj 2006 16:37
#5
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = ""e:\gry\half life2\steam.exe" -silent" ["Valve Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"kernel32.dll" = "D:\WINDOWS\system32\atmclk.exe" [file not found]
"dcomcfg.exe" = "dcomcfg.exe" [null data]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]
"SunJavaUpdateSched" = "D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"WINDVDPatch" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"UpdReg" = "D:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"Jet Detection" = ""D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"" [empty string]
"CTStartup" = "D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run" ["Creative Technology Ltd."]
"avast!" = "D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"startxpclean" = "\program files\xpcleaner\cxprerun.cmd" [null data]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Spyware Stormer" = "D:\Program Files\Spyware Stormer\SpywareStormer.Exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"startxpclean" = "\program files\xpcleaner\cxp.cmd" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{b0398eca-0bcd-4645-8261-5e9dc70248d0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Nothing"
\InProcServer32\(Default) = "D:\WINDOWS\system32\hpEE38.tmp" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a˛ Context Menu Shell Extension"
-> {HKLM...CLSID} = "a˛ Context Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\a-squared\a2contmenu.dll" [null data]
"{CCA60260-A2C9-11D2-BA62-0020188191B2}" = "Registrar Registry Manager SHell Extension"
-> {HKLM...CLSID} = "Registrar Registry Manager SHell Extension"
\InProcServer32\(Default) = "rrShellX.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: "]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {HKLM...CLSID} = "Ctest Object"
\InProcServer32\(Default) = "D:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a˛ Context Menu Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\a-squared\a2contmenu.dll" [null data]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Mirek\Moje dokumenty\Moje obrazy\fin4.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "d:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "d:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" [file not found]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{4B30061A-5B39-11D3-80F8-0090276F843F}\
"ButtonText" = "Net2Phone"
"MenuText" = "Net2Phone"
"Exec" = "C:\Program Files\Net2Phone\Net2fone.exe" ["Net2Phone"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
D:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
NoIPDUCService, NoIPDUCService, "D:\Program Files\No-IP\DUC20.exe -service" ["Vitalwerks LLC"]
NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
WMDM PMSP Service, WMDM PMSP Service, "D:\WINDOWS\System32\MsPMSPSv.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
OLFax Ports\Driver = "OLFMNT40.DLL" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 70 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 107 seconds)
Bieniol
(Bbieniol)
8 Maj 2006 16:47
#6
Otwórz notatnik i wklej w nim to:
Plik --> zapisz jako --> zmień rozszerzenie na wszystkie pliki --> zapisz pid nazwą FIX.REG
Uruchamiasz narzędzie KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
D:\WINDOWS\system32\hpEE38.tmp
D:\WINDOWS\system32\dcomcfg.exe
Klikasz X i restart kompa (restart dopiero po usunięciu ostatniego pliku)
W trybie awaryjnym odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa
Po zabiegu nowy log z Silenta
PS> Masz jeszcze Spyware Stormer ?
mirg
(Mir100)
8 Maj 2006 16:47
#7
safetydefender dalej się wcina narazie nie pomogło,może coś żle zrobiłem
“Silent Runners.vbs”, revision 45, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Steam” = ““e:\gry\half life2\steam.exe” -silent” [“Valve Corporation”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “kernel32.dll” = “D:\WINDOWS\system32\atmclk.exe” [file not found] “dcomcfg.exe” = “dcomcfg.exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Logitech Utility” = “Logi_MwX.Exe” [“Logitech Inc.”] “SunJavaUpdateSched” = “D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “WINDVDPatch” = “CTHELPER.EXE” [“Creative Technology Ltd”] “UpdReg” = “D:\WINDOWS\UpdReg.EXE” [“Creative Technology Ltd.”] “Jet Detection” = ““D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”” [empty string] “CTStartup” = “D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run” [“Creative Technology Ltd.”] “avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “startxpclean” = “\program files\xpcleaner\cxprerun.cmd” [null data] “NvCplDaemon” = “RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “QuickTime Task” = ““D:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “Spyware Stormer” = “D:\Program Files\Spyware Stormer\SpywareStormer.Exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “startxpclean” = “\program files\xpcleaner\cxp.cmd” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {b0398eca-0bcd-4645-8261-5e9dc70248d0}(Default) = (no title provided) -> {HKLM…CLSID} = “Nothing” \InProcServer32(Default) = “D:\WINDOWS\system32\hpFB96.tmp” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “D:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind” -> {HKLM…CLSID} = “Microsoft Office Binder Unbind” \InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “D:\WINDOWS\system32\browseui.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] “{AB77609F-2178-4E6F-9C4B-44AC179D937A}” = “a˛ Context Menu Shell Extension” -> {HKLM…CLSID} = “a˛ Context Menu Shell Extension” \InProcServer32(Default) = “D:\PROGRA~1\a-squared\a2contmenu.dll” [null data] “{CCA60260-A2C9-11D2-BA62-0020188191B2}” = “Registrar Registry Manager SHell Extension” -> {HKLM…CLSID} = “Registrar Registry Manager SHell Extension” \InProcServer32(Default) = “rrShellX.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “D:\Program Files\ewido anti-malware\shellhook.dll” ["TODO: "] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {HKLM…CLSID} = “Ctest Object” \InProcServer32(Default) = “D:\Program Files\ewido anti-malware\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {HKLM…CLSID} = “Ctest Object” \InProcServer32(Default) = “D:\Program Files\ewido anti-malware\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ a2ContMenu(Default) = “{AB77609F-2178-4E6F-9C4B-44AC179D937A}” -> {HKLM…CLSID} = “a˛ Context Menu Shell Extension” \InProcServer32(Default) = “D:\PROGRA~1\a-squared\a2contmenu.dll” [null data] avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “D:\Documents and Settings\Mirek\Moje dokumenty\Moje obrazy\fin4.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “d:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “d:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}(Default) = (no title provided) -> {HKLM…CLSID} = “&Yahoo! Messenger” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll” [file not found] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}(Default) = (no title provided) -> {HKLM…CLSID} = “&Yahoo! Messenger” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll” [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {4B30061A-5B39-11D3-80F8-0090276F843F}\ “ButtonText” = “Net2Phone” “MenuText” = “Net2Phone” “Exec” = “C:\Program Files\Net2Phone\Net2fone.exe” [“Net2Phone”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ D:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): [strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome Missing lines (compared with English-language version): [strings]: 1 line Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““D:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““D:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] ewido security suite control, ewido security suite control, “D:\Program Files\ewido anti-malware\ewidoctrl.exe” [“ewido networks”] ewido security suite guard, ewido security suite guard, “D:\Program Files\ewido anti-malware\ewidoguard.exe” [“ewido networks”] NoIPDUCService, NoIPDUCService, “D:\Program Files\No-IP\DUC20.exe -service” [“Vitalwerks LLC”] NVIDIA Display Driver Service, NVSvc, “D:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] WMDM PMSP Service, WMDM PMSP Service, “D:\WINDOWS\System32\MsPMSPSv.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ OLFax Ports\Driver = “OLFMNT40.DLL” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 75 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 11 seconds. ---------- (total run time: 110 seconds)
:!: :!: :shock:
Help nie zostawiajcie mnie z tym syfem
Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE
Była prośba
Pozdrawiam Gutek2222
Gutek
(Gutek)
8 Maj 2006 18:47
#8
Nie zrobiłeś tego co napisał Bieniol z rejestrem
Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa
Użyj SmitfraudFix
mirg
(Mir100)
8 Maj 2006 23:07
#9
Wygląda na to ,że zabiegi już pomogły(narazie jest dobrze)Przepraszam jeżeli coś żle robię-jestem jeszcze "zielonyw tych tematach.Podaję następny LOG
“Silent Runners.vbs”, revision 45, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Steam” = ““e:\gry\half life2\steam.exe” -silent” [“Valve Corporation”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Logitech Utility” = “Logi_MwX.Exe” [“Logitech Inc.”] “SunJavaUpdateSched” = “D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “WINDVDPatch” = “CTHELPER.EXE” [“Creative Technology Ltd”] “UpdReg” = “D:\WINDOWS\UpdReg.EXE” [“Creative Technology Ltd.”] “Jet Detection” = ““D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe”” [empty string] “CTStartup” = “D:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run” [“Creative Technology Ltd.”] “avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data] “startxpclean” = “\program files\xpcleaner\cxprerun.cmd” [null data] “NvCplDaemon” = “RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “QuickTime Task” = ““D:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “Spyware Stormer” = “D:\Program Files\Spyware Stormer\SpywareStormer.Exe” [file not found] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “startxpclean” = “\program files\xpcleaner\cxp.cmd” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “D:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Unbind” -> {HKLM…CLSID} = “Microsoft Office Binder Unbind” \InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “D:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “D:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “D:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “D:\WINDOWS\system32\browseui.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] “{AB77609F-2178-4E6F-9C4B-44AC179D937A}” = “a˛ Context Menu Shell Extension” -> {HKLM…CLSID} = “a˛ Context Menu Shell Extension” \InProcServer32(Default) = “D:\PROGRA~1\a-squared\a2contmenu.dll” [null data] “{CCA60260-A2C9-11D2-BA62-0020188191B2}” = “Registrar Registry Manager SHell Extension” -> {HKLM…CLSID} = “Registrar Registry Manager SHell Extension” \InProcServer32(Default) = “rrShellX.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “D:\Program Files\ewido anti-malware\shellhook.dll” ["TODO: "] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {HKLM…CLSID} = “Ctest Object” \InProcServer32(Default) = “D:\Program Files\ewido anti-malware\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}” -> {HKLM…CLSID} = “Ctest Object” \InProcServer32(Default) = “D:\Program Files\ewido anti-malware\context.dll” [“ewido networks”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ a2ContMenu(Default) = “{AB77609F-2178-4E6F-9C4B-44AC179D937A}” -> {HKLM…CLSID} = “a˛ Context Menu Shell Extension” \InProcServer32(Default) = “D:\PROGRA~1\a-squared\a2contmenu.dll” [null data] avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “D:\Documents and Settings\Mirek\Moje dokumenty\Moje obrazy\fin4.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “d:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “d:\program files\google\googletoolbar1.dll” [“Google Inc.”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}(Default) = (no title provided) -> {HKLM…CLSID} = “&Yahoo! Messenger” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll” [file not found] HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {4528BBE0-4E08-11D5-AD55-00010333D0AD}(Default) = (no title provided) -> {HKLM…CLSID} = “&Yahoo! Messenger” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll” [file not found] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {4B30061A-5B39-11D3-80F8-0090276F843F}\ “ButtonText” = “Net2Phone” “MenuText” = “Net2Phone” “Exec” = “C:\Program Files\Net2Phone\Net2fone.exe” [“Net2Phone”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS] Miscellaneous IE Hijack Points ------------------------------ D:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): [strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome Missing lines (compared with English-language version): [strings]: 1 line Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ avast! Antivirus, avast! Antivirus, ““D:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data] avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data] avast! Mail Scanner, avast! Mail Scanner, ““D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““D:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] ewido security suite control, ewido security suite control, “D:\Program Files\ewido anti-malware\ewidoctrl.exe” [“ewido networks”] ewido security suite guard, ewido security suite guard, “D:\Program Files\ewido anti-malware\ewidoguard.exe” [“ewido networks”] NoIPDUCService, NoIPDUCService, “D:\Program Files\No-IP\DUC20.exe -service” [“Vitalwerks LLC”] NVIDIA Display Driver Service, NVSvc, “D:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] WMDM PMSP Service, WMDM PMSP Service, “D:\WINDOWS\System32\MsPMSPSv.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ OLFax Ports\Driver = “OLFMNT40.DLL” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 77 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 11 seconds. ---------- (total run time: 109 seconds)
kuz5
(Kuz5)
8 Maj 2006 23:17
#10
No i cacy log jest czysty
mirg
(Mir100)
8 Maj 2006 23:21
#11
Dzięki za pomoc i pozdrawiam