Przez ponad rok nie miałem żadnych problemów z trojanami, raz na 2 miechy wyskakiwało ostrzeżenie że trojan itd, ale były to sporadyczne przypadki. Za to ostatnio, od czasu zrzucenia obrazu -codziennie wyskoczy mi kilka, kilkanaście ostrzeżeń dot. zagrożenia, trojanów itd. Posiadam orginalnego windowsa xp i noda 32. Nie mam żadnych firewolli, bo wcześniej nie miałem nigdy takiej sytuacji. Ostrzeżenia o robakach pokazują się jak jestem na jakiejkolwiek stronie internetowej, nie zawsze ale średnio z 10 i więcej razy na dzień. O co biega?

z góry dzieki

Wrzuc nam logi z HijackThis 8)

Tylko jeszcze powiedz jak to się robi. Nie to żebym nie wiedział, po prostu zapomniałem ;pp

http://forum.dobreprogramy.pl/viewtopic.php?t=36654 - czytamy przyklejone

Logfile of HijackThis v1.99.1

Scan saved at 17:05:20, on 2006-11-02

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\DOCUME~1\KONTOM~1\USTAWI~1\Temp\Rar$EX00.844\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

O4 - HKLM…\Run: [Registry Defrag] C:\WINDOWS\system32\ooctrlfd.exe

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - HKCU…\Run: [Registry Defrag] C:\WINDOWS\system32\ooctrlfd.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winmqx32 - C:\WINDOWS\SYSTEM32\winmqx32.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

mnie więcej cuś takiego…

W trybie awaryjnym z wyłączonym przywracaniem systemu usuwasz (wpisy Hijackiem, pliki/foldery na czerwono ręcznie z dysku):

Zrób skan EWIDO po update

Po zabiegach nowy log z Hijacka + log z Silent Runners

Witam. Wszystko chyba w porządku:

Logfile of HijackThis v1.99.1

Scan saved at 18:50:46, on 2006-11-02

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Kamil\filmiczki i programiki i gierki\Programiki i inne\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM…\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

a to skrypt z silenta:

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

---

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

“RemoteControl” = ““C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“Zone Labs Client” = “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe” [“Zone Labs, LLC”]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{9B71D88C-C598-4935-C5D1-43AA4DB90836}(Default) = (no title provided)

\StubPath = “C:\WINDOWS\system32\ooctrlfd.exe s” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”

-> {HKLM…CLSID} = “DAPMenuShellExt Class”

\InProcServer32(Default) = “C:\Program Files\DAP\Privacy Package\DAPCtxMenuShell.dll” [“Speedbit Ltd.”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {policy setting}:

---

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

---

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Startup items in “Konto Młodzieży” & “All Users” startup folders:

---

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

Winsock2 Service Provider DLLs:

---

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:

---

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{62999427-33FC-4BAF-9C9C-BCE6BD127F08}” = “DAP Bar”

-> {HKLM…CLSID} = “DAP Bar”

\InProcServer32(Default) = “C:\Program Files\DAP\DAPIEBar.dll” [empty string]

Hijack czysty Silent lekko ucięty, dlatego poczekaj cierpliwie na komunikat, że log skończony i całego loga wklej na forum

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

---

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

“Registry Defrag” = “C:\WINDOWS\system32\ooctrlfd.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

“RemoteControl” = ““C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“Registry Defrag” = “C:\WINDOWS\system32\ooctrlfd.exe” [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\

{9B71D88C-C598-4935-C5D1-43AA4DB90836}(Default) = (no title provided)

\StubPath = “C:\WINDOWS\system32\ooctrlfd.exe s” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”

-> {HKLM…CLSID} = “DAPMenuShellExt Class”

\InProcServer32(Default) = “C:\Program Files\DAP\Privacy Package\DAPCtxMenuShell.dll” [“Speedbit Ltd.”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {policy setting}:

---

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

---

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Startup items in “Konto Młodzieży” & “All Users” startup folders:

---

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

Winsock2 Service Provider DLLs:

---

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:

---

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{62999427-33FC-4BAF-9C9C-BCE6BD127F08}” = “DAP Bar”

-> {HKLM…CLSID} = “DAP Bar”

\InProcServer32(Default) = “C:\Program Files\DAP\DAPIEBar.dll” [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

---

Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]

Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”]

NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

PC Tools Spyware Doctor, SDhelper, “C:\Program Files\Spyware Doctor\sdhelp.exe” [“PC Tools Research Pty Ltd”]

Speed Disk service, Speed Disk service, “C:\Program Files\Speed Disk\nopdb.exe” [“Symantec Corporation”]

User Profile Hive Cleanup, UPHClean, “C:\Program Files\UPHClean\uphclean.exe” [MS]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

---

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor i560\Driver = “CNMLM58.DLL” [“CANON INC.”]

---

<>: Suspicious data at a malware launch point.

• This report excludes default entries except where indicated.

• To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

• The search for DESKTOP.INI DLL launch points on all local fixed drives

took 15 seconds.

---------- (total run time: 58 seconds)

ok : )

Został jeden pliczek.

Usuwanie:

1. Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\system32\ooctrlfd.exe

Klikasz X czerwony i restart kompa.

2. Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym

Po wykonaniu w/w nie powinno być żadnych resztek po tym pliku. Oczywiście potem wklej nowy log z Silenta.

Ok. Zrobiłem jak radziliście. Tak dla upewnienia się:

Logfile of HijackThis v1.99.1

Scan saved at 10:59:01, on 2006-11-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Eset\nod32krn.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\Program Files\Speed Disk\nopdb.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Kamil\filmiczki i programiki i gierki\Programiki i inne\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll

O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE

O4 - HKLM…\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”

O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

Teraz chyba większość w porządku?

Zapomniałem o silencie:

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

---

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

“RemoteControl” = ““C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”

-> {HKLM…CLSID} = “DAPMenuShellExt Class”

\InProcServer32(Default) = “C:\Program Files\DAP\Privacy Package\DAPCtxMenuShell.dll” [“Speedbit Ltd.”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {policy setting}:

---

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

---

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Startup items in “Konto Młodzieży” & “All Users” startup folders:

---

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

Winsock2 Service Provider DLLs:

---

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:

---

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{62999427-33FC-4BAF-9C9C-BCE6BD127F08}” = “DAP Bar”

-> {HKLM…CLSID} = “DAP Bar”

\InProcServer32(Default) = “C:\Program Files\DAP\DAPIEBar.dll” [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

---

Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]

Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”]

NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

PC Tools Spyware Doctor, SDhelper, “C:\Program Files\Spyware Doctor\sdhelp.exe” [“PC Tools Research Pty Ltd”]

Speed Disk service, Speed Disk service, “C:\Program Files\Speed Disk\nopdb.exe” [“Symantec Corporation”]

User Profile Hive Cleanup, UPHClean, “C:\Program Files\UPHClean\uphclean.exe” [MS]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

---

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor i560\Driver = “CNMLM58.DLL” [“CANON INC.”]

---

<>: Suspicious data at a malware launch point.

• This report excludes default entries except where indicated.

• To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

• The search for DESKTOP.INI DLL launch points on all local fixed drives

took 13 seconds.

---------- (total run time: 48 seconds)

Już OK

Dziękuła za pomoc. Proszę o jeszcze jedno luknięcie na silloga: sciągałem program, wyskoczyło ostrzeżenie że wirus, a ściągniety plik został i nie mogę go usunąć. Zobaczcie sami:

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

---

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

“RemoteControl” = ““C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]

“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]

“DAEMON Tools” = ““C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033” [“DT Soft Ltd.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{B089FE88-FB52-11d3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}”

-> {HKLM…CLSID} = “DAPMenuShellExt Class”

\InProcServer32(Default) = “C:\Program Files\DAP\Privacy Package\DAPCtxMenuShell.dll” [“Speedbit Ltd.”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11d3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” ["Eset "]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies {policy setting}:

---

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

---

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\web\wallpaper\Idylla.bmp”

Startup items in “Konto Młodzieży” & “All Users” startup folders:

---

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

“Kalendarz XP” -> shortcut to: “C:\Program Files\Kalendarz XP\Kalendarz.exe” [null data]

Winsock2 Service Provider DLLs:

---

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:

---

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{62999427-33FC-4BAF-9C9C-BCE6BD127F08}” = “DAP Bar”

-> {HKLM…CLSID} = “DAP Bar”

\InProcServer32(Default) = “C:\Program Files\DAP\DAPIEBar.dll” [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

“ButtonText” = “Messenger”

“MenuText” = “Windows Messenger”

“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

---

Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]

Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”]

NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

PC Tools Spyware Doctor, SDhelper, “C:\Program Files\Spyware Doctor\sdhelp.exe” [“PC Tools Research Pty Ltd”]

Speed Disk service, Speed Disk service, “C:\Program Files\Speed Disk\nopdb.exe” [“Symantec Corporation”]

User Profile Hive Cleanup, UPHClean, “C:\Program Files\UPHClean\uphclean.exe” [MS]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

---

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Canon BJ Language Monitor i560\Driver = “CNMLM58.DLL” [“CANON INC.”]

---

<>: Suspicious data at a malware launch point.

• This report excludes default entries except where indicated.

• To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

• To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer “No” at the

first message box and “Yes” at the second message box.

---------- (total run time: 27 seconds, including 2 seconds for message boxes)

taki wstrętny p2p …

:evil:

Log jest ok.

Proszę podać gdzie znajduje się ten zainfekowany plik którego nie da się usunąć.

Proponuję pozamykać porty robakom. Zmniejszysz dzięki temu prawdopodobieństwo złapania jakiegoś. W tym celu użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jezeli któryś z nich bedzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

Ściągnąłem plik na pulpit, ale gdy chce go skasować wyskakuje okienko że “jeden lub więcej programów/osób na komputerze używa tego pliku. Zamknij programy i usuń plik”. Mniej więcej cuś takiego :-x Ciem go skasować?

Spróbuj skasować go killboxem. Metodę usuwania chyba znasz (Delete on reboot, w polu full path of file, klikasz czerwonego iksa i zgadzasz się na reset).

No, przyjacielu, o mały włos…Ten program który mi poradziłeś blokujący porty źle mi się przysłużył. Na szczęście działało (choć z oporami) przywracanie systemu (pozbyłem się więc i jednego i drugiego). Ten program od portów zablokował mi dostęp do neta (zapewne na skutego mego nie umiejętnego użytkowania) a reszta chodziła bardzo wolno albo wcale. Na szczęście ma się oryginalną windę…Niemniej jednak dzięki