Nie wiedziałem gdzie zamieścić ten temat więc zamieszczam go tutaj
Mam problem program antywirusowy wykrył u mnie 4 wirusy jakieś HEUR/MALWARE podaje screana http://www.fotosik.pl/pokaz_obrazek/pel … b9485.html
i nie wiem jak go usunąć bo on znajduje się w takich plikach
http://www.fotosik.pl/pokaz_obrazek/pel … a1d39.html
czy ten wirus jejst groźny ? i czy da się go usunąć prosze o pomoc
Joan
(Joan Sunshine)
15 Grudzień 2006 15:06
#2
Avira usunęła coś?
Ściągasz narzędzie KillBox , zaznaczasz Delete on Reboot, potem klikasz All Files i wklejasz do pola Full Path of File to Delete ścieżki:
C:\WINDOWS\System32\svchqs.exe
Klikasz X i reset sysa.
Wklej logi: http://forum.dobreprogramy.pl/viewtopic.php?t=36654
Dobra daje loga
Logfile of HijackThis v1.99.1 Scan saved at 16:50:41, on 2006-12-15 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\system32\spoolsv.exe D:\WINDOWS\Explorer.EXE D:\Program Files\AntiVir PersonalEdition Classic\sched.exe D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe D:\WINDOWS\system32\HPZipm12.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe D:\PROGRA~1\Wapster\AQQ\AQQ.exe D:\Program Files\Messenger\msmsgs.exe D:\Program Files\Avant Browser\avant.exe D:\Documents and Settings\mati\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file) O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [avgnt] “D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min O4 - HKLM…\Run: [jiahus] d:\windows\system32\svchqs.exe O4 - HKCU…\Run: [AQQ] D:\PROGRA~1\Wapster\AQQ\AQQ.exe O4 - HKCU…\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip…{59048A67-E376-46BA-B603-E5F08F5B9382}: NameServer = 194.204.152.34 217.98.63.164 O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
i co mam coś ??
I jeszcze jedno czy ten antywirus jest dobry http://www.dobreprogramy.pl/index.php?dz=2&id=1759&t=30 i ten firewall http://www.dobreprogramy.pl/index.php?dz=2&id=140&t=84 dobre będzie to zestawienie ??
adam9870
(adam9870)
15 Grudzień 2006 15:52
#4
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:
d:\windows\system32\svchqs.exe
Klikasz X czerwony i restart kompa.
usuń w hjt.
Odpowiedz na pytanie:
Joan:
Avira usunęła coś?
Po wykonaniu proszę pokazać nowy log z HijackThis plus z SilentRunners .
Nic nie usuneła avira bo jak skanował system to dawałem wszystko do kwarantanny chyba że faktycznie mógł coś usunąć bez mojej wiedzy
squeet
(squeet)
15 Grudzień 2006 16:29
#6
Proszę o lekturę poniższych tematów:
http://forum.dobreprogramy.pl/viewtopic.php?t=66889
http://forum.dobreprogramy.pl/viewtopic.php?t=36654
I zastosowanie ich w praktyce w Twoim poście:
Proszę zmienić temat na konkretny, mówiący o problemie.
adam9870
(adam9870)
15 Grudzień 2006 16:44
#7
Otóż avira wykryła śmiecia w pliku ntldr.exe . Z tego co wiem, jest to plik systemowy występujący na partycjach, które mają system plików NTFS .
Możesz przeskanować http://www.ewido.net/en/ i pokazać raport.
Plik ntldr.exe spróbuj podmienić na nowy spod Konsoli odzyskiwania CD. Będąc tam wpisujesz:
a jeśli wystąpi błąd to spróbuj:
Jakby coś to masz kopię starego pliku pod nazwą ntldr.old więc w razie jakiś większych problemów mógłbyś powrócić do starego dzięki poleceniom:
Dziękuje bardzo wszystkim za pomoc ? Usunołem killboxem ten zarażony plik i 2 pliki z loga wywaliłem ANTIVIRA i zainstalowałem AOL i Sygate personal Firewall 5.6 Przeskanowałem kompa AOL , ADWARE , i skanerem online SYNGATE i nic nie wykryły żadnego wirusa
Bieniol
(Bbieniol)
15 Grudzień 2006 18:10
#9
Dla pewności wrzuć nowy log z Hijacka + log z Silent Runners
Przepraszam jeżeli znowu zrobie błąd z wklejeniem loga ale nigdy tego wcześniej nie robiłem.
Logfile of HijackThis v1.99.1 Scan saved at 19:39:12, on 2006-12-15 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\Sygate\SPF\smc.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\Explorer.EXE D:\WINDOWS\system32\spoolsv.exe D:\Program Files\AOL\Active Virus Shield\avp.exe D:\WINDOWS\system32\HPZipm12.exe D:\WINDOWS\system32\svchost.exe D:\Program Files\AOL\Active Virus Shield\avp.exe D:\PROGRA~1\Wapster\AQQ\AQQ.exe D:\Program Files\Messenger\msmsgs.exe D:\Program Files\Avant Browser\avant.exe D:\Documents and Settings\mati\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: XBTP06568 - {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6} - D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: AOL Security Toolbar - {3BB63FD4-3C00-44D7-94A9-5DE211900DEF} - D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll O4 - HKLM…\Run: [smcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM…\Run: [aol] “D:\Program Files\AOL\Active Virus Shield\avp.exe” O4 - HKCU…\Run: [AQQ] D:\PROGRA~1\Wapster\AQQ\AQQ.exe O4 - HKCU…\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - D:\Program Files\Avant Browser\AddAllToADBlackList.htm O8 - Extra context menu item: Dodaj do listy blokowanych reklam - D:\Program Files\Avant Browser\AddToADBlackList.htm O8 - Extra context menu item: Otwórz w nowym Avant Browser - D:\Program Files\Avant Browser\OpenInNewBrowser.htm O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony… - D:\Program Files\Avant Browser\OpenAllLinks.htm O8 - Extra context menu item: Podświetl - D:\Program Files\Avant Browser\Highlight.htm O8 - Extra context menu item: Szukaj - D:\Program Files\Avant Browser\Search.htm O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O17 - HKLM\System\CCS\Services\Tcpip…{59048A67-E376-46BA-B603-E5F08F5B9382}: NameServer = 194.204.152.34 217.98.63.164 O20 - Winlogon Notify: klogon - D:\WINDOWS\system32\klogon.dll O23 - Service: Active Virus Shield (AVP) - Unknown owner - D:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing) O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - D:\Program Files\Sygate\SPF\smc.exe
Tutaj daje drugiego loga z SILENT RUNERS
Silent Runners.vbs", revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “AQQ” = “D:\PROGRA~1\Wapster\AQQ\AQQ.exe” [“AQQ Sp. z o.o.”] “MSMSGS” = ““D:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SmcService” = “D:\PROGRA~1\Sygate\SPF\smc.exe -startgui” [“Sygate Technologies, Inc.”] “aol” = ““D:\Program Files\AOL\Active Virus Shield\avp.exe”” [“AOL”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar Helper” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6}(Default) = “XBTP06568” -> {HKLM…CLSID} = “XBTP06568 Class” \InProcServer32(Default) = “D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll” [null data] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> klogon\DLLName = “D:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\AOL\Active Virus Shield\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\AOL\Active Virus Shield\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “D:\Documents and Settings\mati\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] “{3BB63FD4-3C00-44D7-94A9-5DE211900DEF}” -> {HKLM…CLSID} = “AOL Security Toolbar” \InProcServer32(Default) = “D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll” [null data] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] “{3BB63FD4-3C00-44D7-94A9-5DE211900DEF}” = (no title provided) -> {HKLM…CLSID} = “AOL Security Toolbar” \InProcServer32(Default) = “D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll” [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Active Virus Shield, AVP, ““D:\Program Files\AOL\Active Virus Shield\avp.exe” -r” [“AOL”] Pml Driver HPZ12, Pml Driver HPZ12, “D:\WINDOWS\system32\HPZipm12.exe” [“HP”] Sygate Personal Firewall, SmcService, “D:\Program Files\Sygate\SPF\smc.exe” [“Sygate Technologies, Inc.”] Windows User Mode Driver Framework, UMWdf, “D:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] hpzsnt12\Driver = “hpzsnt12.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 30 seconds. ---------- (total run time: 66 seconds)
Złączono Posta : 15.12.2006 (Pią) 19:48
Tutaj daje drugiego loga z SILENT RUNERS
Silent Runners.vbs", revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “AQQ” = “D:\PROGRA~1\Wapster\AQQ\AQQ.exe” [“AQQ Sp. z o.o.”] “MSMSGS” = ““D:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SmcService” = “D:\PROGRA~1\Sygate\SPF\smc.exe -startgui” [“Sygate Technologies, Inc.”] “aol” = ““D:\Program Files\AOL\Active Virus Shield\avp.exe”” [“AOL”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {02478D38-C3F9-4EFB-9B51-7695ECA05670}(Default) = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar Helper” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {311F9DE8-6126-4EEE-B15F-65CBB3B4F9F6}(Default) = “XBTP06568” -> {HKLM…CLSID} = “XBTP06568 Class” \InProcServer32(Default) = “D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll” [null data] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> klogon\DLLName = “D:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\AOL\Active Virus Shield\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\AOL\Active Virus Shield\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “D:\Documents and Settings\mati\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 16 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] “{3BB63FD4-3C00-44D7-94A9-5DE211900DEF}” -> {HKLM…CLSID} = “AOL Security Toolbar” \InProcServer32(Default) = “D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll” [null data] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “Megaupload Toolbar” \InProcServer32(Default) = “D:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] “{3BB63FD4-3C00-44D7-94A9-5DE211900DEF}” = (no title provided) -> {HKLM…CLSID} = “AOL Security Toolbar” \InProcServer32(Default) = “D:\Program Files\AOL Security Toolbar\AOL_security_toolbar.dll” [null data] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Active Virus Shield, AVP, ““D:\Program Files\AOL\Active Virus Shield\avp.exe” -r” [“AOL”] Pml Driver HPZ12, Pml Driver HPZ12, “D:\WINDOWS\system32\HPZipm12.exe” [“HP”] Sygate Personal Firewall, SmcService, “D:\Program Files\Sygate\SPF\smc.exe” [“Sygate Technologies, Inc.”] Windows User Mode Driver Framework, UMWdf, “D:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”] hpzsnt12\Driver = “hpzsnt12.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 30 seconds. ---------- (total run time: 66 seconds)
Dzięki Beniol Prosze admina o zamknięcie tego tematu .