Request for a log check


(Kubiniak) #1
Logfile of HijackThis v1.99.1

Scan saved at 21:11:19, on 2006-01-04

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\System32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

D:\Program Files\ArcaVir\Bin\ABmenu.exe

D:\Program Files\ArcaVir\Bin\ABregmon.exe

D:\Program Files\Skype\Phone\Skype.exe

D:\Program Files\Tlen.pl\tlen.exe

D:\Program Files\Gadu-Gadu\gg.exe

D:\Program Files\ArcaVir\Bin\NetMonSv.exe

D:\PROGRA~1\INCRED~1\bin\IMApp.exe

D:\Program Files\ArcaVir\Bin\avmonsv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\ArcaVir\Bin\arcascan.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\PROGRA~1\DAP\DAP.EXE

D:\Documents and Settings\A\Pulpit\pobrane z DAP\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.ols.vectranet.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: D:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - D:\WINDOWS\system32\st3.dll (file missing)

O2 - BHO: D:\WINDOWS\system32\adsldpbe.dll - {7507739F-BC2E-4DC3-B233-816783C25DC9} - D:\WINDOWS\system32\adsldpbe.dll (file missing)

O2 - BHO: D:\WINDOWS\adsldpbd.dll - {826B2228-BC09-49F2-B5F8-42CE26B1B712} - D:\WINDOWS\adsldpbd.dll (file missing)

O2 - BHO: (no name) - {C7CF1142-0785-4B12-A280-B64681E4D45E} - D:\WINDOWS\prflbmsgp32.dll (file missing)

O2 - BHO: ZToolbar Activator Class - {da7ff3f8-08be-4cac-bc00-94d91c6ae7f4} - D:\WINDOWS\system32\azesearch4.ocx (file missing)

O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - D:\WINDOWS\system32\iasada.dll (file missing)

O3 - Toolbar: Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - D:\WINDOWS\system32\azesearch4.ocx (file missing)

O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ABmenu] D:\Program Files\ArcaVir\Bin\ABmenu.exe

O4 - HKLM\..\Run: [ABREGMON] D:\Program Files\ArcaVir\Bin\ABregmon.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - D:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://arcaonline.arcabit.com

O15 - Trusted Zone: http://skaner.mks.com.pl

O15 - Trusted Zone: *.coolwebsearch.com

O15 - Trusted Zone: *.searchmeup.com

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_cracks.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O18 - Protocol: pcl - {182D0C85-206F-4103-B4FA-DCC1FB0A0A44} - D:\Program Files\Autodesk\Inventor Professional 9\bin\HSPCLPRO10.dll

O20 - Winlogon Notify: gs - D:\WINDOWS\adsldpbd.dll (file missing)

O20 - Winlogon Notify: msctl32.dll - D:\WINDOWS\system32\msctl32.dll (file missing)

O20 - Winlogon Notify: st3 - D:\WINDOWS\system32\st3.dll (file missing)

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - D:\Program Files\ArcaVir\Bin\NetMonSv.exe

O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - D:\Program Files\ArcaVir\Bin\avmonsv.exe

O23 - Service: ArcaScan - ArcaBit - D:\Program Files\ArcaVir\Bin\arcascan.exe

O23 - Service: arcaserv - ArcaBit Sp. z o. o. - D:\Program Files\ArcaVir\bin\arcaserv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

I had a problem with SpySheriff; I have already removed quite a few files, but the computer still runs poorly.

I also made the registry entry as picasso wrote. What next?


(Gutek) #2
  1. Disable System Restore in XP HERE

  2. Boot into Safe Mode without internet (described in the link above).

  3. Tick the indicated entries in HijackThis and click Fix checked. The entries will be removed. Additionally, O15 may put up resistance, so download KillTrusted 0.7

  4. Delete from disk the files I underlined in red

  5. Finish with online scanners - scanners to choose from

  6. Post a new log :stuck_out_tongue:

Please post a Silent Runners log - Silent Runners description: http://www.searchengines.pl/phpbb203/in … opic=15989
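Step 3 above comes down to picking the right HijackThis entries to tick. As an added example (written here, not Gutek's code or anything from the thread), the Python script below does that triage over HijackThis 1.99 log lines: it surfaces O2/O3/O20 hooks whose DLL is reported "(file missing)", O15 Trusted Zone entries and O16 ActiveX downloads (DPF) whose host is not on a short allowlist. The allowlist TRUSTED_HOSTS, the ORPHAN_KINDS set and the function names are assumptions of this example; the sample lines are quoted from the first HijackThis log in this thread.

```python
"""Triage helper for HijackThis v1.99 log lines (added example, not from the thread).

Flags the entry classes a reviewer ticks for "Fix checked": orphaned O2/O3/O20
hooks (DLL not on disk), O15 Trusted Zone grants and O16 ActiveX downloads
from hosts outside an allowlist.
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Hosts of the online scanners the thread points at (ArcaBit, mks, Panda) plus
# the HP download manager. This allowlist is an assumption of the example.
TRUSTED_HOSTS = {
    "arcaonline.arcabit.com",
    "skaner.mks.com.pl",
    "acs.pandasoftware.com",
    "h17000.www1.hp.com",
}

# Hook classes where an entry pointing at a non-existent DLL is an orphan
# (dropped by malware or left after a partial cleanup) and safe to remove.
ORPHAN_KINDS = {"O2", "O3", "O20"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O2"
    reason: str  # why the line was surfaced
    line: str    # the original log line, ready to be ticked in the tool


def host_of(target: str) -> str:
    """Reduce an O15/O16 target ('*.example.com', 'http://host/file.cab') to a host name."""
    if "://" in target:
        return (urlparse(target).hostname or "").lower()
    return target.lstrip("*.").lower()


def triage(lines: List[str]) -> List[Finding]:
    """Return the log lines a reviewer would tick for 'Fix checked', in log order."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header, blank or process-list line
        kind, rest = match.group("kind"), match.group("rest")
        if kind in ORPHAN_KINDS and rest.endswith("(file missing)"):
            findings.append(Finding(kind, "hook points at a DLL that is not on disk", line))
        elif kind == "O15":
            # "Trusted Zone: *.example.com" or "Trusted Zone: http://host (HKLM)"
            target = rest.split("Trusted Zone:", 1)[1].split()[0]
            if host_of(target) not in TRUSTED_HOSTS:
                findings.append(Finding(kind, f"Trusted Zone lowers IE security for {target}", line))
        elif kind == "O16":
            # "DPF: {CLSID} (Name) - http://host/control.cab"
            url = rest.rsplit(" - ", 1)[-1]
            if host_of(url) not in TRUSTED_HOSTS:
                findings.append(Finding(kind, f"ActiveX control downloaded from {host_of(url)}", line))
    return findings


def by_kind(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per HijackThis section, for a quick summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Sample input: a subset of lines quoted from the first HijackThis log in the thread.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: D:\WINDOWS\system32\st3.dll - {1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5} - D:\WINDOWS\system32\st3.dll (file missing)",
    r"O3 - Toolbar: Search - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - D:\WINDOWS\system32\azesearch4.ocx (file missing)",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
    "O15 - Trusted Zone: http://arcaonline.arcabit.com",
    "O15 - Trusted Zone: *.coolwebsearch.com",
    "O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)",
    "O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab",
    "O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.tbcode.com/ist/softwares/v4.0/0006_cracks.cab",
    r"O20 - Winlogon Notify: gs - D:\WINDOWS\adsldpbd.dll (file missing)",
    r"O23 - Service: ArcaScan - ArcaBit - D:\Program Files\ArcaVir\Bin\arcascan.exe",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(by_kind(triage(SAMPLE_LOG)))
```

Run against the sample it surfaces six lines (the st3.dll BHO, the azesearch toolbar, the two non-scanner Trusted Zone grants, the tbcode .cab and the gs Winlogon Notify hook) and leaves the Acrobat BHO and the ArcaBit entries alone. The script keys on the missing file and on the host, not on any tool's warning label, so a hook whose DLL exists and carries a vendor signature is not surfaced; anything it does surface still deserves a look at the path and CLSID before it is ticked.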


(Kubiniak) #3

You say O15 may cause problems, but you did not mark it for removal. I am posting the Silent Runners log here; the current state is the same as in the HijackThis log, i.e. I have not touched anything yet.

If you want, I also have an Ad-Aware log.

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"Komunikator" = "D:\Program Files\Tlen.pl\tlen.exe" [null data]

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"IncrediMail" = "D:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"ABmenu" = "D:\Program Files\ArcaVir\Bin\ABmenu.exe" ["ArcaBit"]

"ABREGMON" = "D:\Program Files\ArcaVir\Bin\ABregmon.exe" ["ArcaBit"]

"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}

"Flag" = 2


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}\(Default) = "D:\WINDOWS\system32\st3.dll" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\st3.dll" [file not found]

{7507739F-BC2E-4DC3-B233-816783C25DC9}\(Default) = "D:\WINDOWS\system32\adsldpbe.dll" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\adsldpbe.dll" [file not found]

{826B2228-BC09-49F2-B5F8-42CE26B1B712}\(Default) = "D:\WINDOWS\adsldpbd.dll" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\adsldpbd.dll" [file not found]

{C7CF1142-0785-4B12-A280-B64681E4D45E}\(Default) = (no title provided)

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\prflbmsgp32.dll" [file not found]

{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}\(Default) = "ZToolbar Activator Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\azesearch4.ocx" [file not found]

{f65b197f-8260-4d52-909a-f70118e646eb}\(Default) = "AddressBar Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\iasada.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [file not found]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]

"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\st3.dll" [file not found]

INFECTION WARNING! "{C7CF1142-0785-4B12-A280-B64681E4D45E}" = "z"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\prflbmsgp32.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

INFECTION WARNING! gs\DLLName = "D:\WINDOWS\adsldpbd.dll" [file not found]

INFECTION WARNING! msctl32.dll\DLLName = "D:\WINDOWS\system32\msctl32.dll" [file not found]

INFECTION WARNING! st3\DLLName = "D:\WINDOWS\system32\st3.dll" [file not found]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]

IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]

FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"

  -> {CLSID}\InProcServer32\(Default) = "d:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\A\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"FRU Task #Hewlett-Packard#hp psc 1200 series#1134904292" -> launches: "D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1134904292"" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{A19EF336-01D4-48E6-926A-FE7E1C747AED}" = "Search" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\azesearch4.ocx" [file not found]


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\

"ButtonText" = "Run DAP"

"Exec" = "D:\PROGRA~1\DAP\DAP.EXE" ["Speedbit Ltd."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\

"ButtonText" = "eBay - Homepage"

"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\shdocvw.dll" [MS]

"Exec" = "D:\Program Files\IrfanView\Ebay\Ebay.htm" [null data]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ArcaBit NetMonitor, ABNetMon, "D:\Program Files\ArcaVir\Bin\NetMonSv.exe" ["ArcaBit sp. z o.o."]

ArcaScan, ArcaScan, "D:\Program Files\ArcaVir\Bin\arcascan.exe" ["ArcaBit"]

ArcaVir Monitor, ArcaMonSvc, "D:\Program Files\ArcaVir\Bin\avmonsv.exe" ["ArcaBit"]

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

MSSQL$INVENTORCONTENT, MSSQL$INVENTORCONTENT, "D:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 214 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 83 seconds.

---------- (total run time: 441 seconds)

Merged post: 04.01.2006 (Wed) 23:17

One more question in advance: how is KillTrusted 0.7 used?

Merged post: 04.01.2006 (Wed) 23:40

This is the new HijackThis log

Logfile of HijackThis v1.99.1

Scan saved at 23:37:34, on 2006-01-04

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\System32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

D:\Program Files\ArcaVir\Bin\ABmenu.exe

D:\Program Files\ArcaVir\Bin\ABregmon.exe

D:\Program Files\Skype\Phone\Skype.exe

D:\Program Files\Tlen.pl\tlen.exe

D:\Program Files\Gadu-Gadu\gg.exe

D:\Program Files\ArcaVir\Bin\NetMonSv.exe

D:\PROGRA~1\INCRED~1\bin\IMApp.exe

D:\Program Files\ArcaVir\Bin\avmonsv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\ArcaVir\Bin\arcascan.exe

D:\PROGRA~1\INCRED~1\bin\IncMail.exe

D:\WINDOWS\system32\wuauclt.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Documents and Settings\A\Pulpit\pobrane z DAP\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.ols.vectranet.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ABmenu] D:\Program Files\ArcaVir\Bin\ABmenu.exe

O4 - HKLM\..\Run: [ABREGMON] D:\Program Files\ArcaVir\Bin\ABregmon.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - D:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O18 - Protocol: pcl - {182D0C85-206F-4103-B4FA-DCC1FB0A0A44} - D:\Program Files\Autodesk\Inventor Professional 9\bin\HSPCLPRO10.dll

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - D:\Program Files\ArcaVir\Bin\NetMonSv.exe

O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - D:\Program Files\ArcaVir\Bin\avmonsv.exe

O23 - Service: ArcaScan - ArcaBit - D:\Program Files\ArcaVir\Bin\arcascan.exe

O23 - Service: arcaserv - ArcaBit Sp. z o. o. - D:\Program Files\ArcaVir\bin\arcaserv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

and this is the new one from Silent Runners

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"Komunikator" = "D:\Program Files\Tlen.pl\tlen.exe" [null data]

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"IncrediMail" = "D:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"ABmenu" = "D:\Program Files\ArcaVir\Bin\ABmenu.exe" ["ArcaBit"]

"ABREGMON" = "D:\Program Files\ArcaVir\Bin\ABregmon.exe" ["ArcaBit"]

"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}

"Flag" = 2


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [file not found]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]

"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]

IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]

FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"

  -> {CLSID}\InProcServer32\(Default) = "d:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\A\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"FRU Task #Hewlett-Packard#hp psc 1200 series#1134904292" -> launches: "D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1134904292"" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\

"ButtonText" = "Run DAP"

"Exec" = "D:\PROGRA~1\DAP\DAP.EXE" ["Speedbit Ltd."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\

"ButtonText" = "eBay - Homepage"

"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\shdocvw.dll" [MS]

"Exec" = "D:\Program Files\IrfanView\Ebay\Ebay.htm" [null data]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ArcaBit NetMonitor, ABNetMon, "D:\Program Files\ArcaVir\Bin\NetMonSv.exe" ["ArcaBit sp. z o.o."]

ArcaScan, ArcaScan, "D:\Program Files\ArcaVir\Bin\arcascan.exe" ["ArcaBit"]

ArcaVir Monitor, ArcaMonSvc, "D:\Program Files\ArcaVir\Bin\avmonsv.exe" ["ArcaBit"]

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

MSSQL$INVENTORCONTENT, MSSQL$INVENTORCONTENT, "D:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 91 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 27 seconds.

---------- (total run time: 160 seconds)

Many thanks for the help. I haven't scanned with the antivirus programs yet because my wife is yelling at me to go to bed; I'll scan tomorrow and get back to you.

Thanks again


(Gutek) #4

It's OK now


(Kubiniak) #5

It's probably not entirely fine, because Panda ActiveScan found 61 Spyware and 2 Suspicious Files.

I also scanned with Ad-Aware; it found something there too, but I'm not an expert at this and don't know what it is. So I'm sending the log from that program.

Ad-Aware SE Build 1.06r1

Logfile Created on:5 stycznia 2006 08:57:51

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R85 04.01.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CrackSpider(TAC index:4):6 total references

DyFuCA(TAC index:3):28 total references

istbar(TAC index:7):7 total references

MRU List(TAC index:0):27 total references

Possible Browser Hijack attempt(TAC index:3):2 total references

Powerscan(TAC index:5):5 total references

SideFind(TAC index:5):8 total references

Tracking Cookie(TAC index:3):13 total references

ZToolbar(TAC index:10):6 total references

ZyncosMark(TAC index:3):1 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file


Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects



2006-01-05 08:57:51 - Scan started. (Full System Scan)


 MRU List Object Recognized!

    Location: : D:\Documents and Settings\A\recent

    Description : list of recently opened documents



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles

    Description : list of recently used files in adobe reader



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct3d



 MRU List Object Recognized!

    Location: : software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct3d



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct X



 MRU List Object Recognized!

    Location: : software\microsoft\direct3d\mostrecentapplication

    Description : most recent application to use microsoft direct X



 MRU List Object Recognized!

    Location: : software\microsoft\directdraw\mostrecentapplication

    Description : most recent application to use microsoft directdraw



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\directinput\mostrecentapplication

    Description : most recent application to use microsoft directinput



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\directinput\mostrecentapplication

    Description : most recent application to use microsoft directinput



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\internet explorer

    Description : last download directory used in microsoft internet explorer



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\internet explorer\typedurls

    Description : list of recently entered addresses in microsoft internet explorer



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\microsoft management console\recent file list

    Description : list of recent snap-ins used in the microsoft management console



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\office\11.0\common\general

    Description : list of recently used symbols in microsoft office



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\office\11.0\powerpoint\recent file list

    Description : list of recent files used by microsoft powerpoint



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\office\11.0\powerpoint\recent templates

    Description : list of recent templates used by microsoft powerpoint



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\office\11.0\powerpoint\recent typeface list

    Description : list of recently used typefaces in microsoft powerpoint



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\office\11.0\powerpoint\recenttemplatelist

    Description : list of recent templates used by microsoft powerpoint



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\search assistant\acmru

    Description : list of recent search terms used with the search assistant



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\applets\paint\recent file list

    Description : list of files recently opened using microsoft paint



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\applets\wordpad\recent file list

    Description : list of recent files opened using wordpad



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

    Description : list of recent programs opened



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

    Description : list of recently saved files, stored according to file extension



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\explorer\recentdocs

    Description : list of recent documents opened



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\explorer\runmru

    Description : mru list for items opened in start | run



 MRU List Object Recognized!

    Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general

    Description : windows media sdk 



 MRU List Object Recognized!

    Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general

    Description : windows media sdk 



 MRU List Object Recognized!

    Location: : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows media\wmsdk\general

    Description : windows media sdk 



Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


#:1 [smss.exe]

    FilePath : \SystemRoot\System32\

    ProcessID : 536

    ThreadCreationTime : 2006-01-05 06:22:49

    BasePriority : Normal



#:2 [csrss.exe]

    FilePath : \??\D:\WINDOWS\system32\

    ProcessID : 604

    ThreadCreationTime : 2006-01-05 06:22:51

    BasePriority : Normal



#:3 [winlogon.exe]

    FilePath : \??\D:\WINDOWS\system32\

    ProcessID : 640

    ThreadCreationTime : 2006-01-05 06:22:52

    BasePriority : High



#:4 [services.exe]

    FilePath : D:\WINDOWS\system32\

    ProcessID : 684

    ThreadCreationTime : 2006-01-05 06:22:52

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : System operacyjny Microsoft® Windows®

    CompanyName : Microsoft Corporation

    FileDescription : Usługi i aplikacja Kontroler

    InternalName : services.exe

    LegalCopyright : © Microsoft Corporation. Wszelkie prawa zastrzeżone.

    OriginalFilename : services.exe


#:5 [lsass.exe]

    FilePath : D:\WINDOWS\system32\

    ProcessID : 696

    ThreadCreationTime : 2006-01-05 06:22:52

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : LSA Shell (Export Version)

    InternalName : lsass.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : lsass.exe


#:6 [ati2evxx.exe]

    FilePath : D:\WINDOWS\System32\

    ProcessID : 864

    ThreadCreationTime : 2006-01-05 06:22:53

    BasePriority : Normal

    FileVersion : 6.14.10.4121

    ProductVersion : 6.14.10.4121

    ProductName : ATI External Event Utility for WindowsNT and Windows9X

    CompanyName : ATI Technologies Inc.

    FileDescription : ATI External Event Utility EXE Module

    InternalName : ATI2EVXX.EXE

    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.

    OriginalFilename : ATI2EVXX.EXE


#:7 [svchost.exe]

    FilePath : D:\WINDOWS\system32\

    ProcessID : 876

    ThreadCreationTime : 2006-01-05 06:22:53

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe


#:8 [svchost.exe]

    FilePath : D:\WINDOWS\system32\

    ProcessID : 956

    ThreadCreationTime : 2006-01-05 06:22:53

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe


#:9 [svchost.exe]

    FilePath : D:\WINDOWS\System32\

    ProcessID : 1048

    ThreadCreationTime : 2006-01-05 06:22:53

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe


#:10 [svchost.exe]

    FilePath : D:\WINDOWS\System32\

    ProcessID : 1096

    ThreadCreationTime : 2006-01-05 06:22:53

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe


#:11 [svchost.exe]

    FilePath : D:\WINDOWS\System32\

    ProcessID : 1172

    ThreadCreationTime : 2006-01-05 06:22:54

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe


#:12 [spoolsv.exe]

    FilePath : D:\WINDOWS\system32\

    ProcessID : 1452

    ThreadCreationTime : 2006-01-05 06:22:55

    BasePriority : Normal

    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

    ProductVersion : 5.1.2600.2696

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Spooler SubSystem App

    InternalName : spoolsv.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : spoolsv.exe


#:13 [ati2evxx.exe]

    FilePath : D:\WINDOWS\system32\

    ProcessID : 1652

    ThreadCreationTime : 2006-01-05 06:22:56

    BasePriority : Normal

    FileVersion : 6.14.10.4121

    ProductVersion : 6.14.10.4121

    ProductName : ATI External Event Utility for WindowsNT and Windows9X

    CompanyName : ATI Technologies Inc.

    FileDescription : ATI External Event Utility EXE Module

    InternalName : ATI2EVXX.EXE

    LegalCopyright : Copyright © 1999-2004 ATI Technologies Inc.

    OriginalFilename : ATI2EVXX.EXE


#:14 [explorer.exe]

    FilePath : D:\WINDOWS\

    ProcessID : 1728

    ThreadCreationTime : 2006-01-05 06:22:56

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : System operacyjny Microsoft® Windows®

    CompanyName : Microsoft Corporation

    FileDescription : Eksplorator Windows

    InternalName : explorer

    LegalCopyright : © Microsoft Corporation. Wszelkie prawa zastrzeżone.

    OriginalFilename : EXPLORER.EXE


#:15 [atiptaxx.exe]

    FilePath : D:\Program Files\ATI Technologies\ATI Control Panel\

    ProcessID : 1824

    ThreadCreationTime : 2006-01-05 06:22:57

    BasePriority : Normal

    FileVersion : 6.14.10.5006

    ProductVersion : 6.14.10.5006

    ProductName : ATI Desktop Component

    CompanyName : ATI Technologies, Inc.

    FileDescription : ATI Desktop Control Panel

    InternalName : Atiptaxx.exe

    LegalCopyright : Copyright (C) 1998-2002 ATI Technologies Inc.

    OriginalFilename : Atiptaxx.exe


#:16 [abmenu.exe]

    FilePath : D:\Program Files\ArcaVir\Bin\

    ProcessID : 1836

    ThreadCreationTime : 2006-01-05 06:22:58

    BasePriority : Normal

    FileVersion : 1, 0, 0, 1

    ProductVersion : 1, 0, 0, 1

    ProductName : ArcaVir Tray

    CompanyName : ArcaBit

    FileDescription : ArcaVir Tray

    InternalName : ABMenu

    LegalCopyright : Copyright (C) 1997

    OriginalFilename : ABMenu.exe


#:17 [abregmon.exe]

    FilePath : D:\Program Files\ArcaVir\Bin\

    ProcessID : 1844

    ThreadCreationTime : 2006-01-05 06:22:58

    BasePriority : Normal

    FileVersion : 1, 0, 0, 1

    ProductVersion : 1, 0, 0, 1

    ProductName : Registry Monitor

    CompanyName : ArcaBit

    FileDescription : Registry Monitor

    InternalName : Registry Monitor

    LegalCopyright : Copyright (C) 2005

    OriginalFilename : Registry Monitor


#:18 [skype.exe]

    FilePath : D:\Program Files\Skype\Phone\

    ProcessID : 1864

    ThreadCreationTime : 2006-01-05 06:22:58

    BasePriority : Normal



#:19 [tlen.exe]

    FilePath : D:\Program Files\Tlen.pl\

    ProcessID : 1880

    ThreadCreationTime : 2006-01-05 06:22:58

    BasePriority : High



#:20 [gg.exe]

    FilePath : D:\Program Files\Gadu-Gadu\

    ProcessID : 1888

    ThreadCreationTime : 2006-01-05 06:22:58

    BasePriority : Normal



#:21 [avmonsv.exe]

    FilePath : D:\Program Files\ArcaVir\Bin\

    ProcessID : 324

    ThreadCreationTime : 2006-01-05 06:23:04

    BasePriority : Normal

    FileVersion : 1, 0, 0, 1

    ProductVersion : 1, 0, 0, 1

    ProductName : ArcaVir

    CompanyName : ArcaBit

    FileDescription : ArcaVir Antivirus Monitor

    InternalName : ArcaVir Monitor Service

    LegalCopyright : Copyright (C) 2005

    OriginalFilename : ArcaVir Monitor Service


#:22 [mdm.exe]

    FilePath : D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\

    ProcessID : 424

    ThreadCreationTime : 2006-01-05 06:23:05

    BasePriority : Normal

    FileVersion : 7.00.9466

    ProductVersion : 7.00.9466

    ProductName : Microsoft® Visual Studio .NET

    CompanyName : Microsoft Corporation

    FileDescription : Machine Debug Manager

    InternalName : mdm.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : mdm.exe


#:23 [imapp.exe]

    FilePath : D:\PROGRA~1\INCRED~1\bin\

    ProcessID : 432

    ThreadCreationTime : 2006-01-05 06:23:05

    BasePriority : Normal

    FileVersion : 4, 5, 0, 2068

    ProductVersion : 4, 5, 0, 2068

    ProductName : IncrediMail

    CompanyName : IncrediMail, Ltd.

    FileDescription : IncrediMail Application

    InternalName : IncrediApp

    LegalCopyright : Copyright © 2002 IncrediMail, Ltd.

    OriginalFilename : IMAPP.EXE


#:24 [sqlservr.exe]

    FilePath : D:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\

    ProcessID : 476

    ThreadCreationTime : 2006-01-05 06:23:06

    BasePriority : Normal

    FileVersion : 2000.080.0760.00

    ProductVersion : 8.00.760

    ProductName : Microsoft SQL Server

    CompanyName : Microsoft Corporation

    FileDescription : SQL Server Windows NT

    InternalName : SQLSERVR

    LegalCopyright : © 1988-2003 Microsoft Corp. All rights reserved.

    LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation

    OriginalFilename : SQLSERVR.EXE

    Comments : NT INTEL X86


#:25 [svchost.exe]

    FilePath : D:\WINDOWS\System32\

    ProcessID : 1076

    ThreadCreationTime : 2006-01-05 06:23:11

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Generic Host Process for Win32 Services

    InternalName : svchost.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : svchost.exe


#:26 [alg.exe]

    FilePath : D:\WINDOWS\System32\

    ProcessID : 2272

    ThreadCreationTime : 2006-01-05 06:23:21

    BasePriority : Normal

    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 5.1.2600.2180

    ProductName : Microsoft® Windows® Operating System

    CompanyName : Microsoft Corporation

    FileDescription : Application Layer Gateway Service

    InternalName : ALG.exe

    LegalCopyright : © Microsoft Corporation. All rights reserved.

    OriginalFilename : ALG.exe


#:27 [arcascan.exe]

    FilePath : D:\Program Files\ArcaVir\Bin\

    ProcessID : 2472

    ThreadCreationTime : 2006-01-05 06:23:25

    BasePriority : Normal

    FileVersion : 1, 0, 0, 1

    ProductVersion : 1, 0, 0, 1

    ProductName : ArcaBit Scanner Component

    CompanyName : ArcaBit

    FileDescription : ArcaBit Scanner Component

    InternalName : ArcaScan

    LegalCopyright : Copyright 2004

    OriginalFilename : ArcaScan.exe


#:28 [iexplore.exe]

    FilePath : D:\Program Files\Internet Explorer\

    ProcessID : 3640

    ThreadCreationTime : 2006-01-05 06:26:31

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : System operacyjny Microsoft® Windows®

    CompanyName : Microsoft Corporation

    FileDescription : Internet Explorer

    InternalName : iexplore

    LegalCopyright : © Microsoft Corporation. Wszelkie prawa zastrzeżone.

    OriginalFilename : IEXPLORE.EXE


#:29 [netmonsv.exe]

    FilePath : D:\Program Files\ArcaVir\Bin\

    ProcessID : 3328

    ThreadCreationTime : 2006-01-05 06:41:10

    BasePriority : Normal

    FileVersion : 1, 2, 0, 1

    ProductVersion : 1, 2, 0, 1

    ProductName : ArcaBit Net Monitor

    CompanyName : ArcaBit sp. z o.o.

    FileDescription : NetMonSV

    InternalName : NetMonSV

    LegalCopyright : Copyright © 2004

    OriginalFilename : NetMonSV.exe

    Comments : Kontroluje dane przesyłane przez TCP/IP.


#:30 [iexplore.exe]

    FilePath : D:\Program Files\Internet Explorer\

    ProcessID : 2388

    ThreadCreationTime : 2006-01-05 07:51:43

    BasePriority : Normal

    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

    ProductVersion : 6.00.2900.2180

    ProductName : System operacyjny Microsoft® Windows®

    CompanyName : Microsoft Corporation

    FileDescription : Internet Explorer

    InternalName : iexplore

    LegalCopyright : © Microsoft Corporation. Wszelkie prawa zastrzeżone.

    OriginalFilename : IEXPLORE.EXE


#:31 [ad-aware.exe]

    FilePath : D:\Program Files\Lavasoft\Ad-Aware SE Personal\

    ProcessID : 3500

    ThreadCreationTime : 2006-01-05 07:55:32

    BasePriority : Normal

    FileVersion : 6.2.0.236

    ProductVersion : SE 106

    ProductName : Lavasoft Ad-Aware SE

    CompanyName : Lavasoft Sweden

    FileDescription : Ad-Aware SE Core application

    InternalName : Ad-Aware.exe

    LegalCopyright : Copyright © Lavasoft AB Sweden

    OriginalFilename : Ad-Aware.exe

    Comments : All Rights Reserved


Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 27



Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 CrackSpider Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 4

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : typelib\{dea43ce3-d57b-45f6-a4d1-110e652ced11}


 CrackSpider Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 4

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : interface\{38252777-2500-456e-8b3d-a55850306da2}


 CrackSpider Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 4

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : addressbar.loader.1


 CrackSpider Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 4

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : addressbar.loader


 istbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 7

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : typelib\{67907b3c-a6ef-4a01-99ad-3fcd5f526429}


 istbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 7

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : istx.installer


 istbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 7

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : interface\{0985c112-2562-46f2-8da6-92648ba4630f}


 SideFind Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : clsid\{8cba1b49-8144-4721-a7b1-64c578c9eed7}


 SideFind Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : typelib\{58634367-d62b-4c2c-86be-5aac45cdb671}


 SideFind Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : typelib\{d0288a41-9855-4a9b-8316-babe243648da}


 ZToolbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 10

    Category : Data Miner

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : ztoolbar.activator


 ZToolbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 10

    Category : Data Miner

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : ztoolbar.activator.1


 ZToolbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 10

    Category : Data Miner

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : ztoolbar.paramwr


 ZToolbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 10

    Category : Data Miner

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : ztoolbar.paramwr.1


 ZToolbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 10

    Category : Data Miner

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : ztoolbar.stockbar


 ZToolbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 10

    Category : Data Miner

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : ztoolbar.stockbar.1


 ZyncosMark Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Data Miner

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : clsid\{dc341f1b-ec77-47be-8f58-96e83861cc5a}


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\policies\avenue media


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\ist


 DyFuCA Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\ist

    Value : account_id


 DyFuCA Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\ist

    Value : config


 DyFuCA Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\ist

    Value : referer


 DyFuCA Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\ist

    Value : NeverISTsvc


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\avenue media


 SideFind Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}


 CrackSpider Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 4

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\loaderco


 CrackSpider Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 4

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\azesearchco


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\policies\avenue media


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows\currentversion\uninstall\dyfuca


 DyFuCA Object Recognized!

    Type : Regkey

    Data : DyFuCA

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : .DEFAULT\software\microsoft\windows\currentversion\uninstall\DyFuCA


 DyFuCA Object Recognized!

    Type : Regkey

    Data : DyFuCA

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-18\software\microsoft\windows\currentversion\uninstall\DyFuCA


 DyFuCA Object Recognized!

    Type : Regkey

    Data : DyFuCA

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-19\software\microsoft\windows\currentversion\uninstall\DyFuCA


 DyFuCA Object Recognized!

    Type : Regkey

    Data : DyFuCA

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-20\software\microsoft\windows\currentversion\uninstall\DyFuCA


 DyFuCA Object Recognized!

    Type : Regkey

    Data : DyFuCA

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\uninstall\DyFuCA


 DyFuCA Object Recognized!

    Type : Regkey

    Data : Internet Optimizer

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : .DEFAULT\software\microsoft\windows\currentversion\uninstall\Internet Optimizer


 DyFuCA Object Recognized!

    Type : Regkey

    Data : Internet Optimizer

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-18\software\microsoft\windows\currentversion\uninstall\Internet Optimizer


 DyFuCA Object Recognized!

    Type : Regkey

    Data : Internet Optimizer

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-19\software\microsoft\windows\currentversion\uninstall\Internet Optimizer


 DyFuCA Object Recognized!

    Type : Regkey

    Data : Internet Optimizer

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-20\software\microsoft\windows\currentversion\uninstall\Internet Optimizer


 DyFuCA Object Recognized!

    Type : Regkey

    Data : Internet Optimizer

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\microsoft\windows\currentversion\uninstall\Internet Optimizer


 DyFuCA Object Recognized!

    Type : Regkey

    Data : Internet Optimizer

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows\currentversion\uninstall\Internet Optimizer


 DyFuCA Object Recognized!

    Type : RegValue

    Data : Internet Optimizer

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows\currentversion\uninstall\Internet Optimizer

    Value : UninstallString


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\avenue media


 SideFind Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\sidefind


 SideFind Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\sidefind

    Value : shoppingautosearch


 Powerscan Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : "account_id"

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\software\powerscan

    Value : account_id


 Powerscan Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : "LoadNum"

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\powerscan

    Value : LoadNum


 Powerscan Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : "account_id"

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\\software\powerscan

    Value : account_id


Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 47

Objects found so far: 74



Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Possible Browser Hijack attempt : S-1-5-21-583907252-926492609-725345543-1003\Software\Microsoft\Internet Explorer\MainStart Pageonet.pl


 Possible Browser Hijack attempt Object Recognized!

    Type : RegData

    Data : "http://www.onet.pl/"

    TAC Rating : 5

    Category : Malware

    Comment : Possible Browser Hijack attempt

    Rootkey : HKEY_USERS

    Object : S-1-5-21-583907252-926492609-725345543-1003\Software\Microsoft\Internet Explorer\Main

    Value : Start Page

    Data : "http://www.onet.pl/"


Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 1

Objects found so far: 75



Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»



 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@tribalfusion[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:1

    Value : Cookie:a@tribalfusion.com/

    Expires : 2038-01-01 01:00:00

    LastSync : Hits:1

    UseCount : 0

    Hits : 1


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@tradedoubler[2].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:9

    Value : Cookie:a@tradedoubler.com/

    Expires : 2025-12-30 20:31:38

    LastSync : Hits:9

    UseCount : 0

    Hits : 9


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@casalemedia[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:19

    Value : Cookie:a@casalemedia.com/

    Expires : 2006-12-26 15:32:14

    LastSync : Hits:19

    UseCount : 0

    Hits : 19


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@mediaplex[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:1

    Value : Cookie:a@mediaplex.com/

    Expires : 2009-06-22 01:00:00

    LastSync : Hits:1

    UseCount : 0

    Hits : 1


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@trafic[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:1

    Value : Cookie:a@trafic.ro/

    Expires : 2037-01-11 15:00:00

    LastSync : Hits:1

    UseCount : 0

    Hits : 1


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@please[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:1

    Value : Cookie:a@ad2.pl.mediainter.net/please/

    Expires : 2006-12-03 20:32:16

    LastSync : Hits:1

    UseCount : 0

    Hits : 1


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@servedby.netshelter[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:1

    Value : Cookie:a@servedby.netshelter.net/

    Expires : 2006-01-12 01:20:38

    LastSync : Hits:1

    UseCount : 0

    Hits : 1


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : a@adserver.o2[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : Hits:19

    Value : Cookie:a@adserver.o2.pl/

    Expires : 2008-09-02 03:37:52

    LastSync : Hits:19

    UseCount : 0

    Hits : 19


Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 8

Objects found so far: 83




Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : ktos@doubleclick[2].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : 

    Value : C:\WINDOWS\Cookies\ktos@doubleclick[2].txt


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : ktos@hitbox[2].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : 

    Value : C:\WINDOWS\Cookies\ktos@hitbox[2].txt


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : ktos@ehg-ati.hitbox[2].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : 

    Value : C:\WINDOWS\Cookies\ktos@ehg-ati.hitbox[2].txt


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : ktos@please[1].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : 

    Value : C:\WINDOWS\Cookies\ktos@please[1].txt


 Tracking Cookie Object Recognized!

    Type : IECache Entry

    Data : ktos@please[2].txt

    TAC Rating : 3

    Category : Data Miner

    Comment : 

    Value : C:\WINDOWS\Cookies\ktos@please[2].txt


Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 88



Deep scanning and examining files (D:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Disk Scan Result for D:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 88



Deep scanning and examining files (E:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Disk Scan Result for E:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 88


 Possible Browser Hijack attempt Object Recognized!

    Type : File

    Data : CRACKS.AM - Page A.url

    TAC Rating : 3

    Category : Misc

    Comment : Problematic URL discovered: http://www.cracks.am/cracks/a.html

    Object : D:\Documents and Settings\A\Ulubione\





Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


 istbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 7

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : aspfile\persistenthandler


 istbar Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 7

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\downloadmanager


 istbar Object Recognized!

    Type : RegData

    Data : Never

    TAC Rating : 7

    Category : Malware

    Comment : 

    Rootkey : HKEY_CURRENT_USER

    Object : software\microsoft\internet explorer\main

    Value : BandRest

    Data : Never


 istbar Object Recognized!

    Type : RegData

    Data : Never

    TAC Rating : 7

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\internet explorer\main

    Value : BandRest

    Data : Never


 SideFind Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : interface\{339d8aff-0b42-4260-ad82-78ce605a9543}


 SideFind Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_CLASSES_ROOT

    Object : interface\{a36a5936-cfd9-4b41-86bd-319a1931887f}


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_CURRENT_USER

    Object : software\microsoft\windows\currentversion\policies\ameopt


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows\currentversion\uninstall\kapabout


 DyFuCA Object Recognized!

    Type : RegValue

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows\currentversion\uninstall\kapabout

    Value : DComment


 DyFuCA Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\windows\currentversion\policies\ameopt


 DyFuCA Object Recognized!

    Type : RegData

    Data : Never

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_CURRENT_USER

    Object : software\microsoft\internet explorer\main

    Value : BandRest

    Data : Never


 DyFuCA Object Recognized!

    Type : RegData

    Data : Never

    TAC Rating : 3

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\microsoft\internet explorer\main

    Value : BandRest

    Data : Never


 Powerscan Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_CURRENT_USER

    Object : software\powerscan


 Powerscan Object Recognized!

    Type : Regkey

    Data : 

    TAC Rating : 5

    Category : Malware

    Comment : 

    Rootkey : HKEY_LOCAL_MACHINE

    Object : software\powerscan


Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 14

Objects found so far: 103


09:33:59 Scan Complete


Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:36:07.812

Objects scanned:150478

Objects identified:76

Objects ignored:0

New critical objects:76

If needed, I can also post logs from other programs.


(Kacz2n) #6

Remove what Ad-aware found. MRU is not a threat :wink: . Also empty the TEMP folder in Safe Mode.


(Kubiniak) #7
Logfile of HijackThis v1.99.1

Scan saved at 10:20:27, on 2006-01-05

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\WINDOWS\System32\Ati2evxx.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\Ati2evxx.exe

D:\WINDOWS\Explorer.EXE

D:\WINDOWS\system32\spoolsv.exe

D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

D:\Program Files\ArcaVir\Bin\ABmenu.exe

D:\Program Files\ArcaVir\Bin\ABregmon.exe

D:\Program Files\Skype\Phone\Skype.exe

D:\Program Files\Tlen.pl\tlen.exe

D:\Program Files\Gadu-Gadu\gg.exe

D:\PROGRA~1\INCRED~1\bin\IMApp.exe

D:\Program Files\ArcaVir\Bin\NetMonSv.exe

D:\Program Files\ArcaVir\Bin\avmonsv.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe

D:\WINDOWS\System32\svchost.exe

D:\Program Files\ArcaVir\Bin\arcascan.exe

D:\PROGRA~1\INCRED~1\bin\IncMail.exe

D:\WINDOWS\system32\wuauclt.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\Program Files\Internet Explorer\iexplore.exe

D:\WINDOWS\System32\WScript.exe

D:\Documents and Settings\A\Pulpit\pobrane z DAP\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.ols.vectranet.pl:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [ABmenu] D:\Program Files\ArcaVir\Bin\ABmenu.exe

O4 - HKLM\..\Run: [ABREGMON] D:\Program Files\ArcaVir\Bin\ABregmon.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [Skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Komunikator] D:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [IncrediMail] D:\Program Files\IncrediMail\bin\IncMail.exe /c

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - D:\PROGRA~1\DAP\DAP.EXE

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - D:\Program Files\IrfanView\Ebay\Ebay.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O18 - Protocol: pcl - {182D0C85-206F-4103-B4FA-DCC1FB0A0A44} - D:\Program Files\Autodesk\Inventor Professional 9\bin\HSPCLPRO10.dll

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit sp. z o.o. - D:\Program Files\ArcaVir\Bin\NetMonSv.exe

O23 - Service: ArcaVir Monitor (ArcaMonSvc) - ArcaBit - D:\Program Files\ArcaVir\Bin\avmonsv.exe

O23 - Service: ArcaScan - ArcaBit - D:\Program Files\ArcaVir\Bin\arcascan.exe

O23 - Service: arcaserv - ArcaBit Sp. z o. o. - D:\Program Files\ArcaVir\bin\arcaserv.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skype" = ""D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"Komunikator" = "D:\Program Files\Tlen.pl\tlen.exe" [null data]

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"IncrediMail" = "D:\Program Files\IncrediMail\bin\IncMail.exe /c" ["IncrediMail, Ltd."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"ABmenu" = "D:\Program Files\ArcaVir\Bin\ABmenu.exe" ["ArcaBit"]

"ABREGMON" = "D:\Program Files\ArcaVir\Bin\ABregmon.exe" ["ArcaBit"]

"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}

"Flag" = 2


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [file not found]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]

"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 DragDrop Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.5 Property Sheet Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]

IMMenuShellExt\(Default) = "{F8984111-38B6-11D5-8725-0050DA2761C4}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\IncrediMail\bin\IMShExt.dll" ["IncrediMail, Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinAce\arcext.dll" ["e-merge GmbH"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ArcaVir\(Default) = "{39D48A26-EB1E-494c-973B-DDF4B2BEFE3F}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ArcaVir\Bin\ArcaShl.dll" [null data]

FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"

  -> {CLSID}\InProcServer32\(Default) = "d:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\A\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"FRU Task #Hewlett-Packard#hp psc 1200 series#1134904292" -> launches: "D:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1134904292"" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}\ = "Shell Search Band" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{669695BC-A811-4A9D-8CDF-BA8C795F261C}\

"ButtonText" = "Run DAP"

"Exec" = "D:\PROGRA~1\DAP\DAP.EXE" ["Speedbit Ltd."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\

"ButtonText" = "eBay - Homepage"

"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"

  -> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\shdocvw.dll" [MS]

"Exec" = "D:\Program Files\IrfanView\Ebay\Ebay.htm" [null data]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ArcaBit NetMonitor, ABNetMon, "D:\Program Files\ArcaVir\Bin\NetMonSv.exe" ["ArcaBit sp. z o.o."]

ArcaScan, ArcaScan, "D:\Program Files\ArcaVir\Bin\arcascan.exe" ["ArcaBit"]

ArcaVir Monitor, ArcaMonSvc, "D:\Program Files\ArcaVir\Bin\avmonsv.exe" ["ArcaBit"]

Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

Machine Debug Manager, MDM, ""D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

MSSQL$INVENTORCONTENT, MSSQL$INVENTORCONTENT, "D:\Program Files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 101 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 30 seconds.

---------- (total run time: 184 seconds)

(Kacz2n) #8

The log is OK. :slight_smile: