Prosze o sprawdzenie loga, coś dziwnego z e-mailami


(Ple91) #1

Właśnie do mnie dzwonili z obsługi internetu, że zablokowali mi port od E-maili, ponieważ wysyła za dużo e-maili. Ja żadnego nie wysyłam, więc na 99% to wirus lub coś w tym stylu... Jestem w trakcie robienia skanu NOD'em 32...

Proszę o pomoc.

Logfile of HijackThis v1.99.1

Scan saved at 15:09:05, on 2006-05-04

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\windows\system32\cisvc.exe

C:\WINDOWS\system32\drivers\crauto.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\drivers\IMountSRV.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\oodag.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\System32\svchost.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\windows\System32\svchost.exe

C:\windows\SYSTEM32\cidaemon.exe

C:\windows\Explorer.EXE

C:\windows\system32\ntvdm.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe

C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\windows\iexploler.exe

C:\windows\System.exe

C:\Program Files\NetMeter\NetMeter.exe

C:\Program Files\ScannerU\AM32.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\Program Files\D-Link AirPlus\AirPlus.exe

C:\Program Files\DoubleDesktop\dd.exe

C:\Program Files\Labtec Wireless Desktop\MulMouse.exe

C:\Program Files\Labtec Wireless Desktop\MagicKey.exe

C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\FlashGet\flashget.exe

C:\Program Files\Eset\nod32.exe

C:\Documents and Settings\123\Pulpit\Rozpakowywane\hijackthis (1)\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

F3 - REG:win.ini: load=c:\progra~1\programy\YDPDict\watch.exe

F2 - REG:system.ini: UserInit=C:\windows\svchost32.exe,C:\WINDOWS\SYSTEM32\Userinit.exe,

O1 - Hosts: 80.190.241.30 home.edonkey.com

O2 - BHO: XBTP05231 Class - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll

O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - (no file)

O3 - Toolbar: (no name) - {92E1B3F7-0546-421E-9835-904D25B7BA66} - (no file)

O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll

O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1045

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

O4 - HKCU\..\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto

O4 - HKCU\..\Run: [TaskMgr] C:\windows\iexploler.exe

O4 - HKCU\..\Run: [C] C:\Program Files\NetMeter\NetMeter.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: D-Link AirPlus.lnk = ?

O4 - Global Startup: DoubleDesktop.lnk = C:\Program Files\DoubleDesktop\dd.exe

O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MulMouse.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: PGGForever.lnk = C:\Program Files\Gadu-Gadu\PGGForever.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .exe: C:\Program Files\Opera75\PLUGINS\NPFgc1.dll

O12 - Plugin for .rar: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for .zip: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for H÷: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for ôĺ: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O15 - Trusted Zone: *.flingstone.com

O15 - Trusted Zone: *.i-lookup.com

O15 - Trusted Zone: *.offshoreclicks.com

O15 - Trusted Zone: *.teensguru.com

O15 - Trusted Zone: *.xxxtoolbar.com

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll

O20 - Winlogon Notify: winveg32 - C:\windows\SYSTEM32\winveg32.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: crauto - Unknown owner - C:\WINDOWS\system32\drivers\crauto.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\system32\drivers\IMountSRV.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: PMounter - Unknown owner - C:\WINDOWS\system32\PMounter.exe

O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE503.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

====================================

Widziałeś ten komunikat Ważny komunikat dotyczący tytułowania tematów zastosuj sie do niego => inaczej temat poleci do śmietnika :evil:

Pozdrawiam kuz5


(Bbieniol) #2

Widziałeś ten komunikat --> Ważny komunikat dotyczący tytułowania tematów <-- zastosuj sie do niego

Wyłączasz przywracanie systemu:

Włączasz tryb awaryjny:

Odpalasz Hijacka --> do a system scan only i zaznaczasz wpisy:

I klikasz na dole "fix checked" :slight_smile:

Uruchamiasz narzędzie KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\windows\SYSTEM32\winveg32.dll

C:\windows\iexploler.exe

C:\windows\System.exe

C:\windows\svchost32.exe

Klikasz X i restart kompa (restart dopiero po usunięciu ostatniego pliku) :slight_smile:

Po zabiegach nowy log z Hijacka + log z Silent Runners


(Ple91) #3

Log z Silent Runners:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"explorer" = "C:\windows\System.exe" [file not found]


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Dzieńdobry!" = "C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto" ["VSD Software"]

"C:\Program Files\NetMeter\NetMeter.exe" = "C:\Program Files\NetMeter\NetMeter.exe" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"DiskeeperSystray" = ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"" ["Diskeeper Corporation"]

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1045" ["DT Soft Ltd."]

"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]

"HPDJ Taskbar Utility" = "C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]

"ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]

"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]

"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray" ["Nokia"]

"DataLayer" = "C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]

"UVS10 Preload" = "C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" ["Ulead Systems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{031F120A-BBAF-45d8-B306-375F2A6B9398}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "XBTP05231 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll" ["IE Toolbar"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"

  -> {HKLM...CLSID} = "Microsoft Office Binder Unbind"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"

  -> {HKLM...CLSID} = "WayTech MultiMouse Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Labtec Wireless Desktop\CPDll.dll" [null data]

"{19F500E0-9964-11cf-B63D-08002B317C03}" = "Desktop Icon Layout"

  -> {HKLM...CLSID} = "Desktop Icon Layout"

                   \InProcServer32\(Default) = "Layout.dll" ["Microsoft"]

"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}" = "NRad Extension"

  -> {HKLM...CLSID} = "NRadExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\NRad.dll" [empty string]

"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}" = "Rad Extension"

  -> {HKLM...CLSID} = "RadPropExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Rad.dll" [empty string]

"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}" = "RadClkr Extension"

  -> {HKLM...CLSID} = "RadClkRExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\RadClkR.dll" [empty string]

"{C6844A1E-2C59-415A-84B3-C6A458372779}" = "RadType Extension"

  -> {HKLM...CLSID} = "RadTypeExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\RadType.dll" [empty string]

"{75B8D633-9021-442C-9EA4-FF4BE72CE20F}" = "NRad2 Extension"

  -> {HKLM...CLSID} = "NRadExt2 Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\NRad.dll" [empty string]

"{36518101-49AC-42CB-8E4C-40C1F328A565}" = "Rad2 Extension"

  -> {HKLM...CLSID} = "RadPropExt2 Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Rad.dll" [empty string]

"{793FEE91-6A71-11d3-BFDB-000000000000}" = "Paragon Encrypted Disk Shell Extension"

  -> {HKLM...CLSID} = "Paragon Encrypted Disk Shell Extension"

                   \InProcServer32\(Default) = "edshell.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]

"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"

  -> {HKLM...CLSID} = "Contact View"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]

"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"

  -> {HKLM...CLSID} = "Message View"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

  -> {HKLM...CLSID} = "ShellLink for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"

  -> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\windows\system32\browseui.dll" [MS]

"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"

  -> {HKLM...CLSID} = "GMail Drive"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"

  -> {HKLM...CLSID} = "GMailFS Property Sheet"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"

  -> {HKLM...CLSID} = "GMailFS Drop Handler"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"

  -> {HKLM...CLSID} = "GMailFS Context Menu"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

"{00000000-5736-4205-0100-f7ed0776fb27}" = "Steganos Internet Anonym 2006"

  -> {HKLM...CLSID} = "Steganos Internet Anonym 2006"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006se.dll" [null data]

"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"

  -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"

                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"

  -> {HKLM...CLSID} = "USIShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll" ["Ulead Systems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{35B2861B-2B26-4691-9FF0-09083722C736}" = "RadExe Extension"

  -> {HKLM...CLSID} = "RadExeExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\RadExe.dll" [empty string]


HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "load" = "c:\progra~1\programy\YDPDict\watch.exe" [null data]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "c:\progra~1\agnitum\outpos~1\wl_hook.dll" [file not found]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

INFECTION WARNING! winveg32\DLLName = "winveg32.dll" [file not found]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

QuickLoad\(Default) = "{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}"

  -> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]

Steganos Internet Anonym 2006\(Default) = "{00000000-5736-4205-0100-f7ed0776fb27}"

  -> {HKLM...CLSID} = "Steganos Internet Anonym 2006"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006se.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

Steganos Internet Anonym 2006\(Default) = "{00000000-5736-4205-0100-f7ed0776fb27}"

  -> {HKLM...CLSID} = "Steganos Internet Anonym 2006"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006se.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

IconLayout\(Default) = "{19F500E0-9964-11cf-B63D-08002B317C03}"

  -> {HKLM...CLSID} = "Desktop Icon Layout"

                   \InProcServer32\(Default) = "Layout.dll" ["Microsoft"]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\123\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "123" & "All Users" startup folders:

-----------------------------------------------------


C:\Documents and Settings\123\Menu Start\Programy\Autostart

"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Action Manager 32" -> shortcut to: "C:\Program Files\ScannerU\AM32.exe" [null data]

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"D-Link AirPlus" -> shortcut to: "C:\Program Files\D-Link AirPlus\AirPlus.exe" ["D-Link"]

"DoubleDesktop" -> shortcut to: "C:\Program Files\DoubleDesktop\dd.exe" ["Fat Free Software"]

"Enable Labtec Wireless Desktop" -> shortcut to: "C:\Program Files\Labtec Wireless Desktop\MulMouse.exe" [null data]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

"PGGForever" -> shortcut to: "C:\Program Files\Gadu-Gadu\PGGForever.exe" [null data]

"Symantec Fax Starter Edition Port" -> shortcut to: "C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\Secure Surfing Engine\sselsp.dll [null data], 01 - 03, 25

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{00000000-5736-4205-0008-F7ED0776FB27}"

  -> {HKLM...CLSID} = "Steganos Internet Anonym"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006iep.dll" [null data]

"{1CE4EE89-2D5C-4361-AF3B-D902AB545381}"

  -> {HKLM...CLSID} = "Alcohol Soft - Alcohol 120% Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll" ["IE Toolbar"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{00000000-5736-4205-0008-F7ED0776FB27}" = (no title provided)

  -> {HKLM...CLSID} = "Steganos Internet Anonym"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006iep.dll" [null data]

"{1CE4EE89-2D5C-4361-AF3B-D902AB545381}" = (no title provided)

  -> {HKLM...CLSID} = "Alcohol Soft - Alcohol 120% Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll" ["IE Toolbar"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\


Missing lines (compared with English-language version):

HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


crauto, crauto, "C:\WINDOWS\system32\drivers\crauto.exe" [null data]

Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]

HTTP SSL, HTTPFilter, "C:\windows\System32\svchost.exe -k HTTPFilter" {"C:\windows\System32\w3ssl.dll" [MS]}

IMountSRV, IMountSRV, "C:\WINDOWS\system32\drivers\IMountSRV.exe" [null data]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]

StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]

OLFax Ports\Driver = "OLFMNT40.DLL" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 66 seconds)

I z Hijacka:

Logfile of HijackThis v1.99.1

Scan saved at 10:50:00, on 2006-05-05

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\Explorer.EXE

C:\windows\system32\spoolsv.exe

C:\windows\system32\cisvc.exe

C:\WINDOWS\system32\drivers\crauto.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\drivers\IMountSRV.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\oodag.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\System32\svchost.exe

C:\windows\system32\ntvdm.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe

C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\Program Files\NetMeter\NetMeter.exe

C:\windows\System32\svchost.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\Program Files\ScannerU\AM32.exe

C:\Program Files\D-Link AirPlus\AirPlus.exe

C:\Program Files\DoubleDesktop\dd.exe

C:\Program Files\Labtec Wireless Desktop\MulMouse.exe

C:\Program Files\Labtec Wireless Desktop\MagicKey.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\Opera\Opera.exe

C:\windows\SYSTEM32\cidaemon.exe

C:\Documents and Settings\123\Pulpit\Rozpakowywane\hijackthis (1)\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

F3 - REG:win.ini: load=c:\progra~1\programy\YDPDict\watch.exe

O2 - BHO: XBTP05231 Class - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll

O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1045

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

O4 - HKCU\..\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto

O4 - HKCU\..\Run: [C] C:\Program Files\NetMeter\NetMeter.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: D-Link AirPlus.lnk = ?

O4 - Global Startup: DoubleDesktop.lnk = C:\Program Files\DoubleDesktop\dd.exe

O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MulMouse.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: PGGForever.lnk = C:\Program Files\Gadu-Gadu\PGGForever.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .exe: C:\Program Files\Opera75\PLUGINS\NPFgc1.dll

O12 - Plugin for .rar: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for .zip: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for H÷: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for ôĺ: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll

O20 - Winlogon Notify: winveg32 - winveg32.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: crauto - Unknown owner - C:\WINDOWS\system32\drivers\crauto.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\system32\drivers\IMountSRV.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: PMounter - Unknown owner - C:\WINDOWS\system32\PMounter.exe

O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE503.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(Bbieniol) #4

Otwórz notatnik i wklej w nim to:

Plik --> zapisz jako --> zmień rozszerzenie na wszystkie pliki --> zapisz pid nazwą FIX.REG

W trybie awaryjnym odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa :slight_smile:

Otwórz edytor rejestru Start >>> Uruchom >>> regedit i przejdź do klucza HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Tam kliknij podwójnie na wartość BootExecute i z okienka usuń wszystko z wyjątkiem autocheck autochk *

Po tych zabiegach jeszcze raz logi do kontroli :slight_smile:


(Ple91) #5

log z Silent Runners:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Dzieńdobry!" = "C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto" ["VSD Software"]

"C:\Program Files\NetMeter\NetMeter.exe" = "C:\Program Files\NetMeter\NetMeter.exe" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"DiskeeperSystray" = ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"" ["Diskeeper Corporation"]

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1045" ["DT Soft Ltd."]

"HP Software Update" = "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]

"HPDJ Taskbar Utility" = "C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]

"ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]

"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]

"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"PCSuiteTrayApplication" = "C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray" ["Nokia"]

"DataLayer" = "C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE" ["Nokia Mobile Phones Ltd."]

"UVS10 Preload" = "C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe" ["Ulead Systems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{031F120A-BBAF-45d8-B306-375F2A6B9398}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "XBTP05231 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll" ["IE Toolbar"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"

  -> {HKLM...CLSID} = "Microsoft Office Binder Unbind"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1045\UNBIND.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"

  -> {HKLM...CLSID} = "WayTech MultiMouse Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Labtec Wireless Desktop\CPDll.dll" [null data]

"{19F500E0-9964-11cf-B63D-08002B317C03}" = "Desktop Icon Layout"

  -> {HKLM...CLSID} = "Desktop Icon Layout"

                   \InProcServer32\(Default) = "Layout.dll" ["Microsoft"]

"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}" = "NRad Extension"

  -> {HKLM...CLSID} = "NRadExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\NRad.dll" [empty string]

"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}" = "Rad Extension"

  -> {HKLM...CLSID} = "RadPropExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Rad.dll" [empty string]

"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}" = "RadClkr Extension"

  -> {HKLM...CLSID} = "RadClkRExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\RadClkR.dll" [empty string]

"{C6844A1E-2C59-415A-84B3-C6A458372779}" = "RadType Extension"

  -> {HKLM...CLSID} = "RadTypeExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\RadType.dll" [empty string]

"{75B8D633-9021-442C-9EA4-FF4BE72CE20F}" = "NRad2 Extension"

  -> {HKLM...CLSID} = "NRadExt2 Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\NRad.dll" [empty string]

"{36518101-49AC-42CB-8E4C-40C1F328A565}" = "Rad2 Extension"

  -> {HKLM...CLSID} = "RadPropExt2 Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Rad.dll" [empty string]

"{793FEE91-6A71-11d3-BFDB-000000000000}" = "Paragon Encrypted Disk Shell Extension"

  -> {HKLM...CLSID} = "Paragon Encrypted Disk Shell Extension"

                   \InProcServer32\(Default) = "edshell.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\windows\system32\Audiodev.dll" [MS]

"{40950107-FEA6-4d53-A65F-B2DCBA57DD58}" = "Nokia Phone Browser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{FBFE7864-D495-41f0-B7DC-4BB601CC295E}" = "Contact View"

  -> {HKLM...CLSID} = "Contact View"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\ContactView.dll" ["Nokia"]

"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"

  -> {HKLM...CLSID} = "Message View"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

  -> {HKLM...CLSID} = "ShellLink for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]

"{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}" = "ImageShack QuickLoad Image Uploader"

  -> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\windows\system32\browseui.dll" [MS]

"{2B3453E4-49DF-11D3-8229-0080BE509050}" = "GMail Drive"

  -> {HKLM...CLSID} = "GMail Drive"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509052}" = "GMailFS Property Sheet"

  -> {HKLM...CLSID} = "GMailFS Property Sheet"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509054}" = "GMailFS Drop Handler"

  -> {HKLM...CLSID} = "GMailFS Drop Handler"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{2B3453E4-49DF-11D3-8229-0080BE509056}" = "GMailFS Context Menu"

  -> {HKLM...CLSID} = "GMailFS Context Menu"

                   \InProcServer32\(Default) = "C:\windows\system32\ShellExt\GMailFS.dll" ["Bjarke Viksoe"]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

"{00000000-5736-4205-0100-f7ed0776fb27}" = "Steganos Internet Anonym 2006"

  -> {HKLM...CLSID} = "Steganos Internet Anonym 2006"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006se.dll" [null data]

"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"

  -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"

                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client 2.0\smarthook.dll" ["SmartFTP"]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{DBD8E168-244D-448C-9922-25508950D1DC}" = "Ulead UDF Driver"

  -> {HKLM...CLSID} = "USIShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ulead Systems\DVD\USIShex.dll" ["Ulead Systems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! "{35B2861B-2B26-4691-9FF0-09083722C736}" = "RadExe Extension"

  -> {HKLM...CLSID} = "RadExeExt Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\RadExe.dll" [empty string]


HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "load" = "c:\progra~1\programy\YDPDict\watch.exe" [null data]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

INFECTION WARNING! "AppInit_DLLs" = "c:\progra~1\agnitum\outpos~1\wl_hook.dll" [file not found]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * OODBS" [file not found], [MS], [file not found], [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

QuickLoad\(Default) = "{0f0a4d40-adf0-4e8f-98d8-7208b98be01e}"

  -> {HKLM...CLSID} = "QuickLoad.QuickLoadContextMenu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mscoree.DLL" [MS]

Steganos Internet Anonym 2006\(Default) = "{00000000-5736-4205-0100-f7ed0776fb27}"

  -> {HKLM...CLSID} = "Steganos Internet Anonym 2006"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006se.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

Steganos Internet Anonym 2006\(Default) = "{00000000-5736-4205-0100-f7ed0776fb27}"

  -> {HKLM...CLSID} = "Steganos Internet Anonym 2006"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006se.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

IconLayout\(Default) = "{19F500E0-9964-11cf-B63D-08002B317C03}"

  -> {HKLM...CLSID} = "Desktop Icon Layout"

                   \InProcServer32\(Default) = "Layout.dll" ["Microsoft"]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\123\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "123" & "All Users" startup folders:

-----------------------------------------------------


C:\Documents and Settings\123\Menu Start\Programy\Autostart

"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Action Manager 32" -> shortcut to: "C:\Program Files\ScannerU\AM32.exe" [null data]

"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"D-Link AirPlus" -> shortcut to: "C:\Program Files\D-Link AirPlus\AirPlus.exe" ["D-Link"]

"DoubleDesktop" -> shortcut to: "C:\Program Files\DoubleDesktop\dd.exe" ["Fat Free Software"]

"Enable Labtec Wireless Desktop" -> shortcut to: "C:\Program Files\Labtec Wireless Desktop\MulMouse.exe" [null data]

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

"PGGForever" -> shortcut to: "C:\Program Files\Gadu-Gadu\PGGForever.exe" [null data]

"Symantec Fax Starter Edition Port" -> shortcut to: "C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\Secure Surfing Engine\sselsp.dll [null data], 01 - 03, 25

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{00000000-5736-4205-0008-F7ED0776FB27}"

  -> {HKLM...CLSID} = "Steganos Internet Anonym"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006iep.dll" [null data]

"{1CE4EE89-2D5C-4361-AF3B-D902AB545381}"

  -> {HKLM...CLSID} = "Alcohol Soft - Alcohol 120% Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll" ["IE Toolbar"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{00000000-5736-4205-0008-F7ED0776FB27}" = (no title provided)

  -> {HKLM...CLSID} = "Steganos Internet Anonym"

                   \InProcServer32\(Default) = "c:\program files\steganos internet anonym 2006\sia2006iep.dll" [null data]

"{1CE4EE89-2D5C-4361-AF3B-D902AB545381}" = (no title provided)

  -> {HKLM...CLSID} = "Alcohol Soft - Alcohol 120% Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll" ["IE Toolbar"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\


Missing lines (compared with English-language version):

HIJACK WARNING! "TuneUp" = "file://C|/Documents and Settings/All Users/Dane aplikacji/TuneUp Software/Common/base.css" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


crauto, crauto, "C:\WINDOWS\system32\drivers\crauto.exe" [null data]

Diskeeper, Diskeeper, ""C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe"" ["Diskeeper Corporation"]

HTTP SSL, HTTPFilter, "C:\windows\System32\svchost.exe -k HTTPFilter" {"C:\windows\System32\w3ssl.dll" [MS]}

IMountSRV, IMountSRV, "C:\WINDOWS\system32\drivers\IMountSRV.exe" [null data]

Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]

StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]

OLFax Ports\Driver = "OLFMNT40.DLL" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 49 seconds)

i z Hijacka

Logfile of HijackThis v1.99.1

Scan saved at 11:22:52, on 2006-05-05

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\windows\System32\smss.exe

C:\windows\SYSTEM32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\Explorer.EXE

C:\windows\system32\spoolsv.exe

C:\windows\system32\cisvc.exe

C:\WINDOWS\system32\drivers\crauto.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\drivers\IMountSRV.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\oodag.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\windows\System32\svchost.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\windows\system32\ntvdm.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe

C:\windows\System32\svchost.exe

C:\Program Files\NetMeter\NetMeter.exe

C:\Program Files\ScannerU\AM32.exe

C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE

C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe

C:\Program Files\D-Link AirPlus\AirPlus.exe

C:\Program Files\DoubleDesktop\dd.exe

C:\Program Files\Labtec Wireless Desktop\MulMouse.exe

C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Labtec Wireless Desktop\MagicKey.exe

C:\Program Files\Opera\Opera.exe

C:\windows\SYSTEM32\cidaemon.exe

C:\Documents and Settings\123\Pulpit\Rozpakowywane\hijackthis (1)\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 

F3 - REG:win.ini: load=c:\progra~1\programy\YDPDict\watch.exe

O2 - BHO: XBTP05231 Class - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: Steganos Internet Anonym - {00000000-5736-4205-0008-f7ed0776fb27} - c:\program files\steganos internet anonym 2006\sia2006iep.dll

O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"

O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1045

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\Launch Application 2.exe -onlytray

O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE

O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

O4 - HKCU\..\Run: [Dzieńdobry!] C:\Program Files\VSD Software\Dzieńdobry!\dziendobry.exe /auto

O4 - HKCU\..\Run: [C] C:\Program Files\NetMeter\NetMeter.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Action Manager 32.lnk = C:\Program Files\ScannerU\AM32.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: D-Link AirPlus.lnk = ?

O4 - Global Startup: DoubleDesktop.lnk = C:\Program Files\DoubleDesktop\dd.exe

O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MulMouse.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: PGGForever.lnk = C:\Program Files\Gadu-Gadu\PGGForever.exe

O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1045\OLFSNT40.EXE

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .exe: C:\Program Files\Opera75\PLUGINS\NPFgc1.dll

O12 - Plugin for .rar: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for .zip: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for H÷: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O12 - Plugin for ôĺ: C:\Program Files\Opera\PLUGINS\NPFgc1.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: crauto - Unknown owner - C:\WINDOWS\system32\drivers\crauto.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IMountSRV - Unknown owner - C:\WINDOWS\system32\drivers\IMountSRV.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

O23 - Service: PMounter - Unknown owner - C:\WINDOWS\system32\PMounter.exe

O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - C:\WINDOWS\System32\SLEE503.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(Bbieniol) #6

Nie zrobiłeś jeszcze tego:

Poza tym czysto :slight_smile:


(Ple91) #7

Hmmm... Zrobiłem to, ale po ponownym uruchomieniu komputera znowu jest

autocheck autochk *

OODBS

Złączono Posta : 05.05.2006 (Pią) 11:41

Po każdym ponownym uruchomieniu komputera tak się robi...


(Kuz5) #8

Nie przejmuj się tym, to nic ważnego

Co się robi ??


(Ple91) #9

Zmienia się z

autocheck autochk *

na

autocheck autochk * 

OODBS