Prosze o sprawdzenie loga


(Desad) #1
Logfile of HijackThis v1.99.1

Scan saved at 22:36:39, on 10/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\mssearchnet.exe

C:\WINDOWS\System32\nvctrl.exe

C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\?hkntfs.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\program files\internet explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\darek\Ustawienia lokalne\Temp\Katalog tymczasowy 2 dla hijackthis.zip\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.pai.net.pl:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp691A.tmp

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Not] C:\WINDOWS\System32\?hkntfs.exe

O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {22222222-2222-2222-2222-222222222222} - 

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=65&id=28747&1s&tag=25

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O18 - Protocol: bw+0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw-0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw00s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw10s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw20s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw30s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw40s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw50s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw60s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw70s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw80s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw90s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwa0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwb0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwc0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwd0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwe0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwf0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: bwg0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwg0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwh0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwi0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwj0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwk0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwl0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwm0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwn0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwo0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwp0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwq0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwr0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bws0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwt0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwu0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwv0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bww0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwx0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwy0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bwz0s - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: offline-8876480 - {C61491A4-6898-4357-BA5E-FD7708F987D1} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

====================================

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

Proponuje poczytać TEN temat i zobacz jaka jest prośba do userów wklejających loga.

Pozdrawiam kuz5


(Gutek) #2
  1. Wyłączyć Przywracanie systemu w XP TU

  2. Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).

  3. Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte. Dodatkowo O15 może będzie stawiać opór więc ściągnij KillTrusted 0.7

  4. Skasować z dysku pliki i foldery, które podkreśliłem na czerwono

  5. Dokończyć skanerami online - Scanery do wyboru

  6. Pokazać nowy log :stuck_out_tongue:

023 - Start >>> Uruchom >>> services.msc >>> zatrzymaj i wyłącz ISEXEng potem usuń plik

Odinstaluj w całości Desktop Messenger i BackWeb od Logitecha.

Zastosuj Usuwanie updatescenter.com / security2k.net / syserrors.com / SpyAxe oraz TROJAN STYDLER


(Desad) #3

Dziekuje bardzo. Na pulpicie wszystko gra, jedynie strona startowa w IE ciagle “doradza” spy axe. Nowy log:

Logfile of HijackThis v1.99.1

Scan saved at 01:05:22, on 12/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\System32\?hkntfs.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\program files\internet explorer\iexplore.exe

C:\Documents and Settings\darek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis1.99.1.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://msaps.dll/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://msaps.dll/search.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.pai.net.pl:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

R3 - URLSearchHook: (no name) - {FDE3577A-6254-181C-4E11-339E4F746BD3} - (no file)

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp68DB.tmp

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Not] C:\WINDOWS\System32\?hkntfs.exe

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O15 - Trusted Zone: http://arcaonline.arcabit.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {22222222-2222-2222-2222-222222222222} - 

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://l00kl23.com/default.cab?uid=65&id=28747&1s&tag=25

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

st3.dll - killbox odmawia usuniecia

angelex- ISEXeng zastalem wylaczone, sam plik nie istnieje


(Gutek) #4

023 - Start >>> Uruchom >>> services.msc >>> zatrzymaj i wyłącz ISEXEng potem usuń plik

Przeczytaj dokładnie co ja prosiłem abyś zrobił:

  1. Wyłączyć Przywracanie systemu w XP TU

  2. Zastartować do trybu awaryjnego bez internetu(opis w linku wyżej).

  3. Zaznaczyć wskazane wpisy w Hijacku i kliknąć Fix checked. Wpisy zostaną usunięte. Dodatkowo O15 może będzie stawiać opór więc ściągnij KillTrusted 0.7

  4. Skasować z dysku pliki i foldery, które podkreśliłem na czerwono

  5. Dokończyć skanerami online - Scanery do wyboru

  6. Pokazać nowy log :stuck_out_tongue:

Zastosuj Usuwanie updatescenter.com / security2k.net / syserrors.com / SpyAxe oraz TROJAN STYDLER

Masz plik “z pytajnikiem” - ?hkntfs.exe , jak usunąć zobacz TU

Zastosuj usuwania i metode opisaną w tematach podkreslonych na czerwono :wink:


(Desad) #5

Dzieki, przepraszam, za poprzednie, poprostu nie widzialem podkreslen. Dopiero w wordzie…

Logfile of HijackThis v1.99.1

Scan saved at 00:42:40, on 13/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\mssearchnet.exe

C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\alt.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\Documents and Settings\darek\Ustawienia lokalne\Temp\Katalog tymczasowy 6 dla hijackthis1.99.1.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.pai.net.pl:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O15 - Trusted Zone: http://arcaonline.arcabit.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

020 - odmawia usuniecia

Pozdrawiam


(Gutek) #6

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz ścieżki

C:\WINDOWS\System32\st3.dll

C:\WINDOWS\alt.exe

C:\WINDOWS\System32\mssearchnet.exe

i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

Proszę o LOG z Silent Runners

Silent opis: http://www.searchengines.pl/phpbb203/in … opic=15989


(Desad) #7

witam, usunalem wszystko, oprocz C:\WINDOWS\System32\st3.dll

Powrocil alarm w zasobniku i zaproszenia do kasyna :frowning:

Ponizej logi z hijacka i srunnera. Dziekuje za pomoc.

Logfile of HijackThis v1.99.1

Scan saved at 00:07:38, on 15/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\nvctrl.exe

C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\program files\internet explorer\iexplore.exe

C:\WINDOWS\System32\mssearchnet.exe

C:\program files\internet explorer\iexplore.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Documents and Settings\darek\Ustawienia lokalne\Temp\Katalog tymczasowy 7 dla hijackthis1.99.1.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.pai.net.pl:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\System32\hp60EC.tmp

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O15 - Trusted Zone: http://arcaonline.arcabit.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"AlexaToolbar" = "C:\WINDOWS\alt.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"wininet.dll" = "mscornet.exe" [null data]

"nvctrl.exe" = "nvctrl.exe" [null data]

"kernel32.dll" = "C:\WINDOWS\System32\mssearchnet.exe" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"AudioHQ" = "C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]

"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]

"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

"CmUsbSound" = "RunDll32 cmcnfgu.cpl,CMICtrlWnd" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{1ca480cd-c0e5-4548-874e-b85b17905b3a}\(Default) = "HomepageBHO" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hp60EC.tmp" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE10\msohev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]

INFECTION WARNING! "{C7CF1142-0785-4B12-A280-B64681E4D45E}" = "z"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\prflbmsgp32.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

INFECTION WARNING! st3\DLLName = "C:\WINDOWS\system32\st3.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\darek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "darek" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\fgiebar.dll" ["Amaze Soft"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FLASHGET\flashget.exe" ["Amaze Soft"]



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

: ˙ţ[V e r s i o n] 


: S i g n a t u r e = " $ C H I C A G O $ " 


: A d v a n c e d I N F = 2 . 5 , " Y o u n e e d a n e w v e r s i o n o f a d v p a c k . d l l " 


:  


: [R e s t o r e H o m e P a g e] 


: A d d R e g = R e s t o r e H o m e P a g e . r e g 


:  


: [R e s t o r e B r o w s e r S e t t i n g s] 


: A d d R e g = R e s t o r e B r o w s e r S e t t i n g s . r e g 


: D e l R e g = D e l e t e T e m p l a t e s . r e g , D e l e t e A u t o s e a r c h . r e g 


:  


: [R e s t o r e H o m e P a g e . r e g] 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S t a r t P a g e " , 0 , % S T A R T _ P A G E _ U R L % 


:  


: [R e s t o r e B r o w s e r S e t t i n g s . r e g] 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ P a g e _ U R L " , 0 , % S T A R T _ P A G E _ U R L % 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ S e a r c h _ U R L " , 0 , % S E A R C H _ P A G E _ U R L % 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 1 " , 0 , " w w w . % s . c o m " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 2 " , 0 , " w w w . % s . o r g " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 3 " , 0 , " w w w . % s . n e t " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 4 " , 0 , " w w w . % s . e d u " 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % 


:  


: ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ S e a r c h U r l " , " P r o v i d e r " , 0 , " " 


:  


: t m " 


: t m " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ I n t e r n e t S e t t i n g s \ S a f e S i t e s " , % S A F E S I T E _ V A L U E % , 0 , " h t t p : / / i e . s e a r c h . m s n . c o m / * " 


:  


: [D e l e t e T e m p l a t e s . r e g] 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 5 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 6 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 7 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 8 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 9 " 


:  


: [D e l e t e A u t o s e a r c h . r e g] 


: ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " A u t o S e a r c h " 


:  


: [S t r i n g s] 


: S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " 


: S E A R C H _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & a r = i e s e a r c h " 


: S A F E S I T E _ V A L U E = " i e . s e a r c h . m s n . c o m " 


:  


: ; I M P O R T A N T N O T E : 


: ; I E b r a n d i n g d l l ( i e d k c s 3 2 . d l l ) u s e s t h e f o l l o w i n g e n t r i e s t o r e s t o r e t h e d e f a u l t M S v a l u e s . 


: ; I n t h e v a n i l l a v e r s i o n o f I E , t h e v a l u e s m u s t b e t h e s a m e a s t h e i r c o r r e s p o n d i n g n o n M S _ * v a l u e s . 


: ; F o r e x a m p l e , S T A R T _ P A G E _ U R L a n d M S _ S T A R T _ P A G E _ U R L m u s t h a v e t h e s a m e U R L i n t h e I E v e r s i o n r e l e a s e d b y M S . 


: M S _ S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " 


:  


Missing lines (compared with English-language version):

[Version]: 2 lines

[RestoreHomePage]: 1 line

[RestoreHomePage.reg]: 1 line

[RestoreBrowserSettings.reg]: 12 lines

[DeleteTemplates.reg]: 5 lines

[DeleteAutosearch.reg]: 1 line

[Strings]: 1 line

[RestoreBrowserSettings]: 2 lines

[Strings]: 3 lines


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

HIJACK WARNING! "NavigationFailure" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "NavigationCanceled" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "OfflineInformation" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "blank" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "PostNotCached" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "MRU Update" = "1" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZONELABS\vsmon.exe -service" ["Zone Labs Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 17 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 8 seconds.

---------- (total run time: 48 seconds)

(Gutek) #8

Zastosuj dokładnie instrukcję Usuwanie SpyAxe

usuń w trybie awaryjnym plik ręcznie

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG Przejście do trybu awaryjnego Windows i uruchomienie pliku FIX.REG.


(Desad) #9

Witam, wreszcie mialem chwilke czasu, zeby powalczyc :slight_smile:

Oto logi: srunner

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"AlexaToolbar" = "C:\WINDOWS\alt.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"AudioHQ" = "C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]

"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs Inc."]

"RemoteControl" = ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"Logitech Utility" = "Logi_MwX.Exe" ["Logitech Inc."]

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]

"CmUsbSound" = "RunDll32 cmcnfgu.cpl,CMICtrlWnd" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE10\msohev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{1B68470C-2DEF-493B-8A4A-8E2D81BE4EA5}" = "st3"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\st3.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

INFECTION WARNING! st3\DLLName = "C:\WINDOWS\system32\st3.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "darek" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\FLASHGET\fgiebar.dll" ["Amaze Soft"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FLASHGET\flashget.exe" ["Amaze Soft"]



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

: ˙ţ[V e r s i o n] 


: S i g n a t u r e = " $ C H I C A G O $ " 


: A d v a n c e d I N F = 2 . 5 , " Y o u n e e d a n e w v e r s i o n o f a d v p a c k . d l l " 


:  


: [R e s t o r e H o m e P a g e] 


: A d d R e g = R e s t o r e H o m e P a g e . r e g 


:  


: [R e s t o r e B r o w s e r S e t t i n g s] 


: A d d R e g = R e s t o r e B r o w s e r S e t t i n g s . r e g 


: D e l R e g = D e l e t e T e m p l a t e s . r e g , D e l e t e A u t o s e a r c h . r e g 


:  


: [R e s t o r e H o m e P a g e . r e g] 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S t a r t P a g e " , 0 , % S T A R T _ P A G E _ U R L % 


:  


: [R e s t o r e B r o w s e r S e t t i n g s . r e g] 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ P a g e _ U R L " , 0 , % S T A R T _ P A G E _ U R L % 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ S e a r c h _ U R L " , 0 , % S E A R C H _ P A G E _ U R L % 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 1 " , 0 , " w w w . % s . c o m " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 2 " , 0 , " w w w . % s . o r g " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 3 " , 0 , " w w w . % s . n e t " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 4 " , 0 , " w w w . % s . e d u " 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % 


:  


: ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ S e a r c h U r l " , " P r o v i d e r " , 0 , " " 


:  


: t m " 


: t m " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ I n t e r n e t S e t t i n g s \ S a f e S i t e s " , % S A F E S I T E _ V A L U E % , 0 , " h t t p : / / i e . s e a r c h . m s n . c o m / * " 


:  


: [D e l e t e T e m p l a t e s . r e g] 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 5 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 6 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 7 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 8 " 


: H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 9 " 


:  


: [D e l e t e A u t o s e a r c h . r e g] 


: ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t 


: H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " A u t o S e a r c h " 


:  


: [S t r i n g s] 


: S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " 


: S E A R C H _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & a r = i e s e a r c h " 


: S A F E S I T E _ V A L U E = " i e . s e a r c h . m s n . c o m " 


:  


: ; I M P O R T A N T N O T E : 


: ; I E b r a n d i n g d l l ( i e d k c s 3 2 . d l l ) u s e s t h e f o l l o w i n g e n t r i e s t o r e s t o r e t h e d e f a u l t M S v a l u e s . 


: ; I n t h e v a n i l l a v e r s i o n o f I E , t h e v a l u e s m u s t b e t h e s a m e a s t h e i r c o r r e s p o n d i n g n o n M S _ * v a l u e s . 


: ; F o r e x a m p l e , S T A R T _ P A G E _ U R L a n d M S _ S T A R T _ P A G E _ U R L m u s t h a v e t h e s a m e U R L i n t h e I E v e r s i o n r e l e a s e d b y M S . 


: M S _ S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " 


:  


Missing lines (compared with English-language version):

[Version]: 2 lines

[RestoreHomePage]: 1 line

[RestoreHomePage.reg]: 1 line

[RestoreBrowserSettings.reg]: 12 lines

[DeleteTemplates.reg]: 5 lines

[DeleteAutosearch.reg]: 1 line

[Strings]: 1 line

[RestoreBrowserSettings]: 2 lines

[Strings]: 3 lines


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

HIJACK WARNING! "NavigationFailure" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "NavigationCanceled" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "OfflineInformation" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "blank" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "PostNotCached" = "res://msaps.dll/index.html" [null data]

HIJACK WARNING! "MRU Update" = "1" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\System32\CTsvcCDA.EXE" ["Creative Technology Ltd"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZONELABS\vsmon.exe -service" ["Zone Labs Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 15 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 8 seconds.

---------- (total run time: 51 seconds)

hijack

Logfile of HijackThis v1.99.1

Scan saved at 22:46:16, on 20/12/2005

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\WINDOWS\System32\devldr32.exe

C:\WINDOWS\System32\RunDll32.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZONELABS\vsmon.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\darek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis1.99.1.zip\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.pai.net.pl:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [AlexaToolbar] C:\WINDOWS\alt.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe

O15 - Trusted Zone: http://arcaonline.arcabit.com

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab

O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Dziekuje serdecznie za pomoc, na piewszy rzut oka wszystko wyglada ok.

Maszyna znacznie przyspieszyla.

Przesylam pozdrowienia z zielonej Irlandii.


(Gutek) #10

zostało więc:

Otwórz notatnik i wklej:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG Zanim przejdziesz do awaryjnego usuń:

  • użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot oraz All Files i w polu Full Path of File to Delete wklejasz ścieżki C:\WINDOWS\alt.exe

C:\WINDOWS\System32\st3.dll i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz i przejście do trybu awaryjnego Windows i uruchomienie pliku FIX.REG.