Proszę sprawdzić loga, mam problem z SpywareQuake

Dla specjalistów Bezpieczeństwo
#1

Witam,

Mam problem z virusem “SpywareQuake” i nie wiem jak go usunąć a program atyvirusowy nie pomaga.

Cały czas w dolnym prawym rogu wyskakuje komunikat o kryrycznym zagrożeniu systemu, poczym klikam na to i przenosi mnie na stronę podejrzaną. Poniżej przesyłam loga do sprawdzenia, która to cholera.

Jestem początkowym użytkownikiem, więc zupełnie się nie znam na tym problemie.

Proszę o pomoc :slight_smile:

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"wininet.dll" = "regperf.exe" [file not found]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]

"00THotkey" = "C:\WINDOWS\system32\00THotkey.exe" ["TOSHIBA Corp."]

"000StTHK" = "000StTHK.exe" [null data]

"SigmaTel StacMon" = "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" ["SigmaTel Inc."]

"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]

"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]

"LTSMMSG" = "LTSMMSG.exe" ["LT"]

"TFncKy" = "TFncKy.exe" ["TOSHIBA Corporation"]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"TFNF5" = "TFNF5.exe" ["TOSHIBA Corp."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"

  -> {HKLM...CLSID} = "TouchShellExt Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Skladnik rozszerzenia powloki CorelDRAW"

  -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"

                   \InProcServer32\(Default) = "C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [null data]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {HKLM...CLSID} = "ACTHUMBNAIL"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"

  -> {HKLM...CLSID} = "AcSignIcon"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {HKLM...CLSID} = "ACDWFTHMBPRXY"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"

  -> {HKLM...CLSID} = "Message View"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones"

  -> {HKLM...CLSID} = "My Phones"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Teleca Software Solutions AB"]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"cholecyst" = "{ee2975b6-e8d5-405e-8448-8fe9590f6cfb}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mzoeut.dll" [null data]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]



Default executables:

--------------------


HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"

INFECTION WARNING! HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Mariusz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"{464531DF-65C1-4088-B05F-AE08DE294784}_MARIUSZ-TOSHIBA_Mariusz" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{464531DF-65C1-4088-B05F-AE08DE294784}_MARIUSZ-TOSHIBA_Mariusz"" [MS]

"{5E1913D4-A5FA-4464-AEC5-ED73A6E55D82}_MARIUSZ-TOSHIBA_Mariusz" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{5E1913D4-A5FA-4464-AEC5-ED73A6E55D82}_MARIUSZ-TOSHIBA_Mariusz"" [MS]

"{8C351409-3740-4F9E-BA3F-BD71C83F8A7D}_MARIUSZ-TOSHIBA_Mariusz" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{8C351409-3740-4F9E-BA3F-BD71C83F8A7D}_MARIUSZ-TOSHIBA_Mariusz"" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

"ButtonText" = "Utwórz Ulubione dla urządzenia przenośnego"

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

  -> {HKLM...CLSID} = "Create Mobile Favorite"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]


{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

  -> {HKLM...CLSID} = "Create Mobile Favorite"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 97 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 10 seconds.

---------- (total run time: 137 seconds)
#2

Użyj smitfraudfix http://forum.dobreprogramy.pl/viewtopic.php?t=36654 i wklej raport + nowe log z silenta.

#3

dzięki już sobie poradziłem

#4

Ale jeszcze po tym miałeś zrobić to:

#5

log po wyeliminowaniu SpywareQuake

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]

"00THotkey" = "C:\WINDOWS\system32\00THotkey.exe" ["TOSHIBA Corp."]

"000StTHK" = "000StTHK.exe" [null data]

"SigmaTel StacMon" = "C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" ["SigmaTel Inc."]

"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]

"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

"TouchED" = "C:\Program Files\TOSHIBA\TouchED\TouchED.Exe" ["TOSHIBA Corporation"]

"LTSMMSG" = "LTSMMSG.exe" ["LT"]

"TFncKy" = "TFncKy.exe" ["TOSHIBA Corporation"]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"TFNF5" = "TFNF5.exe" ["TOSHIBA Corp."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{30D02401-6A81-11d0-8274-00C04FD5AE38}" = "IE Search Band"

  -> {HKLM...CLSID} = "IE Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}" = "Shell DocObject Viewer"

  -> {HKLM...CLSID} = "Shell DocObject Viewer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}" = "InternetShortcut"

  -> {HKLM...CLSID} = "Internet Shortcut"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}" = "Microsoft Url History Service"

  -> {HKLM...CLSID} = "Microsoft Url History Service"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{FF393560-C2A7-11CF-BFF4-444553540000}" = "History"

  -> {HKLM...CLSID} = "History"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"

  -> {HKLM...CLSID} = "Temporary Internet Files"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}" = "Temporary Internet Files"

  -> {HKLM...CLSID} = "Temporary Internet Files"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" = "Microsoft Url Search Hook"

  -> {HKLM...CLSID} = "Microsoft Url Search Hook"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}" = "The Internet"

  -> {HKLM...CLSID} = "The Internet"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{871C5380-42A0-1069-A2EA-08002B30309D}" = "Internet Name Space"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{C4213067-97B3-4929-9B98-B5600FBBBA13}" = "TouchED"

  -> {HKLM...CLSID} = "TouchShellExt Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll" ["TOSHIBA Corporation"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Skladnik rozszerzenia powloki CorelDRAW"

  -> {HKLM...CLSID} = "CorelDRAW Shell Extension Component"

                   \InProcServer32\(Default) = "C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [null data]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {HKLM...CLSID} = "ACTHUMBNAIL"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"

  -> {HKLM...CLSID} = "AcSignIcon"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {HKLM...CLSID} = "ACDWFTHMBPRXY"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"

  -> {HKLM...CLSID} = "Nokia Phone Browser"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]

"{C0C4375A-5B72-4efe-929D-3B848C3A1E91}" = "Message View"

  -> {HKLM...CLSID} = "Message View"

                   \InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\MessageView.dll" ["Nokia"]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones"

  -> {HKLM...CLSID} = "My Phones"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Teleca Software Solutions AB"]

"{07C45BB1-4A8C-4642-A1F5-237E7215FF66}" = "IE Microsoft BrowserBand"

  -> {HKLM...CLSID} = "IE Microsoft BrowserBand"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}" = "IE Fade Task"

  -> {HKLM...CLSID} = "IE Fade Task"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{205D7A97-F16D-4691-86EF-F3075DCCA57D}" = "IE Menu Desk Bar"

  -> {HKLM...CLSID} = "IE Menu Desk Bar"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE AutoComplete"

  -> {HKLM...CLSID} = "IE AutoComplete"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{43886CD5-6529-41c4-A707-7B3C92C05E68}" = "IE Navigation Bar"

  -> {HKLM...CLSID} = "IE Navigation Bar"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{44C76ECD-F7FA-411c-9929-1B77BA77F524}" = "IE Menu Site"

  -> {HKLM...CLSID} = "IE Menu Site"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{4B78D326-D922-44f9-AF2A-07805C2A3560}" = "IE Menu Band"

  -> {HKLM...CLSID} = "IE Menu Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{6038EF75-ABFC-4e59-AB6F-12D397F6568D}" = "IE Microsoft History AutoComplete List"

  -> {HKLM...CLSID} = "IE Microsoft History AutoComplete List"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}" = "IE Tracking Shell Menu"

  -> {HKLM...CLSID} = "IE Tracking Shell Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{6CF48EF8-44CD-45d2-8832-A16EA016311B}" = "IE IShellFolderBand"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{73CFD649-CD48-4fd8-A272-2070EA56526B}" = "IE BandProxy"

  -> {HKLM...CLSID} = "IE BandProxy"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}" = "IE MRU AutoComplete List"

  -> {HKLM...CLSID} = "IE MRU AutoComplete List"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}" = "IE Microsoft Shell Folder AutoComplete List"

  -> {HKLM...CLSID} = "IE Microsoft Shell Folder AutoComplete List"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{B31C5FAE-961F-415b-BAF0-E697A5178B94}" = "IE Microsoft Multiple AutoComplete List Container"

  -> {HKLM...CLSID} = "IE Microsoft Multiple AutoComplete List Container"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" = "Microsoft Browser Architecture"

  -> {HKLM...CLSID} = "Microsoft Browser Architecture"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}" = "IE Shell Rebar BandSite"

  -> {HKLM...CLSID} = "IE Shell Rebar BandSite"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{E6EE9AAC-F76B-4947-8260-A9F136138E11}" = "IE Shell Band Site Menu"

  -> {HKLM...CLSID} = "IE Shell Band Site Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{F0353E1D-FEEC-474e-A984-1E5C6865E380}" = "IE Global Folder Settings"

  -> {HKLM...CLSID} = "IE Global Folder Settings"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{F2CF5485-4E02-4f68-819C-B92DE9277049}" = "&Links"

  -> {HKLM...CLSID} = "&Links"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}" = "IE Registry Tree Options Utility"

  -> {HKLM...CLSID} = "IE Registry Tree Options Utility"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" = "IE User Assist"

  -> {HKLM...CLSID} = "IE User Assist"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}" = "IE Custom MRU AutoCompleted List"

  -> {HKLM...CLSID} = "IE Custom MRU AutoCompleted List"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{553858A7-4922-4e7e-B1C1-97140C1C16EF}" = "IE Component Categories cache daemon"

  -> {HKLM...CLSID} = "IE Component Categories cache daemon"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! WgaLogon\DLLName = "WgaLogon.dll" [MS]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"

  -> {HKLM...CLSID} = "WinZip"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

XPTools\(Default) = "{23F2DE6C-2C3F-4F95-B16A-56714C6FAAF4}"

  -> {HKLM...CLSID} = "Context Menu Shell Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]



Default executables:

--------------------


HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"

INFECTION WARNING! HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\notepad.exe" "%1"" [MS]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Mariusz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Enabled Scheduled Tasks:

------------------------


"{464531DF-65C1-4088-B05F-AE08DE294784}_MARIUSZ-TOSHIBA_Mariusz" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{464531DF-65C1-4088-B05F-AE08DE294784}_MARIUSZ-TOSHIBA_Mariusz"" [MS]

"{5E1913D4-A5FA-4464-AEC5-ED73A6E55D82}_MARIUSZ-TOSHIBA_Mariusz" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{5E1913D4-A5FA-4464-AEC5-ED73A6E55D82}_MARIUSZ-TOSHIBA_Mariusz"" [MS]

"{8C351409-3740-4F9E-BA3F-BD71C83F8A7D}_MARIUSZ-TOSHIBA_Mariusz" -> launches: "C:\WINDOWS\system32\mobsync.exe /Schedule="{8C351409-3740-4F9E-BA3F-BD71C83F8A7D}_MARIUSZ-TOSHIBA_Mariusz"" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

"ButtonText" = "Utwórz Ulubione dla urządzenia przenośnego"

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

  -> {HKLM...CLSID} = "Create Mobile Favorite"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]


{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."

"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"

  -> {HKLM...CLSID} = "Create Mobile Favorite"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[Strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"


Missing lines (compared with English-language version):

[Strings]: 2 lines


HKLM\Software\Microsoft\Internet Explorer\AboutURLs\

HIJACK WARNING! "NavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]

HIJACK WARNING! "DesktopItemNavigationFailure" = "res://ieframe.dll/navcancl.htm" [MS]

HIJACK WARNING! "NavigationCanceled" = "res://ieframe.dll/navcancl.htm" [MS]

HIJACK WARNING! "OfflineInformation" = "res://ieframe.dll/offcancl.htm" [MS]

HIJACK WARNING! "PostNotCached" = "res://ieframe.dll/repost.htm" [MS]

HIJACK WARNING! "NoAdd-ons" = "res://ieframe.dll/noaddon.htm" [MS]

HIJACK WARNING! "NoAdd-onsInfo" = "res://ieframe.dll/noaddoninfo.htm" [MS]

HIJACK WARNING! "SecurityRisk" = "res://ieframe.dll/securityatrisk.htm" [MS]

HIJACK WARNING! "Tabs" = "res://ieframe.dll/tabswelcome.htm" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt07\Driver = "hpzlnt07.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 54 seconds, including 11 seconds for message boxes)
#6

no, jest ok.