IE 7 opening by itself and a problem with the instant messenger


(Elenka1984) #1

I have the following problem: after I plugged my pendrive into a colleague's laptop (very infected, as it later turned out)... it turned out that loads of that filth got "transferred" onto the pendrive... After plugging it into my computer I immediately scanned it with Nod32 and checked the HijackThis logs... (I'm starting to learn...) there were a few suspicious entries, so I removed them... Restart and everything was fine... But I left the computer to my mum and she wandered off somewhere, and today I noticed that IE "launches" by itself... Obviously => there must be something... I didn't see anything suspicious in HijackThis, but I don't know Silent Runners... Besides... since I started using AQQ I've had the following problem... someone writes to me every so many minutes... but when I want to check who it is, there's no data in the directory... I'll only add that it's from a GG number... Maybe I'm making a mountain out of a molehill, but I don't quite like it... Strangest of all, despite being blocked, they keep writing... Oh well... I'm pasting the HijackThis and Silent logs... Please help...

HijackThis

Logfile of HijackThis v1.99.1

Scan saved at 01:01:36, on 2007-05-31

Platform: Unknown Windows (WinNT 6.00.1904)

MSIE: Internet Explorer v7.00 (7.00.6000.16386)


Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

E:\Program Files\NetMeter\NetMeter.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\Program Files\Eset\nod32kui.exe

C:\Windows\System32\mobsync.exe

C:\Windows\system32\taskeng.exe

C:\Windows\system32\conime.exe

I:\opera921int\op.com

C:\Windows\system32\Dwm.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\SearchProtocolHost.exe

E:\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16

O4 - HKCU\..\Run: [E] E:\Program Files\NetMeter\NetMeter.exe

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30007 (IISADMIN) - Unknown owner - %windir%\system32\inetsrv\inetinfo.exe (file missing)

O23 - Service: lxcc_device - - C:\Windows\system32\lxcccoms.exe

O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe" -s:MSSQL.2 -f:MSSQLSERVER (file missing)

O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30005 (MSFTPSVC) - Unknown owner - %windir%\system32\inetsrv\inetinfo.exe (file missing)

O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)

O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)

O23 - Service: SQL Server Analysis Services (MSSQLSERVER) (MSSQLServerOLAPService) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: @%systemroot%\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelInstallRC.dll,-8195 (NetMsmqActivator) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -NetMsmqActivator (file missing)

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)

O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30001 (WAS) - Unknown owner - %windir%\system32\svchost.exe (file missing)

O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-20001 (WMSvc) - Unknown owner - %windir%\system32\inetsrv\wmsvc.exe (file missing)

Silent

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows Vista RC1

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"E:\Program Files\NetMeter\NetMeter.exe" = "E:\Program Files\NetMeter\NetMeter.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]

"(Default)" = "(empty string)" [file not found]

"LXCCCATS" = "rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "SSVHelper Class"

          \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"

          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{E7DE9B1A-7533-4556-9484-B26FB486475E}" = (no title provided)

 -> {HKLM...CLSID} = "Network Map"

          \InProcServer32\(Default) = "C:\Windows\system32\shdocvw.dll" [MS]

"{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486}" = "IGD Property Sheet Handler"

 -> {HKLM...CLSID} = "IGD Property Page"

          \InProcServer32\(Default) = "C:\Windows\System32\icsigd.dll" [MS]

"{8856f961-340a-11d0-a96b-00c04fd705a2}" = "Microsoft Web Browser"

 -> {HKLM...CLSID} = "Microsoft Web Browser"

          \InProcServer32\(Default) = "C:\Windows\system32\ieframe.dll" [MS]

"{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}" = "MSHTML Document"

 -> {HKLM...CLSID} = "MHTML Document"

          \InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]

"{25336920-03f9-11cf-8fd0-00aa00686f13}" = "HTML Document"

 -> {HKLM...CLSID} = "HTML Document"

          \InProcServer32\(Default) = "C:\Windows\system32\mshtml.dll" [MS]

"{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

 -> {HKLM...CLSID} = "Microsoft Office Outlook"

          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

"{74246bfc-4c96-11d0-abef-0020af6b0b7a}" = "Device Manager"

 -> {HKLM...CLSID} = "Device Manager"

          \InProcServer32\(Default) = "C:\Windows\System32\devmgr.dll" [MS]

"{44f3dab6-4392-4186-bb7b-6282ccb7a9f6}" = "MyDocuments menu and properties"

 -> {HKLM...CLSID} = "MyDocuments menu and properties"

          \InProcServer32\(Default) = "C:\Windows\system32\mydocs.dll" [MS]

"{D34A6CA6-62C2-4C34-8A7C-14709C1AD938}" = "Common Places Folder"

 -> {HKLM...CLSID} = "Common Places FS Folder"

          \InProcServer32\(Default) = "C:\Windows\System32\shdocvw.dll" [MS]

"{865e5e76-ad83-4dca-a109-50dc2113ce9a}" = "Programs Folder and Fast Items"

 -> {HKLM...CLSID} = "Programs Folder and Fast Items"

          \InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]

"{21ec2020-3aea-1069-a2dd-08002b30309d}" = "Control Panel"

 -> {HKLM...CLSID} = "Control Panel"

          \InProcServer32\(Default) = "shell32.dll" [MS]

"{25585dc7-4da0-438d-ad04-e42c8d2d64b9}" = "Client application shell extension"

 -> {HKLM...CLSID} = "Client application shell extension"

          \InProcServer32\(Default) = "C:\Windows\system32\shell32.dll" [MS]

"{4d5c8c2a-d075-11d0-b416-00c04fb90376}" = "Microsoft CommBand"

 -> {HKLM...CLSID} = "Microsoft CommBand"

          \InProcServer32\(Default) = "C:\Windows\system32\browseui.dll" [MS]

"{92337A8C-E11D-11D0-BE48-00C04FC30DF6}" = "OlePrn.PrinterURL"

 -> {HKLM...CLSID} = "prturl Class"

          \InProcServer32\(Default) = "C:\Windows\system32\oleprn.dll" [MS]

"{16C2C29D-0E5F-45f3-A445-03E03F587B7D}" = "group_wab_auto_file"

 -> {HKLM...CLSID} = ".group shell context menu"

          \InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]

"{CF67796C-F57F-45F8-92FB-AD698826C602}" = "contact_wab_auto_file"

 -> {HKLM...CLSID} = ".contact shell context menu"

          \InProcServer32\(Default) = "C:\Program Files\Common Files\System\wab32.dll" [MS]

"{90b9bce2-b6db-4fd3-8451-35917ea1081b}" = "Search Execute Command"

 -> {HKLM...CLSID} = "CLSID_SearchExecute"

          \InProcServer32\(Default) = "ExplorerFrame.dll" [MS]

"{1a184871-359e-4f67-aad9-5b9905d62232}" = "Microsoft Windows Font File Context Menu Handler"

 -> {HKLM...CLSID} = "Microsoft Windows Font Context Menu Handler"

          \InProcServer32\(Default) = "fontext.dll" [MS]

"{8a7cae0e-5951-49cb-bf20-ab3fa1e44b01}" = "Microsoft Windows Font Previewer"

 -> {HKLM...CLSID} = "Microsoft Windows Font Preview Handler"

          \InProcServer32\(Default) = "fontext.dll" [MS]

"{BC65FB43-1958-4349-971A-210290480130}" = "Network Explorer Property Sheet Handler"

 -> {HKLM...CLSID} = "Ncd Property Page"

          \InProcServer32\(Default) = "C:\Windows\System32\NcdProp.dll" [MS]

"{0a4286ea-e355-44fb-8086-af3df7645bd9}" = "Windows Media Player"

 -> {HKLM...CLSID} = "&Windows Media Player"

          \InProcServer32\(Default) = "C:\PROGRA~1\WI4EB4~1\wmpband.dll" [MS]

"{BB6B2374-3D79-41DB-87F4-896C91846510}" = "EMDFileProperties"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "emdmgmt.dll" [MS]

"{7A0F6AB7-ED84-46B6-B47E-02AA159A152B}" = "Sync Center Simple Conflict Presenter"

 -> {HKLM...CLSID} = "Simple Conflict Presenter"

          \InProcServer32\(Default) = "C:\Windows\System32\SyncCenter.dll" [MS]

"{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}" = (no title provided)

 -> {HKLM...CLSID} = "Windows Anytime Upgrade"

          \InProcServer32\(Default) = "C:\Windows\System32\shdocvw.dll" [MS]

"{00f20eb5-8fd6-4d9d-b75e-36801766c8f1}" = "PhotoAcqDropTarget"

 -> {HKLM...CLSID} = "PhotoAcqDropTarget"

          \InProcServer32\(Default) = "C:\Program Files\Windows Photo Gallery\PhotoAcq.dll" [MS]

"{91ADC906-6722-4B05-A12B-471ADDCCE132}" = "Touch Band"

 -> {HKLM...CLSID} = "Touch Pointer"

          \InProcServer32\(Default) = "C:\Windows\System32\TouchX.dll" [MS]

"{7D4734E6-047E-41e2-AEAA-E763B4739DC4}" = "Windows Media Player Play as Playlist Context Menu Handler"

 -> {HKLM...CLSID} = "WMP Play Folder As Playlist Launcher"

          \InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]

"{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A}" = "GameUX.RichGameMediaThumbnail"

 -> {HKLM...CLSID} = "RichGameMediaThumbnail Class"

          \InProcServer32\(Default) = "C:\Windows\System32\gameux.dll" [MS]

"{15D633E2-AD00-465b-9EC7-F56B7CDF8E27}" = "Tablet PC Input Panel"

 -> {HKLM...CLSID} = "Tablet PC Input Panel"

          \InProcServer32\(Default) = "C:\Program Files\Common Files\microsoft shared\ink\TipBand.dll" [MS]

"{6b9228da-9c15-419e-856c-19e768a13bdc}" = "Windows gadget DropTarget"

 -> {HKLM...CLSID} = "Windows gadget DropTarget"

          \InProcServer32\(Default) = "C:\Program Files\Windows Sidebar\sbdrop.dll" [MS]

"{8A734961-C4AA-4741-AC1E-791ACEBF5B39}" = "Windows Media Player Shop Music Context Menu Handler"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "C:\Windows\system32\wmpshell.dll" [MS]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

 -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

          \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

 -> {HKLM...CLSID} = "DesktopContext Class"

          \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

 -> {HKLM...CLSID} = "NVIDIA CPL Extension"

          \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"

 -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"

 -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"

          \InProcServer32\(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

 -> {HKLM...CLSID} = "UnlockerShellExtension"

          \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

 -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

          \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

 -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

          \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

 -> {HKLM...CLSID} = "Outlook File Icon Extension"

          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

 -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

 -> {HKLM...CLSID} = (no title provided)

          \InProcServer32\(Default) = "C:\Program Files\Microsoft Expression\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

 -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

          \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

 -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

          \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{E81FFB23-40E2-431C-A041-76AEA0E4B04C}" = "Nameext"

 -> {HKLM...CLSID} = "Enterprise Projects"

          \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\NAMEEXT.DLL" [MS]

"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

 -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

          \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]

"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

 -> {HKLM...CLSID} = "CInfoTipShellExt Class"

          \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\VISSHE.DLL" [MS]

"{B73A057F-DC1B-4067-9D8E-B69A07A7C368}" = "Microsoft Visual SourceSafe"

 -> {HKLM...CLSID} = "Microsoft Visual SourceSafe"

          \InProcServer32\(Default) = "C:\Program Files\Microsoft Visual SourceSafe\tdnamespaceextension.dll" [MS]

"{AB4F43CA-ADCD-4384-B9AF-3CECEA7D6544}" = "Web Sites"

 -> {HKLM...CLSID} = "Web Sites"

          \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\12\BIN\FPNSE.DLL" [MS]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

 -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

          \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

 -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

          \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

 -> {HKLM...CLSID} = "PDF Shell Extension"

          \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

 -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"

 -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"

          \InProcServer32\(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

 -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

          \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

WinMerge\(Default) = "{4E716236-AA30-4C65-B225-D68BBA81E9C2}"

 -> {HKLM...CLSID} = "WinMergeShell Class"

          \InProcServer32\(Default) = "C:\Program Files\WinMerge\ShellExtensionU.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinMerge\(Default) = "{4E716236-AA30-4C65-B225-D68BBA81E9C2}"

 -> {HKLM...CLSID} = "WinMergeShell Class"

          \InProcServer32\(Default) = "C:\Program Files\WinMerge\ShellExtensionU.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

 -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

 -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"

          \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

 -> {HKLM...CLSID} = "UnlockerShellExtension"

          \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

 -> {HKLM...CLSID} = "WinRAR"

          \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

 -> {HKLM...CLSID} = "UnlockerShellExtension"

          \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"ConsentPromptBehaviorAdmin" = (REG_DWORD) hex:0x00000002

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}


"ConsentPromptBehaviorUser" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Behavior Of The Elevation Prompt For Standard Users}


"EnableInstallerDetection" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Detect Application Installations And Prompt For Elevation}


"EnableLUA" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Run All Administrators In Admin Approval Mode}


"EnableSecureUIAPaths" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Only elevate UIAccess applications that are installed in secure locations}


"EnableVirtualization" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Virtualize file and registry write failures to per-user locations}


"PromptOnSecureDesktop" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Conrol: Switch to the secure desktop when prompting for elevation}


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


"FilterAdministratorToken" = (REG_DWORD) hex:0x00000000

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

User Account Control: Admin Approval Mode for the Built-in Administrator Account}


"TheTest" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Tree.jpg"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Users\Public\Pictures\Sample Pictures\Tree.jpg"

Startup items in "KahlanAmnell" & "All Users" startup folders:

--------------------------------------------------------------


C:\Users\KahlanAmnell\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

"Stardock ObjectDock" -> shortcut to: "C:\Program Files\Stardock\ObjectDock\ObjectDock.exe" ["Stardock"]

Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]

000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]

000000000007\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Windows\system32\imon.dll ["Eset "], 01 - 10, 25

%SystemRoot%\system32\mswsock.dll [MS], 11 - 24

Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"

 -> {HKLM...CLSID} = "Adobe PDF"

          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)

 -> {HKLM...CLSID} = "Adobe PDF"

          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)

 -> {HKLM...CLSID} = "Adobe PDF"

          \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Function Discovery Resource Publication, FDResPub, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\fdrespub.dll" [MS]}

Indexing Service, CISVC, "C:\Windows\system32\CISVC.EXE" [MS]

IP Helper, iphlpsvc, "C:\Windows\System32\svchost.exe -k NetSvcs" {(missing data)}

lxcc_device, lxcc_device, "C:\Windows\system32\lxcccoms.exe -service" [" "]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"" [MS]

Net.Pipe Listener Adapter, NetPipeActivator, ""C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"" [MS]

Net.Tcp Listener Adapter, NetTcpActivator, ""C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"" [MS]

Net.Tcp Port Sharing Service, NetTcpPortSharing, ""C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"" [MS]

Network Store Interface Service, nsi, "C:\Windows\system32\svchost.exe -k LocalService" {(missing data)}

NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

SQL Server (MSSQLSERVER), MSSQLSERVER, ""C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER" [MS]

SQL Server (SQLEXPRESS), MSSQL$SQLEXPRESS, ""c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS" [MS]

SQL Server Analysis Services (MSSQLSERVER), MSSQLServerOLAPService, ""C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe" -s "C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\Config"" [file not found]

SQL Server Browser, SQLBrowser, ""c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"" [MS]

SQL Server FullText Search (MSSQLSERVER), msftesql, ""C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe" -s:MSSQL.2 -f:MSSQLSERVER" [MS]

SQL Server Integration Services, MsDtsServer, ""C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"" [null data]

SQL Server Reporting Services (MSSQLSERVER), ReportServer, ""C:\Program Files\Microsoft SQL Server\MSSQL.4\Reporting Services\ReportServer\bin\ReportingServicesService.exe"" [null data]

SQL Server VSS Writer, SQLWriter, ""c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]

TCP/IP NetBIOS Helper, lmhosts, "C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}

UPnP Device Host, upnphost, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\System32\upnphost.dll" [MS]}

Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}

Windows Event Log, Eventlog, "C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted" {(missing data)}

Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}

WinHTTP Web Proxy Auto-Discovery Service, WinHttpAutoProxySvc, "C:\Windows\system32\svchost.exe -k LocalService" {"winhttp.dll" [MS]}

Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

3300 Series Port\Driver = "lxcclmpm.dll" [" "]

Adobe PDF Port\Driver = "AdobePDF.dll" ["Adobe Systems Incorporated."]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

 launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

 DLL launch points, use the -supp parameter or answer "No" at the

 first message box and "Yes" at the second message box.

---------- (total run time: 142 seconds, including 4 seconds for message boxes)

Maybe I missed something while removing... :frowning:
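For anyone reading HijackThis logs in this format for the first time, here is a small triage script, added as an example and not part of the original thread or of the HijackThis tool. It parses the "O4", "O10" and "O23" entry lines and applies a few defender-side heuristics of my own (an autorun pointing outside Program Files or Windows, a Winsock LSP outside system32, a service marked "(file missing)"), while recognising two artefacts visible in the log above that are not malware signs: a stray quote left in a service path, which shows the scanner cut a quoted ImagePath at the first quote, and an unexpanded %windir% variable. The sample log lines, the EXPECTED_ROOTS list and the Temp/Roaming entries are constructed for the example.

```python
"""Heuristic triage for HijackThis-style logs (example, not a HijackThis feature)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the HijackThis v1.99 line format, modelled on the
# kinds of entries that appear in the thread. The Temp/Roaming entries are
# invented so the sample contains something worth flagging.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Windows\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [E] E:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [updater] C:\Users\Example\AppData\Local\Temp\upd.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: lxcc_device - - C:\Windows\system32\lxcccoms.exe
O23 - Service: Adobe Version Cue CS3 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe" -win32service (file missing)
O23 - Service: @%windir%\system32\inetsrv\iisres.dll,-30003 (W3SVC) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Users\Example\AppData\Roaming\exupd.exe (file missing)
"""

# Roots an autorun (O4) entry normally points to. Anything else (secondary or
# removable drives, user profile, Temp) deserves a second look. This list is an
# assumption of the example, not a HijackThis rule.
EXPECTED_ROOTS = ("c:\\program files", "c:\\windows",
                  "%programfiles%", "%windir%", "%systemroot%")
SYSTEM32 = ("c:\\windows\\system32", "%systemroot%\\system32")

LINE_RE = re.compile(r"^([RFON]\d{1,2}) - (.*)$")
PATH_RE = re.compile(r'((?:[A-Za-z]:|%\w+%)\\[^"]*)')


@dataclass
class Entry:
    section: str  # "R0", "O4", "O10", "O23", ...
    body: str     # everything after "O4 - "


@dataclass
class Finding:
    severity: str  # "review" (look at it) or "info" (explainable artefact)
    entry: Entry
    reason: str


def parse_hjt(text):
    """Keep only the 'Oxx - ...' / 'Rx - ...' entry lines; skip headers and the process list."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def first_path(body):
    """First drive-letter or %VAR% path in an entry body, lower-cased."""
    m = PATH_RE.search(body)
    return m.group(1).lower() if m else ""


def triage(entries):
    findings = []
    for e in entries:
        if e.section == "O4":
            path = first_path(e.body)
            if path and not path.startswith(EXPECTED_ROOTS):
                findings.append(Finding("review", e, "autorun from a non-standard location"))
        elif e.section == "O10":
            if first_path(e.body).startswith(SYSTEM32):
                findings.append(Finding("info", e, "LSP in system32 that this HijackThis version does not recognise"))
            else:
                findings.append(Finding("review", e, "third-party Winsock LSP outside system32"))
        elif e.section == "O23":
            # Layout is "Service: Name - Owner - Path"; the path is the last " - " field.
            svc_path = e.body.rsplit(" - ", 1)[-1]
            if "(file missing)" in e.body:
                if '"' in svc_path:
                    # A stray quote means the scanner split a quoted ImagePath at the
                    # first quote, so "file missing" is unreliable for this line.
                    findings.append(Finding("info", e, "quoted ImagePath mis-parsed; 'file missing' unreliable"))
                elif svc_path.startswith("%"):
                    findings.append(Finding("info", e, "environment variable in ImagePath not expanded by scanner"))
                else:
                    findings.append(Finding("review", e, "service binary reported missing"))
            elif "Unknown owner" in e.body or " - - " in e.body:
                findings.append(Finding("info", e, "service binary carries no publisher information"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'review': 4, 'info': 4}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.entry.section:4} {f.reason}: {f.entry.body}")
```

On the sample, the script flags the E:\ autorun, the Temp autorun, the Bonjour LSP and the Roaming service for review, and files the nlaapi.dll LSP, the printer service without a publisher, the quote-damaged Version Cue path and the unexpanded %windir% path as "info". A "review" verdict is only a prompt to look at the file (publisher, signature, hash) rather than a statement that it is malicious; the same non-standard-location rule fires on the perfectly ordinary NetMeter entry from this thread.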


(Gutek) #2

Use online scanners


(Elenka1984) #3

It's fine now... no scanner found anything... :!: However, after uninstalling AQQ (I had a portable version from a colleague)... everything went back to normal... After I cleaned the registry and reinstalled it -> it no longer showed any problems. I'm starting to wonder whether those viruses that were on the pendrive weren't the cause of the problem... :wink: but that "unidentified" person is still writing... :frowning:

I'll add that nothing was found on the disk... :!:

P.S. Are my logs definitely clean??


(adam9870) #4

Try blocking, in the messenger, the number that this "unidentified" person is writing from. Alternatively, check that person's IP address and block it in the firewall. If that person has a static IP address, blocking that address in the firewall should give you peace for a long time.

Yes.