System się zawiesza, logi Hijack i silent runner

Smile19 · 17 Kwiecień 2007 18:38

Witam. Mój problem pojawił się jakieś 3 dni temu. System się zawiesza sam po pewnym czasie (różnie, raz po 20 minutach a raz po 2 h także niema reguły). Poza tym zawsze na kilka sekund się zatrzymuje po naciśnijęciu prawego przycisku myszy gdy chcę wejść w menu które się wtedy uruchamia. Nigdy wcześniej nie miałem takich problemów więc troche “śmieci” się mogło nazbierać…

log hijack:

Logfile of HijackThis v1.99.1 Scan saved at 20:37:29, on 07-04-17 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Agnitum\Outpost Firewall\outpost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Opera-moja\Opera.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\WINDOWS\System32\wupdates.exe C:\Program Files\Digitop\LightMail\LightMail.exe C:\WINDOWS\System32\svcchosst.exe C:\WINDOWS\System32\LVCOMSX.EXE C:\WINDOWS\System32\wgp.exe C:\WINDOWS\system32\srvc.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\System32\rasautou.exe D:\Downloads\programy\hijackthis_199\HijackThis.exe C:\Program Files\WinRAR\WinRAR.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoby.net/sb/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yoby.net/sp/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [Microsoft Corp Updates] wupdates.exe O4 - HKLM…\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice O4 - HKLM…\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup O4 - HKLM…\Run: [msbb] c:\progra~1\n-case\msbb.exe O4 - HKLM…\Run: [LightMail] C:\Program Files\Digitop\LightMail\LightMail.exe O4 - HKLM…\Run: [msvccc66] svcchosst.exe O4 - HKLM…\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM…\Run: [WinGuard Pro] C:\WINDOWS\System32\wgp.exe O4 - HKLM…\Run: [johnj315] C:\WINDOWS\system32\srvc.exe O4 - HKLM…\Run: [PrintDrive] rundll32.exe “C:\WINDOWS\System32\qypwvnhe.dll”,setvm O4 - HKLM…\RunServices: [Microsoft Corp Updates] wupdates.exe O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - HKCU…\Run: [johnj315] C:\WINDOWS\system32\srvc.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O18 - Filter: text/html - {2AB289AE-4B90-4281-B2AE-1F4BB034B647} - (no file) O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

log silent runner:

“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ “{D85F49BC-07E2-1045-0704-020322010030}” = ““C:\Program Files\Common Files{D85F49BC-07E2-1045-0704-020322010030}\Update.exe” te-110-12-0000208” [file not found] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit” [MS] “johnj315” = “C:\WINDOWS\system32\srvc.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “SoundMan” = “SOUNDMAN.EXE” [“Avance Logic, Inc.”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “Microsoft Corp Updates” = “wupdates.exe” [null data] “Outpost Firewall” = “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice” [“Agnitum Ltd.”] “OutpostFeedBack” = “C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup” [“Agnitum Ltd.”] “msbb” = “c:\progra~1\n-case\msbb.exe” [file not found] “LightMail” = “C:\Program Files\Digitop\LightMail\LightMail.exe” [“Digitop”] “msvccc66” = “svcchosst.exe” [null data] “LVCOMSX” = “C:\WINDOWS\System32\LVCOMSX.EXE” [“Labtec Inc.”] “WinGuard Pro” = “C:\WINDOWS\System32\wgp.exe” [“WGP”] “johnj315” = “C:\WINDOWS\system32\srvc.exe” [null data] “PrintDrive” = “rundll32.exe “C:\WINDOWS\System32\qypwvnhe.dll”,setvm” [MS] HKLM\Software\Microsoft\Active Setup\Installed Components\ {33D70CC7-A466-B486-0606-000208040405}(Default) = (no title provided) \StubPath = “C:\WINDOWS\System32\windword.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = (no title provided) -> {HKLM…CLSID} = “IeCatch5 Class” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\jccatch.dll” [“FlashGet”] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {6148028B-D532-4417-8C0B-5A4A0B745393}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\byxyayv.dll” [null data] {67C55A8D-E808-4caa-9EA7-F77102DE0BB6}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\uvodaclm.dll” [null data] {6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided) -> {HKLM…CLSID} = “BitComet Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] {A5E30CCE-2826-44CA-9762-0F9B82A737C9}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\awtst.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów” -> {HKLM…CLSID} = “Eksplorator pulpitów” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B8323370-FF27-11D2-97B6-204C4F4F5020}” = “SmartFTP Shell Extension DLL” -> {HKLM…CLSID} = “SmartFTP Shell Extension DLL” \InProcServer32(Default) = “C:\Program Files\SmartFTP\smarthook.dll” [“SmartFTP”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{0DB27A62-5684-44F0-A8D3-8D6AEEB7ABD9}” = “UsbscanExtExt Extension” -> {HKLM…CLSID} = “UsbscanExt Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvritf.dll” [null data] “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” = “wodShellMenu” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING! “{6148028B-D532-4417-8C0B-5A4A0B745393}” = “*^” (unwritable string) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\byxyayv.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! awtst\DLLName = “C:\WINDOWS\System32\awtst.dll” [null data] INFECTION WARNING! byxyayv\DLLName = “byxyayv.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {HKLM…CLSID} = “Outpost.ASWShellExt Component” \InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] wodShellMenu(Default) = “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {HKLM…CLSID} = “Outpost.ASWShellExt Component” \InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] wodShellMenu(Default) = “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {HKLM…CLSID} = “Outpost.ASWShellExt Component” \InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] wodShellMenu(Default) = “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\adminh\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “none” [file not found] Startup items in “adminh” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [empty string] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” = “BitComet Toolbar” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”] {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}\ “ButtonText” = “PalTalk” “Exec” = “C:\Program Files\Paltalk Messenger\Paltalk.exe” [“AVM Software Inc.”] {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “C:\PROGRA~1\FlashGet\flashget.exe” [“FlashGet.com”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ BlueSoleil Hid Service, BlueSoleil Hid Service, “C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe” [null data] NVIDIA Driver Helper Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Outpost Firewall Service, OutpostFirewall, “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service” [“Agnitum Ltd.”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 2561 seconds, including 8 seconds for message boxes)

adam9870 · 17 Kwiecień 2007 19:11

Pobierz Gmer’a.

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

w zakładce Procesy kliknij Gmer awaryjny. Komputer się zrestartuje i zostanie samo okienko Gmer’a
w zakładce Procesy kliknij Pliki i usuń:

zrestartuj komputer przyciskiem na obudowie
po resecie otwórz Gmer’a i w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:

Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run] “{D85F49BC-07E2-1045-0704-020322010030}”=- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “johnj315”=- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “Microsoft Corp Updates”=- “msbb”=- “msvccc66”=- “johnj315”=- “PrintDrive”=- [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{6148028B-D532-4417-8C0B-5A4A0B745393}] [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{67C55A8D-E808-4caa-9EA7-F77102DE0BB6}] [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{A5E30CCE-2826-44CA-9762-0F9B82A737C9}] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{6148028B-D532-4417-8C0B-5A4A0B745393}”=- [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtst] [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxyayv]

kliknij Uruchom i reset.

Usuń wpisy HJT.

Przeskanuj plik C:\WINDOWS\System32\windword.exe na stronie http://virusscan.jotti.org/ lub http://www.virustotal.com/ a jeśli okaże się szkodliwy:

plik usuń ręcznie w trybie awaryjnym
start >>> uruchom >>> regedit >>> i skasuj klucz:

Użyj VundoFix + FixVundo + VirtumundoBeGone. Wszystkie narzędzia należy uruchomić będąc w trybie awaryjnym.

Po wykonaniu pokaż nowy log z hjt, SilentRunners + log numer 1 z L2Mfix.

Smile19 · 17 Kwiecień 2007 22:06

Strasznie wielkie dzięki, system znowu działa przyzwoicie a ja nie tracę nerwów Dzięki bardzo. A oto logi o które proszono:

Hijack:

Logfile of HijackThis v1.99.1 Scan saved at 22:45:11, on 07-04-17 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe C:\WINDOWS\System32\nvsvc32.exe C:\Program Files\Agnitum\Outpost Firewall\outpost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Opera-moja\Opera.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\Digitop\LightMail\LightMail.exe C:\WINDOWS\System32\LVCOMSX.EXE C:\WINDOWS\System32\wgp.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe D:\Downloads\programy\hijackthis_199\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoby.net/sb/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yoby.net/sp/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} - (no file) O2 - BHO: BitComet Toolbar Helper - {6A373B7E-496E-424f-A9BE-486A5E9AB018} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: (no name) - {D53DB1D0-5D54-4342-BA07-ACD749D1CF5E} - C:\WINDOWS\System32\awtst.dll (file missing) O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O3 - Toolbar: BitComet Toolbar - {2E608F70-C430-4bc5-96F6-608E02EBA5B2} - C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [nwiz] nwiz.exe /install O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe” O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice O4 - HKLM…\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup O4 - HKLM…\Run: [LightMail] C:\Program Files\Digitop\LightMail\LightMail.exe O4 - HKLM…\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE O4 - HKLM…\Run: [WinGuard Pro] C:\WINDOWS\System32\wgp.exe O4 - HKLM…\RunServices: [Microsoft Corp Updates] wupdates.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

L2MFIX

L2MFIX find log 051206 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 “Logoff”=“ChainWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Logoff”=“CryptnetWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] “DLLName”=“cscdll.dll” “Logon”=“WinlogonLogonEvent” “Logoff”=“WinlogonLogoffEvent” “ScreenSaver”=“WinlogonScreenSaverEvent” “Startup”=“WinlogonStartupEvent” “Shutdown”=“WinlogonShutdownEvent” “StartShell”=“WinlogonStartShellEvent” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] “DLLName”=“wlnotify.dll” “Logon”=“SCardStartCertProp” “Logoff”=“SCardStopCertProp” “Lock”=“SCardSuspendCertProp” “Unlock”=“SCardResumeCertProp” “Enabled”=dword:00000001 “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] “Asynchronous”=dword:00000000 “DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Impersonate”=dword:00000000 “StartShell”=“SchedStartShell” “Logoff”=“SchedEventLogOff” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] “Logoff”=“WLEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 “DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] “DLLName”=“WlNotify.dll” “Lock”=“SensLockEvent” “Logon”=“SensLogonEvent” “Logoff”=“SensLogoffEvent” “Safe”=dword:00000001 “MaxWait”=dword:00000258 “StartScreenSaver”=“SensStartScreenSaverEvent” “StopScreenSaver”=“SensStopScreenSaverEvent” “Startup”=“SensStartupEvent” “Shutdown”=“SensShutdownEvent” “StartShell”=“SensStartShellEvent” “PostShell”=“SensPostShellEvent” “Disconnect”=“SensDisconnectEvent” “Reconnect”=“SensReconnectEvent” “Unlock”=“SensUnlockEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] “Asynchronous”=dword:00000000 “DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Impersonate”=dword:00000000 “Logoff”=“TSEventLogoff” “Logon”=“TSEventLogon” “PostShell”=“TSEventPostShell” “Shutdown”=“TSEventShutdown” “StartShell”=“TSEventStartShell” “Startup”=“TSEventStartup” “MaxWait”=dword:00000258 “Reconnect”=“TSEventReconnect” “Disconnect”=“TSEventDisconnect” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] “DLLName”=“wlnotify.dll” “Logon”=“RegisterTicketExpiredNotificationEvent” “Logoff”=“UnregisterTicketExpiredNotificationEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{00022613-0000-0000-C000-000000000046}”=“Karta waciwoci pliku multimedialnego” “{176d6597-26d3-11d1-b350-080036a75b03}”=“ZarzĄdzanie skanerem ICM” “{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=“Strona zabezpieczeä NTFS” “{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=“Strona waciwoci OLE Docfile” “{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{41E300E0-78B6-11ce-849B-444553540000}”=“PlusPack CPL Extension” “{42071712-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL karty graficznej” “{42071713-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL monitora wywietlania” “{42071714-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL kadrowania wywietlania” “{4E40F770-369C-11d0-8922-00A024AB2DBB}”=“Strona zabezpieczeä usugi DS” “{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}”=“Strona zgodnoci” “{56117100-C0CD-101B-81E2-00AA004AE837}”=“Program obsugi danych wycinkowych powoki” “{59099400-57FF-11CE-BD94-0020AF85B590}”=“Rozszerzenie Disc Copy” “{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=“Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network” “{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=“ZarzĄdzanie monitorem ICM” “{675F097E-4C4D-11D0-B6C1-0800091AA605}”=“ZarzĄdzanie drukarkĄ ICM” “{764BF0E1-F219-11ce-972D-00AA00A14F56}”=“Rozszerzenia powoki dla kompresji plik˘w” “{77597368-7b15-11d0-a0c2-080036af3f03}”=“Rozszerzenie powoki drukarek sieci Web” “{7988B573-EC89-11cf-9C00-00AA00A14F56}”=“Disk Quota UI” “{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=“Menu kontekstowe szyfrowania” “{85BBD920-42A0-1069-A2E4-08002B30309D}”=“Akt˘wka” “{88895560-9AA2-1069-930E-00AA0030EBC8}”=“Rozszerzenie ikony HyperTerminalu” “{BD84B380-8CA2-1069-AB1D-08000948F534}”=“Fonts” “{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=“Profil ICC” “{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=“Strona zabezpieczeä drukarek” “{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=“Display TroubleShoot CPL Extension” “{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto PKO” “{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto Sign” “{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=“PoĄczenia sieciowe” “{992CFFA0-F557-101A-88EC-00DD010CCC48}”=“PoĄczenia sieciowe” “{E211B736-43FD-11D1-9EFB-0000F8757FCD}”="&Skanery i aparaty fotograficzne" “{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}”="&Skanery i aparaty fotograficzne" “{905667aa-acd6-11d2-8080-00805f6596d2}”="&Skanery i aparaty fotograficzne" “{3F953603-1008-4f6e-A73A-04AAC7A992F1}”="&Skanery i aparaty fotograficzne" “{83bbcbf3-b28a-4919-a5aa-73027445d672}”="&Skanery i aparaty fotograficzne" “{F0152790-D56E-4445-850E-4F3117DB740C}”=“Remote Sessions CPL Extension” “{5F327514-6C5E-4d60-8F16-D07FA08A78ED}”=“Auto Update Property Sheet Extension” “{60254CA5-953B-11CF-8C96-00AA00B8708C}”=“Rozszerzenia powoki dla hosta skrypt˘w systemu Windows” “{2206CDB2-19C1-11D1-89E0-00C04FD7A829}”=“Microsoft Data Link” “{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Icon Handler” “{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Shell Extension” “{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=“Zaplanowane zadania” “{0DF44EAA-FF21-4412-828E-260A8728E7F1}”=“Pasek zadaä i menu Start” “{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}”=“Wyszukaj” “{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}”=“Pomoc i obsuga techniczna” “{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}”=“Pomoc i obsuga techniczna” “{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}”=“Uruchom…” “{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}”=“Internet” “{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}”=“E-mail” “{D20EA4E1-3957-11d2-A40B-0C5020524152}”=“Czcionki” “{D20EA4E1-3957-11d2-A40B-0C5020524153}”=“Narz©dzia administracyjne” “{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}”=“Audio Media Properties Handler” “{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}”=“Video Media Properties Handler” “{E4B29F9D-D390-480b-92FD-7DDB47101D71}”=“Wav Properties Handler” “{87D62D94-71B3-4b9a-9489-5FE6850DC73E}”=“Avi Properties Handler” “{A6FD9E45-6E44-43f9-8644-08598F5A74D9}”=“Midi Properties Handler” “{c5a40261-cd64-4ccf-84cb-c394da41d590}”=“Video Thumbnail Extractor” “{5E6AB780-7743-11CF-A12B-00AA004AE837}”=“Pasek narz©dzi programu Microsoft Internet” “{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=“Stan pobierania” “{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=“Folder powoki zwi©kszonej” “{6413BA2C-B461-11d1-A18A-080036B11A03}”=“Folder powoki zwi©kszonej 2” “{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=“BandProxy” “{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=“Pasek przeglĄdarki Microsoft” “{30D02401-6A81-11d0-8274-00C04FD5AE38}”=“Pasek wyszukiwania” “{32683183-48a0-441b-a342-7c2a440a9478}”=“Pasek multimedi˘w” “{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=“Wyszukiwanie w okienku” “{07798131-AF23-11d1-9111-00A0C98BA67D}”=“Wyszukiwanie w sieci Web” “{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=“Narz©dzie opcji drzewa rejestru” “{01E04581-4EEE-11d0-BFE9-00AA005B4383}”="&Adres" “{A08C11D2-A228-11d0-825B-00AA005B4383}”=“Pole edycji adresu” “{00BB2763-6A77-11D0-A535-00C04FD7D062}”=“Autouzupenianie Microsoft” “{7376D660-C583-11d0-A3A5-00C04FD706EC}”=“Wyodr©bnianie obraz˘w Trident” “{6756A641-DE71-11d0-831B-00AA005B4383}”=“Lista autouzupeniania MRU” “{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}”=“Niestandardowa lista autouzupeniania MRU” “{7e653215-fa25-46bd-a339-34a2790f3cb7}”=“Dost©pny” “{acf35015-526e-4230-9596-becbe19f0ac9}”=“Pasek podr©czny ledzenia” “{E0E11A09-5CB8-4B6C-8332-E00720A168F2}”=“Analizator paska adresu” “{00BB2764-6A77-11D0-A535-00C04FD7D062}”=“Lista autouzupeniania historii Microsoft” “{03C036F1-A186-11D0-824A-00AA005B4383}”=“Lista autouzupeniania folderu powoki Microsoft” “{00BB2765-6A77-11D0-A535-00C04FD7D062}”=“Kontener wielu list autouzupeniania Microsoft” “{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=“Menu witryny paska powoki” “{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=“Shell DeskBarApp” “{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=“Pasek pulpitu powoki” “{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=“Shell Rebar BandSite” “{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=“Pomoc dla uľytkownika” “{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=“Globalne ustawienia folder˘w” “{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=“Favorites Band” “{0A89A860-D7B1-11CE-8350-444553540000}”=“Shell Automation Inproc Service” “{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=“Shell DocObject Viewer” “{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}”=“Microsoft Browser Architecture” “{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=“InternetShortcut” “{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=“Microsoft Url History Service” “{FF393560-C2A7-11CF-BFF4-444553540000}”=“Historia” “{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{7BD29E01-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=“Microsoft Url Search Hook” “{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=“Ekran powitalny pakietu IE4” “{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=“CDF Extension Copy Hook” “{131A6951-7F78-11D0-A979-00C04FD705A2}”=“ISFBand OC” “{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=“Search Assistant OC” “{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=“Internet” “{871C5380-42A0-1069-A2EA-08002B30309D}”=“Internet Name Space” “{EFA24E64-B078-11d0-89E4-00C04FC9E26E}”=“Pasek eksploratora” “{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{88C6C381-2E85-11D0-94DE-444553540000}”=“Folder pami©ci podr©cznej ActiveX” “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=“WebCheck” “{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=“Subscription Mgr” “{F5175861-2688-11d0-9C5E-00AA00A45957}”=“Folder subskrypcji” “{08165EA0-E946-11CF-9C87-00AA005127ED}”=“WebCheckWebCrawler” “{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=“WebCheckChannelAgent” “{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=“TrayAgent” “{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=“Code Download Agent” “{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=“ConnectionAgent” “{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=“PostAgent” “{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=“WebCheck SyncMgr Handler” “{352EC2B7-8B9A-11D1-B8AE-006008059382}”=“Menedľer aplikacji powoki” “{0B124F8F-91F0-11D1-B8B5-006008059382}”=“Wyliczanie zainstalowanych aplikacji” “{CFCCC7A0-A282-11D1-9082-006008059382}”=“Publikator aplikacji Darwin” “{e84fda7c-1d6a-45f6-b725-cb260c236066}”=“Shell Image Verbs” “{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}”=“Shell Image Data Factory” “{3F30C968-480A-4C6C-862D-EFC0897BB84B}”=“GDI+program wyodr©bniajĄcy miniatury plik˘w” “{9DBD2C50-62AD-11d0-B806-00C04FD706EC}”=“Informacje podsumowujĄce obsugi miniatur (DOCFILES)” “{EAB841A0-9550-11cf-8C16-00805F1408F3}”=“Wyodr©bnianie miniatur HTML” “{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}”=“Shell Image Property Handler” “{CC6EEFFB-43F6-46c5-9619-51D571967F7D}”=“Kreator publikacji w sieci Web” “{add36aa8-751a-4579-a266-d66f5202ccbb}”=“Zamawianie odbitek w sieci Web” “{6b33163c-76a5-4b6c-bf21-45de9cd503a1}”=“Obiekt powoki kreatora publikacji” “{58f1f272-9240-4f51-b6d4-fd63d1618591}”=“Kreator uzyskiwania profilu usugi Passport” “{7A9D77BD-5403-11d2-8785-2E0420524153}”=“Konta uľytkownik˘w” “{BD472F60-27FA-11cf-B8B4-444553540000}”=“Compressed (zipped) Folder Right Drag Handler” “{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}”=“Compressed (zipped) Folder SendTo Target” “{63da6ec0-2e98-11cf-8d82-444553540000}”=“FTP Folders Webview” “{883373C3-BF89-11D1-BE35-080036B11A03}”=“Microsoft DocProp Shell Ext” “{A9CF0EAE-901A-4739-A481-E35B73E47F6D}”=“Microsoft DocProp Inplace Edit Box Control” “{8EE97210-FD1F-4B19-91DA-67914005F020}”=“Microsoft DocProp Inplace ML Edit Box Control” “{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}”=“Microsoft DocProp Inplace Droplist Combo Control” “{6A205B57-2567-4A2C-B881-F787FAB579A3}”=“Microsoft DocProp Inplace Calendar Control” “{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}”=“Microsoft DocProp Inplace Time Control” “{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=“Directory Query UI” “{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=“Shell properties for a DS object” “{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=“Directory Object Find” “{F020E586-5264-11d1-A532-0000F8757D7E}”=“Directory Start/Search Find” “{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=“Directory Property UI” “{62AE1F9A-126A-11D0-A14B-0800361B1103}”=“Directory Context Menu Verbs” “{ECF03A33-103D-11d2-854D-006008059367}”=“MyDocs Copy Hook” “{ECF03A32-103D-11d2-854D-006008059367}”=“MyDocs Drop Target” “{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=“MyDocs Properties” “{750fdf0e-2a26-11d1-a3ea-080036587f03}”=“Offline Files Menu” “{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=“Offline Files Folder Options” “{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=“Folder plik˘w trybu offline” “{143A62C8-C33B-11D1-84FE-00C04FA34A14}”=“Microsoft Agent Character Property Sheet Handler” “{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}”=“DfsShell” “{60fd46de-f830-4894-a628-6fa81bc0190d}”="%DESC_PublishDropTarget%" “{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=“MMC Icon Handler” “{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=".CAB file viewer" “{32714800-2E5F-11d0-8B85-00AA0044F941}”="&Do os˘b…" “{8DD448E6-C188-4aed-AF92-44956194EB1F}”=“Windows Media Player Play as Playlist Context Menu Handler” “{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}”=“Windows Media Player Burn Audio CD Context Menu Handler” “{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}”=“Windows Media Player Add to Playlist Context Menu Handler” “{1CDB2949-8F65-4355-8456-263E7C208A5D}”=“Eksplorator pulpit˘w” “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}”=“Desktop Explorer Menu” “{0006F045-0000-0000-C000-000000000046}”=“Microsoft Outlook Custom Icon Handler” “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”=“WinRAR shell extension” “{1D2680C9-0E2A-469d-B787-065558BC7D43}”=“Fusion Cache” “{B8323370-FF27-11D2-97B6-204C4F4F5020}”=“SmartFTP Shell Extension DLL” “{A70C977A-BF00-412C-90B7-034C51DA2439}”=“NvCpl DesktopContext Class” “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}”=“nView Desktop Context Menu” “{640167b4-59b0-47a6-b335-a6b3c0695aea}”=“Portable Media Devices” “{cc86590a-b60a-48e6-996b-41d25ed39a1e}”=“Portable Media Devices Menu” “{14BADD07-F9B0-4133-881F-A7EA7CDD71C2}”=“NetstrapExtExt Extension” “{0DB27A62-5684-44F0-A8D3-8D6AEEB7ABD9}”=“UsbscanExtExt Extension” “{73B24247-042E-4EF5-ADC2-42F62E6FD654}”=“ICQ Lite Shell Extension” “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}”=“wodShellMenu” “{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=“Plik kanau” “{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=“Skr˘t kanau” “{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=“Obiekt obsugi kanau” “{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=“Channel Menu” “{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=“Channel Properties” ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ bassmod.dll Sun 2007-04-15 11:50:44 A… 34 308 33,50 K hbbmymwh.dll Sun 2007-04-15 12:33:14 A… 76 412 74,62 K msffff~1.dll Fri 2007-04-06 21:36:52 A… 8 0,01 K sintf16.dll Wed 2007-02-21 16:15:44 A… 12 067 11,78 K sintf32.dll Wed 2007-02-21 16:15:44 A… 17 212 16,81 K sintfnt.dll Wed 2007-02-21 16:15:44 A… 21 840 21,33 K slfxdat.dll Sat 2007-04-07 9:02:30 A… 600 0,59 K yuxcqoju.dll Mon 2007-04-16 16:10:16 A… 76 412 74,62 K 8 items found: 8 files, 0 directories. Total of file sizes: 238 859 bytes 233,26 K Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Wolumin w stacji C nie ma etykiety. Numer seryjny woluminu: D85F-49BC Katalog: C:\WINDOWS\System32 07-04-17 21:42 2˙214 ehnvwpyq.ini 07-04-17 19:14 07-04-13 12:54 2˙560 helpersrvc.exe 07-04-08 13:46 2˙560 helperssc.exe 07-04-08 13:46 70˙581 ssc.exe 06-12-23 18:09 06-10-31 11:22 848 KGyGaAvL.sys 06-09-21 19:37 56 916094F337.sys 06-04-27 11:24 2˙945˙024 Smab.dll 05-10-07 20:14 308˙224 avisynth.dll 05-07-14 13:31 27˙648 AVSredirect.dll 05-06-26 16:32 616˙448 cygwin1.dll 05-06-21 23:37 45˙568 cygz.dll 05-02-28 14:16 240˙128 x.264.exe 01-10-26 18:29 359˙994 wupdates.exe 01-10-26 18:29 77˙757 svcchost.exe 01-10-26 18:29 76˙456 mysvcc.exe 15 plik(˘w) 4˙776˙066 bajt˘w 2 katalog(˘w) 1˙018˙427˙392 bajt˘w wolnych

Silent runner:

“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “SoundMan” = “SOUNDMAN.EXE” [“Avance Logic, Inc.”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “Outpost Firewall” = “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice” [“Agnitum Ltd.”] “OutpostFeedBack” = “C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup” [“Agnitum Ltd.”] “LightMail” = “C:\Program Files\Digitop\LightMail\LightMail.exe” [“Digitop”] “LVCOMSX” = “C:\WINDOWS\System32\LVCOMSX.EXE” [“Labtec Inc.”] “WinGuard Pro” = “C:\WINDOWS\System32\wgp.exe” [“WGP”] HKLM\Software\Microsoft\Active Setup\Installed Components\ {33D70CC7-A466-B486-0606-000208040405}(Default) = (no title provided) \StubPath = “C:\WINDOWS\System32\windword.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx” [empty string] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = (no title provided) -> {HKLM…CLSID} = “IeCatch5 Class” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\jccatch.dll” [“FlashGet”] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] {6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided) -> {HKLM…CLSID} = “BitComet Toolbar Helper” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] {D53DB1D0-5D54-4342-BA07-ACD749D1CF5E}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\awtst.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów” -> {HKLM…CLSID} = “Eksplorator pulpitów” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{B8323370-FF27-11D2-97B6-204C4F4F5020}” = “SmartFTP Shell Extension DLL” -> {HKLM…CLSID} = “SmartFTP Shell Extension DLL” \InProcServer32(Default) = “C:\Program Files\SmartFTP\smarthook.dll” [“SmartFTP”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{0DB27A62-5684-44F0-A8D3-8D6AEEB7ABD9}” = “UsbscanExtExt Extension” -> {HKLM…CLSID} = “UsbscanExt Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvritf.dll” [null data] “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” = “wodShellMenu” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {HKLM…CLSID} = “Outpost.ASWShellExt Component” \InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] wodShellMenu(Default) = “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {HKLM…CLSID} = “Outpost.ASWShellExt Component” \InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] wodShellMenu(Default) = “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}” -> {HKLM…CLSID} = “Outpost.ASWShellExt Component” \InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] wodShellMenu(Default) = “{E54B19BC-69B6-43B2-A1F2-15BBC1D72C93}” -> {HKLM…CLSID} = “wodShellMenu” \InProcServer32(Default) = “C:\WINDOWS\System32\wodshellmenu.dll” [“WeOnlyDo! COM”] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\adminh\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “none” [file not found] Startup items in “adminh” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [empty string] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] “{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” = “BitComet Toolbar” -> {HKLM…CLSID} = “BitComet Toolbar” \InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data] “{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided) -> {HKLM…CLSID} = “MEGAUPLOADTOOLBAR” \InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_11” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll” [“Sun Microsystems, Inc.”] {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE}\ “ButtonText” = “PalTalk” “Exec” = “C:\Program Files\Paltalk Messenger\Paltalk.exe” [“AVM Software Inc.”] {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “C:\PROGRA~1\FlashGet\flashget.exe” [“FlashGet.com”] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ BlueSoleil Hid Service, BlueSoleil Hid Service, “C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe” [null data] NVIDIA Driver Helper Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Outpost Firewall Service, OutpostFirewall, “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service” [“Agnitum Ltd.”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 1399 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 1789 seconds. ---------- (total run time: 4931 seconds)

adam9870 · 17 Kwiecień 2007 22:19

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

w zakładce Procesy kliknij Gmer awaryjny. Komputer się zrestartuje i zostanie samo okienko Gmer’a
w zakładce Procesy kliknij Pliki i usuń:

w zakładce Procesy przez … (trzy kropki) wskaż hijacka i usuń wpisy:

zrestartuj komputer przyciskiem na obudowie
po resecie otwórz Gmer’a i w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:

kliknij Uruchom i reset.

Proponuję usunąć Megaupload Toolbar ponieważ jest to Toolbar wątpliwej reputacji. Bowiem zbiera dane o użytkowniki i gdzieś je wysyła, nie wiadomo gdzie.

Po wykonaniu wklej nowy log z hijacka, silenta, l2mfix’a plus właściwości/producenta/skan na stronie http://virusscan.jotti.org/ pliku C:\WINDOWS\System32\916094F337.sys plus dwa logi z Gmer’a wykonane przy takich ustawieniach:

Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta

Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, to umieść je w jakimś serwisie hostingowym jako pliki *.txt, a tu tylko zlinkuj.