Trojan Spylocked - info wyskakujące w tasktray'u

Albatros78 · 18 Kwiecień 2007 16:48

Usunąłem wszystkie podpadające wpisy z HiJacka i pliki się do nich owołujące, przestały się otwierać strony w IE, ale info w tasktray’u pozostało, pomóżcie to zwalczyć, proszę…

HiJack:

Logfile of HijackThis v1.99.1

Scan saved at 23:48:52, on 31-12-2003

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Softick\PPP\Bin\PPPGate.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\albi\USTAWI~1\Temp\Rar$EX00.923\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O15 - Trusted Zone: http://*.mks.com.pl

O15 - Trusted Zone: http://www.mks.com.pl

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

i z Silent Runnera

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z o.o."]

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"user32.dll" = "C:\Program Files\Video ActiveX Object\isamntr.exe" [file not found]

"rare" = "C:\Program Files\Video ActiveX Object\pmsnrr.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"KernelFaultCheck" = "%systemroot%\system32\dumprep 0 -k" [MS]

"SoftickPPP" = ""C:\Program Files\Softick\PPP\Bin\PPPGate.exe"" ["Softick"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" [file not found]

"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"

  -> {HKLM...CLSID} = "Siemens Device"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" [file not found]

"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"

  -> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" [file not found]

"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"

  -> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" [file not found]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{fc181130-05a0-11d6-8140-000102e745a6}" = "Mój P910i"

  -> {HKLM...CLSID} = "Mój P910i"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

<> "{abef791f-947e-4cdf-83c3-e72a240afb67}" = "frisbee"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ygjun.dll" [null data]


HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"| [file not found]| [file not found]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {policy setting}:

--------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "None"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\TOPGEA~1.SCR" (Top Gear.scr) ["ScreenTime Media"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 29

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{84938242-5C5B-4A55-B6B9-A1507543B418}"

  -> {HKLM...CLSID} = "Protection Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Video ActiveX Object\iesplugin.dll" [file not found]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{10ADD1E8-EC8A-4719-B39D-B46DD1D6A65D}\(Default) = "PrintView"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL" [file not found]


HKLM\Software\Classes\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\(Default) = "Protection Bar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Video ActiveX Object\iesplugin.dll" [file not found]


HKLM\Software\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\(Default) = "SideFind"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\SideFind\sidefind.dll" [file not found]


HKLM\Software\Classes\CLSID\{90FE6C53-F8B4-4631-B42A-02D63D1C949C}\(Default) = "PrintView"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

5200 Series Port\Driver = "lxbtlmpm.DLL" ["Lexmark International, Inc."]

HPLJ1018LM\Driver = "ZLhp1018.DLL" ["Zenographics, Inc."]

hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 79 seconds.

---------- (total run time: 127 seconds)

Joan · 18 Kwiecień 2007 20:32

Użyj SmitFraudFix z opcji 2 w trybie awaryjnym

usun wpis

Otwórz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG

Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa

Daj nowe logi z HJT i Silent Runners a także raport ze SmitFraudFix – plik c:\rapport.txt.

Albatros78 · 18 Kwiecień 2007 20:54

Po resecie “badziew” w tasktray’u jest i ma się dobrze

HJT:

Logfile of HijackThis v1.99.1

Scan saved at 22:46:16, on 18-04-2007

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Softick\PPP\Bin\PPPGate.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\WScript.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\albi\USTAWI~1\Temp\Rar$EX05.036\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O15 - Trusted Zone: http://*.mks.com.pl

O15 - Trusted Zone: http://www.mks.com.pl

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

SilentRunner

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z o.o."]

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"user32.dll" = "C:\Program Files\Video ActiveX Object\isamntr.exe" [file not found]

"rare" = "C:\Program Files\Video ActiveX Object\pmsnrr.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"SoftickPPP" = ""C:\Program Files\Softick\PPP\Bin\PPPGate.exe"" ["Softick"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" [file not found]

"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"

  -> {HKLM...CLSID} = "Siemens Device"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" [file not found]

"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"

  -> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" [file not found]

"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"

  -> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"

                   \InProcServer32\(Default) = "C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" [file not found]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{fc181130-05a0-11d6-8140-000102e745a6}" = "Mój P910i"

  -> {HKLM...CLSID} = "Mój P910i"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\auexpext.dll" ["Teleca Software Solutions AB"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

<> "{abef791f-947e-4cdf-83c3-e72a240afb67}" = "frisbee"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ygjun.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {policy setting}:

--------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "None"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\TOPGEA~1.SCR" (Top Gear.scr) ["ScreenTime Media"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 29

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{84938242-5C5B-4A55-B6B9-A1507543B418}"

  -> {HKLM...CLSID} = "Protection Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Video ActiveX Object\iesplugin.dll" [file not found]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{10ADD1E8-EC8A-4719-B39D-B46DD1D6A65D}\(Default) = "PrintView"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL" [file not found]


HKLM\Software\Classes\CLSID\{84938242-5C5B-4A55-B6B9-A1507543B418}\(Default) = "Protection Bar"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Video ActiveX Object\iesplugin.dll" [file not found]


HKLM\Software\Classes\CLSID\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}\(Default) = "SideFind"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\SideFind\sidefind.dll" [file not found]


HKLM\Software\Classes\CLSID\{90FE6C53-F8B4-4631-B42A-02D63D1C949C}\(Default) = "PrintView"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

5200 Series Port\Driver = "lxbtlmpm.DLL" ["Lexmark International, Inc."]

HPLJ1018LM\Driver = "ZLhp1018.DLL" ["Zenographics, Inc."]

hpzlnt05\Driver = "hpzlnt05.dll" ["HP"]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 109 seconds.

---------- (total run time: 149 seconds)

SmitfraudFix

SmitFraudFix v2.170


Scan done at 22:50:26,09, 18-04-2007

Run from C:\Documents and Settings\albi\Pulpit\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode


»»»»»»»»»»»»»»»»»»»»»»»» Process


C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Softick\PPP\Bin\PPPGate.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cmd.exe


»»»»»»»»»»»»»»»»»»»»»»»» hosts



»»»»»»»»»»»»»»»»»»»»»»»» C:\



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


C:\WINDOWS\system32\ygjun.dll FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles



»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\albi



»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\albi\Application Data



»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


C:\DOCUME~1\ALLUSE~1\MENUST~1\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\MENUST~1\Security Troubleshooting.url FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\albi\Ulubione


C:\DOCUME~1\albi\Ulubione\Online Security Test.url FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


C:\DOCUME~1\ALLUSE~1\Pulpit\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\Pulpit\Security Troubleshooting.url FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


C:\Program Files\SpywareLocked 3.4\ FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys



»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Moja bieľĄca strona g˘wna"



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]

"{abef791f-947e-4cdf-83c3-e72a240afb67}"="frisbee"


[HKEY_CLASSES_ROOT\CLSID\{abef791f-947e-4cdf-83c3-e72a240afb67}\InProcServer32]

@="C:\WINDOWS\system32\ygjun.dll"


[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{abef791f-947e-4cdf-83c3-e72a240afb67}\InProcServer32]

@="C:\WINDOWS\system32\ygjun.dll"




»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32




»»»»»»»»»»»»»»»»»»»»»»»» DNS


Description: Ralink RT2500 Wireless LAN Card - Sterownik miniport Harmonogramu pakietów

DNS Server Search Order: 217.172.224.92

DNS Server Search Order: 192.168.0.1


HKLM\SYSTEM\CCS\Services\Tcpip\..\{D7A49987-3E5D-4047-B286-4BBBD073DE00}: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D77C0B2-63DE-4308-AC74-CD69A87D742C}: NameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{D7A49987-3E5D-4047-B286-4BBBD073DE00}: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{D7A49987-3E5D-4047-B286-4BBBD073DE00}: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=217.172.224.92 192.168.0.1



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection



»»»»»»»»»»»»»»»»»»»»»»»» End


[/code]

Joan · 18 Kwiecień 2007 20:59

oto powód, wyraźnie napisałam, że ma być tryb awaryjny, a więc zabawa jeszcze raz tym razem porządnie

Albatros78 · 18 Kwiecień 2007 21:18

Najwyraźniej czytanie ze zrozumieniem mnie przerosło Teraz już bez fuszerki

HJT:

Logfile of HijackThis v1.99.1

Scan saved at 23:11:02, on 18-04-2007

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\totalcmd\TOTALCMD.EXE

C:\DOCUME~1\albi\USTAWI~1\Temp\_tc\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O15 - Trusted Zone: http://*.mks.com.pl

O15 - Trusted Zone: http://www.mks.com.pl

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

SmitfraudFix

SmitFraudFix v2.170


Scan done at 23:13:04,55, 18-04-2007

Run from c:\Documents and Settings\albi\Pulpit\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» Process


C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\totalcmd\TOTALCMD.EXE

C:\WINDOWS\System32\WScript.exe

C:\WINDOWS\system32\cmd.exe


»»»»»»»»»»»»»»»»»»»»»»»» hosts



»»»»»»»»»»»»»»»»»»»»»»»» C:\



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32



»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles



»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\albi



»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\albi\Application Data



»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


C:\DOCUME~1\ALLUSE~1\MENUST~1\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\MENUST~1\Security Troubleshooting.url FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\albi\Ulubione


C:\DOCUME~1\albi\Ulubione\Online Security Test.url FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


C:\DOCUME~1\ALLUSE~1\Pulpit\Online Security Guide.url FOUND !

C:\DOCUME~1\ALLUSE~1\Pulpit\Security Troubleshooting.url FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


C:\Program Files\SpywareLocked 3.4\ FOUND !


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys



»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="Moja bieľĄca strona g˘wna"



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32




»»»»»»»»»»»»»»»»»»»»»»»» DNS


Description: Ralink RT2500 Wireless LAN Card - Sterownik miniport Harmonogramu pakietów

DNS Server Search Order: 217.172.224.92

DNS Server Search Order: 192.168.0.1


HKLM\SYSTEM\CCS\Services\Tcpip\..\{D7A49987-3E5D-4047-B286-4BBBD073DE00}: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{8D77C0B2-63DE-4308-AC74-CD69A87D742C}: NameServer=192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\..\{D7A49987-3E5D-4047-B286-4BBBD073DE00}: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{D7A49987-3E5D-4047-B286-4BBBD073DE00}: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=217.172.224.92 192.168.0.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=217.172.224.92 192.168.0.1



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection



»»»»»»»»»»»»»»»»»»»»»»»» End


[/code]


SilentRunner

[code] “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++} “user32.dll” = “C:\Program Files\Video ActiveX Object\isamntr.exe” [file not found] “rare” = “C:\Program Files\Video ActiveX Object\pmsnrr.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [null data] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “SoftickPPP” = ““C:\Program Files\Softick\PPP\Bin\PPPGate.exe”” [“Softick”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll” [file not found] “{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens Device” -> {HKLM…CLSID} = “Siemens Device” \InProcServer32(Default) = “C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll” [file not found] “{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens Device ContextMenuHandler” -> {HKLM…CLSID} = “Siemens Device ContextMenuHandler” \InProcServer32(Default) = “C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll” [file not found] “{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens SX1 PropertySheetHandler” -> {HKLM…CLSID} = “Siemens Device PropertySheetHandler” \InProcServer32(Default) = “C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll” [file not found] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{fc181130-05a0-11d6-8140-000102e745a6}” = “Mój P910i” -> {HKLM…CLSID} = “Mój P910i” \InProcServer32(Default) = “C:\Program Files\Sony Ericsson\Mobile\auexpext.dll” [“Teleca Software Solutions AB”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “None” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\WINDOWS\ACD Wallpaper.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\TOPGEA~1.SCR” (Top Gear.scr) [“ScreenTime Media”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 29 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{84938242-5C5B-4A55-B6B9-A1507543B418}” -> {HKLM…CLSID} = “Protection Bar” \InProcServer32(Default) = “C:\Program Files\Video ActiveX Object\iesplugin.dll” [file not found] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{10ADD1E8-EC8A-4719-B39D-B46DD1D6A65D}(Default) = “PrintView” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL” [file not found] HKLM\Software\Classes\CLSID{84938242-5C5B-4A55-B6B9-A1507543B418}(Default) = “Protection Bar” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Video ActiveX Object\iesplugin.dll” [file not found] HKLM\Software\Classes\CLSID{8CBA1B49-8144-4721-A7B1-64C578C9EED7}(Default) = “SideFind” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\SideFind\sidefind.dll” [file not found] HKLM\Software\Classes\CLSID{90FE6C53-F8B4-4631-B42A-02D63D1C949C}(Default) = “PrintView” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL” [file not found] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- Adobe LM Service, Adobe LM Service, ““C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe”” [null data] ASP.NET State Service, aspnet_state, “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe” [MS] Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]} Fax, Fax, “C:\WINDOWS\system32\fxssvc.exe” [MS] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] User Privilege Service, usprserv, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {(missing data)} Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\MsPMSNSv.dll” [MS]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Zarządzanie aplikacjami, AppMgmt, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\appmgmts.dll” [file not found]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ 5200 Series Port\Driver = “lxbtlmpm.DLL” [“Lexmark International, Inc.”] HPLJ1018LM\Driver = “ZLhp1018.DLL” [“Zenographics, Inc.”] hpzlnt05\Driver = “hpzlnt05.dll” [“HP”] Microsoft Shared Fax Monitor\Driver = “FXSMON.DLL” [MS] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 93 seconds. ---------- (total run time: 131 seconds)

Joan · 18 Kwiecień 2007 21:32

Otwórz notatnik i wklej w nim to:

Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion] “user32.dll”=- “rare”=- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser] “{84938242-5C5B-4A55-B6B9-A1507543B418}”=- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{32020A01-506E-484D-A2A8-BE3CF17601C3}”=- “{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}”=- “{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}”=- “{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}”=- [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID{10ADD1E8-EC8A-4719-B39D-B46DD1D6A65D}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID{84938242-5C5B-4A55-B6B9-A1507543B418}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID{8CBA1B49-8144-4721-A7B1-64C578C9EED7}] [-HKEY_LOCAL_MACHINE\Software\Classes\CLSID{90FE6C53-F8B4-4631-B42A-02D63D1C949C}]

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.REG

Odpal plik FIX.REG i potwierdź dodanie do rejestru i reset kompa

nowy log z silenta…