directx.exe service? How do I remove it?


(Osiolekmatolek) #1

Some web pages keep opening by themselves.

Logfile of HijackThis v1.99.1

Scan saved at 11:14:52, on 26.11.2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

C:\Programme\Roxio\Media Experience\DMXLauncher.exe

C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe

C:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe

C:\Programme\G DATA InternetSecurity SE\AVKTray\AVKTray.exe

C:\Programme\ewido anti-spyware 4.0\ewido.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programme\G DATA InternetSecurity SE\Firewall\GDFirewallTray.exe

C:\Programme\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\Programme\TechSmith\SnagIt 8\SnagIt32.exe

C:\Programme\TechSmith\SnagIt 8\TSCHelp.exe

C:\Programme\Internet Explorer\iexplore.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINDOWS\system32\hpoipm07.exe

C:\Programme\G DATA InternetSecurity SE\AVK\AVKService.exe

C:\Programme\G DATA InternetSecurity SE\AVK\AVKWCtl.exe

C:\Programme\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Programme\ewido anti-spyware 4.0\guard.exe

c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Programme\G DATA InternetSecurity SE\Firewall\GDFwSvc.exe

c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

C:\WINDOWS\System32\svchost.exe

c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe

C:\WINDOWS\security\explorer.exe

C:\Programme\Outlook Express\msimn.exe

C:\Programme\Messenger\msmsgs.exe

C:\Programme\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Dokumente und Einstellungen\Monia\Eigene Dateien\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://de.yahoo.com/fsc/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://de.yahoo.com/fsc/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com

O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programme\TechSmith\SnagIt 8\SnagItBHO.dll

O2 - BHO: G DATA WebFilter Class - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G DATA InternetSecurity SE\Webfilter\AVKWebIE.dll

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll

O3 - Toolbar: G DATA WebFilter - {0124123D-61B4-456f-AF86-78C53A0790C5} - C:\Programme\G DATA InternetSecurity SE\Webfilter\AVKWebIE.dll

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programme\TechSmith\SnagIt 8\SnagItIEAddin.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Muscbrigade] c:\Musicbrigade\Musicbrigade.exe check

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [RoxWatchTray] "c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [DMXLauncher] "c:\Programme\Roxio\Media Experience\DMXLauncher.exe"

O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ISUSScheduler] "c:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxioDragToDisc] "c:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [AVKTray] "C:\Programme\G DATA InternetSecurity SE\AVKTray\AVKTray.exe"

O4 - HKLM\..\Run: [!ewido] "C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Programme\WordPerfect Office X3\Programs\QFSCHD130.EXE"

O4 - HKLM\..\Run: [Byte rdr bolt ref] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\OnlineLoudByteRdr\Bat nurb.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [AOLMIcon] C:\ISP\AOL\AOLMIcon.exe

O4 - HKCU\..\Run: [T-Online Hinweis] c:\t-online_hinweis\t-online_fs2.exe

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Programme\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [BuildSave] C:\DOKUME~1\Monia\ANWEND~1\ROAMPA~1\Vc About.exe

O4 - Global Startup: Adobe Reader - Schnellstart.lnk = C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: G DATA Firewall Tray.lnk = C:\Programme\G DATA InternetSecurity SE\Firewall\GDFirewallTray.exe

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Programme\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

O4 - Global Startup: SnagIt 8.lnk = C:\Programme\TechSmith\SnagIt 8\SnagIt32.exe

O8 - Extra context menu item: Öffnen mit WordPerfect - C:\Programme\WordPerfect Office X3\Programs\WPLauncher.hta

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe

O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Programme\G DATA InternetSecurity SE\AVK\AVKService.exe

O23 - Service: AVK Wächter (AVKWCtl) - Unknown owner - C:\Programme\G DATA InternetSecurity SE\AVK\AVKWCtl.exe

O23 - Service: DirectX Service (DirectXiwr) - Unknown owner - C:\WINDOWS\system32\directx.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programme\ewido anti-spyware 4.0\guard.exe

O23 - Service: G DATA Personal Firewall (GDFwSvc) - Unknown owner - C:\Programme\G DATA InternetSecurity SE\Firewall\GDFwSvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - c:\Programme\Gemeinsame Dateien\Sonic Shared\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - c:\Programme\Gemeinsame Dateien\Sonic Shared\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Programme\Gemeinsame Dateien\SureThing Shared\stllssvr.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"AOLMIcon" = "C:\ISP\AOL\AOLMIcon.exe" [file not found]

"T-Online Hinweis" = "c:\t-online_hinweis\t-online_fs2.exe" [file not found]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Programme\Gemeinsame Dateien\Ahead\Lib\NMBgMonitor.exe"" [file not found]

"MsnMsgr" = ""C:\Programme\MSN Messenger\MsnMsgr.Exe" /background" [MS]

"BuildSave" = "C:\DOKUME~1\Monia\ANWEND~1\ROAMPA~1\Vc About.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]

"SkyTel" = "SkyTel.EXE" ["Realtek Semiconductor Corp."]

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"Muscbrigade" = "c:\Musicbrigade\Musicbrigade.exe check" [null data]

"PinnacleDriverCheck" = "C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]

"(Default)" = "(empty string)" [file not found]

"RoxWatchTray" = ""c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"" ["Sonic Solutions"]

"DMXLauncher" = ""c:\Programme\Roxio\Media Experience\DMXLauncher.exe"" [null data]

"ISUSPM Startup" = ""C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]

"ISUSScheduler" = ""c:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]

"RoxioDragToDisc" = ""c:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe"" ["Roxio"]

"AVKTray" = ""C:\Programme\G DATA InternetSecurity SE\AVKTray\AVKTray.exe"" ["G DATA Software AG"]

"!ewido" = ""C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]

"QuickFinder Scheduler" = ""C:\Programme\WordPerfect Office X3\Programs\QFSCHD130.EXE"" ["Corel Corporation"]

"Byte rdr bolt ref" = "C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\OnlineLoudByteRdr\Bat nurb.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{00C6482D-C502-44C8-8409-FCE54AD9C208}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "HelperObject Class"

                   \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItBHO.dll" ["TechSmith Corporation"]

{0124123D-61B4-456f-AF86-78C53A0790C5}\(Default) = "G DATA WebFilter Class"

  -> {HKLM...CLSID} = "G DATA WebFilter"

                   \InProcServer32\(Default) = "C:\Programme\G DATA InternetSecurity SE\Webfilter\AVKWebIE.dll" ["G DATA Software AG"]

{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Companion BHO"

                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{9030D464-4C02-4ABF-8ECC-5164760863C6}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Windows Live Sign-in Helper"

                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Microsoft Shared\Windows Live\WindowsLiveLogin.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "CPL-Erweiterung für Anzeigeverschiebung"

  -> {HKLM...CLSID} = "CPL-Erweiterung für Anzeigeverschiebung"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Erweiterung für HyperTerminal-Icons"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}" = "RXDCExtShlExt extension"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "c:\Programme\Roxio\Virtual Drive 9\DC_ShellExt.dll" ["Sonic Solutions"]

"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"

  -> {HKLM...CLSID} = "Roxio DragToDisc Shell Extension"

                   \InProcServer32\(Default) = "c:\Programme\Roxio\Drag-to-Disc\Shellex.dll" ["Roxio"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" [file not found]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" [file not found]

"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"

  -> {HKLM...CLSID} = "Meine freigegebenen Ordner"

                   \InProcServer32\(Default) = "C:\Programme\MSN Messenger\fsshext.8.0.0812.00.dll" [MS]

"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = "SnagIt"

  -> {HKLM...CLSID} = "SnagIt"

                   \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]

"{CF74B903-3389-469c-B3B6-0204D204FCBD}" = "SnagIt Shell Extension"

  -> {HKLM...CLSID} = "SnagItShellExt Class"

                   \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "C:\Programme\Gemeinsame Dateien\Ahead\Lib\NeroDigitalExt.dll" [file not found]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Programme\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AVK9CM\(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"

  -> {HKLM...CLSID} = "AVK9ContextMenue"

                   \InProcServer32\(Default) = "C:\Programme\G DATA InternetSecurity SE\AVK\ShellExt.dll" [empty string]

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

IGXMADD\(Default) = "{6DB8751F-2BBF-11d2-A39B-00C04FB96AD2}"

  -> {HKLM...CLSID} = "Micrografx Share Media File Import Shell Extension"

                   \InProcServer32\(Default) = "C:\Programme\Corel\CorelDRAW ESSENTIALS 2\Photobook\Share\Media\igxMadd.dll" ["Micrografx, Inc."]

RXDCExtSvr\(Default) = "{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "c:\Programme\Roxio\Virtual Drive 9\DC_ShellExt.dll" ["Sonic Solutions"]

SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"

  -> {HKLM...CLSID} = "SnagItShellExt Class"

                   \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "C:\Programme\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

QuickFinderMenu\(Default) = "{C0E10002-0028-0006-C0E1-C0E1C0E1C0E1}"

  -> {HKLM...CLSID} = "QuickFinder Shell Extension"

                   \InProcServer32\(Default) = "C:\Programme\WordPerfect Office X3\Programs\PFSE130.DLL" ["Corel Corporation"]

SnagItMainShellExt\(Default) = "{CF74B903-3389-469c-B3B6-0204D204FCBD}"

  -> {HKLM...CLSID} = "SnagItShellExt Class"

                   \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItShellExt.dll" ["TechSmith Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AVK9CM\(Default) = "{CAF4C320-32F5-11D3-A222-004095200FF2}"

  -> {HKLM...CLSID} = "AVK9ContextMenue"

                   \InProcServer32\(Default) = "C:\Programme\G DATA InternetSecurity SE\AVK\ShellExt.dll" [empty string]

RXDCExtSvr\(Default) = "{0FB82570-BB2D-23D3-8D3B-AC2F34F1FA3C}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "c:\Programme\Roxio\Virtual Drive 9\DC_ShellExt.dll" ["Sonic Solutions"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Programme\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{User Configuration|Administrative Templates|System|

Prevent access to registry editing tools}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

{unrecognized setting}


"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme

{unrecognized setting}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\Präriewind.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Dokumente und Einstellungen\Monia\Anwendungsdaten\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\fsc-scr.scr" ["Neoaspire.com"]



Startup items in "Monia" & "All Users" startup folders:

-------------------------------------------------------


C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart

"Adobe Reader - Schnellstart" -> shortcut to: "C:\Programme\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"G DATA Firewall Tray" -> shortcut to: "C:\Programme\G DATA InternetSecurity SE\Firewall\GDFirewallTray.exe" [null data]

"HPAiODevice(hp psc 700 series) - 1" -> shortcut to: "C:\Programme\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe -DeviceID 1164467468" ["Hewlett-Packard Co."]

"SnagIt 8" -> shortcut to: "C:\Programme\TechSmith\SnagIt 8\SnagIt32.exe" ["TechSmith Corporation"]



Enabled Scheduled Tasks:

------------------------


"AB3B6A3891B4E4D0" -> launches: "c:\dokume~1\monia\anwend~1\roampa~1\math ping book.exe" [file not found]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Companion"

                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Companion"

                   \InProcServer32\(Default) = "C:\Programme\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll" ["Yahoo! Inc."]

"{0124123D-61B4-456F-AF86-78C53A0790C5}" = "G DATA WebFilter"

  -> {HKLM...CLSID} = "G DATA WebFilter"

                   \InProcServer32\(Default) = "C:\Programme\G DATA InternetSecurity SE\Webfilter\AVKWebIE.dll" ["G DATA Software AG"]

"{8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3}" = (no title provided)

  -> {HKLM...CLSID} = "SnagIt"

                   \InProcServer32\(Default) = "C:\Programme\TechSmith\SnagIt 8\SnagItIEAddin.dll" ["TechSmith Corporation"]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{99996159-755D-4D62-AB84-F2B0082EBDFC}\(Default) = "PMC Taskbar"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "mscoree.dll" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Programme\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVK Service, AVKService, "C:\Programme\G DATA InternetSecurity SE\AVK\AVKService.exe" ["G DATA Software AG"]

AVK Wächter, AVKWCtl, "C:\Programme\G DATA InternetSecurity SE\AVK\AVKWCtl.exe" [empty string]

AVKProxy, AVKProxy, ""C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe"" ["G DATA Software AG"]

ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Programme\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]

G DATA Personal Firewall, GDFwSvc, "C:\Programme\G DATA InternetSecurity SE\Firewall\GDFwSvc.exe" [null data]

HTTP-SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}

Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]

Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]

Media Center-Planerdienst, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]

Messenger Sharing USN Journal Reader-Service, usnsvc, "C:\WINDOWS\system32\svchost.exe -k usnsvc" {"C:\Programme\MSN Messenger\usnsvc.dll" [MS]}

Roxio Hard Drive Watcher 9, RoxWatch9, ""c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe"" ["Sonic Solutions"]

RoxMediaDB9, RoxMediaDB9, ""c:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe"" ["Sonic Solutions"]

X10 Device Network Service, x10nets, "C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe" ["X10"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 35 seconds, including 7 seconds for message boxes)
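Added example, not part of the original post: a small Python triage pass over a few O4/O23 lines copied from the HijackThis log above. It flags autostarts launched from user-writable data directories and unknown-owner services sitting directly in system32. The regexes, the `Entry` type and the heuristics are my own; the sample lines are a constructed subset of the log above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the O4 (autostart registry entries)
# and O23 (NT services) lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVKTray] "C:\Programme\G DATA InternetSecurity SE\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [Byte rdr bolt ref] C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\OnlineLoudByteRdr\Bat nurb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BuildSave] C:\DOKUME~1\Monia\ANWEND~1\ROAMPA~1\Vc About.exe
O23 - Service: AVK Wächter (AVKWCtl) - Unknown owner - C:\Programme\G DATA InternetSecurity SE\AVK\AVKWCtl.exe
O23 - Service: DirectX Service (DirectXiwr) - Unknown owner - C:\WINDOWS\system32\directx.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# HijackThis line shapes (assumed from the log above, not an official grammar):
#   O4 - <hive>\..\Run: [<value name>] <command line>
#   O23 - Service: <display name> (<service name>) - <owner> - <path>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?)(?: \(([^)]+)\))? - (.+?) - (.+)$")

# Directories an ordinary user can write to (German XP names, their 8.3 forms,
# and the English equivalents); legitimate autoruns rarely lived there in 2006.
USER_WRITABLE = re.compile(
    r"\\(anwendungsdaten|anwend~1|application data|appdata|temp)\\", re.I)
# A file dropped directly into system32 (no vendor subdirectory).
SYSTEM32_DIRECT = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)


@dataclass
class Entry:
    kind: str   # "O4" or "O23"
    name: str   # Run value name, or the service's short name
    path: str   # executable path as written in the log
    owner: str  # O23 company string; "" for O4 (HijackThis prints none)
    raw: str


def _exe_path(command: str) -> str:
    """Pull the executable out of an O4 command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def parse_hijackthis(text: str) -> list[Entry]:
    """Parse the O4 and O23 lines of a HijackThis log; other lines are skipped."""
    entries: list[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            _hive, name, command = m.groups()
            entries.append(Entry("O4", name, _exe_path(command), "", line))
        elif m := O23_RE.match(line):
            display, short, owner, path = m.groups()
            entries.append(Entry("O23", short or display, path.strip(), owner, line))
    return entries


def triage(text: str) -> list[tuple[Entry, str]]:
    """Return (entry, reason) pairs for entries worth a closer look.

    These are heuristics, not verdicts: "Unknown owner" only means HijackThis
    found no company name in the file's version info (the G DATA service above
    shows it too), so it is combined with the location before flagging.
    """
    flagged = []
    for e in parse_hijackthis(text):
        if e.kind == "O4" and USER_WRITABLE.search(e.path):
            flagged.append((e, "autostart launched from a user-writable data directory"))
        elif e.kind == "O23" and e.owner == "Unknown owner" and SYSTEM32_DIRECT.match(e.path):
            flagged.append((e, "service with no vendor info dropped directly into system32"))
    return flagged


def flagged_names(text: str) -> list[str]:
    """Names of the flagged entries, in log order."""
    return [e.name for e, _ in triage(text)]


if __name__ == "__main__":
    for e, why in triage(SAMPLE_LOG):
        print(f"{e.kind} {e.name!r}: {why}\n    {e.path}")
```

On the sample above this flags the two autoruns under Anwendungsdaten and the DirectXiwr service, and leaves the G DATA, NVIDIA and ctfmon entries alone.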

(Bbieniol) #2

Start --> Run --> services.msc --> stop and disable the DirectX Service service

Open HijackThis --> Open Misc Tools section --> Delete a NT service --> type DirectXiwr and OK

In Safe Mode with System Restore turned off, you delete (the entries with HijackThis, the files/folders marked in red manually from the disk):

After that, post new logs :)


(Osiolekmatolek) #3

I have a problem disabling "DirectXiwr" with HijackThis.

I get the following message:

464343warn.gif

I stopped and disabled the DirectX Service service

What should I do now?? Please help


(Monczkin) #4

Majka75, please change the title to something specific.


(Asterisk) #5

Now try doing this


(Osiolekmatolek) #6

It was exactly after doing that option that I got the message pasted above


(Asterisk) #7

But it says you have to disable the service first

Only then the deletion.


(Osiolekmatolek) #8

That's what I did too, don't think I mixed up the order.

Even though I disable the DirectX Service service, I can't carry out the next step with HijackThis :(


(adam9870) #9

In that case, try stopping and deleting the service from the command prompt. So choose Start => Run => cmd => in the console that opens, type in turn:

You can do this in normal mode. And afterwards you no longer need to use the Open Misc Tools section option in HijackThis.


(Osiolekmatolek) #10

Thanks :)

I managed to remove DirectXiwr this way

Here is my log:

I just still have a problem with the firewall: I can only get on the Internet if I turn it off. If the firewall is active I can't get on the Internet. I can only use Outlook and MSN Messenger with the firewall on

P.S. I don't know what this is: Is this also to be deleted?


(Bbieniol) #11

The logs are OK now :)

Have you configured the firewall correctly?