W32.Myzor.FK@yf virus problem (logs)


(Smietniknr1) #1

Hello. I see that you help laymen like me get rid of viruses by removing the appropriate logs.

Below I am posting a log from HiJack.

Thanks in advance for the help and best regards!

Logfile of HijackThis v1.99.1

Scan saved at 15:30:27, on 2007-01-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\Ati2evxx.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\Ati2evxx.exe

F:\WINDOWS\Explorer.EXE

F:\WINDOWS\system32\spoolsv.exe

F:\Program Files\Video ActiveX Object\isamonitor.exe

F:\Program Files\Video ActiveX Object\pmsngr.exe

F:\WINDOWS\SOUNDMAN.EXE

F:\Program Files\ArcaBit\ArcaVir\AVMenu.exe

F:\Program Files\Video ActiveX Object\pmmon.exe

F:\Program Files\ArcaBit\ArcaVir\ABregmon.exe

F:\Program Files\Video ActiveX Object\isamini.exe

F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

F:\Program Files\HP\HP Software Update\HPWuSchd2.exe

X:\Piter\daemon tools\daemon.exe

F:\Program Files\A4Tech\Mouse\Amoumain.exe

F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

F:\WINDOWS\system32\ctfmon.exe

F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

F:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

F:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe

F:\Program Files\TechniSat DVB\bin\Server4PC.exe

F:\Program Files\Common Files\Sonic Shared\cinetray.exe

F:\Program Files\ArcaBit\ArcaVir\AvMon.exe

V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe

X:\Piter\NetLimiter 2 Pro\nlsvc.exe

F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

F:\WINDOWS\system32\svchost.exe

F:\Program Files\ArcaBit\Common\TaskScheduler.exe

F:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

X:\Piter\NetLimiter 2 Pro\NLClient.exe

v:\pinnacle\shared files\programs\mediaserver\pmshost.exe

F:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Internet Explorer\iexplore.exe

X:\Piter\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://onet.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - F:\Program Files\Video ActiveX Object\isaddon.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVMenu] F:\Program Files\ArcaBit\ArcaVir\AVMenu.exe

O4 - HKLM\..\Run: [ArcaCheck] F:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup

O4 - HKLM\..\Run: [abregmon] F:\Program Files\ArcaBit\ArcaVir\ABregmon.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [zango] "f:\program files\zango\zango.exe"

O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DAEMON Tools] "X:\Piter\daemon tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [WheelMouse] F:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [ISUSPM Startup] "F:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ISUSScheduler] "F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Steam] "f:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [VoipDiscount] "X:\VoipDiscount\VoipDiscount.exe" -nosplash -minimized

O4 - HKCU\..\Run: [Microsoft Location Finder] "F:\Program Files\Microsoft Location Finder\LocationFinder.exe"

O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Sonic CinePlayer Quick Launch.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Server4PC.lnk = F:\Program Files\TechniSat DVB\bin\Server4PC.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pobierz używając Download &Express'a - F:\Program Files\Download Express\Add_Url.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab

O20 - Winlogon Notify: TS_LogonListener - F:\WINDOWS\SYSTEM32\TS_LogonListener.dll

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - F:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ArcaBit.Core.Configurator - ArcaBit - F:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe

O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - F:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe

O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - F:\Program Files\ArcaBit\Common\TaskScheduler.exe

O23 - Service: ArcaVir Antivirus Monitor Service (ArcaVirMonitor) - ArcaBit - F:\Program Files\ArcaBit\ArcaVir\AvMon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

O23 - Service: MSSQL$PINNACLESYS - Unknown owner - V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)

O23 - Service: NetLimiter (nlsvc) - Locktime Software - X:\Piter\NetLimiter 2 Pro\nlsvc.exe

O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - v:\pinnacle\shared files\programs\mediaserver\pmshost.exe

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

(adam9870) #2

Use the SmitFraudFix tool (option 2). Then check what is left of what I have marked below and remove it: (you do all of this in safe mode, of course, with System Restore turned off)

Delete the marked folders manually from the disk, and the entries in HijackThis.

When done, post a new log from hjt, SilentRunners and c:\rapport.txt


(Smietniknr1) #3

I don't want to tempt fate... but after your advice the system already looks much "nicer" :D...

HiJack:

Logfile of HijackThis v1.99.1

Scan saved at 16:46:29, on 2007-01-20

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\system32\cleanmgr.exe

F:\WINDOWS\explorer.exe

X:\Piter\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AVMenu] F:\Program Files\ArcaBit\ArcaVir\AVMenu.exe

O4 - HKLM\..\Run: [ArcaCheck] F:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup

O4 - HKLM\..\Run: [abregmon] F:\Program Files\ArcaBit\ArcaVir\ABregmon.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe

O4 - HKLM\..\Run: [PinnacleDriverCheck] F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

O4 - HKLM\..\Run: [HP Software Update] F:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [DAEMON Tools] "X:\Piter\daemon tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [WheelMouse] F:\Program Files\A4Tech\Mouse\Amoumain.exe

O4 - HKLM\..\Run: [ISUSPM Startup] "F:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [ISUSScheduler] "F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [Steam] "f:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [VoipDiscount] "X:\VoipDiscount\VoipDiscount.exe" -nosplash -minimized

O4 - HKCU\..\Run: [Microsoft Location Finder] "F:\Program Files\Microsoft Location Finder\LocationFinder.exe"

O4 - Startup: Adobe Gamma.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Startup: Sonic CinePlayer Quick Launch.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone - szybkie uruchamianie.lnk = F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Server4PC.lnk = F:\Program Files\TechniSat DVB\bin\Server4PC.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pobierz używając Download &Express'a - F:\Program Files\Download Express\Add_Url.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/sezam/components/SignActivX.cab

O20 - Winlogon Notify: TS_LogonListener - F:\WINDOWS\SYSTEM32\TS_LogonListener.dll

O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - F:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe

O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: ArcaBit.Core.Configurator - ArcaBit - F:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe

O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - F:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe

O23 - Service: ArcaBit.TaskScheduler - ArcaBit sp. z o.o. - F:\Program Files\ArcaBit\Common\TaskScheduler.exe

O23 - Service: ArcaVir Antivirus Monitor Service (ArcaVirMonitor) - ArcaBit - F:\Program Files\ArcaBit\ArcaVir\AvMon.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

O23 - Service: MSSQL$PINNACLESYS - Unknown owner - V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)

O23 - Service: NetLimiter (nlsvc) - Locktime Software - X:\Piter\NetLimiter 2 Pro\nlsvc.exe

O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - v:\pinnacle\shared files\programs\mediaserver\pmshost.exe

O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Silent Runners:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""F:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

"Steam" = ""f:\program files\valve\steam\steam.exe" -silent" ["Valve Corporation"]

"VoipDiscount" = ""X:\VoipDiscount\VoipDiscount.exe" -nosplash -minimized" [file not found]

"Start WingMan Profiler" = "(empty string)" [file not found]

"Microsoft Location Finder" = ""F:\Program Files\Microsoft Location Finder\LocationFinder.exe"" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

"none" = "F:\Program Files\Video ActiveX Object\pmsngr.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Ptipbmf" = "rundll32.exe ptipbmf.dll,SetWriteCacheMode" [MS]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"AVMenu" = "F:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" ["ArcaBit"]

"ArcaCheck" = "F:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup" ["ArcaBit"]

"abregmon" = "F:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" ["ArcaBit"]

"SunJavaUpdateSched" = ""F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"NWEReboot" = "(empty string)" [file not found]

"NeroFilterCheck" = "F:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"PinnacleDriverCheck" = "F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]

"HP Software Update" = "F:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"DAEMON Tools" = ""X:\Piter\daemon tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"WheelMouse" = "F:\Program Files\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co., Ltd."]

"ISUSPM Startup" = ""F:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]

"ISUSScheduler" = ""F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]

"MSConfig" = "F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

  -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

                   \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

  -> {HKLM...CLSID} = "CInfoTipShellExt Class"

                   \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{D7824897-C8DC-49b4-B790-30F7ED16A5FD}" = "ArcaVir Shell Extension"

  -> {HKLM...CLSID} = "ArcaVir Shell Extension"

                   \InProcServer32\(Default) = "F:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "F:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"

  -> {HKLM...CLSID} = "Studio.Project"

                   \InProcServer32\(Default) = "V:\program\programs\BlueShellExt.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "F:\WINDOWS\system32\Audiodev.dll" [MS]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {HKLM...CLSID} = "ACTHUMBNAIL"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"

  -> {HKLM...CLSID} = "AcSignIcon"

                   \InProcServer32\(Default) = "F:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {HKLM...CLSID} = "ACDWFTHMBPRXY"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> TS_LogonListener\DLLName = "TS_LogonListener.dll" ["ArcaBit sp. z o.o."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"

  -> {HKLM...CLSID} = "ArcaVir Shell Extension"

                   \InProcServer32\(Default) = "F:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"

  -> {HKLM...CLSID} = "ArcaVir Shell Extension"

                   \InProcServer32\(Default) = "F:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKCU\Software\Classes\.scr\(Default) = "DWGTrueViewScriptFile"

<> HKCU\Software\Classes\DWGTrueViewScriptFile\shell\open\command\(Default) = ""F:\WINDOWS\system32\notepad.exe" "%1"" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "F:\WINDOWS\system32\logon.scr" [MS]



Startup items in "dom" & "All Users" startup folders:

-----------------------------------------------------


F:\Documents and Settings\dom\Menu Start\Programy\Autostart

"Adobe Gamma" -> shortcut to: "F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Sonic CinePlayer Quick Launch" -> shortcut to: "F:\Program Files\Common Files\Sonic Shared\cinetray.exe" ["Sonic Solutions"]


F:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"HP Digital Imaging Monitor" -> shortcut to: "F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]

"HP Image Zone - szybkie uruchamianie" -> shortcut to: "F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]

"Server4PC" -> shortcut to: "F:\Program Files\TechniSat DVB\bin\Server4PC.exe" ["B2C2, Inc."]



Enabled Scheduled Tasks:

------------------------


"HPpromotions journeysoftware" -> launches: "F:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe /N "journeysoftware" -r" ["hp"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "F:\Program Files\Messenger\msmsgs.exe" [MS]



All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

---------------------------------------------------------------------------


.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]

Adobe LM Service, Adobe LM Service, ""F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"" ["Adobe Systems"]

ArcaBit NetMonitor, ABNetMon, "F:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe" ["ArcaBit"]

ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ""F:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe"" ["ArcaBit"]

ArcaBit.Core.LoggingService, ArcaBit.Core.LoggingService, ""F:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe"" ["ArcaBit"]

ArcaBit.TaskScheduler, ArcaBit.TaskScheduler, "F:\Program Files\ArcaBit\Common\TaskScheduler.exe" ["ArcaBit sp. z o.o."]

ArcaVir Antivirus Monitor Service, ArcaVirMonitor, "F:\Program Files\ArcaBit\ArcaVir\AvMon.exe" ["ArcaBit"]

ASP.NET State Service, aspnet_state, "F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe" [MS]

Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

ATI Smart, ATI Smart, "F:\WINDOWS\system32\ati2sgag.exe" [empty string]

Karta wydajności WMI, WmiApSrv, "F:\WINDOWS\system32\wbem\wmiapsrv.exe" [MS]

MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, ""V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS" [MS]

MSSQLServerADHelper, MSSQLServerADHelper, ""F:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe"" [MS]

NetLimiter, nlsvc, ""X:\Piter\NetLimiter 2 Pro\nlsvc.exe"" ["Locktime Software"]

Office Source Engine, ose, ""F:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]

Pinnacle Systems Media Service, PinnacleSys.MediaServer, "v:\pinnacle\shared files\programs\mediaserver\pmshost.exe" [null data]

Pml Driver HPZ12, Pml Driver HPZ12, "F:\WINDOWS\system32\HPZipm12.exe" ["HP"]

SQLAgent$PINNACLESYS, SQLAgent$PINNACLESYS, ""V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS" [MS]

StarWind iSCSI Service, StarWindService, "F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, "F:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]

Usługa dostarczania sieci, xmlprov, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\System32\xmlprov.dll" [MS]}

Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, "F:\WINDOWS\System32\svchost.exe -k netsvcs" {"F:\WINDOWS\system32\MsPMSNSv.dll" [MS]}

Windows User Mode Driver Framework, UMWdf, "F:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 8 seconds.

---------- (total run time: 36 seconds)

Rapport:

SmitFraudFix v2.132


Scan done at 16:32:33,70, 2007-01-20

Run from X:\Piter\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


F:\DOCUME~1\dom\Ulubione\Online Security Test.url Deleted

F:\Program Files\Video ActiveX Object\ Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End

I think that's it.


(adam9870) #4

Do a cosmetic cleanup with HJT.

Start => Run => type regedit and click OK => go to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

and right-click and delete the value none that is located there.

I suggest cleaning the registry, because you have a lot of empty keys (description).

You can have a look here:

http://forum.dobreprogramy.pl/viewtopic ... 872#861872

Once that is done you can paste a new log from Silent Runners.


(Smietniknr1) #5

Yesss.. I did as you told me. I cleaned the registry (there was quite a bit of it).

Here are the logs from Silent Runners:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]

"MSMSGS" = ""F:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""F:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]

"Steam" = ""f:\program files\valve\steam\steam.exe" -silent" ["Valve Corporation"]

"Start WingMan Profiler" = "(empty string)" [file not found]

"Microsoft Location Finder" = ""F:\Program Files\Microsoft Location Finder\LocationFinder.exe"" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Ptipbmf" = "rundll32.exe ptipbmf.dll,SetWriteCacheMode" [MS]

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"AVMenu" = "F:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" ["ArcaBit"]

"ArcaCheck" = "F:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup" ["ArcaBit"]

"abregmon" = "F:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" ["ArcaBit"]

"SunJavaUpdateSched" = ""F:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"NWEReboot" = "(empty string)" [file not found]

"NeroFilterCheck" = "F:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"AtiPTA" = "atiptaxx.exe" ["ATI Technologies, Inc."]

"PinnacleDriverCheck" = "F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]

"HP Software Update" = "F:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]

"DAEMON Tools" = ""X:\Piter\daemon tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"WheelMouse" = "F:\Program Files\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co., Ltd."]

"ISUSPM Startup" = ""F:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" ["Macrovision Corporation"]

"ISUSScheduler" = ""F:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["Macrovision Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "F:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

  -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

                   \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

  -> {HKLM...CLSID} = "CInfoTipShellExt Class"

                   \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{D7824897-C8DC-49b4-B790-30F7ED16A5FD}" = "ArcaVir Shell Extension"

  -> {HKLM...CLSID} = "ArcaVir Shell Extension"

                   \InProcServer32\(Default) = "F:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"

  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"

  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "F:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

"{79BC0345-1015-11D2-A299-006008312725}" = "blue.shell"

  -> {HKLM...CLSID} = "Studio.Project"

                   \InProcServer32\(Default) = "V:\program\programs\BlueShellExt.dll" [null data]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "F:\WINDOWS\system32\Audiodev.dll" [MS]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {HKLM...CLSID} = "ACTHUMBNAIL"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "AutoCAD Digital Signatures Icon Overlay Handler"

  -> {HKLM...CLSID} = "AcSignIcon"

                   \InProcServer32\(Default) = "F:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{6DEA92E9-8682-4b6a-97DE-354772FE5727}" = "Autodesk DWF Preview"

  -> {HKLM...CLSID} = "ACDWFTHMBPRXY"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll" ["Autodesk"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> TS_LogonListener\DLLName = "TS_LogonListener.dll" ["ArcaBit sp. z o.o."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"

  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"

                   \InProcServer32\(Default) = "F:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"

  -> {HKLM...CLSID} = "ArcaVir Shell Extension"

                   \InProcServer32\(Default) = "F:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"

  -> {HKLM...CLSID} = "ArcaVir Shell Extension"

                   \InProcServer32\(Default) = "F:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKCU\Software\Classes\.scr\(Default) = "DWGTrueViewScriptFile"

<> HKCU\Software\Classes\DWGTrueViewScriptFile\shell\open\command\(Default) = ""F:\WINDOWS\system32\notepad.exe" "%1"" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "F:\WINDOWS\system32\logon.scr" [MS]



Startup items in "dom" & "All Users" startup folders:

-----------------------------------------------------


F:\Documents and Settings\dom\Menu Start\Programy\Autostart

"Adobe Gamma" -> shortcut to: "F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

"Sonic CinePlayer Quick Launch" -> shortcut to: "F:\Program Files\Common Files\Sonic Shared\cinetray.exe" ["Sonic Solutions"]


F:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"HP Digital Imaging Monitor" -> shortcut to: "F:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]

"HP Image Zone - szybkie uruchamianie" -> shortcut to: "F:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]

"Server4PC" -> shortcut to: "F:\Program Files\TechniSat DVB\bin\Server4PC.exe" ["B2C2, Inc."]



Enabled Scheduled Tasks:

------------------------


"HPpromotions journeysoftware" -> launches: "F:\Program Files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe /N "journeysoftware" -r" ["hp"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "F:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "F:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


ArcaBit NetMonitor, ABNetMon, "F:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe" ["ArcaBit"]

ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ""F:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe"" ["ArcaBit"]

ArcaBit.Core.LoggingService, ArcaBit.Core.LoggingService, ""F:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe"" ["ArcaBit"]

ArcaBit.TaskScheduler, ArcaBit.TaskScheduler, "F:\Program Files\ArcaBit\Common\TaskScheduler.exe" ["ArcaBit sp. z o.o."]

ArcaVir Antivirus Monitor Service, ArcaVirMonitor, "F:\Program Files\ArcaBit\ArcaVir\AvMon.exe" ["ArcaBit"]

Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

MSSQL$PINNACLESYS, MSSQL$PINNACLESYS, ""V:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS" [MS]

NetLimiter, nlsvc, ""X:\Piter\NetLimiter 2 Pro\nlsvc.exe"" ["Locktime Software"]

Pinnacle Systems Media Service, PinnacleSys.MediaServer, "v:\pinnacle\shared files\programs\mediaserver\pmshost.exe" [null data]

StarWind iSCSI Service, StarWindService, "F:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]

Windows User Mode Driver Framework, UMWdf, "F:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 87 seconds.

---------- (total run time: 135 seconds)
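
Reading a Silent Runners report by hand means scanning each launch point for the script's own "<>" marker, for entries whose target no longer exists ("(empty string)", "[file not found]"), for binaries with no publisher information ("[null data]", "[empty string]") and for paths belonging to a known rogue such as "Video ActiveX Object". The following triage helper automates exactly that reading. It is an added example, not code from this thread or from Silent Runners; the sample report is built from lines in the shape of the logs above, and the "Video ActiveX Object" Run entry in it is constructed to show what the rogue would have looked like before SmitFraudFix removed the directory.

```python
"""Triage helper for Silent Runners-style startup reports.

Added example, not part of the forum thread or of Silent Runners itself.
It walks the report line by line, remembers the most recent registry
launch point header (a line starting with HKLM\\ or HKCU\\ and carrying
no " = "), and flags entries a cleanup helper would look at first:

  * lines Silent Runners itself marks with "<>" (its suspicious-data marker),
  * entries whose target is "(empty string)" or "[file not found]"
    (dead autostart entries, harmless but worth deleting),
  * entries tagged "[null data]" or "[empty string]" (binary carries no
    version/company info; common for malware, also for small vendors),
  * any target path containing a caller-supplied watchlist term.
"""
import re
from typing import Dict, List, Tuple

# Sample lines in the shape of the thread's Silent Runners output.
# The "Video ActiveX Object" Run entry is CONSTRUCTED for this example.
SAMPLE_REPORT = r'''
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]

"Start WingMan Profiler" = "(empty string)" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"PinnacleDriverCheck" = "F:\WINDOWS\system32\PSDrvCheck.exe -CheckReg" [empty string]

"Video ActiveX Object" = "F:\Program Files\Video ActiveX Object\isamonitor.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
'''

# One report entry: optional "<>" marker, name, " = ", value, optional
# trailing "[tag]" (company name, [MS], [null data], [file not found], ...).
ENTRY = re.compile(
    r'^(?P<mark><>\s*)?(?P<name>.+?)\s*=\s*(?P<value>.*?)\s*(?:\[(?P<tag>[^\[\]]*)\])?$'
)


def triage(report: str,
           watchlist: Tuple[str, ...] = ("Video ActiveX Object",)) -> List[Dict[str, str]]:
    """Return the entries worth a second look, each with its launch point and reasons."""
    findings: List[Dict[str, str]] = []
    launch_point = "(unknown)"
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Registry section headers carry the launch point for the entries below them.
        if line.startswith(("HKLM\\", "HKCU\\")) and " = " not in line:
            launch_point = line.replace("{++}", "").strip()
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        name = m.group("name").strip('"')
        value = m.group("value")
        tag = (m.group("tag") or "").strip()
        reasons = []
        if m.group("mark"):
            reasons.append("marked <> by Silent Runners")
        if "(empty string)" in value or tag == "file not found":
            reasons.append("dead entry (target missing or empty)")
        elif tag in ("null data", "empty string"):
            reasons.append("no publisher info in binary")
        lowered = value.lower()
        for term in watchlist:
            if term.lower() in lowered:
                reasons.append(f"watchlist hit: {term}")
        if reasons:
            findings.append({"launch_point": launch_point, "name": name,
                             "value": value, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_REPORT):
        print(f"{hit['launch_point']}\n  {hit['name']} = {hit['value']}\n  -> {hit['reasons']}")
```

On the sample report the helper flags four entries: the dead "Start WingMan Profiler" value, the unsigned PSDrvCheck.exe, the constructed rogue entry (both for missing publisher data and for the watchlist term), and the ATI Winlogon notify package that Silent Runners marks with "<>" only because any Notify DLL is a launch point; as with the real log above, that last one is legitimate, which is why the marker is a reason to look and not a verdict.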

(adam9870) #6

It's OK now.

Are you no longer getting any virus notifications?


(Smietniknr1) #7

No. I no longer get the balloons telling me about a virus, and likewise when I open the web browser it no longer throws up some strange page.

But I still have doubts, namely: while wrestling with "W32.Myzor.FK@yf", a balloon showed me a message about some new spyware virus: "CyberLog-X" (true, it no longer shows up, but is the virus gone too?)


(adam9870) #8

Over the last few months many systems have been infected by fake programs that supposedly are a codec pack or an anti-spyware security program but in reality are junk. As an add-on, so to speak, these fake programs come bundled with persistent balloons along the lines of "your computer is infected" or the "CyberLog-X" you mentioned. But on the internet you can find many automated tools that let you remove these pests completely. One such automatic remover is SmitFraudFix.

The logs are OK, so the junk is gone.