Virus from a link on Gadu + logs


(Zuraw1989) #1

My buddy caught a virus from some link and I'm asking for his logs to be checked.

Logfile of HijackThis v1.99.1

Scan saved at 20:40:41, on 2007-03-01

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

E:\Nerox\InCD\InCD.exe

E:\GG\Gadu-Gadu\gg.exe

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\msconfig.exe

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Mateusz.DOM.000\Pulpit\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media11.fastclick.net/w/safepop.cgi?mid=58768&sid=1452&id=102106&len=0&c=0&nfcp=1&ie=1

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll

O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll

O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll

O2 - BHO: (no name) - {F4678142-3EA6-1175-F79C-164491811DC5} - C:\WINDOWS\System32\dmffjb.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll (file missing)

O3 - Toolbar: ToolBar888 - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [BearShare] "E:\br\x\BearShare.exe" /pause

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools] "E:\tool\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [InCD] E:\Nerox\InCD\InCD.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [winlog] winlog.exe

O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e177.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmad_5.exe

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

O4 - HKLM\..\Run: [defender] C:\\dfndrff_177.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

O4 - HKLM\..\RunServices: [winlog] winlog.exe

O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\GG\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [AQQ] E:\AQQ\AQQ.exe

O4 - HKCU\..\Run: [Skype] "E:\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Komunikator] C:\Documents and Settings\Mateusz.DOM.000\Pulpit\Nowy folder (2)\Nowy folder\tlen.exe

O4 - HKCU\..\Run: [NBJ] "E:\Nero\Nero BackItUp\nbj.exe"

O4 - Startup: Uninstall0.exe

O4 - Startup: UniSpiker-2.6.lnk = ?

O4 - Startup: Wincbr.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: msconfig.exe

O4 - Global Startup: taskmgr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CE47BC-4A72-4FE2-8A9B-A0B7DAF01183}: NameServer = 192.168.22.1

O20 - AppInit_DLLs: winword.dll  

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\eHh4\command.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Nerox\InCD\InCDsrv.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" 

-atboottime" ["Apple Computer, Inc."]

"Gadu-Gadu" = ""E:\GG\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"AQQ" = "E:\AQQ\AQQ.exe" ["AQQ Sp z o.o."]

"Skype" = ""E:\Phone\Skype.exe" /nosplash /minimized" ["Skype 

Technologies S.A."]

"Komunikator" = "C:\Documents and Settings\Mateusz.DOM.000\Pulpit\Nowy 

folder (2)\Nowy folder\tlen.exe" [file not found]

"NBJ" = ""E:\Nero\Nero BackItUp\nbj.exe"" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

"SunJavaUpdateSched" = "C:\Program 

Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

"BearShare" = ""E:\br\x\BearShare.exe" /pause" ["Free Peers, Inc."]

"snpstd" = "C:\WINDOWS\vsnpstd.exe" [empty string]

"GhostStartTrayApp" = "C:\Program Files\Symantec\Norton Ghost 

2003\GhostStartTrayApp.exe" ["Symantec Corporation"]

"iTunesHelper" = ""E:\iTunes\iTunesHelper.exe"" [file not found]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" 

-atboottime" ["Apple Computer, Inc."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead 

Software Gmbh"]

"DAEMON Tools" = ""E:\tool\DAEMON Tools\daemon.exe" -lang 1033" ["DT 

Soft Ltd."]

"InCD" = "E:\Nerox\InCD\InCD.exe" ["Ahead Software AG"]

"winupdates" = "C:\Program Files\winupdates\winupdates.exe /auto" 

["inno setup"]

"outlook" = "C:\Program Files\outlook\outlook.exe /auto" 

["InstallShield Software Corporation"]

"winlog" = "winlog.exe" [null data]

"keyboard" = "C:\\kybrdff_e177.exe" ["fdslj 

reditf8eru8turdtreduj54tr8u548"]

"newname" = "C:\\nwnmad_5.exe" [file not found]

"IpWins" = "C:\Program Files\ipwins\ipwins.exe" [null data]

"defender" = "C:\\dfndrff_177.exe" ["de5"]

"New.net Startup" = "rundll32 

C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 

Objects\

{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "URLLink Class"

                   \InProcServer32\(Default) = "C:\Program 

Files\NewDotNet\newdotnet6_38.dll" ["New.net, Inc."]

{A8B28872-3324-4CD2-8AA3-7D555C872D96}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "DeskbarBHO"

                   \InProcServer32\(Default) = "C:\Program 

Files\Deskbar\deskbar.dll" ["Deskbar"]

{C004DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "888Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Common 

Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll" [null data]

{F4678142-3EA6-1175-F79C-164491811DC5}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\System32\dmffjb.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell 

Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania 

wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not 

found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony 

HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = 

"C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom 

Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = 

"C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"

  -> {HKLM...CLSID} = "PropPage Class"

                   \InProcServer32\(Default) = "C:\Program 

Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = 

"E:\iTunes\iTunesMiniPlayer.dll" [file not found]

"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

  -> {HKLM...CLSID} = "Shell Extension for CDRW"

                   \InProcServer32\(Default) = 

"E:\Nerox\InCD\incdshx.dll" ["Ahead Software AG"]

"{B9FD67DE-5934-46B6-819A-B72D288F46D9}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lRp20c7oef.dll" [file not found]

"{B6A657CB-C507-42E3-A5B6-AD52ECFA4D46}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\mhdtclog.dll" [file not found]

"{E5051EEC-77AB-4FE8-B5C0-D98EB6F93E98}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lzcdll.dll" [file not found]

"{237CE374-F977-4FEA-8BB3-FB92A0CE0BEF}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lJp20c7oef.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<> "AppInit_DLLs" = " winword.dll " [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local 

Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local 

Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group 

Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Mateusz.DOM.000\Moje 

dokumenty\Moje obrazy\kosa.jpg"


Displayed if Active Desktop disabled and wallpaper not set by Group 

Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Mateusz.DOM.000\Ustawienia 

lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "Mateusz" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\Mateusz.DOM.000\Menu Start\Programy\Autostart

<> "Uninstall0.exe" [null data]

"UniSpiker-2.6" -> shortcut to: 

"E:\Iwona\UniSpiker-2.6\uni_spiker-2.6.exe" [file not found]

<> "Wincbr.exe" [null data]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft 

Office\Office\OSA9.EXE -b -l" [MS]

<> "msconfig.exe" ["Windows Installer"]

<> "taskmgr.exe" ["Windows Installer"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ 

{++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

000000000005\LibraryPath = "C:\Program 

Files\NewDotNet\newdotnet6_38.dll" ["New.net, Inc."]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ 

{++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## 

range:

C:\Program Files\NewDotNet\newdotnet6_38.dll ["New.net, Inc."], 01 - 

02, 25 - 26

%SystemRoot%\system32\mswsock.dll [MS], 03 - 05, 08 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 06 - 07



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "C:\Program 

Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]

"{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}"

  -> {HKLM...CLSID} = "Toolbar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\Toolbar888\tbu02640\ToolBar888.dll" [file not found]

"{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}"

  -> {HKLM...CLSID} = "ToolBar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\ToolBar888\MyToolBar.dll" [file not found]

"{C004DEC2-2623-438E-9CA2-C9043AB28508}"

  -> {HKLM...CLSID} = "888Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Common 

Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll" [null data]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "C:\Program 

Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]

"{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}" = (no title provided)

  -> {HKLM...CLSID} = "Toolbar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\Toolbar888\tbu02640\ToolBar888.dll" [file not found]

"{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}" = (no title provided)

  -> {HKLM...CLSID} = "ToolBar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\ToolBar888\MyToolBar.dll" [file not found]

"{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}" = (no title provided)

  -> {HKLM...CLSID} = "ToolBar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\ToolBar888\MyToolBar.dll" [file not found]

"{C004DEC2-2623-438E-9CA2-C9043AB28508}" = (no title provided)

  -> {HKLM...CLSID} = "888Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Common 

Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll" [null data]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"

                   \InProcServer32\(Default) = "C:\Program 

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{A8B28872-3324-4CD2-8AA3-7D555C872D96}" = (no title provided)

  -> {HKLM...CLSID} = "DeskbarBHO"

                   \InProcServer32\(Default) = "C:\Program 

Files\Deskbar\deskbar.dll" ["Deskbar"]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" 

["H+BEDV Datentechnik GmbH, Germany"]

Command Service, cmdService, "C:\WINDOWS\eHh4\command.exe" [null data]

GhostStartService, GhostStartService, "C:\Program Files\Symantec\Norton 

Ghost 2003\GhostStartService.exe" ["Symantec Corporation"]

InCD Helper, InCDsrv, "E:\Nerox\InCD\InCDsrv.exe" ["Ahead Software AG"]

Network Monitor, Network Monitor, "C:\Program Files\Network 

Monitor\netmon.exe service" [null data]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all 

parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 505 seconds, including 7 seconds for 

message boxes)

(adam9870) #2

Use Windows Worms Doors Cleaner and switch the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.

Download and run LSP-Fix, tick "I know what I'm doing", then in the Keep pane select the newdotnet*_** library, move it with the arrow (>>) to the Remove pane, click Finish and restart.

Start => Run => type cmd and click OK => in the console that opens, type:

In Safe Mode with System Restore turned off, delete:

Delete the marked files and folders manually from the disk, and the marked entries in HijackThis.

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

Use the SmitFraudFix tool with option number 2 in Safe Mode.

When done, post a new HijackThis log, a Silent Runners log, and the contents of the file c:\rapport.txt
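A triage script, added here and not part of adam9870's reply, that applies the same checks the reply works through by hand (O10 Winsock LSP hijack, nameless BHOs, bare-name or drive-root Run entries, executables dropped in Startup folders, unknown-owner services) to HijackThis log text; the sample log is a constructed subset of the lines from post #1, and every function name is my own.

```python
"""Triage helper for HijackThis v1.99 log text (added example, not from the thread)."""
import ipaddress
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. O4, O10
    reason: str
    line: str


def executable_of(cmd: str) -> str:
    """Best effort: the file a Run command line launches (quoted path, or up to .exe)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def check_o4(body: str):
    """Reason string for a suspicious O4 (autostart) entry, else None."""
    m = O4_RE.match(body)
    if not m:
        return None
    if m.group("key").endswith("Startup"):  # Startup folder, not a Run key
        if ".lnk" not in m.group("cmd").lower():
            return "executable placed directly in a Startup folder instead of a shortcut"
        return None
    exe = executable_of(m.group("cmd"))
    if exe.lower() in ("rundll32", "rundll32.exe"):
        return "rundll32 host entry; the DLL in its argument is what actually runs"
    if "\\" not in exe and "/" not in exe:
        return "bare filename with no directory; found via PATH search, real location unknown"
    if re.match(r"^[a-z]:\\+[^\\]+$", exe, re.I):
        return "executable sitting directly in a drive root"
    return None


def triage(log_text: str) -> list:
    """Walk a HijackThis log and collect the entries an analyst reads first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec in ("R0", "R1") and "http" in body:
            reason = "browser start/search page points at a URL; confirm the user chose it"
        elif sec == "O2" and body.startswith("BHO: (no name)"):
            reason = "Browser Helper Object registered without a name"
        elif sec == "O3" and body.endswith("(file missing)"):
            reason = "orphaned toolbar registration, DLL no longer on disk"
        elif sec == "O4":
            reason = check_o4(body)
        elif sec == "O10":
            reason = "Winsock LSP chain hijacked; repair with an LSP tool, not by deleting the DLL"
        elif sec == "O17":
            ips = re.search(r"NameServer = ([\d.,]+)", body)
            if ips and any(not ipaddress.ip_address(i).is_private for i in ips.group(1).split(",")):
                reason = "DNS server is a public address; verify it belongs to the ISP"
        elif sec == "O20" and body.split(":", 1)[1].strip():
            reason = "AppInit_DLLs set; that DLL is injected into every process that loads user32"
        elif sec == "O23":
            svc = O23_RE.match(body)
            if svc and svc.group("owner") == "Unknown owner":
                reason = "service binary carries no publisher information"
        if reason:
            findings.append(Finding(sec, reason, line))
    return findings


# Constructed sample: a subset of the lines from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {F4678142-3EA6-1175-F79C-164491811DC5} - C:\WINDOWS\System32\dmffjb.dll
O3 - Toolbar: ToolBar888 - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e177.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - Startup: Uninstall0.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CE47BC-4A72-4FE2-8A9B-A0B7DAF01183}: NameServer = 192.168.22.1
O20 - AppInit_DLLs: winword.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\eHh4\command.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason}\n    {f.line}")
```

The rules are heuristics for ordering manual review, not a verdict: an entry like the "winupdates" Run key in post #1 passes them all and still needs a look at the file itself.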


(Zuraw1989) #3
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" 

-atboottime" ["Apple Computer, Inc."]

"Gadu-Gadu" = ""E:\GG\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"AQQ" = "E:\AQQ\AQQ.exe" ["AQQ Sp z o.o."]

"Skype" = ""E:\Phone\Skype.exe" /nosplash /minimized" ["Skype 

Technologies S.A."]

"Komunikator" = "C:\Documents and Settings\Mateusz.DOM.000\Pulpit\Nowy 

folder (2)\Nowy folder\tlen.exe" [file not found]

"NBJ" = ""E:\Nero\Nero BackItUp\nbj.exe"" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"

"SunJavaUpdateSched" = "C:\Program 

Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

"BearShare" = ""E:\br\x\BearShare.exe" /pause" ["Free Peers, Inc."]

"snpstd" = "C:\WINDOWS\vsnpstd.exe" [empty string]

"GhostStartTrayApp" = "C:\Program Files\Symantec\Norton Ghost 

2003\GhostStartTrayApp.exe" ["Symantec Corporation"]

"iTunesHelper" = ""E:\iTunes\iTunesHelper.exe"" [file not found]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" 

-atboottime" ["Apple Computer, Inc."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead 

Software Gmbh"]

"DAEMON Tools" = ""E:\tool\DAEMON Tools\daemon.exe" -lang 1033" ["DT 

Soft Ltd."]

"InCD" = "E:\Nerox\InCD\InCD.exe" ["Ahead Software AG"]

"winupdates" = "C:\Program Files\winupdates\winupdates.exe /auto" 

["inno setup"]

"outlook" = "C:\Program Files\outlook\outlook.exe /auto" 

["InstallShield Software Corporation"]

"winlog" = "winlog.exe" [null data]

"keyboard" = "C:\\kybrdff_e177.exe" [file not found]

"newname" = "C:\\nwnmad_5.exe" [file not found]

"IpWins" = "C:\Program Files\ipwins\ipwins.exe" [file not found]

"defender" = "C:\\dfndrff_177.exe" [file not found]

"New.net Startup" = "rundll32 

C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 

Objects\

{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "URLLink Class"

                   \InProcServer32\(Default) = "C:\Program 

Files\NewDotNet\newdotnet6_38.dll" [file not found]

{A8B28872-3324-4CD2-8AA3-7D555C872D96}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "DeskbarBHO"

                   \InProcServer32\(Default) = "C:\Program 

Files\Deskbar\deskbar.dll" [file not found]

{C004DEC2-2623-438e-9CA2-C9043AB28508}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "888Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Common 

Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll" [file not 

found]

{F4678142-3EA6-1175-F79C-164491811DC5}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\System32\dmffjb.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell 

Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania 

wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not 

found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony 

HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = 

"C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom 

Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = 

"C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"

  -> {HKLM...CLSID} = "PropPage Class"

                   \InProcServer32\(Default) = "C:\Program 

Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = 

"E:\iTunes\iTunesMiniPlayer.dll" [file not found]

"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

  -> {HKLM...CLSID} = "Shell Extension for CDRW"

                   \InProcServer32\(Default) = 

"E:\Nerox\InCD\incdshx.dll" ["Ahead Software AG"]

"{B9FD67DE-5934-46B6-819A-B72D288F46D9}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lRp20c7oef.dll" [file not found]

"{B6A657CB-C507-42E3-A5B6-AD52ECFA4D46}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\mhdtclog.dll" [file not found]

"{E5051EEC-77AB-4FE8-B5C0-D98EB6F93E98}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lzcdll.dll" [file not found]

"{237CE374-F977-4FEA-8BB3-FB92A0CE0BEF}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lJp20c7oef.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<> "AppInit_DLLs" = " winword.dll " [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local 

Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local 

Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group 

Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Mateusz.DOM.000\Moje 

dokumenty\Moje obrazy\kosa.jpg"


Displayed if Active Desktop disabled and wallpaper not set by Group 

Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Mateusz.DOM.000\Ustawienia 

lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Startup items in "Mateusz" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\Mateusz.DOM.000\Menu Start\Programy\Autostart

"UniSpiker-2.6" -> shortcut to: 

"E:\Iwona\UniSpiker-2.6\uni_spiker-2.6.exe" [file not found]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft 

Office\Office\OSA9.EXE -b -l" [MS]

<> "msconfig.exe" ["Windows Installer"]

<> "taskmgr.exe" ["Windows Installer"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ 

{++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ 

{++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## 

range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "C:\Program 

Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]

"{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}"

  -> {HKLM...CLSID} = "Toolbar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\Toolbar888\tbu02640\ToolBar888.dll" [file not found]

"{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}"

  -> {HKLM...CLSID} = "ToolBar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\ToolBar888\MyToolBar.dll" [file not found]

"{C004DEC2-2623-438E-9CA2-C9043AB28508}"

  -> {HKLM...CLSID} = "888Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Common 

Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll" [file not 

found]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)

  -> {HKLM...CLSID} = "Yahoo! Toolbar"

                   \InProcServer32\(Default) = "C:\Program 

Files\Yahoo!\Companion\Installs\cpn\yt.dll" [file not found]

"{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F}" = (no title provided)

  -> {HKLM...CLSID} = "Toolbar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\Toolbar888\tbu02640\ToolBar888.dll" [file not found]

"{0E1230F8-EA50-42A9-983C-D22ABC2EED3B}" = (no title provided)

  -> {HKLM...CLSID} = "ToolBar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\ToolBar888\MyToolBar.dll" [file not found]

"{CBCC61FA-0221-4CCC-B409-CEE865CACA3A}" = (no title provided)

  -> {HKLM...CLSID} = "ToolBar888"

                   \InProcServer32\(Default) = "C:\Program 

Files\ToolBar888\MyToolBar.dll" [file not found]

"{C004DEC2-2623-438E-9CA2-C9043AB28508}" = (no title provided)

  -> {HKLM...CLSID} = "888Bar"

                   \InProcServer32\(Default) = "C:\Program Files\Common 

Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll" [file not 

found]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"

                   \InProcServer32\(Default) = "C:\Program 

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{A8B28872-3324-4CD2-8AA3-7D555C872D96}" = (no title provided)

  -> {HKLM...CLSID} = "DeskbarBHO"

                   \InProcServer32\(Default) = "C:\Program 

Files\Deskbar\deskbar.dll" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" 

["H+BEDV Datentechnik GmbH, Germany"]

Command Service, cmdService, "C:\WINDOWS\eHh4\command.exe" [null data]

GhostStartService, GhostStartService, "C:\Program Files\Symantec\Norton 

Ghost 2003\GhostStartService.exe" ["Symantec Corporation"]

InCD Helper, InCDsrv, "E:\Nerox\InCD\InCDsrv.exe" ["Ahead Software AG"]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all 

parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 383 seconds, including 3 seconds for 

message boxes)

Logfile of HijackThis v1.99.1

Scan saved at 20:34:00, on 2007-03-02

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\Explorer.EXE

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

E:\Nerox\InCD\InCD.exe

C:\Program Files\winupdates\winupdates.exe

C:\Program Files\outlook\outlook.exe

E:\GG\Gadu-Gadu\gg.exe

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\msconfig.exe

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\taskmgr.exe

C:\WINDOWS\System32\WScript.exe

C:\Documents and Settings\Mateusz.DOM.000\Pulpit\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media11.fastclick.net/w/safepop.cgi?mid=58768&sid=1452&id=102106&len=0&c=0&nfcp=1&ie=1

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)

O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll (file missing)

O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll (file missing)

O2 - BHO: (no name) - {F4678142-3EA6-1175-F79C-164491811DC5} - C:\WINDOWS\System32\dmffjb.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\tbu02640\ToolBar888.dll (file missing)

O3 - Toolbar: ToolBar888 - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll (file missing)

O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30424E25-0321-1045-0430-010212010030}\888Bar.dll (file missing)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [BearShare] "E:\br\x\BearShare.exe" /pause

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools] "E:\tool\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [InCD] E:\Nerox\InCD\InCD.exe

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto

O4 - HKLM\..\Run: [winlog] winlog.exe

O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e177.exe

O4 - HKLM\..\Run: [newname] C:\\nwnmad_5.exe

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

O4 - HKLM\..\Run: [defender] C:\\dfndrff_177.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

O4 - HKLM\..\RunServices: [winlog] winlog.exe

O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\GG\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [AQQ] E:\AQQ\AQQ.exe

O4 - HKCU\..\Run: [Skype] "E:\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [Komunikator] C:\Documents and Settings\Mateusz.DOM.000\Pulpit\Nowy folder (2)\Nowy folder\tlen.exe

O4 - HKCU\..\Run: [NBJ] "E:\Nero\Nero BackItUp\nbj.exe"

O4 - Startup: UniSpiker-2.6.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: msconfig.exe

O4 - Global Startup: taskmgr.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CE47BC-4A72-4FE2-8A9B-A0B7DAF01183}: NameServer = 192.168.22.1

O20 - AppInit_DLLs: winword.dll  

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\eHh4\command.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Nerox\InCD\InCDsrv.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

SmitFraudFix v2.145


Scan done at 20:22:30,16, 2007-03-02

Run from E:\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» hosts



127.0.0.1 localhost


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


C:\WINDOWS\drsmartload2.dat Deleted

C:\WINDOWS\keyboard1.dat Deleted

C:\WINDOWS\mousepad??.exe Deleted

C:\WINDOWS\newname.dat Deleted

C:\WINDOWS\teller2.chk Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 

NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End


(adam9870) #4

Open Notepad and paste this into it:

File >>> Save As >>> Change the file type from TXT to All Files >>> Save under the name FIX.BAT

Open Notepad and paste this into it:

File >>> Save As >>> Change the file type from TXT to All Files >>> Save under the name FIX.REG

Boot into Safe Mode and run the files you created.

Remove the HJT entries.

When done, paste new logs.


(Zuraw1989) #5

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"{B0424E25-0321-1045-0430-010212010030}" = ""C:\Program Files\Common 

Files\{B0424E25-0321-1045-0430-010212010030}\Update.exe" 

mc-110-12-0000140" [file not found]


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""E:\GG\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"Firewall Pro" = "C:\Program Files\Play\PC Tools 2005\Firewall Pro 

2005\fwpro.exe" ["Aktywni.pl"]

"NBJ" = ""E:\Nero\Nero BackItUp\nbj.exe"" [file not found]

"services32" = "C:\Program Files\Common 

Files\Windows\mc-110-12-0000137.exe" [file not found]

"koim" = "C:\PROGRA~1\COMMON~1\koim\koimm.exe" [empty string]

"TClock.exe" = "C:\Program Files\TClock\tclock_install.exe" [null data]

"Wtea" = ""C:\DOCUME~1\admin\MOJEDO~1\DOBE~1\fast.exe" -vt yazb" [null 

data]

"Qqkaoqm" = "C:\DOCUME~1\admin\DANEAP~1\ECURIT~1\OOL32~1.EXE" [null 

data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SunJavaUpdateSched" = "C:\Program 

Files\Java\jre1.5.0_04\bin\jusched.exe" ["Sun Microsystems, Inc."]

"BearShare" = ""E:\br\x\BearShare.exe" /pause" ["Free Peers, Inc."]

"snpstd" = "C:\WINDOWS\vsnpstd.exe" [empty string]

"GhostStartTrayApp" = "C:\Program Files\Symantec\Norton Ghost 

2003\GhostStartTrayApp.exe" ["Symantec Corporation"]

"iTunesHelper" = ""E:\iTunes\iTunesHelper.exe"" [file not found]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" 

-atboottime" ["Apple Computer, Inc."]

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead 

Software Gmbh"]

"DAEMON Tools" = ""E:\tool\DAEMON Tools\daemon.exe" -lang 1033" ["DT 

Soft Ltd."]

"InCD" = "E:\Nerox\InCD\InCD.exe" ["Ahead Software AG"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper 

Objects\

{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "URLLink Class"

                   \InProcServer32\(Default) = "C:\Program 

Files\NewDotNet\newdotnet6_38.dll" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell 

Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania 

wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not 

found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony 

HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = 

"C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom 

Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = 

"C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"

  -> {HKLM...CLSID} = "PropPage Class"

                   \InProcServer32\(Default) = "C:\Program 

Files\Symantec\Norton Ghost 2003\GhoShExt.dll" ["Symantec Corporation"]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = 

"E:\iTunes\iTunesMiniPlayer.dll" [file not found]

"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"

  -> {HKLM...CLSID} = "Shell Extension for CDRW"

                   \InProcServer32\(Default) = 

"E:\Nerox\InCD\incdshx.dll" ["Ahead Software AG"]

"{B9FD67DE-5934-46B6-819A-B72D288F46D9}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lRp20c7oef.dll" [file not found]

"{B6A657CB-C507-42E3-A5B6-AD52ECFA4D46}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\mhdtclog.dll" [file not found]

"{E5051EEC-77AB-4FE8-B5C0-D98EB6F93E98}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lzcdll.dll" [file not found]

"{237CE374-F977-4FEA-8BB3-FB92A0CE0BEF}" = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = 

"C:\WINDOWS\system32\lJp20c7oef.dll" [file not found]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program 

Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local 

Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local 

Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group 

Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\admin\Ustawienia lokalne\Dane 

aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group 

Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\admin\Ustawienia lokalne\Dane 

aplikacji\Microsoft\Wallpaper1.bmp"


Active Desktop web content (hidden if disabled):


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

"FriendlyName" = ""

"Source" = "C:\Program Files\Windows NT\kyzer.html"

"SubscribedURL" = ""


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\

"FriendlyName" = ""

"Source" = "C:\Program Files\Internet Explorer\howypyh.html"

"SubscribedURL" = ""


HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\3\

"FriendlyName" = ""

"Source" = "\"

"SubscribedURL" = ""



Startup items in "admin" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft 

Office\Office\OSA9.EXE -b -l" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ 

{++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ 

{++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## 

range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC}"

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_04"

                   \InProcServer32\(Default) = "C:\Program 

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll" ["Sun Microsystems, Inc."]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" 

["H+BEDV Datentechnik GmbH, Germany"]

GhostStartService, GhostStartService, "C:\Program Files\Symantec\Norton 

Ghost 2003\GhostStartService.exe" ["Symantec Corporation"]

InCD Helper, InCDsrv, "E:\Nerox\InCD\InCDsrv.exe" ["Ahead Software AG"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all 

parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 222 seconds, including 3 seconds for 

message boxes)

Logfile of HijackThis v1.99.1

Scan saved at 22:15:19, on 2007-03-02

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

E:\Nerox\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

C:\WINDOWS\vsnpstd.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

C:\Program Files\QuickTime\qttask.exe

E:\tool\DAEMON Tools\daemon.exe

E:\Nerox\InCD\InCD.exe

E:\GG\Gadu-Gadu\gg.exe

C:\Program Files\Play\PC Tools 2005\Firewall Pro 2005\fwpro.exe

C:\PROGRA~1\COMMON~1\koim\koimm.exe

C:\DOCUME~1\admin\MOJEDO~1\DOBE~1\fast.exe

C:\PROGRA~1\COMMON~1\koim\koima.exe

C:\DOCUME~1\admin\DANEAP~1\ECURIT~1\OOL32~1.EXE

C:\Program Files\TClock\TClock.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\PROGRA~1\COMMON~1\koim\koiml.exe

C:\Documents and Settings\Mateusz.DOM.000\Pulpit\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yourstartingpage.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

O4 - HKLM\..\Run: [BearShare] "E:\br\x\BearShare.exe" /pause

O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe

O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DAEMON Tools] "E:\tool\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [InCD] E:\Nerox\InCD\InCD.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\GG\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Firewall Pro] C:\Program Files\Play\PC Tools 2005\Firewall Pro 2005\fwpro.exe

O4 - HKCU\..\Run: [NBJ] "E:\Nero\Nero BackItUp\nbj.exe"

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000137.exe

O4 - HKCU\..\Run: [koim] C:\PROGRA~1\COMMON~1\koim\koimm.exe

O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe

O4 - HKCU\..\Run: [Wtea] "C:\DOCUME~1\admin\MOJEDO~1\DOBE~1\fast.exe" -vt yazb

O4 - HKCU\..\Run: [Qqkaoqm] C:\DOCUME~1\admin\DANEAP~1\ECURIT~1\OOL32~1.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CE47BC-4A72-4FE2-8A9B-A0B7DAF01183}: NameServer = 192.168.22.1

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Nerox\InCD\InCDsrv.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

(adam9870) #6

Open Notepad and paste this into it:

File >>> Save As >>> Change the file type from TXT to All Files >>> Save under the name FIX.BAT

Open Notepad and paste this into it:

File >>> Save As >>> Change the file type from TXT to All Files >>> Save under the name FIX.REG and place it directly on the C partition

Boot the system into Safe Mode and run the FIX.BAT file. As for FIX.REG, do this:

Start >>> Run >>> type the command regedit.exe /s C:\fix.reg

Remove the HJT entries.

The regular version of BearShare comes bundled with junk, so I suggest removing it. If you really want to keep using it, install the Lite version, which is free of the junk.

When done, paste new logs. Additionally, download l2mfix.exe and post log number 1.