Wolne działanie systemu, częste 100% użycia procesora

korgan · 25 Luty 2007 11:37

Logfile of HijackThis v1.99.1

Scan saved at 12:25:40, on 2007-02-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

E:\PROGRAMY\FIREFOX\FIREFOX.EXE

E:\Instalki\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcworld.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 212.72.187.2 L2authd.lineage2.com

O1 - Hosts: 212.72.187.2 L2testauthd.lineage2.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programy\Acrobat Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\Jccatch.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\Programy\FlashGet\fgiebar.dll (file missing)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\gg\gg.exe" /tray

O4 - HKCU\..\Run: [ADS] C:\Windows\ADS.exe

O4 - Global Startup: Kalendarz XP.lnk = E:\Programy\Kalendarz XP\Kalendarz.exe

O8 - Extra context menu item: Download All by FlashGet - E:\Programy\FlashGet\jc_all.htm

O8 - Extra context menu item: Download Link Using Mega Manager... - E:\Programy\bezuytecznebadziewie\mm_file.htm

O8 - Extra context menu item: Download using FlashGet - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Programy\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Programy\FlashGet\flashget.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""E:\Programy\gg\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"ADS" = "C:\Windows\ADS.exe" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\Acrobat Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = "Megaupload Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\FlashGet\Jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\ACE Mega CoDecS Pack\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{08267B21-223F-11d3-ACD4-004F4902B913}" = "Desktop Architect"

  -> {CLSID}\InProcServer32\(Default) = "E:\roznosci\dadesk.dll" [file not found]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\Office10\msohev.dll" [MS]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * pgdfgsvc C 1 OODBS" [file not found], [MS], [file not found], ["Sysinternals - www.sysinternals.com"], [file not found], [file not found], [file not found]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\MagicISO\misosh.dll" ["MagicISO, Inc."]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\MagicISO\misosh.dll" ["MagicISO, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\MagicISO\misosh.dll" ["MagicISO, Inc."]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Korgan" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Kalendarz XP" -> shortcut to: "E:\Programy\Kalendarz XP\Kalendarz.exe" [null data]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = "Megaupload Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\FlashGet\fgiebar.dll" [file not found]


"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = "Megaupload Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "E:\Programy\FlashGet\flashget.exe" [file not found]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL=http://www.pcworld.pl


Missing lines (compared with English-language version):

[Strings]: 1 line



HOSTS file

----------


C:\WINDOWS\System32\drivers\etc\HOSTS


maps: 3 domain names to IP addresses,

      2 of the IP addresses are *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 149 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 38 seconds.

---------- (total run time: 271 seconds)

adam9870 · 25 Luty 2007 12:28

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\Windows\ADS.exe

Klikasz X czerwony i restart kompa.

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Usuń wpis HJT jeśli będzie.

Czy masz jeszcze FlashGet’a? Jeśli nie to ciachnij również te wpisy:

Po wykonaniu wklej nowe logi.

korgan · 25 Luty 2007 13:19

Logfile of HijackThis v1.99.1

Scan saved at 14:17:24, on 2007-02-25

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\cisvc.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Eset\nod32kui.exe

E:\Programy\gg\gg.exe

E:\Programy\Kalendarz XP\Kalendarz.exe

C:\WINDOWS\system32\wuauclt.exe

E:\PROGRAMY\FIREFOX\FIREFOX.EXE

E:\Instalki\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.pcworld.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O1 - Hosts: 212.72.187.2 L2authd.lineage2.com

O1 - Hosts: 212.72.187.2 L2testauthd.lineage2.com

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Programy\Acrobat Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\Programy\FlashGet\Jccatch.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\Programy\FlashGet\fgiebar.dll (file missing)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\gg\gg.exe" /tray

O4 - Global Startup: Kalendarz XP.lnk = E:\Programy\Kalendarz XP\Kalendarz.exe

O8 - Extra context menu item: Download All by FlashGet - E:\Programy\FlashGet\jc_all.htm

O8 - Extra context menu item: Download Link Using Mega Manager... - E:\Programy\bezuytecznebadziewie\mm_file.htm

O8 - Extra context menu item: Download using FlashGet - E:\Programy\FlashGet\jc_link.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Programy\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Programy\FlashGet\flashget.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.pcworld.pl

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

"Silent Runners.vbs", revision 41, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""E:\Programy\gg\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]

"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\Acrobat Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = "Megaupload Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = "IeCatch2 Class" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\FlashGet\Jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\ACE Mega CoDecS Pack\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{B7056B8E-4F99-44f8-8CBD-282390FE5428}" = "VirtualCloneDrive"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\VirtualCloneDrive\ElbyVCDShell.dll" ["Elaborate Bytes AG"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]

"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{08267B21-223F-11d3-ACD4-004F4902B913}" = "Desktop Architect"

  -> {CLSID}\InProcServer32\(Default) = "E:\roznosci\dadesk.dll" [file not found]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\Office10\msohev.dll" [MS]


HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! "BootExecute" = "autocheck autochk * pgdfgsvc C 1 OODBS" [file not found], [MS], [file not found], ["Sysinternals - www.sysinternals.com"], [file not found], [file not found], [file not found]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\MagicISO\misosh.dll" ["MagicISO, Inc."]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\MagicISO\misosh.dll" ["MagicISO, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

MagicISO\(Default) = "{DB85C504-C730-49DD-BEC1-7B39C6103B7A}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\MagicISO\misosh.dll" ["MagicISO, Inc."]

NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\winrar\rarext.dll" [null data]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "Korgan" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Kalendarz XP" -> shortcut to: "E:\Programy\Kalendarz XP\Kalendarz.exe" [null data]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = "Megaupload Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"

  -> {CLSID}\InProcServer32\(Default) = "E:\Programy\FlashGet\fgiebar.dll" [file not found]


"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = "Megaupload Toolbar" [from CLSID]

  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "E:\Programy\FlashGet\flashget.exe" [file not found]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL=http://www.pcworld.pl


Missing lines (compared with English-language version):

[Strings]: 1 line



HOSTS file

----------


C:\WINDOWS\System32\drivers\etc\HOSTS


maps: 3 domain names to IP addresses,

      2 of the IP addresses are *not* localhost!



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]

NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 134 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 27 seconds.

---------- (total run time: 241 seconds)

adam9870 · 25 Luty 2007 13:45

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Kosmetyka:

Jak podczas startu pokazuje się okienko to zaznacz na nim, aby się nie pokazywało więcej.

W opcjach programu możesz wyłączyć automatyczny start jeśli nie jest Ci potrzebny.

Dodatkowo przejrzyj Optymalizacja i odchudzanie Windowsa XP.