SmitFraudFix v2.171

Scan done at 1:21:33,37, 2007-04-21
Run from C:\Documents and Settings\ja\Pulpit\Czyszczenie\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS

Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost
127.0.0.1 preymaster.humanhead.com
127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\tool1.exe Deleted
C:\uniq Deleted
C:\WINDOWS\iexplorer.exe Deleted
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld???.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\svchosts.exe Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\twain32.dll Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: DhcpNameServer=85.255.114.70,85.255.112.182
HKLM\SYSTEM\CCS\Services\Tcpip…{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer=83.238.255.76 213.241.79.37
HKLM\SYSTEM\CCS\Services\Tcpip…{8B12265D-67C1-4364-A7B2-E430BDFAF67B}: DhcpNameServer=85.255.114.70,85.255.112.182
HKLM\SYSTEM\CS1\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: DhcpNameServer=85.255.114.70,85.255.112.182
HKLM\SYSTEM\CS1\Services\Tcpip…{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer=83.238.255.76 213.241.79.37
HKLM\SYSTEM\CS1\Services\Tcpip…{8B12265D-67C1-4364-A7B2-E430BDFAF67B}: DhcpNameServer=85.255.114.70,85.255.112.182
HKLM\SYSTEM\CS2\Services\Tcpip…{17CF06F0-5D90-4848-9737-D0480A43DABC}: DhcpNameServer=85.255.114.70,85.255.112.182
HKLM\SYSTEM\CS2\Services\Tcpip…{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer=83.238.255.76 213.241.79.37
HKLM\SYSTEM\CS2\Services\Tcpip…{8B12265D-67C1-4364-A7B2-E430BDFAF67B}: DhcpNameServer=85.255.114.70,85.255.112.182

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

And the new one from HJ:

Logfile of HijackThis v1.99.1
Scan saved at 01:40:13, on 2007-04-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ja\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebportal.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: XBTP05231 Class - {031F120A-BBAF-45d8-B306-375F2A6B9398} - C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll (file missing)
O2 - BHO: (no name) - {24CA9643-4692-0D63-8C79-5FCE0ED985AC} - C:\WINDOWS\system32\jgjt.dll (file missing)
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\Jccatch.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Alcohol Soft - Alcohol 120% Toolbar - {1CE4EE89-2D5C-4361-AF3B-D902AB545381} - C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll (file missing)
O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM…\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM…\Run: [speedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM…\Run: [Explorer] C:\WINDOWS\iexplorer.exe
O4 - HKCU…\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU…\Run: [AQQ] E:\AQQ\AQQ.exe
O4 - HKCU…\Run: [secrecy File Folder Hider] C:\Program Files\Secrecy File Folder Hider\Secrethider.exe
O4 - HKCU…\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Eksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O17 - HKLM\System\CCS\Services\Tcpip…{46B99464-7F15-48E3-9683-03DA19E9A346}: NameServer = 83.238.255.76 213.241.79.37
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Bufor wydruku (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

And from Silent Runners:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{F020F967-0707-1045-1109-050504100030}" = ""C:\Program Files\Common Files\{F020F967-0707-1045-1109-050504100030}\Update.exe" mc-110-12-0000478" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]
"AQQ" = "E:\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]
"Secrecy File Folder Hider" = "C:\Program Files\Secrecy File Folder Hider\Secrethider.exe" ["SecretHider LLC"]
"userinit" = "C:\WINDOWS\system32\ntos.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [file not found]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime" [file not found]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"New.net Startup" = "rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s" [MS]
"Explorer" = "C:\WINDOWS\iexplorer.exe" ["vbnxcvdfcvb"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{031F120A-BBAF-45d8-B306-375F2A6B9398}\(Default) = (no title provided)
  - {HKLM…CLSID} = "XBTP05231 Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~2\a120_tb.dll" [file not found]
{24CA9643-4692-0D63-8C79-5FCE0ED985AC}\(Default) = (no title provided)
  - {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\jgjt.dll" [file not found]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
  - {HKLM…CLSID} = "IeCatch5 Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\Jccatch.dll" [file not found]
{c900b400-cdfe-11d3-976a-00e02913a9e0}\(Default) = (no title provided)
  - {HKLM…CLSID} = "WhIeHelperObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\webHancer\programs\whiehlpr.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  - {HKLM…CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  - {HKLM…CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  - {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  - {HKLM…CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  - {HKLM…CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe," [file not found], [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
instcat\DLLName = "instcat.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter\
text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  - {HKLM…CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  - {HKLM…CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  - {HKLM…CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  - {HKLM…CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  - {HKLM…CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoSaveSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}
"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}
"NoThemesTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}
"NoDispAppearancePage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoColorChoice" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoSizeChoice" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Control Panel|Display|
Hide Desktop tab}
"NoDispScrSavPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoDispCPL" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Control Panel|Display|
Remove Display in Control Panel}
"NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoDispSettingsPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
"HomePage" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable changing home page settings}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"DisableTaskMgr" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\ja\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Startup items in "ja" & "All Users" startup folders:
----------------------------------------------------

C:\Documents and Settings\ja\Menu Start\Programy\Autostart
"Adobe Gamma" - shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{1CE4EE89-2D5C-4361-AF3B-D902AB545381}"
  - {HKLM…CLSID} = "Alcohol Soft - Alcohol 120% Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll" [file not found]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{1CE4EE89-2D5C-4361-AF3B-D902AB545381}"
  - {HKLM…CLSID} = "Alcohol Soft - Alcohol 120% Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
  - {HKLM…CLSID} = "FlashGet Bar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\fgiebar.dll" ["Amaze Soft"]
"{1CE4EE89-2D5C-4361-AF3B-D902AB545381}" = (no title provided)
  - {HKLM…CLSID} = "Alcohol Soft - Alcohol 120% Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
  - {HKLM…CLSID} = "Java Plug-in 1.5.0_06"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\Program Files\FlashGet\flashget.exe" ["FlashGet.com"]

{EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\
"ButtonText" = "eBay - Homepage"
"CLSIDExtension" = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
  - {HKLM…CLSID} = "Toolbar Extension for Executable"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"Exec" = "C:\Program Files\IrfanView\Ebay\Ebay.htm" [null data]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\system32\UAService7.exe" ["Sony DADC Austria AG."]
StarWind iSCSI Service, StarWindService, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 121 seconds.

---------- (total run time: 176 seconds)

I don't know whether this matters, but after starting the computer I go into Task Manager and end some processes (the ones I know are harmful), but I was already doing that before the internet slowed down… And one more problem has come up: when I turn the computer on, the wallpaper appears and nothing else… I first have to "add a task" and only then does it load… Help

Merged post: 21.04.2007 (Sat) 1:40

For about 2-3 hours it was OK,
and now it's back again… Report from SmitfraudFix:
Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be enabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\ja\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “ja” “All Users” startup folders: ---------------------------------------------------- C:\Documents and Settings\ja\Menu Start\Programy\Autostart “Adobe Gamma” - shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: 
------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ “{1CE4EE89-2D5C-4361-AF3B-D902AB545381}” - {HKLM…CLSID} = “Alcohol Soft - Alcohol 120% Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll” [file not found] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{1CE4EE89-2D5C-4361-AF3B-D902AB545381}” - {HKLM…CLSID} = “Alcohol Soft - Alcohol 120% Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll” [file not found] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” - {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] “{1CE4EE89-2D5C-4361-AF3B-D902AB545381}” = (no title provided) - {HKLM…CLSID} = “Alcohol Soft - Alcohol 120% Toolbar” \InProcServer32(Default) = “C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll” [file not found] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” - {HKLM…CLSID} = “Java Plug-in 1.5.0_06” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “FlashGet” “Exec” = “C:\Program Files\FlashGet\flashget.exe” [“FlashGet.com”] {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A}\ 
“ButtonText” = “eBay - Homepage” “CLSIDExtension” = “{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}” - {HKLM…CLSID} = “Toolbar Extension for Executable” \InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] “Exec” = “C:\Program Files\IrfanView\Ebay\Ebay.htm” [null data] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ SecuROM User Access Service (V7), UserAccess7, “C:\WINDOWS\system32\UAService7.exe” [“Sony DADC Austria AG.”] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] ---------- : Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 121 seconds. ---------- (total run time: 176 seconds) Niewiem czy to może mieć jakieś znaczenie ale po otworzeniu kompa wchodze w menadżera zadań i kończe niektóre procesy (te, które wiem że są szkodliwe) ale robiłem już tak przed zwolnieniem neta… No i jeszcze jeden problem doszedł Kiedy włanczam kompa pokazuje się tło i nic… Musze dopiero “dodać zadanie” i wtedy wchodzi… Pomocy