Kleko15
(Kleko15)
3 May 2007 11:07
#1
Logfile of HijackThis v1.99.1
Scan saved at 13:02:17, on 2007-05-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
E:\Drukarka HP\Digital Imaging\bin\hpqSTE08.exe
E:\Drukarka HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lato\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - C:\PROGRA~1\BEARSH~1\BEARSH~2\MediaBar.dll (file missing)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\System32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [odk_mon] C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe
O4 - HKLM\..\Run: [HP Software Update] E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Binamokrdrwipe] C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\Dent Inside.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [LiteIdol] C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
Help... Check this log, BECAUSE I AM COMPLETELY CLUELESS ABOUT THIS... and CiD is annoying me so much it's shocking... I'll be very grateful... Please mark what needs to be removed... Please... Thanks
Gutek
(Gutek)
3 May 2007 11:12
#2
First use the NoLop tool and FixWareOut - http://downloads.subratam.org/Fixwareout.exe, then post new HJT and Silent Runners logs.
Delete the folders manually in Safe Mode, and the entries with HijackThis.
If you no longer have Messenger, also remove these two entries:
I suggest removing the Megaupload Toolbar, because it is a toolbar of dubious reputation. It collects data about the user and sends it somewhere, nobody knows where.
Do you still have .NET Framework? If not, read up on removing it properly:
http://blogs.msdn.com/astebner/archive/ … 08856.aspx
After doing this, post a new log from HijackThis plus one from SilentRunners.
Remove the entries with HJT.
Open Notepad and paste this into it:
File >>> Save As >>> change the file type from TXT to All Files >>> save it as FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
Start >>> Programs >>> Accessories >>> System Tools >>> Scheduled Tasks >>> right-click and delete all the "At" entries.
After doing this, post a new Silent Runners log just to be sure.
It's OK now.
Cosmetics:
Start => Run => msconfig => Startup tab => you can untick the above.
Control Panel => Java Plug-in => Update => untick the option Check for updates automatically.
If you don't really need RealOne, replace it with Real Alternative.
I suggest cleaning the registry, since you have a few empty keys; see the description.
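The triage the helpers apply by eye in this thread can be done mechanically: entries whose target file is missing (orphaned BHO/toolbar/button registrations), autostarts launched from a random-named folder under the profile data directories (the entries the poster is sent to NoLop for), the O17 NameServer hijack that FixWareOut is prescribed for, and the random-named scheduled task that shows up in the Silent Runners log. The script below is an added example written for this page, not a tool from the thread; its sample input is a constructed subset of the HijackThis and Silent Runners lines posted above, and EXPECTED_DNS is an assumed allowlist that you would replace with the resolvers the machine is actually supposed to use.

```python
"""Triage helper for the HijackThis / Silent Runners entry classes discussed in this thread."""
import ipaddress
import re

# Constructed sample: a subset of the HijackThis lines from the logs posted above.
SAMPLE_HJT = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - C:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Binamokrdrwipe] C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\Dent Inside.exe
O4 - HKCU\..\Run: [LiteIdol] C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe
O4 - HKLM\..\Run: [TrustInstaller] D:\Setup.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.40 85.255.112.15
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""
# Constructed sample: the "Enabled Scheduled Tasks" line from the Silent Runners log above.
SAMPLE_SR_TASKS = r"""
"AC5BE13A91B09182" -> launches: "c:\docume~1\lato\daneap~1\fiveup~1\Thirdroaddeaf.exe" [null data]
"""

# Assumption: the resolvers this machine should be using (router/ISP). Any other address in an
# O17 NameServer entry is reported as a hijack candidate; adjust for the network being checked.
EXPECTED_DNS = [ipaddress.ip_network("192.168.0.0/16")]

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# Per-user and All Users data folders on XP (English and Polish names, plus the 8.3 short form).
APPDATA_RE = re.compile(r"\\(Application Data|Dane aplikacji|DANEAP~1)\\", re.IGNORECASE)
# "[Name] X:\file.exe": an autostart sitting directly in a drive root.
DRIVE_ROOT_RE = re.compile(r"^\[[^\]]+\] [A-Za-z]:\\[^\\]+$")
SR_TASK_RE = re.compile(r'^"(?P<name>[^"]+)" -> launches: "(?P<target>[^"]+)"')


def parse_hjt(text):
    """Return (kind, body) for every HijackThis entry line; header and process lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("kind"), m.group("body")) for m in matches if m]


def rogue_nameservers(body):
    """Addresses in an O17 'NameServer = ...' entry that are not inside EXPECTED_DNS."""
    m = re.search(r"NameServer = (.+)$", body)
    if not m:
        return []
    rogue = []
    for token in re.split(r"[ ,]+", m.group(1).strip()):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an address
        if not any(addr in net for net in EXPECTED_DNS):
            rogue.append(str(addr))
    return rogue


def triage_hjt(text):
    """Return [(entry_line, [reasons])] for every HijackThis entry worth a second look."""
    findings = []
    for kind, body in parse_hjt(text):
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned entry: target file is missing")
        if kind == "O4":
            target = body.split(": ", 1)[-1]  # drop the 'HKLM\..\Run' style prefix
            if APPDATA_RE.search(target):
                reasons.append("autostart from a profile data folder (Lop-style)")
            if DRIVE_ROOT_RE.match(target):
                reasons.append("autostart from a drive root")
        if kind == "O17":
            rogue = rogue_nameservers(body)
            if rogue:
                reasons.append("DNS hijack: unexpected NameServer " + ", ".join(rogue))
        if reasons:
            findings.append((f"{kind} - {body}", reasons))
    return findings


def triage_sr_tasks(text):
    """Silent Runners scheduled-task lines whose target lives in a profile data folder."""
    flagged = []
    for line in text.splitlines():
        m = SR_TASK_RE.match(line.strip())
        if m and APPDATA_RE.search(m.group("target")):
            flagged.append((m.group("name"), m.group("target")))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_hjt(SAMPLE_HJT):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
    for name, target in triage_sr_tasks(SAMPLE_SR_TASKS):
        print(f'scheduled task "{name}" -> {target}')
```

Run against the sample, it flags the BearShare orphan, the two profile-data autostarts, the D:\Setup.EXE drive-root autostart and the O17 hijack, and leaves the Eset, Adobe and service entries alone; the scheduled task is reported separately because it comes from the Silent Runners format rather than HijackThis. The allowlist approach for O17 is deliberate: an absolute "public DNS is bad" rule would also flag legitimate ISP resolvers.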
Gutek
(Gutek)
5 May 2007 00:05
#9
Note: when you paste a log, wrap it in a CODE or QUOTE tag - please fix it
Regards, Gutek2222
Kleko15
(Kleko15)
21 May 2007 19:00
#10
This CiD is killing me again... here is my new log... help me with what to remove...
Logfile of HijackThis v1.99.1
Scan saved at 20:57:14, on 2007-05-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvraidservice.exe
E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\Program Files\Gadu-Gadu\gg.exe
E:\Drukarka HP\Digital Imaging\bin\hpqSTE08.exe
E:\Drukarka HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lato\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll
O2 - BHO: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: Share Accelerator MM Toolbar - {4596013b-6c31-408b-a266-deae5c086dc2} - C:\Program Files\Share_Accelerator_MM\tbShar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [odk_mon] C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe
O4 - HKLM\..\Run: [HP Software Update] E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TrustInstaller] D:\Setup.EXE
O4 - HKLM\..\Run: [Binamokrdrwipe] C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\DoesHope.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LiteIdol] C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
Gutek
(Gutek)
21 May 2007 19:29
#11
Use the NoLop tool
Remove the entries with HJT, and the folders manually in Safe Mode
Kleko15
(Kleko15)
21 May 2007 19:49
#12
Thank you very much... This really is a very useful forum... If it weren't for you I'd have given up already...
Joan
(Joan Sunshine)
22 May 2007 14:25
#15
Delete what's marked in red from the disk in Safe Mode and the entries in HijackThis, then post a new SilentRunners log :)
Kleko15
(Kleko15)
24 May 2007 13:06
#16
But I don't have this "C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe" folder anywhere... I searched and it's nowhere to be found ;/
Merged post: 24.05.2007 (Thu) 15:10
Merged post: 24.05.2007 (Thu) 15:13
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Internet Download Accelerator" = "C:\Program Files\IDA\ida.exe -autorun" [file not found]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"LiteIdol" = "C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"NVRTCLK" = "C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [empty string]
"NVRaidService" = "C:\WINDOWS\System32\nvraidservice.exe" ["NVIDIA Corporation"]
"odk_mon" = "C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe" ["FranmoSoft"]
"HP Software Update" = "E:\Drukarka HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"TrustInstaller" = "D:\Setup.EXE" [file not found]
"Binamokrdrwipe" = "C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\New Active.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{85F685C3-20D9-4943-95E4-EB4224056C3F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Expressivo"
                   \InProcServer32\(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {HKLM...CLSID} = "Shell Extension for CDRW"
                   \InProcServer32\(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
                   \InProcServer32\(Default) = "E:\UKASZ~1\ALKOCH~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Lato\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmarque.scr" [MS]


Startup items in "Lato" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Kalendarz XP" -> shortcut to: "C:\Program Files\Kalendarz XP\Kalendarz.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"AC5BE13A91B09182" -> launches: "c:\docume~1\lato\daneap~1\fiveup~1\Thirdroaddeaf.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{85F685C3-20D9-4943-95E4-EB4224056C3F}" = "Expressivo"
  -> {HKLM...CLSID} = "Expressivo"
                   \InProcServer32\(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{137E6E5E-A205-4657-A49F-1AB865787089}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SmartShopper"
                   \InProcServer32\(Default) = "C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF}\
"ButtonText" = "SmartShopper - Compare product prices"
"CLSIDExtension" = "{2260D608-C844-435d-90FD-DC16CFA577F2}"
  -> {HKLM...CLSID} = "IEButton"
                   \InProcServer32\(Default) = "C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll" [file not found]

{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0}\
"ButtonText" = "SmartShopper - Compare travel rates"
"CLSIDExtension" = "{BCEB373D-A35A-4200-BD43-8586CD9DFAE7}"
  -> {HKLM...CLSID} = "IEButtonA"
                   \InProcServer32\(Default) = "C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\system32\UAService7.exe" ["Sony DADC Austria AG."]
StarWind iSCSI Service, StarWindService, "E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
STI Simulator, STI Simulator, "C:\WINDOWS\System32\PAStiSvc.exe" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]
Kodak Printer Dock Language Monitor\Driver = "KPDLM.dll" [file not found]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 35 seconds, including 6 seconds for message boxes)

That was the Silent Runners log.

Logfile of HijackThis v1.99.1
Scan saved at 15:13:25, on 2007-05-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\nvraidservice.exe
E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
E:\Drukarka HP\Digital Imaging\bin\hpqSTE08.exe
E:\Drukarka HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Gadu-Gadu\gg.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lato\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [odk_mon] C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe
O4 - HKLM\..\Run: [HP Software Update] E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TrustInstaller] D:\Setup.EXE
O4 - HKLM\..\Run: [Binamokrdrwipe] C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\New Active.exe
O4 - HKCU\..\Run: [Internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LiteIdol] C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

And that one is from HijackThis.
Złączono Posta : 24.05.2007 (Czw) 15:14
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Internet Download Accelerator" = "C:\Program Files\IDA\ida.exe -autorun" [file not found]
"NBJ" = ""C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"LiteIdol" = "C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"NVRTCLK" = "C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [empty string]
"NVRaidService" = "C:\WINDOWS\System32\nvraidservice.exe" ["NVIDIA Corporation"]
"odk_mon" = "C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe" ["FranmoSoft"]
"HP Software Update" = "E:\Drukarka HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Co."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"nod32kui" = ""C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"TrustInstaller" = "D:\Setup.EXE" [file not found]
"Binamokrdrwipe" = "C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\New Active.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{85F685C3-20D9-4943-95E4-EB4224056C3F}(Default) = (no title provided)
  -> {HKLM...CLSID} = "Expressivo"
     \InProcServer32(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
  -> {HKLM...CLSID} = "Shell Extension for CDRW"
     \InProcServer32(Default) = "C:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
  -> {HKLM...CLSID} = "AlcoholShellEx"
     \InProcServer32(Default) = "E:\UKASZ~1\ALKOCH~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
     \InProcServer32(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Lato\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmarque.scr" [MS]

Startup items in "Lato" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"Kalendarz XP" -> shortcut to: "C:\Program Files\Kalendarz XP\Kalendarz.exe" [null data]
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]

Enabled Scheduled Tasks:
------------------------

"AC5BE13A91B09182" -> launches: "c:\docume~1\lato\daneap~1\fiveup~1\Thirdroaddeaf.exe" [null data]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{85F685C3-20D9-4943-95E4-EB4224056C3F}" = "Expressivo"
  -> {HKLM...CLSID} = "Expressivo"
     \InProcServer32(Default) = "C:\Program Files\ivo\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{137E6E5E-A205-4657-A49F-1AB865787089}(Default) = (no title provided)
  -> {HKLM...CLSID} = "SmartShopper"
     \InProcServer32(Default) = "C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEBF}\
"ButtonText" = "SmartShopper - Compare product prices"
"CLSIDExtension" = "{2260D608-C844-435d-90FD-DC16CFA577F2}"
  -> {HKLM...CLSID} = "IEButton"
     \InProcServer32(Default) = "C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll" [file not found]
{3CC3D8FE-F0E0-4DD1-A69A-8C56BCC7BEC0}\
"ButtonText" = "SmartShopper - Compare travel rates"
"CLSIDExtension" = "{BCEB373D-A35A-4200-BD43-8586CD9DFAE7}"
  -> {HKLM...CLSID} = "IEButtonA"
     \InProcServer32(Default) = "C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

InCD Helper, InCDsrv, "C:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\system32\UAService7.exe" ["Sony DADC Austria AG."]
StarWind iSCSI Service, StarWindService, "E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
STI Simulator, STI Simulator, "C:\WINDOWS\System32\PAStiSvc.exe" [null data]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
hpzsnt12\Driver = "hpzsnt12.dll" ["HP"]
Kodak Printer Dock Language Monitor\Driver = "KPDLM.dll" [file not found]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
----------
(total run time: 35 seconds, including 6 seconds for message boxes)

Silent Runners log

Logfile of HijackThis v1.99.1
Scan saved at 15:13:25, on 2007-05-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\nvraidservice.exe
E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kalendarz XP\Kalendarz.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
E:\Drukarka HP\Digital Imaging\bin\hpqSTE08.exe
E:\Drukarka HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Gadu-Gadu\gg.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lato\Pulpit\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\IH_iexplore.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM…\Run: [odk_mon] C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe
O4 - HKLM…\Run: [HP Software Update] E:\Drukarka HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM…\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM…\Run: [TrustInstaller] D:\Setup.EXE
O4 - HKLM…\Run: [binamokrdrwipe] C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\New Active.exe
O4 - HKCU…\Run: [internet Download Accelerator] C:\Program Files\IDA\ida.exe -autorun
O4 - HKCU…\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU…\Run: [LiteIdol] C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = E:\Drukarka HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Program Files\Kalendarz XP\Kalendarz.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: SmartShopper - Compare product prices - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEBF} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O9 - Extra button: SmartShopper - Compare travel rates - {3CC3D8FE-F0E0-4dd1-A69A-8C56BCC7BEC0} - C:\Program Files\SmartShopper\Bin\2.0.20\SmrtShpr.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Łukasz\Alkochol 120%\Alcohol 120\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

and that's from HijackThis
Kleko15
(Kleko15)
24 May 2007 16:01
#18
"Lato" - 2007-05-24 17:58:07  Dodatek Service Pack 2
ComboFix 07-05.24.7.V - Running from: "C:\Documents and Settings\Lato\Pulpit"

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-24 ))))))))))))))))))))))))))))))))))

2007-05-24 17:50
2007-05-24 17:48  49,152  --a------  C:\WINDOWS\nircmd.exe
2007-05-24 15:49
2007-05-24 15:01
2007-05-24 15:00
2007-05-21 16:55
2007-05-21 16:55
2007-05-08 16:10  434,252  --a------  C:\WINDOWS\system32\Msvcrtd.dll
2007-05-08 16:10
2007-05-06 21:08
2007-05-05 10:42  5,600  --a------  C:\WINDOWS\system\WINASPI.DLL
2007-05-05 10:42  45,056  --a------  C:\WINDOWS\system32\WNASPI32.DLL
2007-05-05 10:42  4,672  --a------  C:\WINDOWS\system\WOWPOST.EXE
2007-05-05 10:42  16,877  --a------  C:\WINDOWS\system32\drivers\ASPI32.SYS
2007-05-05 10:03
2007-05-04 15:30  5  --ahs----  C:\WINDOWS\system32\fcaaffaba_s.dll
2007-05-04 15:10
2007-05-01 10:20
2007-04-30 19:49  5,632  --a------  C:\WINDOWS\system32\ptpusb.dll
2007-04-30 19:49  159,232  --a------  C:\WINDOWS\system32\ptpusd.dll
2007-04-30 19:49
2007-04-30 19:49
2007-04-30 19:30
2007-04-24 20:33

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-24 15:56:06  --------  d-----w  C:\Program Files\Odkurzacz 9.3 Pro
2007-05-24 14:32:08  --------  d-----w  C:\Program Files\Kalendarz XP
2007-05-24 13:55:10  --------  d-----w  C:\Program Files\XviD
2007-05-24 13:55:09  --------  d-----w  C:\Program Files\DivX
2007-05-24 13:55:09  --------  d-----w  C:\Program Files\BitSpirit
2007-05-21 20:02:55  --------  d-----w  C:\DOCUME~1\Lato\DANEAP~1\Skype
2007-05-06 12:56:45  --------  d-----w  C:\Program Files\Gadu-Gadu
2007-05-02 08:25:15  --------  d-----w  C:\Program Files\BearShare
2007-05-01 15:01:58  --------  d--h--w  C:\Program Files\InstallShield Installation Information
2007-05-01 09:27:50  --------  d-----w  C:\DOCUME~1\Lato\DANEAP~1\Image Zone Express
2007-05-01 08:20:01  --------  d-----w  C:\Program Files\HP
2007-05-01 08:11:09  139,264  ----a-w  C:\WINDOWS\system32\hpzjrd01.dll
2007-04-22 14:37:02  --------  d-----w  C:\DOCUME~1\Lato\DANEAP~1\Gadu-Gadu
2007-04-19 11:49:49  --------  d-----w  C:\Program Files\Winamp
2007-04-18 16:14:32  2,854,400  ----a-w  C:\WINDOWS\system32\msi.dll
2007-04-14 17:39:27  --------  d-----w  C:\Program Files\PC Camer@
2007-04-14 17:39:27  --------  d-----w  C:\Program Files\Common Files\PCCamera
2007-04-14 17:34:36  --------  d-----w  C:\DOCUME~1\Lato\DANEAP~1\ArcSoft
2007-04-14 17:32:02  --------  d-----w  C:\Program Files\Common Files\ArcSoft
2007-04-14 17:31:40  --------  d-----w  C:\Program Files\ArcSoft
2007-04-14 12:38:01  --------  d-----w  C:\Program Files\WinAVIVideoConverter
2007-04-11 07:33:09  --------  d-----w  C:\DOCUME~1\Lato\DANEAP~1\BearShare
2007-04-09 18:59:11  --------  d-----w  C:\Program Files\Deluxe Ski Jump 3
2007-04-09 17:07:51  --------  d-----w  C:\Program Files\ivo
2007-04-06 11:00:00  --------  d-----w  C:\Program Files\Elaborate Bytes
2007-04-05 05:44:46  --------  d-----w  C:\DOCUME~1\Lato\DANEAP~1\Azureus
2007-04-01 08:23:15  552  ----a-w  C:\WINDOWS\system32\d3d8caps.dat
2007-03-25 04:53:57  64,754  ----a-w  C:\WINDOWS\system32\perfc015.dat
2007-03-25 04:53:57  383,228  ----a-w  C:\WINDOWS\system32\perfh015.dat
2007-03-21 20:14:43  --------  d-----w  C:\Program Files\Windows Media Connect 2
2007-03-17 13:45:36  293,376  ----a-w  C:\WINDOWS\system32\winsrv.dll
2007-03-15 14:40:13  37,375  ----a-w  C:\WINDOWS\system32\uninstall.exe
2007-03-15 14:40:01  --------  d-----w  C:\Program Files\DirectShow Pack
2007-03-14 08:43:48  --------  d-----w  C:\Program Files\DVD X Studios
2007-03-14 08:42:47  --------  d-----w  C:\Program Files\Project64 1.6
2007-03-11 07:41:42  535,040  ----a-w  C:\WINDOWS\flashax.exe
2007-03-11 07:41:42  12,288  ----a-w  C:\WINDOWS\impborl.dll
2007-03-08 15:38:47  579,072  ----a-w  C:\WINDOWS\system32\user32.dll
2007-03-08 15:38:47  40,960  ----a-w  C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:38:47  281,600  ----a-w  C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:37:33  1,843,840  ----a-w  C:\WINDOWS\system32\win32k.sys
2007-02-10 16:23:41  2,181,632  ----a-w  C:\WINDOWS\system32\kernel1.exe
2007-02-05 20:19:48  185,856  ----a-w  C:\WINDOWS\system32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{85F685C3-20D9-4943-95E4-EB4224056C3F}=C:\Program Files\ivo\Expressivo\IH_iexplore.dll [2006-12-04 22:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2004-07-12 10:50]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2004-07-12 10:50]
"NVRTCLK"="C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe" [2003-12-30 11:44]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2004-06-11 05:15]
"odk_mon"="C:\Program Files\Odkurzacz 9.3 Pro\odk_mon.exe" [2005-06-30 19:43]
"HP Software Update"="E:\Drukarka HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"SoundMan"="SOUNDMAN.EXE" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-01-15 11:40]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-02 21:26]
"nwiz"="nwiz.exe" [2004-07-12 10:50 C:\WINDOWS\system32\nwiz.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-09-07 15:25]
"TrustInstaller"="D:\Setup.EXE" []
"Binamokrdrwipe"="C:\Documents and Settings\All Users\Dane aplikacji\Free Four Bin Amok\New Active.exe" [2007-05-24 15:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internet Download Accelerator"="C:\Program Files\IDA\ida.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 16:10]
"LiteIdol"="C:\DOCUME~1\Lato\DANEAP~1\FIVEUP~1\SoftwareMail.exe" [2007-05-24 15:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0dd71a4b-d303-11db-86fb-000fead5351d}]
AutoRun\command- G:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{194b8ad6-4fa0-11da-9969-000fead5351d}]
AutoRun\command- F:\Autorun.exe

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-24 17:59:13
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

********************************************************************

Completion time: 2007-05-24 17:59:42
--- E O F ---

I think that's what you meant with the ComboFix log (it didn't leave me anything else)
Gutek
(Gutek)
24 May 2007 16:37
#19
Download The Avenger. Unpack => run => check the option Input script manually => click the magnifying glass => in the window that opens, paste:
click the Done button => now click the green light => a message should appear; click OK (restart now).
Kleko15
(Kleko15)
24 May 2007 20:27
#20
When I used the program you told me to and did everything as you said, I got the error "Syntax error in line — does not appear to be a valid registry path. Line will be ignored." Then the next message "Press OK to log error and continue or Cancel to abort"; I clicked OK, and then the next error "Error code: 1813 Line:", and then the next error
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0dd71a4b-d303-11db-86fb-000fead5351d}\AutoRun\command" and again "Syntax error in line — does not appear to be a valid registry path. Line will be ignored." and again "Press OK to log error and continue or Cancel to abort"; this time I clicked Cancel and a message still appeared, "Error code: 1813 Line:", and again "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{0dd71a4b-d303-11db-86fb-000fead5351d}\AutoRun\command", and that's where it ended ;/