"your computer is infected" + mój log

Dla specjalistów Bezpieczeństwo
#1

mam problem z czerwona, migajaca ikonka, ktora pojawia sie przy zegarze i co jakis czas informuje, ze moj komputer jest zainfekowany. nie pomogl tego usunac advare, spybot i inne tego typu programy.

jesli ktos wie, jak sie tego pozbyc, prosze o pomoc.

ponizej moj log, nie wiem, co z tym zrobic, nie znam sie na kompach:

“Silent Runners.vbs”, revision 44, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

“wininet.dll” = (empty string)

“kernel32.dll” = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“SynTPLpr” = ““C:\Program Files\Synaptics\SynTP\SynTPLpr.exe”” [“Synaptics, Inc.”]

“SynTPEnh” = ““C:\Program Files\Synaptics\SynTP\SynTPEnh.exe”” [“Synaptics, Inc.”]

“IgfxTray” = ““C:\WINDOWS\system32\igfxtray.exe”” [“Intel Corporation”]

“HotKeysCmds” = ““C:\WINDOWS\system32\hkcmd.exe”” [“Intel Corporation”]

“TPKMAPHELPER” = "“C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe " -helper” [“IBM Corp.”]

“TPHOTKEY” = ““C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe”” [null data]

“EZEJMNAP” = ““C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe”” [“IBM Corp.”]

“UC_Start” = ““C:\Program Files\IBM\Updater\ucstartup.exe”” [null data]

“BMMLREF” = ““C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE”” [null data]

“BMMMONWND” = "“rundll32.exe " C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor” [MS]

“AVGCtrl” = ““C:\Program Files\AVPersonal\AVGNT.EXE” /min” [“H+BEDV Datentechnik GmbH”]

“QCTRAY” = “C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE” [“IBM Corp.”]

“QCWLICON” = “C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE” [“IBM Corp.”]

“PRONoMgrWired” = ““C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe”” [“Intel® Corporation”]

“IBMPRC” = “C:\IBMTOOLS\UTILS\ibmprc.exe” [“IBM Corp.”]

“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]

“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]

“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]

“HP Component Manager” = ““C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]

“HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe” [“HP”]

“HP Software Update” = ““C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe”” [“Hewlett-Packard Company”]

“Windows Defender” = ““C:\Program Files\Windows Defender\MSASCui.exe” -hide” [MS]

“TpShocks” = ““TpShocks.exe”” [“IBM Corp.”]

“TP4EX” = ““tp4ex.exe”” [“IBM Corporation”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{8d83b16e-0de1-452b-ac52-96ec0b34aa4b}(Default) = (no title provided)

-> {HKLM…CLSID} = “Nothing”

\InProcServer32(Default) = “C:\WINDOWS\system32\hpF1DC.tmp” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices”

-> {HKLM…CLSID} = “Portable Media Devices”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band”

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”

-> {HKLM…CLSID} = “RealOne Player Context Menu Class”

\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! “{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}” = “USB Mouse Driver”

-> {HKCU…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\suprox.dll” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! “{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}” = “Microsoft AntiMalware ShellExecuteHook”

-> {HKLM…CLSID} = “Microsoft AntiMalware ShellExecuteHook”

\InProcServer32(Default) = “C:\PROGRA~1\WIFD1F~1\MpShHook.dll” [MS]

INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard”

-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\shellhook.dll” ["TODO: "]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”]

INFECTION WARNING! QConGina\DLLName = “QConGina.dll” [“IBM Corp.”]

INFECTION WARNING! tphotkey\DLLName = “tphklock.dll” [null data]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

AntiVir/Win(Default) = “{a7cda720-84ee-11d0-b5c0-00001b3ca278}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\AVPersonal\AVShlExt.DLL” [“H+BEDV Datentechnik GmbH”]

ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}”

-> {HKLM…CLSID} = “Ctest Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}”

-> {HKLM…CLSID} = “Ctest Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AntiVir/Win(Default) = “{a7cda720-84ee-11d0-b5c0-00001b3ca278}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\AVPersonal\AVShlExt.DLL” [“H+BEDV Datentechnik GmbH”]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\1400 x 1050 IBM EMEA Map.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\D&GSCR~1.SCR” [file not found]

Startup items in “P_DGHMP” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS]

Enabled Scheduled Tasks:

“MP Scheduled Scan” -> launches: “C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS]

“Przypomnienie o rejestracji 1” -> launches: “C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1” [MS]

“Przypomnienie o rejestracji 2” -> launches: “C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:2” [MS]

“Przypomnienie o rejestracji 3” -> launches: “C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:3” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Explorer Bars

Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}\

“ButtonText” = “Software Installer”

“Exec” = “C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe” [“Lenovo Group Limited”]

Miscellaneous IE Hijack Points

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):

“{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)

-> {HKLM…CLSID} = “Search Class”

\InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):

AntiVir Service, AntiVirService, ““C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE”” [“H+BEDV Datentechnik GmbH”]

AntiVir Update, AVWUpSrv, ““C:\Program Files\AVPersonal\AVWUPSRV.EXE”” [“H+BEDV Datentechnik GmbH, Germany”]

ewido security suite control, ewido security suite control, “C:\Program Files\ewido anti-malware\ewidoctrl.exe” [“ewido networks”]

ewido security suite guard, ewido security suite guard, “C:\Program Files\ewido anti-malware\ewidoguard.exe” [“ewido networks”]

IBM HDD APS Logging Service, TPHDEXLGSVC, “System32\TPHDEXLG.EXE” [“IBM Corporation”]

IBM KCU Service, TpKmpSVC, “C:\WINDOWS\system32\TpKmpSVC.exe” [null data]

IBM Rapid Restore Ultra Service, IBM Rapid Restore Ultra Service, ““C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe”” [empty string]

QCONSVC, QCONSVC, “System32\QCONSVC.EXE” [“IBM Corp.”]

SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”]

ThinkPad PM Service, IBMPMSVC, “C:\WINDOWS\system32\ibmpmsvc.exe” [“Lenovo.”]

Windows Defender Service, WinDefend, ““C:\Program Files\Windows Defender\MsMpEng.exe”” [MS]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt10\Driver = “hpzlnt10.dll” [“HP”]

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 309 seconds.

  • The search for all Registry CLSIDs containing dormant Explorer Bars

took 31 seconds.

---------- (total run time: 403 seconds)

#2

Wklej jeszcze log z HijackThisa :slight_smile:

#3

Logfile of HijackThis v1.99.1

Scan saved at 18:38:18, on 2006-04-18

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE

C:\Program Files\AVPersonal\AVWUPSRV.EXE

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

C:\WINDOWS\System32\QCONSVC.EXE

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\TPHDEXLG.EXE

C:\WINDOWS\system32\TpKmpSVC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\WINDOWS\system32\hkcmd.exe

C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AVPersonal\AVGNT.EXE

C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

C:\IBMTOOLS\UTILS\ibmprc.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\DOCUME~1\P_DGHMP\USTAWI~1\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: Nothing - {8d83b16e-0de1-452b-ac52-96ec0b34aa4b} - C:\WINDOWS\system32\hpF1DC.tmp

O4 - HKLM…\Run: [synTPLpr] “C:\Program Files\Synaptics\SynTP\SynTPLpr.exe”

O4 - HKLM…\Run: [synTPEnh] “C:\Program Files\Synaptics\SynTP\SynTPEnh.exe”

O4 - HKLM…\Run: [igfxTray] “C:\WINDOWS\system32\igfxtray.exe”

O4 - HKLM…\Run: [HotKeysCmds] “C:\WINDOWS\system32\hkcmd.exe”

O4 - HKLM…\Run: [TPKMAPHELPER] "C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe " -helper

O4 - HKLM…\Run: [TPHOTKEY] “C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe”

O4 - HKLM…\Run: [EZEJMNAP] “C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe”

O4 - HKLM…\Run: [uC_Start] “C:\Program Files\IBM\Updater\ucstartup.exe”

O4 - HKLM…\Run: [bMMLREF] “C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE”

O4 - HKLM…\Run: [bMMMONWND] "rundll32.exe " C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

O4 - HKLM…\Run: [AVGCtrl] “C:\Program Files\AVPersonal\AVGNT.EXE” /min

O4 - HKLM…\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

O4 - HKLM…\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

O4 - HKLM…\Run: [PRONoMgrWired] “C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe”

O4 - HKLM…\Run: [iBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe

O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon

O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot

O4 - HKLM…\Run: [HP Component Manager] “C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”

O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe

O4 - HKLM…\Run: [HP Software Update] “C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe”

O4 - HKLM…\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide

O4 - HKLM…\Run: [TpShocks] “TpShocks.exe”

O4 - HKLM…\Run: [TP4EX] “tp4ex.exe”

O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra ‘Tools’ menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe

O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebcam/e … nProj1.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O17 - HKLM\System\CCS\Services\Tcpip…{AFA37862-4B84-49EF-9F61-6888FB7AF869}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll

O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll

O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE

O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe

O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)

O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE

O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

#4

Otwórz notatnik i wklej w nim to:

Plik>>>zapisz jako>>zmień rozszerzenie z .txt na wszystkie pliki>>>zapisz pod nazwą FIX.REG

Ściągnij Pocket Killbox>>>uruchom>>>zaznacz opcje “Delete on Reboot”>>>w polu “Full path of file” wklej:

C:\WINDOWS\system32\hpF1DC.tmp

Klikasz X i reset kompa.

Przeczytaj Usuwanie Fałszywej Tapety SpyFalcon i użyj narzędzia Smitrem

Przeskanuj http://www.ewido.net

Daj nowego loga z silent runners

Hmm nie wiem co to jest, to może być ster od myszki, albo jakiś syf może się pod to podszywac. PPM> właściwości> sprawdź producenta, date powstania itp.

#5

czy to wszystko mam zrobic w trybie awaryjnym czy normalnie?

#6

tak, fixa odpalić w trybie awaryjnym

#7

i gdzie mam wkleic ten tekst? do ktorego notatnika? prosze o pomoc, bo nie znam sie na tym.

#8

do zwykłego ehh( start>>>uruchom>>>notepad )

#9

zrobilem wszystko, co napisales. dziekuje bardzo za pomoc. juz nie pojawia sie ten komunikat. wszytko ok, tylko komp dziala wolniej niz kiedys.

“Silent Runners.vbs”, revision 44, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}

“wininet.dll” = (empty string)

“kernel32.dll” = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“SynTPLpr” = ““C:\Program Files\Synaptics\SynTP\SynTPLpr.exe”” [“Synaptics, Inc.”]

“SynTPEnh” = ““C:\Program Files\Synaptics\SynTP\SynTPEnh.exe”” [“Synaptics, Inc.”]

“IgfxTray” = ““C:\WINDOWS\system32\igfxtray.exe”” [“Intel Corporation”]

“HotKeysCmds” = ““C:\WINDOWS\system32\hkcmd.exe”” [“Intel Corporation”]

“TPKMAPHELPER” = "“C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe " -helper” [“IBM Corp.”]

“TPHOTKEY” = ““C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe”” [null data]

“EZEJMNAP” = ““C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe”” [“IBM Corp.”]

“UC_Start” = ““C:\Program Files\IBM\Updater\ucstartup.exe”” [null data]

“BMMLREF” = ““C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE”” [null data]

“BMMMONWND” = "“rundll32.exe " C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor” [MS]

“AVGCtrl” = ““C:\Program Files\AVPersonal\AVGNT.EXE” /min” [“H+BEDV Datentechnik GmbH”]

“QCTRAY” = “C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE” [“IBM Corp.”]

“QCWLICON” = “C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE” [“IBM Corp.”]

“PRONoMgrWired” = ““C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe”” [“Intel® Corporation”]

“IBMPRC” = “C:\IBMTOOLS\UTILS\ibmprc.exe” [“IBM Corp.”]

“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]

“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]

“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]

“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]

“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]

“HP Component Manager” = ““C:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]

“HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe” [“HP”]

“HP Software Update” = ““C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe”” [“Hewlett-Packard Company”]

“Windows Defender” = ““C:\Program Files\Windows Defender\MSASCui.exe” -hide” [MS]

“TpShocks” = ““TpShocks.exe”” [“IBM Corp.”]

“TP4EX” = ““tp4ex.exe”” [“IBM Corporation”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{8d83b16e-0de1-452b-ac52-96ec0b34aa4b}(Default) = (no title provided)

-> {HKLM…CLSID} = “Nothing”

\InProcServer32(Default) = “C:\WINDOWS\system32\hpF1DC.tmp” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices”

-> {HKLM…CLSID} = “Portable Media Devices”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band”

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”

-> {HKLM…CLSID} = “RealOne Player Context Menu Class”

\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! “{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}” = “USB Mouse Driver”

-> {HKCU…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\suprox.dll” [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! “{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}” = “Microsoft AntiMalware ShellExecuteHook”

-> {HKLM…CLSID} = “Microsoft AntiMalware ShellExecuteHook”

\InProcServer32(Default) = “C:\PROGRA~1\WIFD1F~1\MpShHook.dll” [MS]

INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard”

-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\shellhook.dll” ["TODO: "]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = “igfxsrvc.dll” [“Intel Corporation”]

INFECTION WARNING! QConGina\DLLName = “QConGina.dll” [“IBM Corp.”]

INFECTION WARNING! tphotkey\DLLName = “tphklock.dll” [null data]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

AntiVir/Win(Default) = “{a7cda720-84ee-11d0-b5c0-00001b3ca278}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\AVPersonal\AVShlExt.DLL” [“H+BEDV Datentechnik GmbH”]

ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}”

-> {HKLM…CLSID} = “Ctest Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}”

-> {HKLM…CLSID} = “Ctest Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AntiVir/Win(Default) = “{a7cda720-84ee-11d0-b5c0-00001b3ca278}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\AVPersonal\AVShlExt.DLL” [“H+BEDV Datentechnik GmbH”]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\WINDOWS\1400 x 1050 IBM EMEA Map.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\D&GSCR~1.SCR” [file not found]

Startup items in “P_DGHMP” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS]

Enabled Scheduled Tasks:

“MP Scheduled Scan” -> launches: “C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS]

“Przypomnienie o rejestracji 1” -> launches: “C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1” [MS]

“Przypomnienie o rejestracji 2” -> launches: “C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:2” [MS]

“Przypomnienie o rejestracji 3” -> launches: “C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:3” [MS]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Explorer Bars

Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}\

“ButtonText” = “Software Installer”

“Exec” = “C:\Program Files\ThinkPad\PkgMgr\PkgMgr.exe” [“Lenovo Group Limited”]

Miscellaneous IE Hijack Points

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

Missing lines (compared with English-language version):

“{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)

-> {HKLM…CLSID} = “Search Class”

\InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):

AntiVir Service, AntiVirService, ““C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE”” [“H+BEDV Datentechnik GmbH”]

AntiVir Update, AVWUpSrv, ““C:\Program Files\AVPersonal\AVWUPSRV.EXE”” [“H+BEDV Datentechnik GmbH, Germany”]

ewido security suite control, ewido security suite control, “C:\Program Files\ewido anti-malware\ewidoctrl.exe” [“ewido networks”]

ewido security suite guard, ewido security suite guard, “C:\Program Files\ewido anti-malware\ewidoguard.exe” [“ewido networks”]

IBM HDD APS Logging Service, TPHDEXLGSVC, “System32\TPHDEXLG.EXE” [“IBM Corporation”]

IBM KCU Service, TpKmpSVC, “C:\WINDOWS\system32\TpKmpSVC.exe” [null data]

IBM Rapid Restore Ultra Service, IBM Rapid Restore Ultra Service, ““C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe”” [empty string]

QCONSVC, QCONSVC, “System32\QCONSVC.EXE” [“IBM Corp.”]

SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”]

ThinkPad PM Service, IBMPMSVC, “C:\WINDOWS\system32\ibmpmsvc.exe” [“Lenovo.”]

Windows Defender Service, WinDefend, ““C:\Program Files\Windows Defender\MsMpEng.exe”” [MS]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt10\Driver = “hpzlnt10.dll” [“HP”]

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 301 seconds.

  • The search for all Registry CLSIDs containing dormant Explorer Bars

took 12 seconds.

---------- (total run time: 381 seconds)

#10

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG Przejście do trybu awaryjnego Windows i uruchomienie pliku FIX.REG.

Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE

#11

komp dziala juz sprawnie.

dziekuje za pomoc.

na wszelki wypadek podaje jeszcze loga.

"Silent Runners.vbs", revision 44, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"SynTPLpr" = ""C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"" ["Synaptics, Inc."]

"SynTPEnh" = ""C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"" ["Synaptics, Inc."]

"IgfxTray" = ""C:\WINDOWS\system32\igfxtray.exe"" ["Intel Corporation"]

"HotKeysCmds" = ""C:\WINDOWS\system32\hkcmd.exe"" ["Intel Corporation"]

"TPKMAPHELPER" = ""C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe " -helper" ["IBM Corp."]

"TPHOTKEY" = ""C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe"" [null data]

"EZEJMNAP" = ""C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe"" ["IBM Corp."]

"UC_Start" = ""C:\Program Files\IBM\Updater\\ucstartup.exe"" [null data]

"BMMLREF" = ""C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE"" [null data]

"BMMMONWND" = ""rundll32.exe " C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor" [MS]

"AVGCtrl" = ""C:\Program Files\AVPersonal\AVGNT.EXE" /min" ["H+BEDV Datentechnik GmbH"]

"QCTRAY" = "C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE" ["IBM Corp."]

"QCWLICON" = "C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" ["IBM Corp."]

"PRONoMgrWired" = ""C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe"" ["Intel(R) Corporation"]

"IBMPRC" = "C:\IBMTOOLS\UTILS\ibmprc.exe" ["IBM Corp."]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]

"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"HP Component Manager" = ""C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]

"HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]

"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]

"TpShocks" = ""TpShocks.exe"" ["IBM Corp."]

"TP4EX" = ""tp4ex.exe"" ["IBM Corporation"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\

INFECTION WARNING! "{AC1B4DA2-12FA-31F2-1A7D-CD2B14E6AD4E}" = "USB Mouse Driver"

  -> {HKCU...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\suprox.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

INFECTION WARNING! QConGina\DLLName = "QConGina.dll" ["IBM Corp."]

INFECTION WARNING! tphotkey\DLLName = "tphklock.dll" [null data]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

AntiVir/Win\(Default) = "{a7cda720-84ee-11d0-b5c0-00001b3ca278}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\AVPersonal\AVShlExt.DLL" ["H+BEDV Datentechnik GmbH"]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\1400 x 1050 IBM EMEA Map.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\D&GSCR~1.SCR" [file not found]



Startup items in "P_DGHMP" & "All Users" startup folders:

---------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]



Enabled Scheduled Tasks:

------------------------


"Przypomnienie o rejestracji 1" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:1" [MS]

"Przypomnienie o rejestracji 2" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:2" [MS]

"Przypomnienie o rejestracji 3" -> launches: "C:\WINDOWS\system32\OOBE\oobebaln.exe /sys /r /n:3" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


Dormant Explorer Bars in "View, Explorer Bar" menu


HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"

Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{D1A4DEBD-C2EE-449F-B9FB-E8409F9A0BC5}\

"ButtonText" = "Software Installer"

"Exec" = "C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe" ["Lenovo Group Limited"]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\


Missing lines (compared with English-language version):

"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AntiVir Service, AntiVirService, ""C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE"" ["H+BEDV Datentechnik GmbH"]

AntiVir Update, AVWUpSrv, ""C:\Program Files\AVPersonal\AVWUPSRV.EXE"" ["H+BEDV Datentechnik GmbH, Germany"]

IBM HDD APS Logging Service, TPHDEXLGSVC, "System32\TPHDEXLG.EXE" ["IBM Corporation"]

IBM KCU Service, TpKmpSVC, "C:\WINDOWS\system32\TpKmpSVC.exe" [null data]

IBM Rapid Restore Ultra Service, IBM Rapid Restore Ultra Service, ""C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe"" [empty string]

QCONSVC, QCONSVC, "System32\QCONSVC.EXE" ["IBM Corp."]

SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]

ThinkPad PM Service, IBMPMSVC, "C:\WINDOWS\system32\ibmpmsvc.exe" ["Lenovo."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzlnt10\Driver = "hpzlnt10.dll" ["HP"]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 37 seconds.

+ The search for all Registry CLSIDs containing dormant Explorer Bars

  took 8 seconds.

---------- (total run time: 65 seconds)
#12

no jest Ok ale zapuśc jeszcze - http://www.f-secure.com/tools/f-spyaxe.zip i git

#13

wszystko dziala ok. dziekuje za pomoc, sam bym sobie nie poradzil z tym. chyba musze zmienic przegladarke z ie na opere. pozdrawiam.