Logfile of HijackThis v1.99.1
Scan saved at 12:44:14, on 2007-02-18
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\System32\FTRTSVC.exe
F:\WINDOWS\System32\oodag.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\System32\mysvcc.exe
F:\WINDOWS\system32\mfee.exe
F:\WINDOWS\system32\mdmd.exe
F:\WINDOWS\system32\mfcee.exe
F:\WINDOWS\system32\srvc.exe
F:\WINDOWS\System32\kernels88.exe
F:\WINDOWS\System32\ctfmon.exe
F:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
G:\Program Files\Tlen.pl\tlen.exe
F:\WINDOWS\System32\dlh9jkd1q2.exe
C:\Program Files\Rainlendar\Rainlendar.exe
F:\PROGRA~1\NEOSTR~1\neostradatp.exe
F:\PROGRA~1\NEOSTR~1\ComComp.exe
F:\PROGRA~1\NEOSTR~1\Toaster.exe
F:\PROGRA~1\NEOSTR~1\Inactivity.exe
F:\PROGRA~1\NEOSTR~1\PollingModule.exe
F:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
F:\PROGRA~1\NEOSTR~1\Watch.exe
F:\Program Files\Internet Explorer\iexplore.exe
G:\Program Files\Winamp\winamp.exe
E:\pob\instalki\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - g:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe
O4 - HKLM\..\Run: [stack12] F:\WINDOWS\system32\mfee.exe
O4 - HKLM\..\Run: [mel34] F:\WINDOWS\system32\mdm4.exe
O4 - HKLM\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKLM\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\Run: [System] F:\WINDOWS\System32\kernels88.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKLM\..\RunServices: [SystemTools] F:\WINDOWS\System32\kernels88.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] G:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [stack12] F:\WINDOWS\system32\mfee.exe
O4 - HKCU\..\Run: [mel34] F:\WINDOWS\system32\mdm4.exe
O4 - HKCU\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKCU\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKCU\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_14.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF4310C-2F90-434C-9891-F05000148AFA}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - F:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - F:\WINDOWS\System32\lxbucoms.exe
O23 - Service: O&O Defrag - O&O Software GmbH - F:\WINDOWS\System32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.
Użyj narzędzia SmitFraudFix (wybierz opcję 2). Potem sprawdź co będzie z tego co wskazałem poniżej i usuń: (wszystko oczywiście robisz w trybie awaryjnym z wyłączonym przywracaniem systemu)
Pliki zaznaczone kasujesz ręcznie z dysku natomiast wpisy w HijackThis.
Po wykonaniu pokaż nowy log z HijackThis, SilentRunners oraz zawartość pliku c:\rapport.txt
Logfile of HijackThis v1.99.1
Scan saved at 13:24:33, on 2007-02-18
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\System32\FTRTSVC.exe
F:\WINDOWS\System32\oodag.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\system32\mfcee.exe
F:\WINDOWS\System32\ctfmon.exe
G:\Program Files\Tlen.pl\tlen.exe
F:\WINDOWS\system32\mdmd.exe
F:\WINDOWS\system32\srvc.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Rainlendar\Rainlendar.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\PROGRA~1\NEOSTR~1\neostradatp.exe
F:\PROGRA~1\NEOSTR~1\ComComp.exe
F:\PROGRA~1\NEOSTR~1\Toaster.exe
F:\PROGRA~1\NEOSTR~1\Inactivity.exe
F:\PROGRA~1\NEOSTR~1\PollingModule.exe
F:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
F:\PROGRA~1\NEOSTR~1\Watch.exe
F:\Program Files\Opera\Opera.exe
F:\WINDOWS\System32\WScript.exe
E:\pob\instalki\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - g:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe
O4 - HKLM\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] G:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [mel34] F:\WINDOWS\system32\mdm4.exe
O4 - HKCU\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe
O4 - HKCU\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe
O4 - HKCU\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_14.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF4310C-2F90-434C-9891-F05000148AFA}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - F:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - F:\WINDOWS\System32\lxbucoms.exe
O23 - Service: O&O Defrag - O&O Software GmbH - F:\WINDOWS\System32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
silent
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "F:\WINDOWS\System32\ctfmon.exe" [MS]
"Komunikator" = "G:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]
"mel34" = "F:\WINDOWS\system32\mdm4.exe" [file not found]
"melg34" = "F:\WINDOWS\system32\mdmd.exe" [null data]
"staeck12" = "F:\WINDOWS\system32\mfcee.exe" [null data]
"johnj315" = "F:\WINDOWS\system32\srvc.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [file not found]
"SpeedTouch USB Diagnostics" = ""F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"WOOWATCH" = "F:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe" ["France Télécom R&D"]
"avast!" = "G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"staeck12" = "F:\WINDOWS\system32\mfcee.exe" [null data]
"QuickTime Task" = ""F:\WINDOWS\system32\qttask.exe" -atboottime" [file not found]
"johnj315" = "F:\WINDOWS\system32\srvc.exe" [null data]
"melg34" = "F:\WINDOWS\system32\mdmd.exe" [null data]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""F:\WINDOWS\System32\rundll32.exe" "F:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"
\InProcServer32\(Default) = "g:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "F:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "G:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"
-> {HKLM...CLSID} = "Siemens Device"
\InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"
-> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"
\InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"
-> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"
\InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{280CFDE1-1354-4431-92F3-03073BA593FB}" = "TotalConverter Context Menu Shell Extension"
-> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
\InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "G:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "G:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
HKLM\System\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
-> {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
-> {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
TotalConverter\(Default) = "{280CFDE1-1354-4431-92F3-03073BA593FB}"
-> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
\InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
-> {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"
-> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"
\InProcServer32\(Default) = "G:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "F:\Documents and Settings\Tom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Startup items in "Tom" & "All Users" startup folders:
-----------------------------------------------------
F:\Documents and Settings\Tom\Menu Start\Programy\Autostart
"Rainlendar" -> shortcut to: "C:\Program Files\Rainlendar\Rainlendar.exe" ["Rainy"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"
-> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
-> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
-> {HKLM...CLSID} = "Search Class"
\InProcServer32\(Default) = "F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""G:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
France Telecom Routing Table Service, FTRTSVC, "F:\WINDOWS\System32\FTRTSVC.exe" ["France Telecom"]
O&O Defrag, O&O Defrag, "F:\WINDOWS\System32\oodag.exe" ["O&O Software GmbH"]
StarWind iSCSI Service, StarWindService, "G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]
----------
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 247 seconds, including 13 seconds for message boxes)
Złączono Posta _: 18.02.2007 (Nie) 13:25_raport:
SmitFraudFix v2.142
Scan done at 13:06:17,95, 2007-02-18
Run from E:\pob\instalki\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
F:\WINDOWS\desktop.html Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
[/code]
Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
F:\WINDOWS\system32\mdmd.exe
F:\WINDOWS\system32\mfcee.exe
F:\WINDOWS\system32\srvc.exe
po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.
Otwórz Notatnik i wklej w nim to:
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Usuń wpisy HJT.
Po wykonaniu wklej nowe logi.
zrobilem wszystko ( W HJT jedynym wpisem z wymienionych byl “O4 - HKLM…\RunServices: [mysvcig38] mysvcc.exe”)
i na poczatku skanu pojawia sie:
Złączono Posta : 18.02.2007 (Nie) 13:46
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 13:51:40, on 2007-02-18
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
G:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\System32\FTRTSVC.exe
F:\WINDOWS\System32\oodag.exe
G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
F:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe
G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\WINDOWS\System32\ctfmon.exe
G:\Program Files\Tlen.pl\tlen.exe
C:\Program Files\Rainlendar\Rainlendar.exe
G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
G:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\PROGRA~1\NEOSTR~1\neostradatp.exe
F:\PROGRA~1\NEOSTR~1\ComComp.exe
F:\PROGRA~1\NEOSTR~1\Toaster.exe
F:\PROGRA~1\NEOSTR~1\Inactivity.exe
F:\PROGRA~1\NEOSTR~1\PollingModule.exe
F:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE
F:\PROGRA~1\NEOSTR~1\Watch.exe
F:\Program Files\Opera\Opera.exe
F:\WINDOWS\System32\WScript.exe
E:\pob\instalki\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - g:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Komunikator] G:\Program Files\Tlen.pl\tlen.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O8 - Extra context menu item: Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: Download with DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download all with DAP - F:\Program Files\DAP\dapextie2.htm
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_14.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF4310C-2F90-434C-9891-F05000148AFA}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - F:\WINDOWS\System32\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxbu_device - Lexmark International, Inc. - F:\WINDOWS\System32\lxbucoms.exe
O23 - Service: OO Defrag - OO Software GmbH - F:\WINDOWS\System32\oodag.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Złączono Posta _: 18.02.2007 (Nie) 13:49_Sillent:
"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "F:\WINDOWS\System32\ctfmon.exe" [MS]
"Komunikator" = "G:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"(Default)" = "(empty string)" [file not found]
"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [file not found]
"SpeedTouch USB Diagnostics" = ""F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"WOOWATCH" = "F:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom RD"]
"WOOTASKBARICON" = "F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe" ["France Télécom RD"]
"avast!" = "G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]
"QuickTime Task" = ""F:\WINDOWS\system32\qttask.exe" -atboottime" [file not found]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""F:\WINDOWS\System32\rundll32.exe" "F:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
- {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
- {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)
- {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"
\InProcServer32\(Default) = "g:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
- {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
- {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
- {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
- {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "F:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
- {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "G:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"
- {HKLM...CLSID} = "Siemens Device"
\InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"
- {HKLM...CLSID} = "Siemens Device ContextMenuHandler"
\InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"
- {HKLM...CLSID} = "Siemens Device PropertySheetHandler"
\InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]
"{280CFDE1-1354-4431-92F3-03073BA593FB}" = "TotalConverter Context Menu Shell Extension"
- {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
\InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
- {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "G:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
- {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "G:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
- {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
HKLM\System\CurrentControlSet\Control\Session Manager\
"BootExecute" = "autocheck autochk *"|"OODBS" ["OO Software GmbH"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
- {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
- {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
- {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
TotalConverter\(Default) = "{280CFDE1-1354-4431-92F3-03073BA593FB}"
- {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
\InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
- {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
- {HKLM...CLSID} = "DAPMenuShellExt Class"
\InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
- {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
- {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"
- {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"
\InProcServer32\(Default) = "G:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
- {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "F:\Documents and Settings\Tom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Startup items in "Tom" "All Users" startup folders:
-----------------------------------------------------
F:\Documents and Settings\Tom\Menu Start\Programy\Autostart
"Rainlendar" - shortcut to: "C:\Program Files\Rainlendar\Rainlendar.exe" ["Rainy"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"
- {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
- {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"
\InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
- {HKLM...CLSID} = "Search Class"
\InProcServer32\(Default) = "F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""G:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
France Telecom Routing Table Service, FTRTSVC, "F:\WINDOWS\System32\FTRTSVC.exe" ["France Telecom"]
OO Defrag, OO Defrag, "F:\WINDOWS\System32\oodag.exe" ["OO Software GmbH"]
StarWind iSCSI Service, StarWindService, "G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."]
Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]
----------
: Suspicious data at a malware launch point.
: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 201 seconds, including 4 seconds for message boxes)
Czysto
Proponuję zainstalować dodatek Service Pack 2. Poprawia on bezpieczeństwo w systemie etc. Możesz go pobrać stąd:
txh za pomoc