Infected computer

Logfile of HijackThis v1.99.1

Scan saved at 12:44:14, on 2007-02-18

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\System32\Ati2evxx.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

G:\Program Files\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\System32\FTRTSVC.exe

F:\WINDOWS\System32\oodag.exe

G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\Ati2evxx.exe

F:\WINDOWS\Explorer.EXE

G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

G:\Program Files\Alwil Software\Avast4\ashWebSv.exe

F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

F:\WINDOWS\System32\mysvcc.exe

F:\WINDOWS\system32\mfee.exe

F:\WINDOWS\system32\mdmd.exe

F:\WINDOWS\system32\mfcee.exe

F:\WINDOWS\system32\srvc.exe

F:\WINDOWS\System32\kernels88.exe

F:\WINDOWS\System32\ctfmon.exe

F:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe

G:\Program Files\Tlen.pl\tlen.exe

F:\WINDOWS\System32\dlh9jkd1q2.exe

C:\Program Files\Rainlendar\Rainlendar.exe

F:\PROGRA~1\NEOSTR~1\neostradatp.exe

F:\PROGRA~1\NEOSTR~1\ComComp.exe

F:\PROGRA~1\NEOSTR~1\Toaster.exe

F:\PROGRA~1\NEOSTR~1\Inactivity.exe

F:\PROGRA~1\NEOSTR~1\PollingModule.exe

F:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

F:\PROGRA~1\NEOSTR~1\Watch.exe

F:\Program Files\Internet Explorer\iexplore.exe

G:\Program Files\Winamp\winamp.exe

E:\pob\instalki\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - g:\PROGRA~1\FlashFXP\IEFlash.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe

O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [mysvcig38] mysvcc.exe

O4 - HKLM\..\Run: [stack12] F:\WINDOWS\system32\mfee.exe

O4 - HKLM\..\Run: [mel34] F:\WINDOWS\system32\mdm4.exe

O4 - HKLM\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe

O4 - HKLM\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe

O4 - HKLM\..\Run: [QuickTime Task] "F:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe

O4 - HKLM\..\Run: [System] F:\WINDOWS\System32\kernels88.exe

O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe

O4 - HKLM\..\RunServices: [SystemTools] F:\WINDOWS\System32\kernels88.exe

O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Komunikator] G:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [stack12] F:\WINDOWS\system32\mfee.exe

O4 - HKCU\..\Run: [mel34] F:\WINDOWS\system32\mdm4.exe

O4 - HKCU\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe

O4 - HKCU\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe

O4 - HKCU\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe

O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_14.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF4310C-2F90-434C-9891-F05000148AFA}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - F:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: lxbu_device - Lexmark International, Inc. - F:\WINDOWS\System32\lxbucoms.exe

O23 - Service: O&O Defrag - O&O Software GmbH - F:\WINDOWS\System32\oodag.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Use Windows Worms Doors Cleaner and change the markers from disable to enable (all markers should be green; if any of them is yellow, leave it). A restart is required after using the tool.

Use the SmitFraudFix tool (choose option 2). Then check what remains of the items I marked below and remove them (of course you do all of this in Safe Mode with System Restore turned off):

Delete the marked files manually from the disk, and the entries in HijackThis.

When done, post a new HijackThis log, a SilentRunners log and the contents of the file c:\rapport.txt.

Logfile of HijackThis v1.99.1

Scan saved at 13:24:33, on 2007-02-18

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\System32\Ati2evxx.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

G:\Program Files\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\System32\FTRTSVC.exe

F:\WINDOWS\System32\oodag.exe

G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\Ati2evxx.exe

F:\WINDOWS\Explorer.EXE

F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

F:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe

G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

F:\WINDOWS\system32\mfcee.exe

F:\WINDOWS\System32\ctfmon.exe

G:\Program Files\Tlen.pl\tlen.exe

F:\WINDOWS\system32\mdmd.exe

F:\WINDOWS\system32\srvc.exe

G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Rainlendar\Rainlendar.exe

G:\Program Files\Alwil Software\Avast4\ashWebSv.exe

F:\PROGRA~1\NEOSTR~1\neostradatp.exe

F:\PROGRA~1\NEOSTR~1\ComComp.exe

F:\PROGRA~1\NEOSTR~1\Toaster.exe

F:\PROGRA~1\NEOSTR~1\Inactivity.exe

F:\PROGRA~1\NEOSTR~1\PollingModule.exe

F:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

F:\PROGRA~1\NEOSTR~1\Watch.exe

F:\Program Files\Opera\Opera.exe

F:\WINDOWS\System32\WScript.exe

E:\pob\instalki\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - g:\PROGRA~1\FlashFXP\IEFlash.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe

O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe

O4 - HKLM\..\Run: [QuickTime Task] "F:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKLM\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe

O4 - HKLM\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe

O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe

O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Komunikator] G:\Program Files\Tlen.pl\tlen.exe

O4 - HKCU\..\Run: [mel34] F:\WINDOWS\system32\mdm4.exe

O4 - HKCU\..\Run: [melg34] F:\WINDOWS\system32\mdmd.exe

O4 - HKCU\..\Run: [staeck12] F:\WINDOWS\system32\mfcee.exe

O4 - HKCU\..\Run: [johnj315] F:\WINDOWS\system32\srvc.exe

O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe

O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_14.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF4310C-2F90-434C-9891-F05000148AFA}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - F:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: lxbu_device - Lexmark International, Inc. - F:\WINDOWS\System32\lxbucoms.exe

O23 - Service: O&O Defrag - O&O Software GmbH - F:\WINDOWS\System32\oodag.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Silent:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\System32\ctfmon.exe" [MS]

"Komunikator" = "G:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]

"mel34" = "F:\WINDOWS\system32\mdm4.exe" [file not found]

"melg34" = "F:\WINDOWS\system32\mdmd.exe" [null data]

"staeck12" = "F:\WINDOWS\system32\mfcee.exe" [null data]

"johnj315" = "F:\WINDOWS\system32\srvc.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"(Default)" = "(empty string)" [file not found]

"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [file not found]

"SpeedTouch USB Diagnostics" = ""F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "F:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe" ["France Télécom R&D"]

"avast!" = "G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"staeck12" = "F:\WINDOWS\system32\mfcee.exe" [null data]

"QuickTime Task" = ""F:\WINDOWS\system32\qttask.exe" -atboottime" [file not found]

"johnj315" = "F:\WINDOWS\system32\srvc.exe" [null data]

"melg34" = "F:\WINDOWS\system32\mdmd.exe" [null data]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""F:\WINDOWS\System32\rundll32.exe" "F:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"

                   \InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"

                   \InProcServer32\(Default) = "g:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "F:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "G:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]

"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"

  -> {HKLM...CLSID} = "Siemens Device"

                   \InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"

  -> {HKLM...CLSID} = "Siemens Device ContextMenuHandler"

                   \InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"

  -> {HKLM...CLSID} = "Siemens Device PropertySheetHandler"

                   \InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{280CFDE1-1354-4431-92F3-03073BA593FB}" = "TotalConverter Context Menu Shell Extension"

  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"

                   \InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "G:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "G:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"OODBS" ["O&O Software GmbH"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

  -> {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

  -> {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

TotalConverter\(Default) = "{280CFDE1-1354-4431-92F3-03073BA593FB}"

  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"

                   \InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

  -> {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "G:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\Documents and Settings\Tom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Tom" & "All Users" startup folders:

-----------------------------------------------------


F:\Documents and Settings\Tom\Menu Start\Programy\Autostart

"Rainlendar" -> shortcut to: "C:\Program Files\Rainlendar\Rainlendar.exe" ["Rainy"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

  -> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"

                   \InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)

  -> {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"

                   \InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""G:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

France Telecom Routing Table Service, FTRTSVC, "F:\WINDOWS\System32\FTRTSVC.exe" ["France Telecom"]

O&O Defrag, O&O Defrag, "F:\WINDOWS\System32\oodag.exe" ["O&O Software GmbH"]

StarWind iSCSI Service, StarWindService, "G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."]

Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 247 seconds, including 13 seconds for message boxes)

Post merged: 18.02.2007 (Sun) 13:25. Report:

SmitFraudFix v2.142


Scan done at 13:06:17,95, 2007-02-18

Run from E:\pob\instalki\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» hosts



127.0.0.1 localhost


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


F:\WINDOWS\desktop.html Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End




Download the KillBox program, tick Delete on reboot, and paste the following paths into the full path of file field:

F:\WINDOWS\system32\mdmd.exe

F:\WINDOWS\system32\mfcee.exe

F:\WINDOWS\system32\srvc.exe

After pasting each path separately, click the red X, but only agree to the restart after pasting the last one.

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

Remove the HJT entries.

When done, paste new logs.

I did everything (in HJT the only one of the listed entries present was "O4 - HKLM\..\RunServices: [mysvcig38] mysvcc.exe")

and at the start of the scan this appears:

[screenshot: hjss5.jpg]

Post merged: 18.02.2007 (Sun) 13:46

HJT:

Logfile of HijackThis v1.99.1

Scan saved at 13:51:40, on 2007-02-18

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

F:\WINDOWS\System32\smss.exe

F:\WINDOWS\system32\winlogon.exe

F:\WINDOWS\system32\services.exe

F:\WINDOWS\system32\lsass.exe

F:\WINDOWS\System32\Ati2evxx.exe

F:\WINDOWS\system32\svchost.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\spoolsv.exe

G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

G:\Program Files\Alwil Software\Avast4\ashServ.exe

F:\WINDOWS\System32\FTRTSVC.exe

F:\WINDOWS\System32\oodag.exe

G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

F:\WINDOWS\System32\svchost.exe

F:\WINDOWS\system32\Ati2evxx.exe

F:\WINDOWS\Explorer.EXE

F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

F:\PROGRA~1\NEOSTR~1\TaskBarIcon.exe

G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

F:\WINDOWS\System32\ctfmon.exe

G:\Program Files\Tlen.pl\tlen.exe

C:\Program Files\Rainlendar\Rainlendar.exe

G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

G:\Program Files\Alwil Software\Avast4\ashWebSv.exe

F:\PROGRA~1\NEOSTR~1\neostradatp.exe

F:\PROGRA~1\NEOSTR~1\ComComp.exe

F:\PROGRA~1\NEOSTR~1\Toaster.exe

F:\PROGRA~1\NEOSTR~1\Inactivity.exe

F:\PROGRA~1\NEOSTR~1\PollingModule.exe

F:\WINDOWS\System32\ALERTM~1\ALERTM~1.EXE

F:\PROGRA~1\NEOSTR~1\Watch.exe

F:\Program Files\Opera\Opera.exe

F:\WINDOWS\System32\WScript.exe

E:\pob\instalki\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = neostrada tp

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - g:\PROGRA~1\FlashFXP\IEFlash.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] F:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe

O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [QuickTime Task] "F:\WINDOWS\system32\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Komunikator] G:\Program Files\Tlen.pl\tlen.exe

O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe

O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm

O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_14.cab

O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_28.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF4310C-2F90-434C-9891-F05000148AFA}: NameServer = 194.204.152.34 217.98.63.164

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - F:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe

O23 - Service: avast! Antivirus - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom - F:\WINDOWS\System32\FTRTSVC.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: lxbu_device - Lexmark International, Inc. - F:\WINDOWS\System32\lxbucoms.exe

O23 - Service: OO Defrag - OO Software GmbH - F:\WINDOWS\System32\oodag.exe

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Merged post: 18.02.2007 (Sun) 13:49, Silent:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "F:\WINDOWS\System32\ctfmon.exe" [MS]

"Komunikator" = "G:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"(Default)" = "(empty string)" [file not found]

"TkBellExe" = ""F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" [file not found]

"SpeedTouch USB Diagnostics" = ""F:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WOOWATCH" = "F:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom RD"]

"WOOTASKBARICON" = "F:\PROGRA~1\NEOSTR~1\GestMaj.exe TaskBarIcon.exe" ["France Télécom RD"]

"avast!" = "G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"QuickTime Task" = ""F:\WINDOWS\system32\qttask.exe" -atboottime" [file not found]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""F:\WINDOWS\System32\rundll32.exe" "F:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  - {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "G:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)

  - {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"

                   \InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

{E5A1691B-D188-4419-AD02-90002030B8EE}\(Default) = (no title provided)

  - {HKLM...CLSID} = "FlashFXP Helper for Internet Explorer"

                   \InProcServer32\(Default) = "g:\PROGRA~1\FlashFXP\IEFlash.dll" ["IniCom Networks, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  - {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  - {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "F:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  - {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "F:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"

  - {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "G:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]

"{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device"

  - {HKLM...CLSID} = "Siemens Device"

                   \InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens Device ContextMenuHandler"

  - {HKLM...CLSID} = "Siemens Device ContextMenuHandler"

                   \InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}" = "Siemens SX1 PropertySheetHandler"

  - {HKLM...CLSID} = "Siemens Device PropertySheetHandler"

                   \InProcServer32\(Default) = "G:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll" ["Siemens AG"]

"{280CFDE1-1354-4431-92F3-03073BA593FB}" = "TotalConverter Context Menu Shell Extension"

  - {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"

                   \InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  - {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "G:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  - {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "G:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  - {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]


HKLM\System\CurrentControlSet\Control\Session Manager\

 "BootExecute" = "autocheck autochk *"|"OODBS" ["OO Software GmbH"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

 AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  - {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

DAP_Menu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

  - {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

  - {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

TotalConverter\(Default) = "{280CFDE1-1354-4431-92F3-03073BA593FB}"

  - {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"

                   \InProcServer32\(Default) = "G:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"

  - {HKLM...CLSID} = "DAPMenuShellExt Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  - {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "G:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  - {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "G:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  - {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "G:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "F:\Documents and Settings\Tom\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Tom" "All Users" startup folders:

-----------------------------------------------------


F:\Documents and Settings\Tom\Menu Start\Programy\Autostart

"Rainlendar" - shortcut to: "C:\Program Files\Rainlendar\Rainlendar.exe" ["Rainy"]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

  - {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"

                   \InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)

  - {HKLM...CLSID} = "MEGAUPLOADTOOLBAR"

                   \InProcServer32\(Default) = "F:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

 "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  - {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "F:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""G:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""G:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""G:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

France Telecom Routing Table Service, FTRTSVC, "F:\WINDOWS\System32\FTRTSVC.exe" ["France Telecom"]

OO Defrag, OO Defrag, "F:\WINDOWS\System32\oodag.exe" ["OO Software GmbH"]

StarWind iSCSI Service, StarWindService, "G:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe" ["Rocket Division Software"]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

6200 Series Port\Driver = "lxbulmpm.DLL" ["Lexmark International, Inc."]

Lexmark Print-2-Fax Port\Driver = "LXPRMON.DLL" [null data]



----------

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 201 seconds, including 4 seconds for message boxes)
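The two logs above are read by hand in the thread; as an added example (not code from either post or from the HijackThis or Silent Runners projects), the script below parses the O16/O17/O23 line formats shown in the log and raises the checks a responder makes first: an ActiveX control pulled from a bare IP address rather than a DNS name, NameServer entries that must be confirmed against the ISP, and services whose binary is reported missing or whose publisher is unknown. The sample lines are constructed to match the format of the posted log; the severity labels are this example's own choice.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the forum post)."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in the same format as the posted log (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {E95CF138-A587-4C54-8175-3AD80997CB14} (GameDesire Soccer) - http://67.15.101.3/g_bin/pl/soccer_2_0_0_14.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFF4310C-2F90-434C-9891-F05000148AFA}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: OO Defrag - OO Software GmbH - F:\WINDOWS\System32\oodag.exe
"""

# Line shapes as HijackThis 1.99.x prints them (O4 lines are parsed elsewhere; not flagged here).
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def is_bare_ip(host):
    """True when a URL host is a literal IPv4/IPv6 address instead of a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return a list of (severity, hjt_type, detail) findings for the given log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            host = urlparse(url).hostname or ""
            # ActiveX code downloaded from a bare IP has no name to reputation-check.
            if is_bare_ip(host):
                findings.append(("high", "O16", f"ActiveX '{name}' {clsid} fetched from bare IP {host}: {url}"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = m.group(1).split()
            # A changed resolver is a classic hijack; always confirm it is the ISP's.
            findings.append(("info", "O17", "confirm NameServer(s) belong to the ISP: " + ", ".join(servers)))
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if "(file missing)" in path:
                findings.append(("medium", "O23", f"service '{name}' registered but binary not found: {path}"))
            elif owner == "Unknown owner":
                findings.append(("low", "O23", f"service '{name}' has no publisher in the log; verify the signature of {path}"))
    return findings


def summarize(findings):
    """Count findings per severity for a quick glance at the result."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, kind, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {kind}: {detail}")
```

Note that "(file missing)" on an O23 line is not by itself proof of infection: HijackThis 1.99.1 also reports it for a service whose ImagePath is quoted and carries arguments, as with the two avast! scanner entries above, which Silent Runners lists as running normally. The flag tells you which entries to open in the Services console, not which to delete.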

Clean.

I suggest installing Service Pack 2. It improves system security, etc. You can download it from here:

http://dobreprogramy.pl/index.php?dz=2&t=35&id=795

thx for the help