Zaśmiecony komp koleżanki

R11 (R@F) 2007-01-03 22:15:59 UTC #1

Witam, koleżanka miała mnóstwo wirusów itp, pousuwała co mogła, ale nadal komp nie chodzi tak jak powinien, proszę o sprawdzenie i z góry dzięki za pomoc:

Logfile of HijackThis v1.99.1 Scan saved at 22:59:21, on 2007-01-03 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\system32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\spoolsv.exe D:\WINDOWS\Explorer.EXE D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe D:\Program Files\Alwil Software\Avast4\ashServ.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe D:\Program Files\Gadu-Gadu\gg.exe D:\Program Files\Messenger\msmsgs.exe D:\WINDOWS\system32\drivers\CDAC11BA.EXE D:\WINDOWS\system32\svchost.exe D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe D:\Program Files\Alwil Software\Avast4\ashWebSv.exe D:\WINDOWS\system32\wuauclt.exe D:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe D:\Program Files\mks_vir_2007\bin\mksupdate.exe D:\Program Files\mks_vir_2007\bin\MksPC.exe D:\Program Files\mks_vir_2007\bin\mks_scan.exe D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe D:\Program Files\mks_vir_2007\bin\MksFwall.exe D:\Program Files\mks_vir_2007\bin\mks_mail.exe D:\Program Files\mks_vir_2007\bin\mksregmon.exe D:\Program Files\mks_vir_2007\bin\mkstray.exe D:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe D:\Program Files\FrikoPlayer\FrikoPlayer.exe D:\WINDOWS\hh.exe D:\Program Files\Internet Explorer\IEXPLORE.EXE D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe D:\PROGRA~1\MOZILL~1\FIREFOX.EXE D:\Program Files\WinRAR\WinRAR.exe D:\Program Files\WinRAR\WinRAR.exe D:\DOCUME~1\Cholera\USTAWI~1\Temp\Rar$EX01.953\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll O2 - BHO: (no name) - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - (no file) O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll O4 - HKLM..\Run: [bearShare] "D:\Program Files\BearShare\BearShare.exe" /pause O4 - HKLM..\Run: [QuickTime Task] "D:\Program Files\QuickTime Alternative\qttask.exe" -atboottime O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe O4 - HKLM..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" O4 - HKLM..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM..\Run: [mkstray] D:\Program Files\mks_vir_2007\bin\mkstray.exe O4 - HKLM..\Run: [mks_mail] D:\Program Files\mks_vir_2007\bin\mks_mail.exe O4 - HKLM..\Run: [MKSRegmon] D:\Program Files\mks_vir_2007\bin\mksregmon.exe O4 - HKCU..\Run: [Gadu-Gadu] "D:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Action Manager 32.lnk = D:\Program Files\ScannerU\AM32.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: d:\program files\mks_vir_2007\bin\mkslsp.dll O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/061011 ... 101001.cab O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://D:\Program Files\AutoCAD LT 2002 Plk\AcPreview.ocx O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: C-DillaCdaC11BA - Macrovision - D:\WINDOWS\system32\drivers\CDAC11BA.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe O23 - Service: MksFwall - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksFwall.exe O23 - Service: MksPC - Unknown owner - D:\Program Files\mks_vir_2007\bin\MksPC.exe O23 - Service: MksUpdate - MKS sp. z O. O. - D:\Program Files\mks_vir_2007\bin\mksupdate.exe O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe O23 - Service: MkS_Scan - Unknown owner - D:\Program Files\mks_vir_2007\bin\mks_scan.exe

a z silentem sa problemy wyskakuje coś w stylu "dostep do hosta skryptow sys win jest wyl......",

Złączono Posta : 04.01.2007 (Czw) 0:01

o udało się:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"BearShare" = ""D:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

"QuickTime Task" = ""D:\Program Files\QuickTime Alternative\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k"

"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]

"SunJavaUpdateSched" = ""D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"AVG7_CC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"mkstray" = "D:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]

"mks_mail" = "D:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MKS sp. z o. o."]

"MKSRegmon" = "D:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "d:\program files\google\googletoolbar3.dll" ["Google Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}" = "ABBYYPDFContextMenuExtension"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "D:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {HKLM...CLSID} = "ACTHUMBNAIL"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Ikona obsługi nakładki Podpisów cyfrowych AutoCAD"

  -> {HKLM...CLSID} = "AcSignIcon"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"

  -> {HKLM...CLSID} = "Zinio Magazine"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]

"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"

  -> {HKLM...CLSID} = "MyMagazinesColumn Class"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

  -> {HKLM...CLSID} = "AVG7 Find Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"

  -> {HKLM...CLSID} = "MyMagazinesColumn Class"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ABBYYPDFContextMenuExtension\(Default) = "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "D:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"

<> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""D:\WINDOWS\notepad.exe" "%1"" [MS]

HKLM\Software\Classes\.scr\(Default) = "AutoCADLTScriptFile"

<> HKLM\Software\Classes\AutoCADLTScriptFile\shell\open\command\(Default) = "D:\WINDOWS\NOTEPAD.EXE "%1"" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\Cholera\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\WINDOWS\system32\ssstars.scr" [MS]



Startup items in "Cholera" & "All Users" startup folders:

---------------------------------------------------------


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Action Manager 32" -> shortcut to: "D:\Program Files\ScannerU\AM32.exe" [null data]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

D:\Program Files\mks_vir_2007\bin\\mkslsp.dll [null data], 01 - 03, 15

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "d:\program files\google\googletoolbar3.dll" ["Google Inc."]

"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"

  -> {HKLM...CLSID} = "Pasek poleceń Microsoft"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "d:\program files\google\googletoolbar3.dll" ["Google Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

AVG E-mail Scanner, AVGEMS, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

C-DillaCdaC11BA, C-DillaCdaC11BA, "D:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]

MkS_Scan, MkS_Scan, "D:\Program Files\mks_vir_2007\bin\mks_scan.exe" [empty string]

mks_vir file monitor, MksVirMonSvc, "D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe" [null data]

MksFwall, MksFwall, ""D:\Program Files\mks_vir_2007\bin\MksFwall.exe"" [null data]

MksPC, MksPC, ""D:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]

MksUpdate, MksUpdate, ""D:\Program Files\mks_vir_2007\bin\mksupdate.exe"" ["MKS sp. z O. O."]

Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 334 seconds.

---------- (total run time: 647 seconds)

Złączono Posta : 04.01.2007 (Czw) 0:03o udało się:

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z oo"]

"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"BearShare" = ""D:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

"QuickTime Task" = ""D:\Program Files\QuickTime Alternative\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k"

"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]

"SunJavaUpdateSched" = ""D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"AVG7_CC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]

"mkstray" = "D:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]

"mks_mail" = "D:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MKS sp. z o. o."]

"MKSRegmon" = "D:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "d:\program files\google\googletoolbar3.dll" ["Google Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}" = "ABBYYPDFContextMenuExtension"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "D:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"

  -> {HKLM...CLSID} = "ACTHUMBNAIL"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk"]

"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Ikona obsługi nakładki Podpisów cyfrowych AutoCAD"

  -> {HKLM...CLSID} = "AcSignIcon"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk"]

"{AC0B5D2E-B691-4E12-A4F9-CA88492579A2}" = "Zinio Shell Extension"

  -> {HKLM...CLSID} = "Zinio Magazine"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]

"{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}" = "Zinio Magazine Column Provider"

  -> {HKLM...CLSID} = "MyMagazinesColumn Class"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]

"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"

  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"

  -> {HKLM...CLSID} = "AVG7 Find Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{A9AACA72-1C51-4F84-804D-90EDBA0D58F4}\(Default) = "Zinio Magazine Column Provider"

  -> {HKLM...CLSID} = "MyMagazinesColumn Class"

                   \InProcServer32\(Default) = "D:\Program Files\Common Files\Zinio\ZShext.dll" ["Zinio Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

ABBYYPDFContextMenuExtension\(Default) = "{83903CAB-2FC1-40f6-8B82-DF123A5FB9E3}"

  -> {HKLM...CLSID} = "AbbyyPDF.PDFShellExtension.1"

                   \InProcServer32\(Default) = "D:\Program Files\ABBYY PDF Transformer 1.0\PDFShellExtension.dll" ["ABBYY (BIT Software)"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "D:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"

  -> {HKLM...CLSID} = "AVG7 Shell Extension Class"

                   \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

MkS_Vir\(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

  -> {HKLM...CLSID} = "MkS_Vir Shell Extension"

                   \InProcServer32\(Default) = "D:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKCU\Software\Classes\.scr\(Default) = "AutoCADScriptFile"

<> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command\(Default) = ""D:\WINDOWS\notepad.exe" "%1"" [MS]

HKLM\Software\Classes\.scr\(Default) = "AutoCADLTScriptFile"

<> HKLM\Software\Classes\AutoCADLTScriptFile\shell\open\command\(Default) = "D:\WINDOWS\NOTEPAD.EXE "%1"" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "D:\Documents and Settings\Cholera\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "D:\WINDOWS\system32\ssstars.scr" [MS]



Startup items in "Cholera" & "All Users" startup folders:

---------------------------------------------------------


D:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Action Manager 32" -> shortcut to: "D:\Program Files\ScannerU\AM32.exe" [null data]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

D:\Program Files\mks_vir_2007\bin\\mkslsp.dll [null data], 01 - 03, 15

%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 14

%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "d:\program files\google\googletoolbar3.dll" ["Google Inc."]

"{4D5C8C2A-D075-11D0-B416-00C04FB90376}"

  -> {HKLM...CLSID} = "Pasek poleceń Microsoft"

                   \InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "d:\program files\google\googletoolbar3.dll" ["Google Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"

                   \InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""D:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

AVG E-mail Scanner, AVGEMS, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]

AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]

AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]

C-DillaCdaC11BA, C-DillaCdaC11BA, "D:\WINDOWS\system32\drivers\CDAC11BA.EXE" ["Macrovision"]

MkS_Scan, MkS_Scan, "D:\Program Files\mks_vir_2007\bin\mks_scan.exe" [empty string]

mks_vir file monitor, MksVirMonSvc, "D:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe" [null data]

MksFwall, MksFwall, ""D:\Program Files\mks_vir_2007\bin\MksFwall.exe"" [null data]

MksPC, MksPC, ""D:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]

MksUpdate, MksUpdate, ""D:\Program Files\mks_vir_2007\bin\mksupdate.exe"" ["MKS sp. z O. O."]

Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

EPSON V6 2KMonitor\Driver = "EBPMON24.DLL" ["SEIKO EPSON CORPORATION"]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 334 seconds.

---------- (total run time: 647 seconds)

exJuno (Exjuno) 2007-01-04 12:40:11 UTC #2

Zaptaszkowujesz w/w wpisy w HJT i klikasz FIXChecked.

Na SR się nie znam

adam9870 (adam9870) 2007-01-04 12:56:42 UTC #3

Log z Silenta jest Ok.

Zrób skan http://www.ewido.net/en/ i wklej raport.

Poczytaj - XP - Optymalizacja, odchudzanie dla trochę bardziej zaawansowanych. Lub Optymalizacja i odchudzanie Windowsa XP dla trochę mniej zaawansowanych.

Zwykła wersja programu BearShare posiada w sobie syf dlatego proponuję go usunąć. A jeśli koniecznie chcesz z niego korzystać to zainstaluj wersję Lite, która jest pozbawiona syfu.

Monczkin (Monczkin) 2007-01-04 13:36:08 UTC #4

exJuno jeżeli masz kłopoty z interpretacją logów, to tego nie rób, tylko się ucz. Nieprawidłowa porada z Twojej strony może przynieść więcej szkody niż pożytku :!:

R11 (R@F) 2007-01-04 20:18:17 UTC #5

no i raport:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------


 + Created at:	21:01:07 2007-01-04


 + Scan result:	




D:\Program Files\Altnet -> Adware.Altnet : Ignored.

D:\Program Files\Altnet\Download Manager -> Adware.Altnet : Ignored.

D:\Program Files\Altnet\Download Manager\altinst1.dll -> Adware.Altnet : Ignored.

D:\Program Files\Altnet\Download Manager\altinst2.dll -> Adware.Altnet : Ignored.

D:\Program Files\Altnet\My Altnet Shares -> Adware.Altnet : Ignored.

HKU\S-1-5-21-583907252-448539723-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Ignored.

HKU\S-1-5-21-583907252-448539723-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Ignored.

HKU\S-1-5-21-583907252-448539723-1177238915-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333} -> Adware.Generic : Ignored.

HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@site.www.adbrite[2].txt -> TrackingCookie.Adbrite : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@www.adbrite[1].txt -> TrackingCookie.Adbrite : Ignored.

:mozilla.27:C:\WINDOWS\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.27:C:\WINDOWS\Profiles\cholera\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.27:C:\WINDOWS\Profiles\gość\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.28:C:\WINDOWS\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.28:C:\WINDOWS\Profiles\cholera\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.28:C:\WINDOWS\Profiles\gość\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.7:C:\WINDOWS\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.7:C:\WINDOWS\Profiles\cholera\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.7:C:\WINDOWS\Profiles\gość\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.8:C:\WINDOWS\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.8:C:\WINDOWS\Profiles\cholera\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

:mozilla.8:C:\WINDOWS\Profiles\gość\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@ad.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@ad.adocean[3].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@ad.adocean[4].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@gde.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@gde.adocean[3].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@gde.adocean[4].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@idg.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Cookies\basia@my.adocean[1].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@ad.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@ad.adocean[3].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@ad.adocean[4].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@gde.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@gde.adocean[3].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@gde.adocean[4].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@idg.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\basia@my.adocean[1].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\cholera\Cookies\cholera@idg.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@ad.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@ad.adocean[3].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@ad.adocean[4].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@gde.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@gde.adocean[3].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@gde.adocean[4].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@idg.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

C:\WINDOWS\Profiles\gość\Cookies\basia@my.adocean[1].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@ad.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@czgde.adocean[1].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@gde.adocean[1].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@gde.adocean[3].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@my.adocean[1].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@myao.adocean[1].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@pracuj.adocean[2].txt -> TrackingCookie.Adocean : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@com[1].txt -> TrackingCookie.Com : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@ivwbox[3].txt -> TrackingCookie.Ivwbox : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@data2.perf.overture[1].txt -> TrackingCookie.Overture : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@tacoda[2].txt -> TrackingCookie.Tacoda : Ignored.

:mozilla.14:C:\WINDOWS\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Tradedoubler : Ignored.

:mozilla.14:C:\WINDOWS\Profiles\cholera\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Tradedoubler : Ignored.

:mozilla.14:C:\WINDOWS\Profiles\gość\Dane aplikacji\Mozilla\Firefox\Profiles\4vwdht0z.default\cookies.txt -> TrackingCookie.Tradedoubler : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@trafic[1].txt -> TrackingCookie.Trafic : Ignored.

D:\Documents and Settings\Cholera\Cookies\cholera@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Ignored.

D:\Program Files\Integram\Budownictwo\integram1.exe -> Trojan.Proxcrak.A : Ignored.

D:\System Volume Information\_restore{E6495C24-9A8E-41A2-8C85-1E51BEE77036}\RP302\A0094461.exe/td.exe -> Worm.Agent.v : Ignored.

D:\System Volume Information\_restore{E6495C24-9A8E-41A2-8C85-1E51BEE77036}\RP302\A0094461.exe/zgo.exe -> Worm.Agent.v : Ignored.



::Report end

Bieniol (Bbieniol) 2007-01-05 18:06:37 UTC #6

Użyj tego narzędzia -> http://dobreprogramy.pl/index.php?dz=2&id=1188&t=59 -> i usuń nim wszystko, co znajdzie

Oparte na Discourse, najlepiej oglądać z włączonym JavaScriptem