morawcik89, posted 17 May 2008 (edited)

It's time for a system check-up, although a few problems have also come up.

1. Pop-up windows (you could call them adverts) in Mozilla Firefox.
2. After every scan with Spyware Doctor (despite using 'fix') the same (or even more) 'threats' are there:
- Application.TrackingCookies
- Adware.Advertising
- Hijacker.Affiliated_with_Browser_Hijackers
- Spyware.Rogue_Anti-Spyware_Products
- Spyware.Known_Bad_Sites
- Application.NirCmd
- Dialer.Instant_Access
- Trojan.Generic
3. Avira AntiVir Personal and Dr. Web do not detect anything.
4. Logs:

Log "ComboFix":

ComboFix 08-05-15.3 - Rafal 2008-05-17 9:47:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.190 [GMT 2:00]
Running from: C:\Documents and Settings\Rafal\Pulpit\logi\CF\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox
C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\InternetGameBox.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Privacy Policy.url
C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Terms and Conditions.url
C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Uninstall.lnk
C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Website.url
C:\Documents and Settings\All Users\Pulpit\internetgamebox.lnk
C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\hhlpyvwr.dat
c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe
C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\hhlpyvwr_nav.dat
C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\hhlpyvwr_navps.dat
C:\WINDOWS\system32\dqnzxzae.dat
C:\WINDOWS\system32\dqnzxzae.exe
C:\WINDOWS\system32\dqnzxzae_nav.dat
C:\WINDOWS\system32\dqnzxzae_navps.dat
C:\WINDOWS\system32\hhlpyvwr.dat
C:\WINDOWS\system32\hhlpyvwr.exe
C:\WINDOWS\system32\hhlpyvwr_nav.dat
C:\WINDOWS\system32\hhlpyvwr_navps.dat
C:\WINDOWS\system32\nvs2.inf
.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.
2008-05-16 19:52 . 2008-05-16 19:52    <DIR>  d--------  C:\Program Files\Ashampoo
2008-05-16 18:37 . 2008-05-17 08:37    <DIR>  d--------  C:\Documents and Settings\Rafal\DoctorWeb
2008-05-16 18:34 . 2008-05-16 18:34   77,824  --a----t-  C:\WINDOWS\system32\DRWEBSP.DLL
2008-05-16 18:33 . 2008-05-16 18:33    <DIR>  d--------  C:\Documents and Settings\Rafal\Dane aplikacji\InstallShield
2008-05-16 17:34 . 2008-05-16 17:34    2,560  --a------  C:\WINDOWS\_MSRSTRT.EXE
2008-05-15 16:27 . 2008-05-15 16:28    <DIR>  d--------  C:\Documents and Settings\Rafal\.mysqlcc
2008-05-15 16:23 . 2007-06-19 21:52  419,840  --a------  C:\WINDOWS\system32\ws_edit.lib
2008-05-15 16:23 . 2006-08-17 22:37  130,048  --a------  C:\WINDOWS\system32\webserv.cpl
2008-05-10 20:37 . 2008-05-10 20:51    <DIR>  d--------  C:\Documents and Settings\Rafal\Dane aplikacji\Moyea
2008-05-09 17:48 . 2008-05-09 17:51    <DIR>  d--------  C:\Program Files\Porno Links XP
2008-05-09 15:36 . 2008-05-09 15:36    <DIR>  d--------  C:\Documents and Settings\Rafal\Dane aplikacji\Subversion
2008-05-09 14:10 . 2008-05-09 17:07    <DIR>  d--------  C:\Documents and Settings\Rafal\workspace
2008-05-08 10:51 . 2008-05-08 10:54    <DIR>  d--------  C:\Documents and Settings\Rafal\.gimp-2.2
2008-05-08 10:46 . 2008-05-08 10:47    <DIR>  d--------  C:\Program Files\GIMPshop
2008-05-08 10:45 . 2008-05-08 10:46    <DIR>  d--------  C:\Program Files\Powerbullet
2008-05-07 20:32 . 2008-05-07 20:32    <DIR>  d--------  C:\Documents and Settings\Rafal\Dane aplikacji\Teleca
2008-05-06 20:22 . 2008-05-06 20:22    <DIR>  d--------  C:\Program Files\Common Files\Adobe Systems Shared
2008-05-06 20:22 . 2008-05-06 20:22    <DIR>  d--------  C:\Documents and Settings\All Users\Dane aplikacji\Adobe Systems
2008-05-06 19:47 . 2008-05-06 19:53    <DIR>  d--------  C:\Documents and Settings\Właściciel\.gimp-2.4
2008-05-06 19:47 . 2008-05-06 19:53    <DIR>  d--------  C:\Documents and Settings\Właściciel\.gimp-2.4
2008-05-05 14:12 . 2008-05-05 14:12    <DIR>  d--------  C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-05-05 10:04 . 2008-05-05 14:12    <DIR>  d--------  C:\Program Files\Spybot - Search & Destroy
2008-05-05 10:04 . 2008-05-05 14:12    <DIR>  d--------  C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-05 10:02 . 2008-05-05 10:02    <DIR>  d--------  C:\Program Files\Lavasoft
2008-05-05 10:02 . 2008-05-05 10:02    <DIR>  d--------  C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 10:02 . 2008-05-05 10:03    <DIR>  d--------  C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-04-29 17:37 . 2008-04-29 17:37    <DIR>  d--------  C:\Documents and Settings\Rafal\Dane aplikacji\Media Player Classic
2008-04-29 17:37 . 2008-04-29 17:37    <DIR>  d--------  C:\Documents and Settings\Rafal\Dane aplikacji\DivX
2008-04-29 17:36 . 2008-04-29 17:38    <DIR>  d--------  C:\Program Files\Mobile Video Converter
2008-04-25 16:13 . 2008-04-25 16:13    <DIR>  d--------  C:\Documents and Settings\Rafal\.thumbnails
2008-04-24 20:24 . 2008-04-24 20:24   54,156  --ah-----  C:\WINDOWS\QTFont.qfn
2008-04-24 20:24 . 2008-04-24 20:24    1,409  --a------  C:\WINDOWS\QTFont.for
2008-04-19 18:38 . 2008-04-19 19:43    <DIR>  d--------  C:\Documents and Settings\Rafal\Dane aplikacji\BESTplayer
2008-04-19 17:21 . 2008-04-25 18:58    <DIR>  d--------  C:\Documents and Settings\Rafal\.gimp-2.4
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 07:42  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\Orbit
2008-05-17 06:50  ---------  d-----w  C:\Documents and Settings\All Users\Dane aplikacji\Google Updater
2008-05-16 16:34  ---------  d--h--w  C:\Program Files\InstallShield Installation Information
2008-05-16 16:34  ---------  d---a-w  C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-05-16 10:44  ---------  d-----w  C:\Program Files\Spyware Doctor
2008-05-15 14:23  ---------  d-----w  C:\Program Files\WebServ
2008-05-14 16:46  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\FileZilla
2008-05-13 16:48  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\MEGAUPLOADTOOLBAR
2008-05-06 18:28  ---------  d-----w  C:\Documents and Settings\Właściciel\Dane aplikacji\MegauploadToolbar
2008-05-06 18:24  ---------  d-----w  C:\Program Files\Common Files\Adobe
2008-05-05 08:07  ---------  d-----w  C:\Program Files\Smarty Uninstaller Pro
2008-04-29 15:36  ---------  d-----w  C:\Program Files\Opera
2008-04-25 13:31  ---------  d-----w  C:\Program Files\Macromedia
2008-04-25 13:27  ---------  d-----w  C:\Program Files\Common Files\Macromedia
2008-04-23 13:08  ---------  d-----w  C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR
2008-04-10 13:05  ---------  d-----w  C:\Documents and Settings\Ewelina\Dane aplikacji\Orbit
2008-04-06 18:07  ---------  d-----w  C:\Program Files\Microsoft.NET
2008-04-06 18:07  ---------  d-----w  C:\Program Files\Microsoft Works
2008-04-06 14:40  ---------  d-----w  C:\Program Files\MegauploadToolbar
2008-04-05 17:32  ---------  d-----w  C:\Documents and Settings\Ewelina\Dane aplikacji\Winamp
2008-04-05 14:19  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\Notepad++
2008-04-05 13:53  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\XnView
2008-04-05 12:07  ---------  d-----w  C:\Documents and Settings\Ewelina\Dane aplikacji\Gadu-Gadu
2008-04-05 09:36  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\PC Tools
2008-04-05 09:29  ---------  d-----w  C:\Program Files\Google
2008-04-05 09:05  ---------  d-----w  C:\Documents and Settings\Ewelina\Dane aplikacji\Talkback
2008-04-05 08:29    720,896  ----a-w  C:\WINDOWS\iun6002.exe
2008-04-05 07:24    219,648  ----a-w  C:\WINDOWS\system32\uxtheme.dll
2008-04-05 07:05  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\Gadu-Gadu
2008-04-05 06:55  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\Winamp
2008-04-05 06:35  ---------  d-----w  C:\Documents and Settings\Rafal\Dane aplikacji\Talkback
2008-04-04 18:43  ---------  d-----w  C:\Program Files\Mozilla Firefox(3)
2008-04-04 18:22  ---------  d-----w  C:\Program Files\mIRC
2008-04-04 15:49  ---------  d-----w  C:\Documents and Settings\Właściciel\Dane aplikacji\Orbit
2008-04-04 12:38  ---------  d-----w  C:\Documents and Settings\Właściciel\Dane aplikacji\FileZilla
2008-04-01 13:33  ---------  d-----w  C:\Documents and Settings\Właściciel\Dane aplikacji\magsgridroad
2008-03-25 04:52    621,344  ----a-w  C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:52    178,976  ----a-w  C:\WINDOWS\system32\msjint40.dll
2008-03-23 11:47  ---------  d-----w  C:\Documents and Settings\Właściciel\Dane aplikacji\OpenOffice.org2
2008-03-20 08:09  1,845,504  ----a-w  C:\WINDOWS\system32\win32k.sys
2008-03-19 19:13  ---------  d-----w  C:\Program Files\DivX
2008-03-19 15:48  ---------  d-----w  C:\Program Files\CCleaner
2008-03-19 13:43  ---------  d-----w  C:\Program Files\Java
2008-03-18 16:29  ---------  d-----w  C:\Program Files\MSXML 4.0
2008-03-09 09:19      3,584  --sha-w  C:\Program Files\Common Files\Thumbs.db
2008-03-01 13:02    826,368  ----a-w  C:\WINDOWS\system32\wininet.dll
2008-02-21 02:05    200,704  ----a-w  C:\WINDOWS\system32\ssldivx.dll
2008-02-21 02:05  1,044,480  ----a-w  C:\WINDOWS\system32\libdivx.dll
2008-02-20 06:51    282,624  ----a-w  C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:38     45,568  ----a-w  C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 18:47         32  ----a-r  C:\Documents and Settings\All Users\hash.dat
2007-09-25 17:36    102,352  ----a-w  C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat
2007-09-19 11:55        766  ----a-w  C:\Program Files\Common Files\sms.ico
2007-09-19 11:55         70  ----a-w  C:\Program Files\Common Files\moje.js
2001-11-23 07:08    712,704  ----a-w  C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AntyVir"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 10:33 262401]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

C:\Documents and Settings\Waciciel\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.YV12"= yv12vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"z:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"z:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe"=
"C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe"=
"Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=
"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe"= Paused2

SPIDERNT;SpIDer Guard for Windows;z:\PROGRA~1\DrWeb\spidernt.exe [2008-03-31 15:33]
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-07-03 16:47]
R2 SPIDER;SpIDer Guard File System Monitor;z:\PROGRA~1\DrWeb\spider.sys [2008-03-31 15:33]
S3 ddsxeiservice;ddsxeiservice2;Z:\Program Files\sXe Injected\ddsxei.sys []
S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-09-17 21:05]
S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-09-17 21:05]
S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-09-17 21:05]
S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-09-17 21:05]
S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-09-17 21:05]
S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-09 05:26]
S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []
S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []
S3 VNICPKT5;VNICPKT5 Protocol Driver;C:\WINDOWS\system32\VNICPKT5.SYS [2002-08-15 21:30]

*Newly Created Service* - CATCHME
*Newly Created Service* - SPIDER
*Newly Created Service* - SPIDERNT
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 17:12:01 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 09:50:01
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-17 9:51:14
ComboFix-quarantined-files.txt 2008-05-17 07:50:50

Pre-Run: 41,909,784,576 bajtów wolnych
Post-Run: 42,025,713,664 bajtów wolnych

196 --- E O F --- 2008-05-16 05:28:05

Log "hijackthis":

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:43:11, on 2008-05-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
z:\PROGRA~1\DrWeb\spidernt.exe
z:\Program Files\DrWeb\spiderui.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
Z:\Program Files\DrWeb\spiderml.exe
Z:\Program Files\DrWeb\DRWEBSCD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rafal\Pulpit\logi\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - z:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [AntyVir] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [hhlpyvwr] c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe hhlpyvwr
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Wyslij SMS'a - {215940F1-E7E0-4801-BEE3-44D045534106} - C:\Program Files\Common Files\moje.js
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - z:\PROGRA~1\DrWeb\spidernt.exe

--
End of file - 6199 bytes

Log "Silent Runners":

"Silent Runners.vbs", revision 57, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"hhlpyvwr" = "c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe hhlpyvwr" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AntyVir" = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" ["Avira GmbH"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com"
  -> {HKLM...CLSID} = "Octh Class"
     \InProcServer32\(Default) = "z:\Program Files\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Megaupload Toolbar"
     \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{ADECBED6-0366-4377-A739-E69DFBA04663}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Catcher Class"
     \InProcServer32\(Default) = "Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll" ["Moyea Software Co., Ltd."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
     \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"
  -> {HKLM...CLSID} = "Sony Ericsson File Manager"
     \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{e7593602-124b-47c9-9f73-a69308edc973}" = "Shell Extension for DrWeb"
  -> {HKLM...CLSID} = "Shell Extension for DrWeb"
     \InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]
DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"
  -> {HKLM...CLSID} = "Shell Extension for DrWeb"
     \InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
     \InProcServer32\(Default) = "z:\Program Files\Notepad++\nppcm.dll" ["Burgaud.com"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"
  -> {HKLM...CLSID} = "Shell Extension for DrWeb"
     \InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AVSDVDMovieOnArrival\
"Provider" = "AVS DVD Player"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithAVSDVDPlayer"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithAVSDVDPlayer\Command\(Default) = ""C:\Program Files\AVSMedia\DVDPlayer\AVSDVDPlayer.EXE" "%L"" ["Online Media Technologies Ltd."]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classi"
"InvokeProgID" = "MPC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.CDAudio\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MPC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.DVDMovie\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /dvd" ["Gabest"]

NeroAutoPlay7VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]

Enabled Scheduled Tasks:
------------------------

"HP Usg Daily" -> launches: "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\WINDOWS\system32\DRWEBSP.DLL ["Doctor Web, Ltd."], 01 - 05, 22 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 21 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{F2CF5485-4E02-4F68-819C-B92DE9277049}" -> {HKLM...CLSID} = "&Links" \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS] "{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" -> {HKLM...CLSID} = "Megaupload Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided) -> {HKLM...CLSID} = "Megaupload Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."] {215940F1-E7E0-4801-BEE3-44D045534106}\ "ButtonText" = "Wyslij SMS'a" "Script" = "C:\Program Files\Common 
Files\moje.js" [null data] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Badanie" {E2E2DD38-D088-4134-82B7-F2BA38496583}\ "MenuText" = "@xpsp3res.dll,-20001" "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Windows Messenger" "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS] Miscellaneous IE Hijack Points ------------------------------ HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\ <<H>> "Tabs" = "C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR\tabwelcome.html" [file not found] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"] AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ""C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"] Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"] Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS] NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"] SpIDer Guard for Windows, SPIDERNT, "z:\PROGRA~1\DrWeb\spidernt.exe" ["Doctor Web, Ltd."] Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS] Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ hpzlnt09\Driver = "hpzlnt09.dll" ["HP"] Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS] ---------- (launch time: 2008-05-17 09:44:32) <<!>>: Suspicious data at a malware launch point. <<H>>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. 
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 87 seconds.
---------- (total run time: 125 seconds)
Edited 17 May 2008 by morawcik89
Tagasu Posted 17 May 2008
In HijackThis, tick and remove:
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DL
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
I don't know which program the key below belongs to, but I don't like its name - check whether you actually use it, and if not, get rid of it too 8O
O4 - HKCU\..\Run: [hhlpyvwr] c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe hhlpyvwr
morawcik89 Posted 17 May 2008
Here are the new logs:
- "ComboFix"
ComboFix 08-05-15.3 - Rafal 2008-05-17 12:51:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.238 [GMT 2:00]
Running from: C:\Documents and Settings\Rafal\Pulpit\logi\CF\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rafal\Pulpit\logi\CF\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.
2008-05-16 19:52 . 2008-05-16 19:52 <DIR> d-------- C:\Program Files\Ashampoo
2008-05-16 18:37 . 2008-05-17 08:37 <DIR> d-------- C:\Documents and Settings\Rafal\DoctorWeb
2008-05-16 18:34 . 2008-05-16 18:34 77,824 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2008-05-16 18:33 . 2008-05-16 18:33 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\InstallShield
2008-05-16 17:34 . 2008-05-16 17:34 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-05-15 16:27 . 2008-05-15 16:28 <DIR> d-------- C:\Documents and Settings\Rafal\.mysqlcc
2008-05-15 16:23 . 2007-06-19 21:52 419,840 --a------ C:\WINDOWS\system32\ws_edit.lib
2008-05-15 16:23 . 2006-08-17 22:37 130,048 --a------ C:\WINDOWS\system32\webserv.cpl
2008-05-10 20:37 . 2008-05-10 20:51 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Moyea
2008-05-09 17:48 . 2008-05-09 17:51 <DIR> d-------- C:\Program Files\Porno Links XP
2008-05-09 15:36 . 2008-05-09 15:36 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Subversion
2008-05-09 14:10 . 2008-05-09 17:07 <DIR> d-------- C:\Documents and Settings\Rafal\workspace
2008-05-08 10:51 . 2008-05-08 10:54 <DIR> d-------- C:\Documents and Settings\Rafal\.gimp-2.2
2008-05-08 10:46 . 2008-05-08 10:47 <DIR> d-------- C:\Program Files\GIMPshop
2008-05-08 10:45 . 2008-05-08 10:46 <DIR> d-------- C:\Program Files\Powerbullet
2008-05-07 20:32 . 2008-05-07 20:32 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Teleca
2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Adobe Systems
2008-05-05 14:12 . 2008-05-05 14:12 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-05-05 10:04 . 2008-05-05 14:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-05 10:04 . 2008-05-05 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 10:02 . 2008-05-05 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-04-29 17:37 . 2008-04-29 17:37 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Media Player Classic
2008-04-29 17:37 . 2008-04-29 17:37 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\DivX
2008-04-29 17:36 . 2008-04-29 17:38 <DIR> d-------- C:\Program Files\Mobile Video Converter
2008-04-25 16:13 . 2008-04-25 16:13 <DIR> d-------- C:\Documents and Settings\Rafal\.thumbnails
2008-04-24 20:24 . 2008-04-24 20:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-24 20:24 . 2008-04-24 20:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-19 18:38 . 2008-04-19 19:43 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\BESTplayer
2008-04-19 17:21 . 2008-04-25 18:58 <DIR> d-------- C:\Documents and Settings\Rafal\.gimp-2.4
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 10:56 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP 2008-05-17 10:49 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Orbit 2008-05-17 06:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Google Updater 2008-05-16 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-05-16 10:44 --------- d-----w C:\Program Files\Spyware Doctor 2008-05-15 14:23 --------- d-----w C:\Program Files\WebServ 2008-05-14 16:46 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\FileZilla 2008-05-13 16:48 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\MEGAUPLOADTOOLBAR 2008-05-06 18:24 --------- d-----w C:\Program Files\Common Files\Adobe 2008-05-05 08:07 --------- d-----w C:\Program Files\Smarty Uninstaller Pro 2008-04-29 15:36 --------- d-----w C:\Program Files\Opera 2008-04-25 13:31 --------- d-----w C:\Program Files\Macromedia 2008-04-25 13:27 --------- d-----w C:\Program Files\Common Files\Macromedia 2008-04-23 13:08 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR 2008-04-10 13:05 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Orbit 2008-04-06 18:07 --------- d-----w C:\Program Files\Microsoft.NET 2008-04-06 18:07 --------- d-----w C:\Program Files\Microsoft Works 2008-04-06 14:40 --------- d-----w C:\Program Files\MegauploadToolbar 2008-04-05 17:32 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Winamp 2008-04-05 14:19 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Notepad++ 2008-04-05 13:53 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\XnView 2008-04-05 12:07 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Gadu-Gadu 2008-04-05 09:36 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\PC Tools 2008-04-05 09:29 --------- d-----w C:\Program Files\Google 2008-04-05 09:05 --------- d-----w C:\Documents and 
Settings\Ewelina\Dane aplikacji\Talkback 2008-04-05 08:29 720,896 ----a-w C:\WINDOWS\iun6002.exe 2008-04-05 07:24 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll 2008-04-05 07:05 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Gadu-Gadu 2008-04-05 06:55 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Winamp 2008-04-05 06:35 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Talkback 2008-04-04 18:43 --------- d-----w C:\Program Files\Mozilla Firefox(3) 2008-04-04 18:22 --------- d-----w C:\Program Files\mIRC 2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll 2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-19 19:13 --------- d-----w C:\Program Files\DivX 2008-03-19 15:48 --------- d-----w C:\Program Files\CCleaner 2008-03-19 13:43 --------- d-----w C:\Program Files\Java 2008-03-18 16:29 --------- d-----w C:\Program Files\MSXML 4.0 2008-03-09 09:19 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db 2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll 2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll 2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll 2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll 2008-02-06 18:47 32 ----a-r C:\Documents and Settings\All Users\hash.dat 2007-09-25 17:36 102,352 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat 2007-09-19 11:55 766 ----a-w C:\Program Files\Common Files\sms.ico 2007-09-19 11:55 70 ----a-w C:\Program Files\Common Files\moje.js 2001-11-23 07:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "AntyVir"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 10:33 262401] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480] "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.I420"= i420vfw.dll "msacm.l3fhg"= mp3fhg.acm "VIDC.X264"= x264vfw.dll "VIDC.HFYU"= huffyuv.dll "vidc.i263"= i263_32.drv "VIDC.YV12"= yv12vfw.dll "msacm.ac3filter"= ac3filter.acm "msacm.divxa32"= divxa32.acm "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "z:\\Program Files\\Orbitdownloader\\orbitdm.exe"= "z:\\Program Files\\Orbitdownloader\\orbitnet.exe"= "C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe"= "C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe"= "C:\\Program Files\\Gadu-Gadu\\gg.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe"= "Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"= "C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe"= R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-07-03 16:47] R2 SPIDER;SpIDer Guard File System Monitor;z:\PROGRA~1\DrWeb\spider.sys [2008-03-31 15:33] R2 SPIDERNT;SpIDer Guard for Windows;z:\PROGRA~1\DrWeb\spidernt.exe [2008-03-31 15:33] S3 
ddsxeiservice;ddsxeiservice2;Z:\Program Files\sXe Injected\ddsxei.sys [] S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-09-17 21:05] S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-09-17 21:05] S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-09-17 21:05] S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-09-17 21:05] S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-09-17 21:05] S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-09 05:26] S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys [] S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys [] S3 VNICPKT5;VNICPKT5 Protocol Driver;C:\WINDOWS\system32\VNICPKT5.SYS [2002-08-15 21:30] . Contents of the 'Scheduled Tasks' folder "2008-05-17 09:12:01 C:\WINDOWS\Tasks\HP Usg Daily.job" - C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-05-17 12:56:11 Windows 5.1.2600 Dodatek Service Pack 2 NTFS detected NTDLL code modification: ZwClose scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . 
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-17 13:00:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 11:00:26
ComboFix2.txt 2008-05-17 07:51:14
Pre-Run: 41,916,665,856 bajtów wolnych
Post-Run: 41,914,310,656 bajtów wolnych
181 --- E O F --- 2008-05-16 05:28:05
- "HiJackThis"
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40, on 2008-05-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
z:\PROGRA~1\DrWeb\spidernt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Documents and Settings\Rafal\Pulpit\logi\HJT\HiJackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - z:\Program Files\Orbitdownloader\orbitcth.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM\..\Run: [AntyVir] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware 
Doctor\pctsTray.exe" O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Wyslij SMS'a - {215940F1-E7E0-4801-BEE3-44D045534106} - C:\Program Files\Common Files\moje.js O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir 
PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - z:\PROGRA~1\DrWeb\spidernt.exe -- End of file - 6171 bytes » Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "SilentRunner" "Silent Runners.vbs", revision 57, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS] "Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "AntyVir" = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" ["Avira GmbH"] "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS] "ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com" -> {HKLM...CLSID} = "Octh Class" \InProcServer32\(Default) = "z:\Program 
Files\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"] {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided) -> {HKLM...CLSID} = "Megaupload Toolbar" \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {ADECBED6-0366-4377-A739-E69DFBA04663}\(Default) = (no title provided) -> {HKLM...CLSID} = "Catcher Class" \InProcServer32\(Default) = "Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll" ["Moyea Software Co., Ltd."] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Notifier BHO" \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania" -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania" \InProcServer32\(Default) = "deskpan.dll" [file not found] "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu" -> {HKLM...CLSID} = "HyperTerminal Icon Ext" \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."] "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band" -> {HKLM...CLSID} = "History Band" \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] 
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager" -> {HKLM...CLSID} = "Sony Ericsson File Manager" \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"] "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning" -> {HKLM...CLSID} = "Shell Extension for Malware scanning" \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"] "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."] "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer" -> {HKLM...CLSID} = (no title provided) 
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{e7593602-124b-47c9-9f73-a69308edc973}" = "Shell Extension for DrWeb"
  -> {HKLM...CLSID} = "Shell Extension for DrWeb"
     \InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]
DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"
  -> {HKLM...CLSID} = "Shell Extension for DrWeb"
     \InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
     \InProcServer32\(Default) = "z:\Program Files\Notepad++\nppcm.dll" ["Burgaud.com"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"
  -> {HKLM...CLSID} = "Shell Extension for DrWeb"
     \InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
     \InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Devices: Allow undock without having to log on}
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001 {unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000 {unrecognized setting}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000 {unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AVSDVDMovieOnArrival\
"Provider" = "AVS DVD Player"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithAVSDVDPlayer"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithAVSDVDPlayer\Command\(Default) = ""C:\Program Files\AVSMedia\DVDPlayer\AVSDVDPlayer.EXE" "%L"" ["Online Media Technologies Ltd."]

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classi"
"InvokeProgID" = "MPC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.CDAudio\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /cd" ["Gabest"]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MPC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.DVDMovie\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /dvd" ["Gabest"]

NeroAutoPlay7VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]

Enabled Scheduled Tasks:
------------------------

"HP Usg Daily" -> launches: "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe" [empty string]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\DRWEBSP.DLL ["Doctor Web, Ltd."], 01 - 05, 22
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
  -> {HKLM...CLSID} = "&Links"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"
  -> {HKLM...CLSID} = "Megaupload Toolbar"
     \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
  -> {HKLM...CLSID} = "Megaupload Toolbar"
     \InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{215940F1-E7E0-4801-BEE3-44D045534106}\
"ButtonText" = "Wyslij SMS'a"
"Script" = "C:\Program Files\Common Files\moje.js" [null data]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR\tabwelcome.html" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ""C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]
SpIDer Guard for Windows, SPIDERNT, "z:\PROGRA~1\DrWeb\spidernt.exe" ["Doctor Web, Ltd."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

---------- (launch time: 2008-05-17 18:41:24)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 86 seconds.
---------- (total run time: 132 seconds)
morawcik89 Posted 18 May 2008

Spyware still detects:
- Adware.Advertising
- Hijacker.Affiliated_with_Browser_Hijackers
- Spyware.Rogue_Anti-Spyware_Products
- Spyware.Known_Bad_Sites
- Trojan.Generic

- "Report"

SDFix: Version 1.183
Run by Administrator on 2008-05-17 at 15:16

Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :
No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 15:24:00
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:72,48,28,9a,cf,a2,bb,66,1a,ff,d8,08,b1,bb,47,6c,06,67,f7,77,3d,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,54,84,06,37,15,f3,44,fa,b4,a9,24,6b,28,8f,f7,2e,3a,..
"khjeh"=hex:fc,62,b8,2e,74,76,85,fa,8f,27,cf,8a,12,0f,a0,19,8c,ca,56,de,37,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:94,0e,9d,77,4e,dd,27,68,af,1c,be,ad,07,ea,af,ca,ca,9b,a7,b8,b3,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,a1,2a,c8,2d,ed,5b,60,5b,fb,d2,29,a7,e5,c1,98,f1,6f,63,34,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:72,48,28,9a,cf,a2,bb,66,1a,ff,d8,08,b1,bb,47,6c,06,67,f7,77,3d,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,54,84,06,37,15,f3,44,fa,b4,a9,24,6b,28,8f,f7,2e,3a,..
"khjeh"=hex:fc,62,b8,2e,74,76,85,fa,8f,27,cf,8a,12,0f,a0,19,8c,ca,56,de,37,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:94,0e,9d,77,4e,dd,27,68,af,1c,be,ad,07,ea,af,ca,ca,9b,a7,b8,b3,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:8d,a1,2a,c8,2d,ed,5b,60,5b,fb,d2,29,a7,e5,c1,98,f1,6f,63,34,7c,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"z:\\Program Files\\Orbitdownloader\\orbitdm.exe"="z:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
"z:\\Program Files\\Orbitdownloader\\orbitnet.exe"="z:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe"="C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe:*:Enabled:WebServ(mysqld-nt)"
"C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe"="C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe:*:Enabled:Apache HTTP Server"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe"="C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe:*:Enabled:WebServ(ftp)"
"Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"="Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe:*:Enabled:script-fu"
"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe"="C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe:*:Enabled:WebServ(mysqld)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 31 Jul 2007       262,144 A..H. --- "C:\Documents and Settings\LocalService\NTUSER.bak"
Tue 31 Jul 2007       229,376 A..H. --- "C:\Documents and Settings\NetworkService\NTUSER.bak"
Tue 31 Jul 2007     3,670,016 A..H. --- "C:\Documents and Settings\Właściciel\NTUSER.bak"
Thu 15 Nov 2007         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 15 Nov 2007           401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Mon 28 Jan 2008     2,097,488 A.SH. --- "C:\System Volume Information\_restore{2D6BAA92-BED3-4881-B1F1-F2C29C6B8B9E}\RP51\A0030325.exe"
Mon 28 Jan 2008     5,146,448 A.SH. --- "C:\System Volume Information\_restore{2D6BAA92-BED3-4881-B1F1-F2C29C6B8B9E}\RP51\A0030327.exe"
Mon 28 Jan 2008     1,404,240 A.SH. --- "C:\System Volume Information\_restore{2D6BAA92-BED3-4881-B1F1-F2C29C6B8B9E}\RP51\A0030332.exe"
Mon 10 Mar 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistributionOld\Download\f1d01f188c8132c12d35c3222b7723a4\BIT2.tmp"
Wed  7 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05030212059e1b9876d47b8cf2fa5e95\BIT1.tmp"
Wed 19 Mar 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1d01f188c8132c12d35c3222b7723a4\BIT2.tmp"
Thu 15 Nov 2007         4,348 ...H. --- "C:\Documents and Settings\Właściciel\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak"
Thu 15 Nov 2007           401 A..H. --- "C:\Documents and Settings\Właściciel\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak"
Sun  5 Aug 2007           312 A.SH. --- "C:\Documents and Settings\Właściciel\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak"
Wed 20 Jun 2007       262,144 A..H. --- "C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"
Wed 20 Jun 2007       262,144 A..H. --- "C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"
Tue 31 Jul 2007       262,144 A..H. --- "C:\Documents and Settings\Właściciel\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"

Finished!

and the files have been deleted