morawcik89

Self-Opening Browser and a Routine Check-up


It's time for a system check-up, although a few problems have also come up.

1. Pop-up windows (adverts, you could say) in Mozilla Firefox

2. After every scan with Spyware Doctor (despite using 'fix') the same 'threats' are still there (or even more of them):

- Application.TrackingCookies
- Adware.Advertising
- Hijacker.Affiliated_with_Browser_Hijackers
- Spyware.Rogue_Anti-Spyware_Products
- Spyware.Known_Bad_Sites
- Application.NirCmd
- Dialer.Instant_Access
- Trojan.Generic

3. Avira AntiVir Personal and Dr. Web detect nothing.

4. Logs:

ComboFix:
ComboFix 08-05-15.3 - Rafal 2008-05-17 9:47:46.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.190 [GMT 2:00]

Running from: C:\Documents and Settings\Rafal\Pulpit\logi\CF\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox

C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\InternetGameBox.lnk

C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Privacy Policy.url

C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Terms and Conditions.url

C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Uninstall.lnk

C:\Documents and Settings\All Users\Menu Start\Programy\InternetGameBox\Website.url

C:\Documents and Settings\All Users\Pulpit\internetgamebox.lnk

C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\hhlpyvwr.dat

c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe

C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\hhlpyvwr_nav.dat

C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\hhlpyvwr_navps.dat

C:\WINDOWS\system32\dqnzxzae.dat

C:\WINDOWS\system32\dqnzxzae.exe

C:\WINDOWS\system32\dqnzxzae_nav.dat

C:\WINDOWS\system32\dqnzxzae_navps.dat

C:\WINDOWS\system32\hhlpyvwr.dat

C:\WINDOWS\system32\hhlpyvwr.exe

C:\WINDOWS\system32\hhlpyvwr_nav.dat

C:\WINDOWS\system32\hhlpyvwr_navps.dat

C:\WINDOWS\system32\nvs2.inf

 

.

((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))

.

 

2008-05-16 19:52 . 2008-05-16 19:52 <DIR> d-------- C:\Program Files\Ashampoo

2008-05-16 18:37 . 2008-05-17 08:37 <DIR> d-------- C:\Documents and Settings\Rafal\DoctorWeb

2008-05-16 18:34 . 2008-05-16 18:34 77,824 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL

2008-05-16 18:33 . 2008-05-16 18:33 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\InstallShield

2008-05-16 17:34 . 2008-05-16 17:34 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE

2008-05-15 16:27 . 2008-05-15 16:28 <DIR> d-------- C:\Documents and Settings\Rafal\.mysqlcc

2008-05-15 16:23 . 2007-06-19 21:52 419,840 --a------ C:\WINDOWS\system32\ws_edit.lib

2008-05-15 16:23 . 2006-08-17 22:37 130,048 --a------ C:\WINDOWS\system32\webserv.cpl

2008-05-10 20:37 . 2008-05-10 20:51 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Moyea

2008-05-09 17:48 . 2008-05-09 17:51 <DIR> d-------- C:\Program Files\Porno Links XP

2008-05-09 15:36 . 2008-05-09 15:36 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Subversion

2008-05-09 14:10 . 2008-05-09 17:07 <DIR> d-------- C:\Documents and Settings\Rafal\workspace

2008-05-08 10:51 . 2008-05-08 10:54 <DIR> d-------- C:\Documents and Settings\Rafal\.gimp-2.2

2008-05-08 10:46 . 2008-05-08 10:47 <DIR> d-------- C:\Program Files\GIMPshop

2008-05-08 10:45 . 2008-05-08 10:46 <DIR> d-------- C:\Program Files\Powerbullet

2008-05-07 20:32 . 2008-05-07 20:32 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Teleca

2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Adobe Systems

2008-05-06 19:47 . 2008-05-06 19:53 <DIR> d-------- C:\Documents and Settings\Właściciel\.gimp-2.4

2008-05-06 19:47 . 2008-05-06 19:53 <DIR> d-------- C:\Documents and Settings\Właściciel\.gimp-2.4

2008-05-05 14:12 . 2008-05-05 14:12 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP

2008-05-05 10:04 . 2008-05-05 14:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-05-05 10:04 . 2008-05-05 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\Program Files\Lavasoft

2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-05 10:02 . 2008-05-05 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2008-04-29 17:37 . 2008-04-29 17:37 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Media Player Classic

2008-04-29 17:37 . 2008-04-29 17:37 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\DivX

2008-04-29 17:36 . 2008-04-29 17:38 <DIR> d-------- C:\Program Files\Mobile Video Converter

2008-04-25 16:13 . 2008-04-25 16:13 <DIR> d-------- C:\Documents and Settings\Rafal\.thumbnails

2008-04-24 20:24 . 2008-04-24 20:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-04-24 20:24 . 2008-04-24 20:24 1,409 --a------ C:\WINDOWS\QTFont.for

2008-04-19 18:38 . 2008-04-19 19:43 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\BESTplayer

2008-04-19 17:21 . 2008-04-25 18:58 <DIR> d-------- C:\Documents and Settings\Rafal\.gimp-2.4

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-17 07:42 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Orbit

2008-05-17 06:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Google Updater

2008-05-16 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-16 16:34 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-05-16 10:44 --------- d-----w C:\Program Files\Spyware Doctor

2008-05-15 14:23 --------- d-----w C:\Program Files\WebServ

2008-05-14 16:46 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\FileZilla

2008-05-13 16:48 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\MEGAUPLOADTOOLBAR

2008-05-06 18:28 --------- d-----w C:\Documents and Settings\Właściciel\Dane aplikacji\MegauploadToolbar

2008-05-06 18:24 --------- d-----w C:\Program Files\Common Files\Adobe

2008-05-05 08:07 --------- d-----w C:\Program Files\Smarty Uninstaller Pro

2008-04-29 15:36 --------- d-----w C:\Program Files\Opera

2008-04-25 13:31 --------- d-----w C:\Program Files\Macromedia

2008-04-25 13:27 --------- d-----w C:\Program Files\Common Files\Macromedia

2008-04-23 13:08 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR

2008-04-10 13:05 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Orbit

2008-04-06 18:07 --------- d-----w C:\Program Files\Microsoft.NET

2008-04-06 18:07 --------- d-----w C:\Program Files\Microsoft Works

2008-04-06 14:40 --------- d-----w C:\Program Files\MegauploadToolbar

2008-04-05 17:32 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Winamp

2008-04-05 14:19 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Notepad++

2008-04-05 13:53 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\XnView

2008-04-05 12:07 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Gadu-Gadu

2008-04-05 09:36 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\PC Tools

2008-04-05 09:29 --------- d-----w C:\Program Files\Google

2008-04-05 09:05 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Talkback

2008-04-05 08:29 720,896 ----a-w C:\WINDOWS\iun6002.exe

2008-04-05 07:24 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll

2008-04-05 07:05 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Gadu-Gadu

2008-04-05 06:55 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Winamp

2008-04-05 06:35 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Talkback

2008-04-04 18:43 --------- d-----w C:\Program Files\Mozilla Firefox(3)

2008-04-04 18:22 --------- d-----w C:\Program Files\mIRC

2008-04-04 15:49 --------- d-----w C:\Documents and Settings\Właściciel\Dane aplikacji\Orbit

2008-04-04 12:38 --------- d-----w C:\Documents and Settings\Właściciel\Dane aplikacji\FileZilla

2008-04-01 13:33 --------- d-----w C:\Documents and Settings\Właściciel\Dane aplikacji\magsgridroad

2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-23 11:47 --------- d-----w C:\Documents and Settings\Właściciel\Dane aplikacji\OpenOffice.org2

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-19 19:13 --------- d-----w C:\Program Files\DivX

2008-03-19 15:48 --------- d-----w C:\Program Files\CCleaner

2008-03-19 13:43 --------- d-----w C:\Program Files\Java

2008-03-18 16:29 --------- d-----w C:\Program Files\MSXML 4.0

2008-03-09 09:19 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-06 18:47 32 ----a-r C:\Documents and Settings\All Users\hash.dat

2007-09-25 17:36 102,352 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat

2007-09-19 11:55 766 ----a-w C:\Program Files\Common Files\sms.ico

2007-09-19 11:55 70 ----a-w C:\Program Files\Common Files\moje.js

2001-11-23 07:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AntyVir"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 10:33 262401]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

 

C:\Documents and Settings\Waciciel\Menu Start\Programy\Autostart\

Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

"msacm.l3fhg"= mp3fhg.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.i263"= i263_32.drv

"VIDC.YV12"= yv12vfw.dll

"msacm.ac3filter"= ac3filter.acm

"msacm.divxa32"= divxa32.acm

"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"z:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"z:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe"=

"C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe"=

"C:\\Program Files\\Gadu-Gadu\\gg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe"=

"Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=

"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe"=

 

Paused2 SPIDERNT;SpIDer Guard for Windows;z:\PROGRA~1\DrWeb\spidernt.exe [2008-03-31 15:33]

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-07-03 16:47]

R2 SPIDER;SpIDer Guard File System Monitor;z:\PROGRA~1\DrWeb\spider.sys [2008-03-31 15:33]

S3 ddsxeiservice;ddsxeiservice2;Z:\Program Files\sXe Injected\ddsxei.sys []

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-09-17 21:05]

S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-09-17 21:05]

S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-09-17 21:05]

S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-09-17 21:05]

S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-09-17 21:05]

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-09 05:26]

S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []

S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

S3 VNICPKT5;VNICPKT5 Protocol Driver;C:\WINDOWS\system32\VNICPKT5.SYS [2002-08-15 21:30]

 

*Newly Created Service* - CATCHME

*Newly Created Service* - SPIDER

*Newly Created Service* - SPIDERNT

.

Contents of the 'Scheduled Tasks' folder

"2008-05-16 17:12:01 C:\WINDOWS\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-17 09:50:01

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-05-17 9:51:14

ComboFix-quarantined-files.txt 2008-05-17 07:50:50

 

Pre-Run: 41,909,784,576 bajtów wolnych

Post-Run: 42,025,713,664 bajtów wolnych

 

196 --- E O F --- 2008-05-16 05:28:05

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:43:11, on 2008-05-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

z:\PROGRA~1\DrWeb\spidernt.exe

z:\Program Files\DrWeb\spiderui.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

Z:\Program Files\DrWeb\spiderml.exe

Z:\Program Files\DrWeb\DRWEBSCD.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Rafal\Pulpit\logi\HJT\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - z:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [AntyVir] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [hhlpyvwr] c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe hhlpyvwr

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Wyslij SMS'a - {215940F1-E7E0-4801-BEE3-44D045534106} - C:\Program Files\Common Files\moje.js

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - z:\PROGRA~1\DrWeb\spidernt.exe

 

--

End of file - 6199 bytes

Silent Runners:
"Silent Runners.vbs", revision 57, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"hhlpyvwr" = "c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe hhlpyvwr" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"AntyVir" = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" ["Avira GmbH"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com"

-> {HKLM...CLSID} = "Octh Class"

\InProcServer32\(Default) = "z:\Program Files\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Megaupload Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

{ADECBED6-0366-4377-A739-E69DFBA04663}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Catcher Class"

\InProcServer32\(Default) = "Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll" ["Moyea Software Co., Ltd."]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"

\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

-> {HKLM...CLSID} = "History Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"

-> {HKLM...CLSID} = "Sony Ericsson File Manager"

\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{e7593602-124b-47c9-9f73-a69308edc973}" = "Shell Extension for DrWeb"

-> {HKLM...CLSID} = "Shell Extension for DrWeb"

\InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]

DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"

-> {HKLM...CLSID} = "Shell Extension for DrWeb"

\InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"

-> {HKLM...CLSID} = "Notepad++"

\InProcServer32\(Default) = "z:\Program Files\Notepad++\nppcm.dll" ["Burgaud.com"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"

-> {HKLM...CLSID} = "Shell Extension for DrWeb"

\InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Group Policies {policy setting}:

--------------------------------

 

Note: detected settings may not have any effect.

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

AVSDVDMovieOnArrival\

"Provider" = "AVS DVD Player"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithAVSDVDPlayer"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithAVSDVDPlayer\Command\(Default) = ""C:\Program Files\AVSMedia\DVDPlayer\AVSDVDPlayer.EXE" "%L"" ["Online Media Technologies Ltd."]

 

MPCPlayCDAudioOnArrival\

"Provider" = "Media Player Classi"

"InvokeProgID" = "MPC.CDAudio"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\MPC.CDAudio\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /cd" ["Gabest"]

 

MPCPlayDVDMovieOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MPC.DVDMovie"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\MPC.DVDMovie\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /dvd" ["Gabest"]

 

NeroAutoPlay7VideoCapture\

"Provider" = "Nero Vision"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

 

WinampMTPHandler\

"Provider" = "Winamp"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

 

WinampPlayMediaOnArrival\

"Provider" = "Winamp"

"InvokeProgID" = "Winamp.File"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]

 

 

Enabled Scheduled Tasks:

------------------------

 

"HP Usg Daily" -> launches: "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe" [empty string]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\DRWEBSP.DLL ["Doctor Web, Ltd."], 01 - 05, 22

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{F2CF5485-4E02-4F68-819C-B92DE9277049}"

-> {HKLM...CLSID} = "&Links"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

-> {HKLM...CLSID} = "Megaupload Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)

-> {HKLM...CLSID} = "Megaupload Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

 

{215940F1-E7E0-4801-BEE3-44D045534106}\

"ButtonText" = "Wyslij SMS'a"

"Script" = "C:\Program Files\Common Files\moje.js" [null data]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"

 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<<H>> "Tabs" = "C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR\tabwelcome.html" [file not found]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]

AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ""C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]

Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

SpIDer Guard for Windows, SPIDERNT, "z:\PROGRA~1\DrWeb\spidernt.exe" ["Doctor Web, Ltd."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

---------- (launch time: 2008-05-17 09:44:32)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 87 seconds.

---------- (total run time: 125 seconds)

Edited by morawcik89


In HijackThis, check and remove:

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

 

 

I don't know which program the key below belongs to, but I don't like its name - check whether you actually use it, and if not, throw that one out too 8O

O4 - HKCU\..\Run: [hhlpyvwr] c:\documents and settings\rafal\ustawienia lokalne\dane aplikacji\hhlpyvwr.exe hhlpyvwr


Here are the new logs:

» Click to show/hide text marked as spoiler « - "ComboFix"
ComboFix 08-05-15.3 - Rafal 2008-05-17 12:51:37.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.238 [GMT 2:00]

Running from: C:\Documents and Settings\Rafal\Pulpit\logi\CF\ComboFix.exe

Command switches used :: C:\Documents and Settings\Rafal\Pulpit\logi\CF\CFScript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE ::

C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP

.

 

((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))

.

 

2008-05-16 19:52 . 2008-05-16 19:52 <DIR> d-------- C:\Program Files\Ashampoo

2008-05-16 18:37 . 2008-05-17 08:37 <DIR> d-------- C:\Documents and Settings\Rafal\DoctorWeb

2008-05-16 18:34 . 2008-05-16 18:34 77,824 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL

2008-05-16 18:33 . 2008-05-16 18:33 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\InstallShield

2008-05-16 17:34 . 2008-05-16 17:34 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE

2008-05-15 16:27 . 2008-05-15 16:28 <DIR> d-------- C:\Documents and Settings\Rafal\.mysqlcc

2008-05-15 16:23 . 2007-06-19 21:52 419,840 --a------ C:\WINDOWS\system32\ws_edit.lib

2008-05-15 16:23 . 2006-08-17 22:37 130,048 --a------ C:\WINDOWS\system32\webserv.cpl

2008-05-10 20:37 . 2008-05-10 20:51 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Moyea

2008-05-09 17:48 . 2008-05-09 17:51 <DIR> d-------- C:\Program Files\Porno Links XP

2008-05-09 15:36 . 2008-05-09 15:36 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Subversion

2008-05-09 14:10 . 2008-05-09 17:07 <DIR> d-------- C:\Documents and Settings\Rafal\workspace

2008-05-08 10:51 . 2008-05-08 10:54 <DIR> d-------- C:\Documents and Settings\Rafal\.gimp-2.2

2008-05-08 10:46 . 2008-05-08 10:47 <DIR> d-------- C:\Program Files\GIMPshop

2008-05-08 10:45 . 2008-05-08 10:46 <DIR> d-------- C:\Program Files\Powerbullet

2008-05-07 20:32 . 2008-05-07 20:32 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Teleca

2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

2008-05-06 20:22 . 2008-05-06 20:22 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Adobe Systems

2008-05-05 14:12 . 2008-05-05 14:12 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP

2008-05-05 10:04 . 2008-05-05 14:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-05-05 10:04 . 2008-05-05 14:12 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy

2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\Program Files\Lavasoft

2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-05-05 10:02 . 2008-05-05 10:03 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft

2008-04-29 17:37 . 2008-04-29 17:37 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\Media Player Classic

2008-04-29 17:37 . 2008-04-29 17:37 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\DivX

2008-04-29 17:36 . 2008-04-29 17:38 <DIR> d-------- C:\Program Files\Mobile Video Converter

2008-04-25 16:13 . 2008-04-25 16:13 <DIR> d-------- C:\Documents and Settings\Rafal\.thumbnails

2008-04-24 20:24 . 2008-04-24 20:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-04-24 20:24 . 2008-04-24 20:24 1,409 --a------ C:\WINDOWS\QTFont.for

2008-04-19 18:38 . 2008-04-19 19:43 <DIR> d-------- C:\Documents and Settings\Rafal\Dane aplikacji\BESTplayer

2008-04-19 17:21 . 2008-04-25 18:58 <DIR> d-------- C:\Documents and Settings\Rafal\.gimp-2.4

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-17 10:56 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP

2008-05-17 10:49 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Orbit

2008-05-17 06:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Google Updater

2008-05-16 16:34 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-05-16 10:44 --------- d-----w C:\Program Files\Spyware Doctor

2008-05-15 14:23 --------- d-----w C:\Program Files\WebServ

2008-05-14 16:46 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\FileZilla

2008-05-13 16:48 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\MEGAUPLOADTOOLBAR

2008-05-06 18:24 --------- d-----w C:\Program Files\Common Files\Adobe

2008-05-05 08:07 --------- d-----w C:\Program Files\Smarty Uninstaller Pro

2008-04-29 15:36 --------- d-----w C:\Program Files\Opera

2008-04-25 13:31 --------- d-----w C:\Program Files\Macromedia

2008-04-25 13:27 --------- d-----w C:\Program Files\Common Files\Macromedia

2008-04-23 13:08 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR

2008-04-10 13:05 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Orbit

2008-04-06 18:07 --------- d-----w C:\Program Files\Microsoft.NET

2008-04-06 18:07 --------- d-----w C:\Program Files\Microsoft Works

2008-04-06 14:40 --------- d-----w C:\Program Files\MegauploadToolbar

2008-04-05 17:32 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Winamp

2008-04-05 14:19 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Notepad++

2008-04-05 13:53 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\XnView

2008-04-05 12:07 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Gadu-Gadu

2008-04-05 09:36 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\PC Tools

2008-04-05 09:29 --------- d-----w C:\Program Files\Google

2008-04-05 09:05 --------- d-----w C:\Documents and Settings\Ewelina\Dane aplikacji\Talkback

2008-04-05 08:29 720,896 ----a-w C:\WINDOWS\iun6002.exe

2008-04-05 07:24 219,648 ----a-w C:\WINDOWS\system32\uxtheme.dll

2008-04-05 07:05 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Gadu-Gadu

2008-04-05 06:55 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Winamp

2008-04-05 06:35 --------- d-----w C:\Documents and Settings\Rafal\Dane aplikacji\Talkback

2008-04-04 18:43 --------- d-----w C:\Program Files\Mozilla Firefox(3)

2008-04-04 18:22 --------- d-----w C:\Program Files\mIRC

2008-03-25 04:52 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll

2008-03-25 04:52 178,976 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-20 08:09 1,845,504 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-19 19:13 --------- d-----w C:\Program Files\DivX

2008-03-19 15:48 --------- d-----w C:\Program Files\CCleaner

2008-03-19 13:43 --------- d-----w C:\Program Files\Java

2008-03-18 16:29 --------- d-----w C:\Program Files\MSXML 4.0

2008-03-09 09:19 3,584 --sha-w C:\Program Files\Common Files\Thumbs.db

2008-03-01 13:02 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

2008-02-21 02:05 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll

2008-02-21 02:05 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll

2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll

2008-02-20 05:38 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll

2008-02-06 18:47 32 ----a-r C:\Documents and Settings\All Users\hash.dat

2007-09-25 17:36 102,352 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\firstlsp.reg.dat

2007-09-19 11:55 766 ----a-w C:\Program Files\Common Files\sms.ico

2007-09-19 11:55 70 ----a-w C:\Program Files\Common Files\moje.js

2001-11-23 07:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00 15360]

"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-05-10 16:36 2111176]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AntyVir"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-17 10:33 262401]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 13:22 7700480]

"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 12:55 1103240]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.I420"= i420vfw.dll

"msacm.l3fhg"= mp3fhg.acm

"VIDC.X264"= x264vfw.dll

"VIDC.HFYU"= huffyuv.dll

"vidc.i263"= i263_32.drv

"VIDC.YV12"= yv12vfw.dll

"msacm.ac3filter"= ac3filter.acm

"msacm.divxa32"= divxa32.acm

"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"z:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"z:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe"=

"C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe"=

"C:\\Program Files\\Gadu-Gadu\\gg.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe"=

"Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"=

"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe"=

 

R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-07-03 16:47]

R2 SPIDER;SpIDer Guard File System Monitor;z:\PROGRA~1\DrWeb\spider.sys [2008-03-31 15:33]

R2 SPIDERNT;SpIDer Guard for Windows;z:\PROGRA~1\DrWeb\spidernt.exe [2008-03-31 15:33]

S3 ddsxeiservice;ddsxeiservice2;Z:\Program Files\sXe Injected\ddsxei.sys []

S3 k510bus;Sony Ericsson K510 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\k510bus.sys [2007-09-17 21:05]

S3 k510mdfl;Sony Ericsson K510 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\k510mdfl.sys [2007-09-17 21:05]

S3 k510mdm;Sony Ericsson K510 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\k510mdm.sys [2007-09-17 21:05]

S3 k510mgmt;Sony Ericsson K510 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\k510mgmt.sys [2007-09-17 21:05]

S3 k510obex;Sony Ericsson K510 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\k510obex.sys [2007-09-17 21:05]

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-09 05:26]

S3 PavSRK.sys;PavSRK.sys;C:\WINDOWS\system32\PavSRK.sys []

S3 PavTPK.sys;PavTPK.sys;C:\WINDOWS\system32\PavTPK.sys []

S3 VNICPKT5;VNICPKT5 Protocol Driver;C:\WINDOWS\system32\VNICPKT5.SYS [2002-08-15 21:30]

 

.

Contents of the 'Scheduled Tasks' folder

"2008-05-17 09:12:01 C:\WINDOWS\Tasks\HP Usg Daily.job"

- C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe

.

**************************************************************************

 

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-17 12:56:11

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

detected NTDLL code modification:

ZwClose

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\system32\verclsid.exe

.

**************************************************************************

.

Completion time: 2008-05-17 13:00:33 - machine was rebooted

ComboFix-quarantined-files.txt 2008-05-17 11:00:26

ComboFix2.txt 2008-05-17 07:51:14

 

Pre-Run: 41,916,665,856 bajtów wolnych

Post-Run: 41,914,310,656 bajtów wolnych

 

181 --- E O F --- 2008-05-16 05:28:05

» Click to show/hide text marked as spoiler « - "HiJackThis"
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:40, on 2008-05-17

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

z:\PROGRA~1\DrWeb\spidernt.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Rafal\Pulpit\logi\HJT\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - z:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [AntyVir] C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Wyslij SMS'a - {215940F1-E7E0-4801-BEE3-44D045534106} - C:\Program Files\Common Files\moje.js

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe

O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe

O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - z:\PROGRA~1\DrWeb\spidernt.exe

 

--

End of file - 6171 bytes

» Click to show/hide text marked as spoiler « - "SilentRunner"
"Silent Runners.vbs", revision 57, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"AntyVir" = "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" ["Avira GmbH"]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"ISTray" = ""C:\Program Files\Spyware Doctor\pctsTray.exe"" ["PC Tools"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{000123B4-9B42-4900-B3F7-F4B073EFC214}\(Default) = "btorbit.com"

-> {HKLM...CLSID} = "Octh Class"

\InProcServer32\(Default) = "z:\Program Files\Orbitdownloader\orbitcth.dll" ["Orbitdownloader.com"]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Megaupload Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

{ADECBED6-0366-4377-A739-E69DFBA04663}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Catcher Class"

\InProcServer32\(Default) = "Z:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll" ["Moyea Software Co., Ltd."]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Google Toolbar Notifier BHO"

\InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll" ["Google Inc."]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

-> {HKLM...CLSID} = "History Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "Sony Ericsson File Manager"

-> {HKLM...CLSID} = "Sony Ericsson File Manager"

\InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll" ["Sony Ericsson Mobile Communications AB"]

"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{e7593602-124b-47c9-9f73-a69308edc973}" = "Shell Extension for DrWeb"

-> {HKLM...CLSID} = "Shell Extension for DrWeb"

\InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]

DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"

-> {HKLM...CLSID} = "Shell Extension for DrWeb"

\InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"

-> {HKLM...CLSID} = "Notepad++"

\InProcServer32\(Default) = "z:\Program Files\Notepad++\nppcm.dll" ["Burgaud.com"]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

DrWMenuHandlers\(Default) = "{e7593602-124b-47c9-9f73-a69308edc973}"

-> {HKLM...CLSID} = "Shell Extension for DrWeb"

\InProcServer32\(Default) = "z:\Program Files\DrWeb\drwsxtn.dll" ["Doctor Web, Ltd."]

Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"

-> {HKLM...CLSID} = "Shell Extension for Malware scanning"

\InProcServer32\(Default) = "C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

 

 

Group Policies {policy setting}:

--------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Devices: Allow undock without having to log on}

 

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HideStartupScripts" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Rafal\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

AVSDVDMovieOnArrival\

"Provider" = "AVS DVD Player"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithAVSDVDPlayer"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithAVSDVDPlayer\Command\(Default) = ""C:\Program Files\AVSMedia\DVDPlayer\AVSDVDPlayer.EXE" "%L"" ["Online Media Technologies Ltd."]

 

MPCPlayCDAudioOnArrival\

"Provider" = "Media Player Classi"

"InvokeProgID" = "MPC.CDAudio"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\MPC.CDAudio\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /cd" ["Gabest"]

 

MPCPlayDVDMovieOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MPC.DVDMovie"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\MPC.DVDMovie\shell\play\command\(Default) = ""z:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /dvd" ["Gabest"]

 

NeroAutoPlay7VideoCapture\

"Provider" = "Nero Vision"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\Nero\Nero 7\Nero Vision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

 

WinampMTPHandler\

"Provider" = "Winamp"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

 

WinampPlayMediaOnArrival\

"Provider" = "Winamp"

"InvokeProgID" = "Winamp.File"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]

 

 

Enabled Scheduled Tasks:

------------------------

 

"HP Usg Daily" -> launches: "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe" [empty string]

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINDOWS\system32\DRWEBSP.DLL ["Doctor Web, Ltd."], 01 - 05, 22

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Toolbars

 

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{F2CF5485-4E02-4F68-819C-B92DE9277049}"

-> {HKLM...CLSID} = "&Links"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"

-> {HKLM...CLSID} = "Megaupload Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)

-> {HKLM...CLSID} = "Megaupload Toolbar"

\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MEGAUPLOAD "]

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

 

{215940F1-E7E0-4801-BEE3-44D045534106}\

"ButtonText" = "Wyslij SMS'a"

"Script" = "C:\Program Files\Common Files\moje.js" [null data]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"

 

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Miscellaneous IE Hijack Points

------------------------------

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<<H>> "Tabs" = "C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR\tabwelcome.html" [file not found]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

AntiVir PersonalEdition Classic Guard, AntiVirService, ""C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]

AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ""C:\Program Files\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]

Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\pctsAuxs.exe" ["PC Tools"]

PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\pctsSvc.exe" ["PC Tools"]

SpIDer Guard for Windows, SPIDERNT, "z:\PROGRA~1\DrWeb\spidernt.exe" ["Doctor Web, Ltd."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

 

 

---------- (launch time: 2008-05-17 18:41:24)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 86 seconds.

---------- (total run time: 132 seconds)

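The Silent Runners listing above is long, and the interesting entries are easy to miss among the legitimate Office, NVIDIA and OpenOffice handlers. The following added example (written for this page, not part of the original post and not a Silent Runners component) shows how a responder would mechanically triage such a listing: it flags the tool's own `<<!>>` and `<<H>>` markers, entries whose target is `[file not found]`, binaries that carry no company or version data (`[null data]`, `[empty string]`), launch points that run a script file instead of a binary, and, as low-priority information only, targets on a drive other than the system drive. The sample lines are copied from the listing above; the non-system-drive heuristic is an assumption made here (on this machine `z:` is simply the user's second program drive), which is why it is reported as `info` rather than as a finding.

```python
"""Triage helper for Silent Runners-style autostart listings (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines copied from the listing on this page, including
# two clean Microsoft/NVIDIA entries that should produce no finding.
SAMPLE_LOG = r"""
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
\InProcServer32\(Default) = "z:\Program Files\7-Zip\7-zip.dll" [file not found]
"Script" = "C:\Program Files\Common Files\moje.js" [null data]
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
<<H>> "Tabs" = "C:\Documents and Settings\Ewelina\Dane aplikacji\MEGAUPLOADTOOLBAR\tabwelcome.html" [file not found]
"HP Usg Daily" -> launches: "C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\pexpress\hphped05.exe" [empty string]
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"""

PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]*)"')      # first quoted drive-letter path on the line
TAG_RE = re.compile(r'\[([^\]]*)\]\s*$')            # trailing [MS] / ["Company"] / [file not found] tag
MARKER_RE = re.compile(r'^<<(!|H)>>')               # Silent Runners' own suspicious-data markers
SCRIPT_EXT = (".js", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".hta")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    reason: str
    line: str


def triage_line(line: str, system_drive: str = "C") -> list[Finding]:
    """Return the findings for one listing line (empty list if it looks benign)."""
    line = line.strip()
    findings: list[Finding] = []

    marker = MARKER_RE.match(line)
    if marker:
        where = "malware launch point" if marker.group(1) == "!" else "browser hijack point"
        findings.append(Finding("high", f"tool flagged suspicious data at a {where}", line))

    tag = TAG_RE.search(line)
    tag_text = tag.group(1).strip('"') if tag else ""
    if tag_text == "file not found":
        findings.append(Finding("medium", "launch point references a file that no longer exists", line))
    elif tag_text in ("null data", "empty string"):
        findings.append(Finding("medium", "target binary carries no company/version information", line))

    path = PATH_RE.search(line)
    if path:
        target = path.group(1)
        if target[0].upper() != system_drive.upper():
            # Assumption made in this example: worth a look, not evidence by itself.
            findings.append(Finding("info", f"launch point on non-system drive {target[:2]}", line))
        if target.lower().endswith(SCRIPT_EXT):
            findings.append(Finding("high", "launch point executes a script file rather than a binary", line))
    return findings


def triage(text: str, system_drive: str = "C") -> list[Finding]:
    """Triage a whole listing; blank lines are skipped."""
    out: list[Finding] = []
    for raw in text.splitlines():
        if raw.strip():
            out.extend(triage_line(raw, system_drive))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity, e.g. {'high': 3, 'medium': 5, 'info': 1}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the two things a reviewer of this thread should look at first come out on top: the `Wyslij SMS'a` IE button whose `"Script"` value runs an unsigned `moje.js` from `Common Files`, and the `<<H>>` `AboutURLs\Tabs` entry left behind by the Megaupload toolbar. The Office and NVIDIA handlers produce nothing, and the `z:` 7-Zip and Dr.Web entries are reported only as dangling or informational, which matches the rest of the log (the user keeps programs on `z:`).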

Spyware Doctor still detects:

- Adware.Advertising

- Hijacker.Affiliated_with_Browser_Hijackers

- Spyware.Rogue_Anti-Spyware_Products

- Spyware.Known_Bad_Sites

- Trojan.Generic

 

Report:

SDFix: Version 1.183

Run by Administrator on 2008-05-17 at 15:16

 

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

No Trojan Files Found

 

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-17 15:24:00

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

detected NTDLL code modification:

ZwClose

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:72,48,28,9a,cf,a2,bb,66,1a,ff,d8,08,b1,bb,47,6c,06,67,f7,77,3d,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,54,84,06,37,15,f3,44,fa,b4,a9,24,6b,28,8f,f7,2e,3a,..

"khjeh"=hex:fc,62,b8,2e,74,76,85,fa,8f,27,cf,8a,12,0f,a0,19,8c,ca,56,de,37,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:94,0e,9d,77,4e,dd,27,68,af,1c,be,ad,07,ea,af,ca,ca,9b,a7,b8,b3,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:8d,a1,2a,c8,2d,ed,5b,60,5b,fb,d2,29,a7,e5,c1,98,f1,6f,63,34,7c,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:72,48,28,9a,cf,a2,bb,66,1a,ff,d8,08,b1,bb,47,6c,06,67,f7,77,3d,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,54,84,06,37,15,f3,44,fa,b4,a9,24,6b,28,8f,f7,2e,3a,..

"khjeh"=hex:fc,62,b8,2e,74,76,85,fa,8f,27,cf,8a,12,0f,a0,19,8c,ca,56,de,37,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:94,0e,9d,77,4e,dd,27,68,af,1c,be,ad,07,ea,af,ca,ca,9b,a7,b8,b3,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]

"khjeh"=hex:8d,a1,2a,c8,2d,ed,5b,60,5b,fb,d2,29,a7,e5,c1,98,f1,6f,63,34,7c,..

 

scanning hidden registry entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"z:\\Program Files\\Orbitdownloader\\orbitdm.exe"="z:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"

"z:\\Program Files\\Orbitdownloader\\orbitnet.exe"="z:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"

"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe"="C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld-nt).exe:*:Enabled:WebServ(mysqld-nt)"

"C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe"="C:\\Program Files\\WebServ\\apache2\\bin\\WebServ(apache).exe:*:Enabled:Apache HTTP Server"

"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe"="C:\\Program Files\\WebServ\\ftp\\WebServ(ftp).exe:*:Enabled:WebServ(ftp)"

"Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe"="Z:\\Program Files\\GIMP-2.0\\lib\\gimp\\2.0\\plug-ins\\script-fu.exe:*:Enabled:script-fu"

"C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe"="C:\\Program Files\\WebServ\\mysql\\bin\\WebServ(mysqld).exe:*:Enabled:WebServ(mysqld)"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Tue 31 Jul 2007 262,144 A..H. --- "C:\Documents and Settings\LocalService\NTUSER.bak"

Tue 31 Jul 2007 229,376 A..H. --- "C:\Documents and Settings\NetworkService\NTUSER.bak"

Tue 31 Jul 2007 3,670,016 A..H. --- "C:\Documents and Settings\Właściciel\NTUSER.bak"

Thu 15 Nov 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Thu 15 Nov 2007 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"

Mon 28 Jan 2008 2,097,488 A.SH. --- "C:\System Volume Information\_restore{2D6BAA92-BED3-4881-B1F1-F2C29C6B8B9E}\RP51\A0030325.exe"

Mon 28 Jan 2008 5,146,448 A.SH. --- "C:\System Volume Information\_restore{2D6BAA92-BED3-4881-B1F1-F2C29C6B8B9E}\RP51\A0030327.exe"

Mon 28 Jan 2008 1,404,240 A.SH. --- "C:\System Volume Information\_restore{2D6BAA92-BED3-4881-B1F1-F2C29C6B8B9E}\RP51\A0030332.exe"

Mon 10 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistributionOld\Download\f1d01f188c8132c12d35c3222b7723a4\BIT2.tmp"

Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05030212059e1b9876d47b8cf2fa5e95\BIT1.tmp"

Wed 19 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f1d01f188c8132c12d35c3222b7723a4\BIT2.tmp"

Thu 15 Nov 2007 4,348 ...H. --- "C:\Documents and Settings\Właściciel\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1key.bak"

Thu 15 Nov 2007 401 A..H. --- "C:\Documents and Settings\Właściciel\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv1lic.bak"

Sun 5 Aug 2007 312 A.SH. --- "C:\Documents and Settings\Właściciel\Moje dokumenty\Moja muzyka\Kopia zapasowa licencji\drmv2key.bak"

Wed 20 Jun 2007 262,144 A..H. --- "C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"

Wed 20 Jun 2007 262,144 A..H. --- "C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"

Tue 31 Jul 2007 262,144 A..H. --- "C:\Documents and Settings\Właściciel\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.bak"

 

Finished!

and the files have been deleted.


Guest
This topic has been closed. Replies can no longer be added.