Michrz

Request for a Log Check


Yesterday I started having strange problems with my computer. A friend was burning a disc at my place and plugged in his pendrive... and since then Explorer has been restarting non-stop. I scanned the computer with ArcaVir and Ad-Aware and nothing helped. ArcaVir threw out a number of trojans, but they keep re-creating themselves. I managed to take a dump with HijackThis; Silent Runners does create a file, but I don't know whether it is complete. Either way, I'm pasting the logs below.

 

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:52:08, on 2009-07-10
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
D:\PROGRAM FILES\PROCESSEXPLORER\PROCEXP.EXE
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [ABRegmon] D:\Program Files\ArcaBit\ArcaVir\ABregmon.exe
O4 - HKLM\..\Run: [AvMenu] D:\Program Files\ArcaBit\ArcaVir\AVMenu.exe
O4 - HKLM\..\Run: [ArcaCheck] D:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: VirtuaWin.lnk = D:\Program Files\VirtuaWin\VirtuaWin.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O9 - Extra button: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - D:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll
O9 - Extra 'Tools' menuitem: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - D:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: Gladinet Side Panel - {A0BB3F12-4E51-4F7E-A7A2-6ADD8289C36B} - Shdocvw.dll (file missing)
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://ads1.msn.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://ad.thewitcher.com
O15 - ESC Trusted Zone: http://m.webtrends.com
O15 - ESC Trusted Zone: http://www.widzew.net
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.wp.pl
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://127.0.0.1
O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - D:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe
O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - D:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe
O23 - Service: ArcaBit.Core.Configurator - ArcaBit - D:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe
O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - D:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe
O23 - Service: ArcaBit Control (ArcaRemoteService) - Unknown owner - D:\Program Files\ArcaBit\ArcaAgent\ArcaRemoteSvc.exe
O23 - Service: ArcaBit Backup Service (AVBackup) - ArcaBit - D:\Program Files\ArcaBit\ArcaTools\arcabackup\ArcaBackupService.exe
O23 - Service: ArcaBit Tasks Service (AVTasks2) - ArcaBit - D:\PROGRA~1\ArcaBit\Common\ARCATA~1.EXE
O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - D:\PROGRA~1\ArcaBit\ARCAUP~1\update.exe
O23 - Service: FanSpeedNT Service - Unknown owner - D:\dwl\FanSpeed1_2_0\fanspeedNT.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NMSAccessU - Unknown owner - D:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 5635 bytes

 

And this is what came from Silent Runners:

[spoiler=log2]

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows Vista
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide"
"ZoneAlarm Client" = ""d:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Check Point Software Technologies LTD"]
"NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]
"RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"]
"Ad-Watch" = "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" ["Lavasoft"]
"ABRegmon" = "D:\Program Files\ArcaBit\ArcaVir\ABregmon.exe" ["ArcaBit"]
"AvMenu" = "D:\Program Files\ArcaBit\ArcaVir\AVMenu.exe" ["ArcaBit"]
"ArcaCheck" = "D:\Program Files\ArcaBit\ArcaVir\ArcaCheck.exe /startup" ["ArcaBit"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Malwarebytes' Anti-Malware" = "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent" ["Malwarebytes Corporation"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\(Default) = "Applying Enhanced Security Configuration"
                                      \StubPath   = "C:\Windows\system32\rundll32.exe iesetup.dll,IEHardenUser" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
                   \InProcServer32\(Default) = "D:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{4648F940-EFE3-4BAB-9211-3BE45CD5029D}" = "VSSShellExt"
  -> {HKLM...CLSID} = "VSSShellExt Class"
                   \InProcServer32\(Default) = "C:\Windows\system32\vssui.dll" [MS]
"{28F3AFB4-3232-4A69-AE48-03DC399B4C98}" = "VolAdvPageSHExt"
  -> {HKLM...CLSID} = "VolAdvPageSHExt Class"
                   \InProcServer32\(Default) = "C:\Windows\system32\volshext.dll" [MS]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "d:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Expression\Web 2\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{AB4F43CA-ADCD-4384-B9AF-3CECEA7D6544}" = "Web Sites"
  -> {HKLM...CLSID} = "Web Sites"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\12\BIN\FPNSE.DLL" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.ux.pl 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.ux.pl 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.ux.pl 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.ux.pl 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
  -> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
                   \InProcServer32\(Default) = "C:\Windows\System32\ieframe.dll" [MS]
"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134F-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351350-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{C5994560-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994561-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994562-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994563-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994564-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994565-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994566-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994567-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994568-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{CAE41CE0-1855-4985-A332-7D83704A45B6}" = "Gladinet Copy Handler"
  -> {HKLM...CLSID} = "'CopyHandler Class"
                   \InProcServer32\(Default) = "D:\Program Files\Gladinet\Gladinet Cloud Desktop\GlCopyHandler.dll" ["TODO: <Company name>"]
"{28803F59-3A75-4058-995F-4EE5503B023C}" = "Wireless Devices"
  -> {HKLM...CLSID} = "Bluetooth Devices"
                   \InProcServer32\(Default) = "C:\Windows\system32\FunctionDiscoveryFolder.dll" [MS]
"{9113A02D-00A3-46B9-BC5F-9C04DADDD5D7}" = "Enhanced Storage Data Source"
  -> {HKLM...CLSID} = "Enhanced Storage Data Source"
                   \InProcServer32\(Default) = "C:\Windows\system32\EhStorShell.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{D7824897-C8DC-49b4-B790-30F7ED16A5FD}" = "ArcaVir Shell Extension"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]
"{ABC70703-32AF-11d4-90C4-D483A70F4825}}" = "CMenuExtender by Revenger inc."
  -> {HKLM...CLSID} = "CMenuExtender by Revenger inc."
                   \InProcServer32\(Default) = "CMenuExtender by Revenger inc." [file not found]
"{ABC70703-32AF-11D4-90C4-D483A70F4825}" = "CMenuExtender by Revenger inc."
  -> {HKLM...CLSID} = "CMenuExtender by Revenger inc."
                   \InProcServer32\(Default) = "C:\Windows\system32\cmext.dll" ["Revenger inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Taskman" = "C:\RECYCLER\S-1-5-21-4491306500-6375264063-070290624-6764\winmap32.exe" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<<!>> "Notification Packages" = "scecli"|"RASSFM"

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.ux.pl 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "d:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]
CMenuExtender\(Default) = "{ABC70703-32AF-11D4-90C4-D483A70F4825}"
  -> {HKLM...CLSID} = "CMenuExtender by Revenger inc."
                   \InProcServer32\(Default) = "C:\Windows\system32\cmext.dll" ["Revenger inc."]
LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
  -> {HKLM...CLSID} = "Lavasoft Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" [null data]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
                   \InProcServer32\(Default) = "d:\Program Files\Notepad++\nppcm.dll" ["Burgaud.com"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "d:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
CMenuExtender\(Default) = "{ABC70703-32AF-11D4-90C4-D483A70F4825}"
  -> {HKLM...CLSID} = "CMenuExtender by Revenger inc."
                   \InProcServer32\(Default) = "C:\Windows\system32\cmext.dll" ["Revenger inc."]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
ArcaVirShell\(Default) = "{D7824897-C8DC-49b4-B790-30F7ED16A5FD}"
  -> {HKLM...CLSID} = "ArcaVir Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\ArcaBit\arcavir\avshell.dll" [null data]
LavasoftShellExt\(Default) = "{DCE027F7-16A4-4BEE-9BE7-74F80EE3738F}"
  -> {HKLM...CLSID} = "Lavasoft Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Lavasoft\Ad-Aware\ShellExt.dll" [null data]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Program Files\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "D:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes Corporation"]
Open With Gladinet\(Default) = "{81695C6B-C2CA-492F-951D-5469840B2098}"
  -> {HKLM...CLSID} = "ContextMenuHandler Class"
                   \InProcServer32\(Default) = "D:\Program Files\Gladinet\Gladinet Cloud Desktop\GladinetShellProxy.dll" ["Gladinet, INC"]
SimpleShlExt\(Default) = "{FCF358FC-8892-449e-A242-C78A98D59546}"
  -> {HKLM...CLSID} = "MediaShellImporter Class"
                   \InProcServer32\(Default) = "D:\Program Files\Microsoft Expression\Media 2\MediaShx.dll" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"ShowSuperHidden" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"BindDirectlyToPropertySetStorage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\
"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|Prevent access to the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode}
"ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Behavior Of The Elevation Prompt For Standard Users}
"EnableInstallerDetection" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Detect Application Installations And Prompt For Elevation}
"EnableLUA" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Run All Administrators In Admin Approval Mode}
"EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Only elevate UIAccess applications that are installed in secure locations}
"EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"EnableVirtualization" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Virtualize file and registry write failures to per-user locations}
"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Switch to the secure desktop when prompting for elevation}
"disablecad" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}
"FilterAdministratorToken" = (REG_DWORD) dword:0x00000000
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|User Account Control: Admin Approval Mode for the Built-in Administrator Account}
"verbosestatus" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Users\Michal\AppData\Roaming\Mozilla\Firefox\Tapeta pulpitu.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\Windows\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CDBurnerXP\
"Provider" = "CDBurnerXP"
"InvokeProgID" = "CDBurnerXPOpen"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CDBurnerXPOpen\shell\open\command\(Default) = ""D:\Program Files\CDBurnerXP\cdbxpp.exe"" [null data]

Microsoft.ExpressionMedia\
"Provider" = "Microsoft Expression Media 2"
"InvokeProgID" = "Microsoft.ExpressionMedia.AutoPlay"
"InvokeVerb" = "AutoPlay"
HKLM\SOFTWARE\Classes\Microsoft.ExpressionMedia.AutoPlay\shell\AutoPlay\Command\(Default) = "D:\Program Files\Microsoft Expression\Media 2\media.exe /autoplay-import %1" [MS]

MSEnhancedStorageHandler\
"Provider" = "@C:\Windows\system32\EhStorShell.dll,-108"
"ProgID" = "EhStorShell.AutoplayHandler"
"InitCmdLine" = "Authorize"
HKLM\SOFTWARE\Classes\EhStorShell.AutoplayHandler\CLSID\(Default) = "{36F54939-CD3B-4C73-92D5-F9A389ED631C}"
  -> {HKLM...CLSID} = "Enhanced Storage Autoplay Handler Class"
                   \InProcServer32\(Default) = "C:\Windows\system32\EhStorShell.dll" [MS]

Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa3"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "D:\Program Files\Google\Picasa3\Picasa3.exe "%1"" ["Google Inc."]

VLCPlayCDAudioOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.CDAudio\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file cdda://%1" ["the VideoLAN Team"]

VLCPlayDVDMovieOnArrival\
"Provider" = "VideoLAN VLC media player"
"InvokeProgID" = "VLC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\VLC.DVDMovie\shell\play\command\(Default) = ""C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file dvd://%1" ["the VideoLAN Team"]

WIA_{D3C020FD-57FF-4EAB-B69E-590A12DFB1EE}\
"Provider" = "Picasa3"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = "/WiaCmd;D:\Program Files\Google\Picasa3\Picasa3.exe /StiDevice:%1 /StiEvent:%2;"
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS]


Startup items in "Michal" & "All Users" startup folders:
--------------------------------------------------------

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
"VirtuaWin" -> shortcut to: "D:\Program Files\VirtuaWin\VirtuaWin.exe" ["VirtuaWin"]


Non-disabled Scheduled Tasks:
-----------------------------

C:\Windows\System32\Tasks
"Ad-Aware Update (Weekly)" ->  launches: "C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe update all silent" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client
"AD RMS Rights Policy Template Management (Manual)" ->  launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}"
  -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth
"UninstallDeviceTask" ->  launches: "BthUdTask.exe $(Arg0)" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient
"SystemTask" ->  launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask" ->  launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]
"UserTask-Roam" ->  launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}"
  -> {HKLM...CLSID} = "Certificate Services Client Task Handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program
"Consolidator" ->  launches: "%SystemRoot%\System32\wsqmcons.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\Server
"ServerCeipAssistant" ->  launches: "%windir%\system32\ceipdata.exe" [MS]
"ServerRoleCollector" ->  launches: "%windir%\system32\ceiprole.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Defrag
"ScheduledDefrag" ->  launches: "%windir%\system32\defrag.exe -c -i -g" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic
"Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\MUI
"LPRemove" ->  launches: "%windir%\system32\lpremove.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia
"SystemSoundsService" ->  launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
  -> {HKLM...CLSID} = "Microsoft PlaySoundService Class"
                   \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection
"NAPStatus UI" ->  launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}"
  -> {HKLM...CLSID} = "Nap ITask Handler Implementation"
                   \InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System
"ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\RAC
"RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Server Manager
"ServerManager" ->  launches: "%windir%\system32\ServerManagerLauncher.exe" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\SideShow
"GadgetManager" ->  launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}"
  -> {HKLM...CLSID} = "GadgetsManager Class"
                   \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]
"SessionAgent" ->  launches: "{45F26E9E-6199-477F-85DA-AF1EDfE067B1}"
  -> {HKLM...CLSID} = "SessionAgent Class"
                   \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]
"SystemDataProviders" ->  launches: "{7CCA6768-8373-4D28-8876-83E8B4E3A969}"
  -> {HKLM...CLSID} = "SDPWmiJob Class"
                   \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip
"IpAddressConflict1" ->  launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS]
"IpAddressConflict2" ->  launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework
"MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}"
  -> {HKLM...CLSID} = "MsCtfMonitor task handler"
                   \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\UPnP
"UPnPHostConfig" ->  launches: "sc.exe config upnphost start= auto" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\WDI
"ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}"
  -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
                   \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" ->  launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]

C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" ->  launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]

C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 20


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{52E729D7-DFFB-4011-97EE-D7E28212D901}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Gladinet Side Panel"
                   \InProcServer32\(Default) = "Shdocvw.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~4\WEB2~1\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{40525A66-DB98-480D-BCF9-7AF88C1AF438}\
"ButtonText" = "ArcaVir >>"
"MenuText" = "ArcaVir >>"
"CLSIDExtension" = "{40525A66-DB98-480D-BCF9-7AF88C1AF438}"
  -> {HKLM...CLSID} = "ArcaExtIE Class"
                   \InProcServer32\(Default) = "D:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll" ["ArcaBit sp. z o.o"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{A0BB3F12-4E51-4F7E-A7A2-6ADD8289C36B}\
"ButtonText" = "Gladinet Side Panel"


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
<<H>> C:\WINDOWS\INF\IERESET.INF was not found!

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ArcaBit Backup Service, AVBackup, "D:\Program Files\ArcaBit\ArcaTools\arcabackup\ArcaBackupService.exe" ["ArcaBit"]
ArcaBit Control, ArcaRemoteService, "D:\Program Files\ArcaBit\ArcaAgent\ArcaRemoteSvc.exe" [null data]
ArcaBit FileMonitor, ABFileMon, ""D:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe"" ["ArcaBit"]
ArcaBit NetMonitor, ABNetMon, "D:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe" ["ArcaBit"]
ArcaBit Tasks Service, AVTasks2, "D:\PROGRA~1\ArcaBit\Common\ARCATA~1.EXE" ["ArcaBit"]
ArcaBit Update Service, AVUpdate, "D:\PROGRA~1\ArcaBit\ARCAUP~1\update.exe" [null data]
ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ""D:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe"" [null data]
ArcaBit.Core.LoggingService, ArcaBit.Core.LoggingService, ""D:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe"" [null data]
Certificate Propagation, CertPropSvc, "C:\Windows\system32\svchost.exe -k netsvcs" {"C:\Windows\System32\certprop.dll" [MS]}
Distributed Transaction Coordinator, MSDTC, "C:\Windows\System32\msdtc.exe" [MS]
FanSpeedNT Service, FanSpeedNT Service, ""D:\dwl\FanSpeed1_2_0\fanspeedNT.exe" "
[null data]Lavasoft Ad-Aware Service, Lavasoft Ad-Aware Service, ""C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe"" [null data]NMSAccessU, NMSAccessU, "D:\Program Files\CDBurnerXP\NMSAccessU.exe" [null data]NVIDIA Display Driver Service, nvsvc, "C:\Windows\system32\nvvsvc.exe" [null data]Remote Registry, RemoteRegistry, "C:\Windows\system32\svchost.exe -k regsvc" {"C:\Windows\system32\regsvc.dll" [MS]}Secure Socket Tunneling Protocol Service, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}Terminal Services Configuration, SessionEnv, "C:\Windows\System32\svchost.exe -k netsvcs" {"C:\Windows\system32\sessenv.dll" [MS]}Terminal Services UserMode Port Redirector, UmRdpService, "C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\umrdp.dll" [MS]}TrueVector Internet Monitor, vsmon, "C:\Windows\System32\ZoneLabs\vsmon.exe -service" [null data]Windows Driver Foundation - User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}Windows Remote Management (WS-Management), WinRM, "C:\Windows\System32\svchost.exe -k NetworkService" {"C:\Windows\system32\WsmSvc.dll" [MS]}Print Monitors:---------------HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\PCL hpz3llhn\Driver = "hpz3llhn.dll" ["Hewlett-Packard Company"]---------- (launch time: 2009-07-10 20:58:34)<<!>>: Suspicious data at a malware launch point.<<H>>: Suspicious data at a browser hijack point.+ This report excludes default entries except where indicated.+ To see *everywhere* the script checks and *everything* it finds,  launch it from a command prompt or a shortcut with the -all parameter.+ The search for DESKTOP.INI DLL launch points on all local fixed drives  took 598 seconds.---------- (total run time: 692 seconds)

 

 

//edit1 I managed to run Silent Runners all the way through.

//edit2 the spoilers are in place

Edited by Michrz


ArcaVir didn't do the job; Malwarebytes cleaned things out more thoroughly. ComboFix... I'm reluctant to use that software, especially on a system that the program doesn't support (Win 2008 Server, student licence).

Either way, I hope the problem is gone for good. Thanks for the replies.

Regards


That Malwarebytes solved the problem. I know Spybot and like it. Avira is out of the question: the free version won't install on a server operating system. I also have ArcaBit from the university, so it's my only sensible free option.
