Log Profilaktycznie do sprawdzenia

Kod:

"Silent Runners.vbs", revision 56, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" ["Nero AG"]
"ctfmon.exe" = "C:\windows\system32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray" ["Analog Devices, Inc."]
"KEMailKb" = "C:\PROGRA~1\KEMailKb\KEMailKb.EXE" ["Dritek System Inc."]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll" ["Sun Microsystems, Inc."]
{85F685C3-20D9-4943-95E4-EB4224056C3F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Expressivo"
                   \InProcServer32\(Default) = "E:\Expressivo\IH_iexplore.dll" ["IVO Software Sp. z o.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\windows\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "E:\WinRar\rarext.dll" [null data]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
  -> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
  -> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
  -> {HKLM...CLSID} = "dBpShell Class"
                   \InProcServer32\(Default) = "E:\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
  -> {HKLM...CLSID} = "dMCIShell Class"
                   \InProcServer32\(Default) = "E:\dBpowerAMP\dMCShell.dll" [empty string]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Ochrona WWW"
  -> {HKLM...CLSID} = "Ochrona WWW"
                   \InProcServer32\(Default) = "E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "e:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "E:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\windows\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\windows\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
  -> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "E:\WinRar\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "E:\WinRar\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll" ["Kaspersky Lab"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "e:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "E:\WinRar\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "e:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"RunStartupScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\windows\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Matush\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "Matush" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Matush\Menu Start\Programy\Autostart
"HDDlife" -> shortcut to: "C:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe" [file not found]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"
  -> {HKLM...CLSID} = "Winamp Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" [file not found]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Ochrona WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = "Szybkie dostosowywanie programu"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll" [file not found]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Ochrona WWW"

{44627E97-789B-40D4-B5C2-58BD171129A1}\
"ButtonText" = "Szybkie dostosowywanie programu Outpost Firewall Pro"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "Tabs" = "C:\Documents and Settings\Matush\Dane aplikacji\MEGAUPLOADTOOLBAR\tabwelcome.html" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

.NET Runtime Optimization Service v2.0.50727_X86, clr_optimization_v2.0.50727_32, "C:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe" [MS]
Netropa NHK Server, nhksrv, "C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\windows\system32\nvsvc32.exe" ["NVIDIA Corporation"]
StarWind AE Service, StarWindServiceAE, "E:\Alcohol 52\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "msikbd2k" ["Netropa Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-04-12 09:02:47)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 48 seconds.
---------- (total run time: 95 seconds)


I z HijackThis

Kod:

Logfile of HijackThis v1.99.1
Scan saved at 09:06:14, on 2008-04-12
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\windows\system32\nvsvc32.exe
E:\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\windows\system32\ctfmon.exe
C:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
E:\Gadu-Gadu\gg.exe
E:\Cleaner\EasyClea.exe
C:\windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Instalki\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - E:\Expressivo\IH_iexplore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: HDDlife.lnk = C:\Program Files\BinarySense\HDDlife 3\HDDlifePro.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Matush\Pulpit\BitComet_0.96\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Matush\Pulpit\BitComet_0.96\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Matush\Pulpit\BitComet_0.96\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - E:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{147996D3-F75D-4DDE-933B-47FD3D5A6529}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{147996D3-F75D-4DDE-933B-47FD3D5A6529}: NameServer = 194.204.159.1 217.98.63.164
O20 - AppInit_DLLs: E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\windows\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\windows\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Alcohol 52\StarWind\StarWindServiceAE.exe

[/code]

fix w hijackthis

O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - E:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll (file missing)

Pokaz log z Combofix

Kod:

ComboFix 08-04-11.5 - Matush 2008-04-12  9:55:52.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1250.1.1045.18.651 [GMT 2:00]
Running from: C:\Documents and Settings\Matush\Pulpit\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2008-03-12 to 2008-04-12  )))))))))))))))))))))))))))))))
.

2008-03-27 21:21 . 2004-03-09 01:00   224,016   --a------   C:\WINDOWS\system32\TabCtl32.ocx
2008-03-27 21:18 . 2004-07-14 18:26   152,848   --a------   C:\WINDOWS\system32\COMDLG32.OCX
2008-03-27 20:57 . 2008-03-27 20:59   <DIR>   d--------   C:\GTA San Andreas Music
2008-03-23 14:54 . 2008-03-30 20:10   <DIR>   d--------   C:\Program Files\MegauploadToolbar
2008-03-23 14:54 . 2008-03-29 21:29   <DIR>   d--------   C:\Documents and Settings\Matush\Dane aplikacji\MegauploadToolbar
2008-03-22 15:37 . 2008-04-12 09:00   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Ustawienia lokalne
2008-03-22 15:37 . 2007-09-02 11:54   <DIR>   d--------   C:\Documents and Settings\Administrator\Ulubione
2008-03-22 15:37 . 2007-09-02 10:00   <DIR>   d--h-----   C:\Documents and Settings\Administrator\Szablony
2008-03-22 15:37 . 2007-09-02 11:54   <DIR>   d--------   C:\Documents and Settings\Administrator\Pulpit
2008-03-22 15:37 . 2007-09-02 11:54   <DIR>   d--------   C:\Documents and Settings\Administrator\Moje dokumenty
2008-03-22 15:37 . 2007-09-02 11:54   <DIR>   dr-------   C:\Documents and Settings\Administrator\Menu Start
2008-03-22 15:37 . 2007-09-02 11:54   <DIR>   dr-h-----   C:\Documents and Settings\Administrator\Dane aplikacji
2008-03-21 20:17 . 2001-11-22 02:41   611,709   --a------   C:\WINDOWS\system32\Ekwador screensaver 2.scr
2008-03-21 20:17 . 2000-08-23 00:21   19,456   --a------   C:\WINDOWS\system32\jesterss.dll
2008-03-21 16:11 . 2006-03-02 14:00   112,128   --a------   C:\WINDOWS\system32\mai32.dll
2008-03-17 17:45 . 2008-03-17 17:45   <DIR>   d--------   C:\Program Files\Real Alternative
2008-03-17 16:56 . 2008-03-17 16:56   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-03-17 16:56 . 2008-03-17 16:56   1,409   --a------   C:\WINDOWS\QTFont.for
2008-03-16 20:23 . 2003-06-23 03:44   1,415,680   --a------   C:\WINDOWS\system32\WMV9VCM.dll
2008-03-16 20:23 . 2002-08-20 02:41   413,760   --a------   C:\WINDOWS\system32\mpg4c32.dll
2008-03-16 20:23 . 2003-04-21 16:09   245,408   --a------   C:\WINDOWS\system32\unicows.dll
2008-03-16 18:59 . 2008-03-16 18:59   <DIR>   d--------   C:\Program Files\ffdshow
2008-03-16 18:59 . 2007-12-24 14:49   7,680   --a------   C:\WINDOWS\system32\ff_vfw.dll
2008-03-16 18:59 . 2007-07-10 18:10   547   --a------   C:\WINDOWS\system32\ff_vfw.dll.manifest

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 07:57   660,512   --sha-w   C:\windows\system32\drivers\fidbox2.dat
2008-04-12 07:57   20,482,592   --sha-w   C:\windows\system32\drivers\fidbox.dat
2008-04-11 20:09   63,812   --sha-w   C:\windows\system32\drivers\fidbox2.idx
2008-04-11 20:09   281,168   --sha-w   C:\windows\system32\drivers\fidbox.idx
2008-04-08 14:54   ---------   d-----w   C:\Documents and Settings\Matush\Dane aplikacji\uTorrent
2008-03-30 18:10   ---------   d-----w   C:\Program Files\Winamp Toolbar
2008-03-30 15:20   ---------   d-----w   C:\Program Files\KEMailKb
2008-03-23 09:55   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-03-22 19:21   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\Test Drive Unlimited
2008-03-21 14:06   ---------   d-----w   C:\Program Files\Winamp Remote
2008-03-20 08:09   1,845,504   ----a-w   C:\windows\system32\win32k.sys
2008-03-11 19:04   ---------   d-----w   C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2008-03-11 07:05   ---------   d-----w   C:\Program Files\Microsoft Visual Studio 8
2008-03-01 13:02   826,368   ----a-w   C:\windows\system32\wininet.dll
2008-02-25 18:51   ---------   d-----w   C:\Documents and Settings\Matush\Dane aplikacji\Skype
2008-02-20 06:51   282,624   ----a-w   C:\windows\system32\gdi32.dll
2008-02-20 05:38   45,568   ----a-w   C:\windows\system32\dnsrslvr.dll
2008-01-14 12:52   81,920   ----a-w   C:\windows\system32\frapsvid.dll
.

(((((((((((((((((((((((((((((   snapshot_2008-04-12_ 9.00.02,17   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-12 07:20:47   27,136   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\Accessibility\c6772fd12a581ad3be49e3f2a80b5622\Accessibility.ni.dll
+ 2008-04-12 07:20:48   884,736   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\a1d353edc300e3aff0784202f68a657b\AspNetMMCExt.ni.dll
+ 2008-04-12 07:20:49   237,568   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\c10ec9b4de2b366236ec83237dc31281\CustomMarshalers.ni.dll
+ 2008-04-12 07:20:48   15,360   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\dfsvc\837fe02bdcf637d5bf1e5ffb935ebb80\dfsvc.ni.exe
+ 2008-04-12 07:20:50   876,544   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\9710a3c0d11dd264c3a6b88977699e9b\Microsoft.Build.Engine.ni.dll
+ 2008-04-12 07:20:50   81,920   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\e2858a45971fb30b0c0523dbb52c1d4e\Microsoft.Build.Framework.ni.dll
+ 2008-04-12 07:20:53   1,695,744   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\63d69ffdf3c640d2d104a4b74e8115f8\Microsoft.Build.Tasks.ni.dll
+ 2008-04-12 07:20:53   167,936   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\11cb5418c06e30100616fbf205588489\Microsoft.Build.Utilities.ni.dll
+ 2008-04-12 07:20:55   1,740,800   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\923bd55258380eae77353d36a5a1b08f\Microsoft.VisualBasic.ni.dll
+ 2008-04-12 07:20:56   1,011,712   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\eee9b48577689e92db5a7b5c5de98d9b\System.Configuration.ni.dll
+ 2008-04-12 07:20:58   1,798,144   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\c7dea4895e1fa33d65e448c03de48d26\System.Deployment.ni.dll
+ 2008-04-12 07:20:59   1,224,704   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\914668b240550f529e54bb772c6fc881\System.DirectoryServices.ni.dll
+ 2008-04-12 07:21:00   512,000   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\f11bc82c09955cb8438d3885a99c297d\System.DirectoryServices.Protocols.ni.dll
+ 2008-04-12 07:21:01   659,456   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\646131eda5f21f4e6216733d49c22c56\System.EnterpriseServices.ni.dll
+ 2008-04-12 07:21:01   294,912   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\646131eda5f21f4e6216733d49c22c56\System.EnterpriseServices.Wrapper.dll
+ 2008-04-12 07:21:02   733,184   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Security\2b5994269cc5b996231c9b21afea9a91\System.Security.ni.dll
+ 2008-04-12 07:21:03   233,472   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\193ac978af569ad9ee45110b359961b9\System.ServiceProcess.ni.dll
+ 2008-04-12 07:21:04   679,936   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\12e0aa1030badf4524f897e3f57b037a\System.Transactions.ni.dll
+ 2008-04-12 07:21:20   2,342,912   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\37d87b3cab1c66ec4430ebb2abeaa570\System.Web.Mobile.ni.dll
+ 2008-04-12 07:21:20   237,568   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\b5b81faf46fc63c20d5339b36edd02fa\System.Web.RegularExpressions.ni.dll
+ 2008-04-12 07:21:22   1,986,560   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\38991368499e2109ea4099a0fe29c5a3\System.Web.Services.ni.dll
+ 2008-04-12 07:21:17   12,509,184   ----a-w   C:\windows\assembly\NativeImages_v2.0.50727_32\System.Web\67cfb70213562afe2ca9b9066764af3a\System.Web.ni.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22 7618560]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 11:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07 843776]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2006-04-10 09:19 729088]
"KEMailKb"="C:\PROGRA~1\KEMailKb\KEMailKb.EXE" [2003-10-21 20:47 401408]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 14:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=E:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
E:\Program Files\Ares\Ares.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Gadu-Gadu\\gg.exe"=
"E:\\Program Files\\BearShare\\BearShare.exe"=
"E:\\Test drive unlimited\\TestDriveUnlimited.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"E:\\NAPI-PROJEKT\\napisy.exe"=
"E:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"E:\\Program Files\\Winamp\\winamp.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\windows\system32\drivers\sfsync03.sys [2005-12-06 17:11]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\windows\system32\DRIVERS\msikbd2k.sys [2001-12-20 09:02]
R1 sdpiosys;sdpiosys;C:\windows\system32\drivers\sdpiosys.sys [2004-11-30 12:10]
R2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe [2001-08-06 06:41]
S1 SandBox;Outpost Firewall Sandbox Driver;E:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS []
S1 VFILT;Outpost Firewall Kernel Driver;E:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS []
S3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL []
S3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\ARP.DLL []
S3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL []
S3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL []
S3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL []
S3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL []
S3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL []
S3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL []
S3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL []
S3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL []
S3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL []
S3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL []
S3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);E:\Program Files\Agnitum\Outpost Firewall\kernel\SECRET.DLL []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-05 13:17:01 C:\windows\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 09:57:32
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-12  9:58:08
ComboFix-quarantined-files.txt  2008-04-12 07:57:57
ComboFix2.txt  2008-04-12 07:00:27
ComboFix3.txt  2008-03-11 19:32:06
ComboFix4.txt  2007-11-08 18:57:58
Pre-Run: 44,030,156,800 bajtów wolnych
Post-Run: 44,019,744,768 bajtów wolnych
.
2008-04-12 06:53:01   --- E O F --- 

Log czysty

Dzieki bardzo za pomoc