log ..

przez **huber2t** » 03 Maj 2008, 10:48

przez **bigbercik** » 03 Maj 2008, 10:59

Kod: Zaznacz wszystko: "Silent Runners.vbs", revision 56, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Sidebar" = "D:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS] "WindowsWelcomeCenter" = "rundll32.exe oobefldr.dll,ShowWelcomeCenter" [MS] "Gadu-Gadu" = ""D:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."] "ehTray.exe" = "D:\Windows\ehome\ehTray.exe" [MS] "Komunikator" = "D:\Program Files\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."] "Steam" = ""d:\program files\steam\steam.exe" -silent" ["Valve Corporation"] "swg" = "D:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."] "AQQ" = "D:\PROGRA~1\WapSter\AQQ\AQQ.exe" ["AQQ Sp. z o.o."] "DAEMON Tools Lite" = ""D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Windows Defender" = "D:\Program Files\Windows Defender\MSASCui.exe -hide" "StartCCC" = "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [null data] "GrooveMonitor" = ""D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS] "!AVG Anti-Spyware" = ""D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."] "VistaFirewallControl" = "D:\Program Files\VistaFirewallControl\VistaFirewallControl.exe" ["Sphinx Software"] "UnlockerAssistant" = ""D:\Program Files\Unlocker\UnlockerAssistant.exe"" [null data] "Onet.pl AutoUpdate" = ""D:\Program Files\Common Files\Onet.pl\NewAutoUpdate.exe" /updateexetsr" [file not found] "Adobe Reader Speed Launcher" = ""D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "SunJavaUpdateSched" = ""D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided) -> {HKLM...CLSID} = "Groove GFS Browser Helper" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided) -> {HKLM...CLSID} = "SSVHelper Class" \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided) -> {HKLM...CLSID} = "Google Toolbar Helper" \InProcServer32\(Default) = "d:\program files\google\googletoolbar1.dll" ["Google Inc."] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS] "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension" -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data] "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension" -> {HKLM...CLSID} = "SimpleShlExt Class" \InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string] "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper" -> {HKLM...CLSID} = "Groove GFS Browser Helper" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar" -> {HKLM...CLSID} = "Groove Folder Synchronization" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler" -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook" -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler" -> {HKLM...CLSID} = "Groove XML Icon Handler" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS] "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{4EB37360-49E8-11D3-95B5-004033382980}" = "ALZip 4.0 Context Menu Shell Extension" -> {HKCU...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "D:\Program Files\Unlocker\UnlockerCOM.dll" [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook" -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] <<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5" -> {HKLM...CLSID} = "CShellExecuteHookImpl Object" \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}" -> {HKCU...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" -> {HKLM...CLSID} = "AQQ File Transfer Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data] AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}" -> {HKCU...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}" -> {HKLM...CLSID} = "CContextScan Object" \InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}" -> {HKCU...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] -> {HKLM...CLSID} = "ALZip 5.0 Context Menu Shell Extension" \InProcServer32\(Default) = "D:\PROGRA~1\ESTsoft\ALZip\AZCTM.DLL" [file not found] UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "D:\Program Files\Unlocker\UnlockerCOM.dll" [null data] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" -> {HKLM...CLSID} = "UnlockerShellExtension" \InProcServer32\(Default) = "D:\Program Files\Unlocker\UnlockerCOM.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptBehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptBehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} "PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "D:\Windows\system32\config\systemprofile\Desktop\56332.jpg" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "D:\Users\kicii\Desktop\56332.jpg" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "D:\Windows\system32\logon.scr" [MS] Startup items in "kicii" & "All Users" startup folders: ------------------------------------------------------- D:\Users\kicii\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup "Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007" -> shortcut to: "D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS] Non-disabled Scheduled Tasks: ----------------------------- D:\Windows\System32\Tasks "User_Feed_Synchronization-{5DF67957-D34F-46F9-9229-A49C48A3D00B}" -> (HIDDEN!) launches: "D:\Windows\system32\msfeedssync.exe sync" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth "UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient "SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "D:\Windows\system32\dimsjob.dll" [MS] "UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "D:\Windows\system32\dimsjob.dll" [MS] "UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "D:\Windows\system32\dimsjob.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program "Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS] "OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Defrag "ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic "Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Media Center "ehDRMInit" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DRMInit" [MS] "mcupdate" -> launches: "%SystemRoot%\ehome\mcupdate $(Arg0) -gc" [MS] "OCURActivate" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate" [MS] "OCURDiscovery" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery" [MS] "UpdateRecordPath" -> launches: "%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\MobilePC "HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}" -> {HKLM...CLSID} = "HotStart User Agent" \InProcServer32\(Default) = "D:\Windows\System32\HotStartUserAgent.dll" [MS] "TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}" -> {HKLM...CLSID} = "Transient Multi-Monitor Manager" \InProcServer32\(Default) = "D:\Windows\System32\TMM.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\MUI "LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Multimedia "SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}" -> {HKLM...CLSID} = "Microsoft PlaySoundService Class" \InProcServer32\(Default) = "D:\Windows\System32\PlaySndSrv.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection "NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}" -> {HKLM...CLSID} = "Nap ITask Handler Implementation" \InProcServer32\(Default) = "D:\Windows\System32\QAgent.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\PLA\System "ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\RAC "RACAgent" -> (HIDDEN!) launches: "%windir%\system32\RacAgent.exe" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance "RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Shell "CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}" -> {HKLM...CLSID} = "CrawlStartPages Task Handler" \InProcServer32\(Default) = "D:\Windows\System32\srchadmin.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\SideShow "GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}" -> {HKLM...CLSID} = "GadgetsManager Class" \InProcServer32\(Default) = "D:\Windows\System32\AuxiliaryDisplayServices.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore "SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Tcpip "IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS] "IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework "MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}" -> {HKLM...CLSID} = "MsCtfMonitor task handler" \InProcServer32\(Default) = "D:\Windows\system32\MsCtfMonitor.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\UPnP "UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\WDI "ResolutionHost" -> (HIDDEN!) launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}" -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler" \InProcServer32\(Default) = "D:\Windows\System32\wdi.dll" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting "QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\WindowsCalendar "Reminders - kicii" -> launches: "D:\Program Files\Windows Calendar\wincal.exe /reminder" [MS] D:\Windows\System32\Tasks\Microsoft\Windows\Wired "GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data] D:\Windows\System32\Tasks\Microsoft\Windows\Wireless "GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data] D:\Windows\System32\Tasks\Microsoft\Windows Defender "MP Scheduled Scan" -> (HIDDEN!) launches: "d:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000004\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS] 000000000005\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] 000000000006\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 18 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{37B85A29-692B-4205-9CAD-2626E4993404}" -> {HKLM...CLSID} = "My Global Search Bar" \InProcServer32\(Default) = "D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL" [file not found] "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "d:\program files\google\googletoolbar1.dll" ["Google Inc."] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided) -> {HKLM...CLSID} = "&Google" \InProcServer32\(Default) = "d:\program files\google\googletoolbar1.dll" ["Google Inc."] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS] HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj" Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}" -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05" \InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."] {2670000A-7350-4F3C-8081-5663EE0C6C49}\ "ButtonText" = "Wyślij do programu OneNote" "MenuText" = "Wyślij &do programu OneNote" "CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}" -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button" \InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati External Event Utility, Ati External Event Utility, "D:\Windows\system32\Ati2evxx.exe" ["ATI Technologies Inc."] Autokonfiguracja sieci WLAN, Wlansvc, "D:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"D:\Windows\System32\wlansvc.dll" [MS]} AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."] Izolacja klucza CNG, KeyIso, "D:\Windows\system32\lsass.exe" [MS] Protokół uwierzytelniania rozszerzonego (EAP), EapHost, "D:\Windows\System32\svchost.exe -k netsvcs" {"D:\Windows\System32\eapsvc.dll" [MS]} Przeglądarka komputera, Browser, "D:\Windows\System32\svchost.exe -k netsvcs" {"D:\Windows\System32\browser.dll" [MS]} Usługa powiadamiania SL UI, SLUINotify, "D:\Windows\system32\svchost.exe -k LocalService" {"D:\Windows\system32\SLUINotify.dll" [MS]} VistaFirewallService, VistaFirewallService, ""D:\Program Files\VistaFirewallControl\VistaFirewallService.exe"" ["Sphinx Software"] Windows Image Acquisition (WIA), stisvc, "D:\Windows\system32\svchost.exe -k imgsvc" {"D:\Windows\System32\wiaservc.dll" [MS]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS] ---------- (launch time: 2008-05-03 10:56:36) <<!>>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer "No" at the first message box and "Yes" at the second message box. ---------- (total run time: 51 seconds, including 5 seconds for message boxes)

przez **huber2t** » 03 Maj 2008, 11:05

wklej do Notatnika:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanmgr.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ICQLite.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\userinit.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmine.exe]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe]

Z menu Notatnika >>> Plik >>> Zapisz jako >>> Ustaw rozszerzenie na Wszystkie pliki >>> Zapisz jako FIX.REG

Następnie po tym usuń ten plik:

C:\WINDOWS\services.exe

przez **bigbercik** » 03 Maj 2008, 11:31

recznie usunac?

przez **huber2t** » 03 Maj 2008, 11:34

Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:

Kod: Zaznacz wszystko: File:: C:\WINDOWS\services.exe

Plik

zapisz jako

CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe)
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu

Powinno się rozpocząć usuwanie i powstanie log, daj ten log na forum.

przez **bigbercik** » 03 Maj 2008, 11:59

cos chyba zle poszlo .. co tera zrobic?

Kod: Zaznacz wszystko: pushd "D:\327882R2FWJFW\" ============================================= ALLUSERSPROFILE=D:\ProgramData APPDATA=D:\Users\kicii\AppData\Roaming cfldr=327882R2FWJFW CommonProgramFiles=D:\Program Files\Common Files COMPUTERNAME=KICII-PC ComSpec=D:\Windows\system32\cmd.exe FP_NO_HOST_CHECK=NO HOMEDRIVE=D: HOMEPATH=\Users\kicii kmd=CF17350.exe LOCALAPPDATA=D:\Users\kicii\AppData\Local LOGONSERVER=\\KICII-PC NUMBER_OF_PROCESSORS=2 OS=Windows_NT Path=D:\327882R2FWJFW;D:\Windows\system32;D:\Windows;D:\Windows\system32\wbem;D:\Windows\system32;D:\Windows;D:\Windows\System32\Wbem;D:\Program Files\ATI Technologies\ATI.ACE\Core-Static;D:\Program Files\ESTsoft\ALZip\;D:\Program Files\ESTsoft\ALZip\ PATHEXT=.cfexe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC PROCESSOR_ARCHITECTURE=x86 PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 13, GenuineIntel PROCESSOR_LEVEL=6 PROCESSOR_REVISION=0f0d ProgramData=D:\ProgramData ProgramFiles=D:\Program Files PROMPT=$ PUBLIC=D:\Users\Public SESSIONNAME=Console sfxname=D:\Users\kicii\Desktop\ComboFix.exe system=D:\Windows\system32 SystemDrive=D: SystemRoot=D:\Windows TEMP=D:\Users\kicii\AppData\Local\Temp TMP=D:\Users\kicii\AppData\Local\Temp USERDOMAIN=kicii-PC USERNAME=kicii USERPROFILE=D:\Users\kicii windir=D:\Windows ============================================= if not defined sfxname goto END Nircmd win close ititle "ComboFix" If [D:\Users\kicii\Desktop\CFScript.txt] == [] Set "SfxCmd=" if /I "D:\327882R2FWJFW" NEQ "D:\327882R2FWJFW" goto Abort if exist "D:\Users\kicii\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log" del "D:\Users\kicii\AppData\Local\Temp\327882R2FWJFW327882R2FWJFW.log" SteelWerX Extended Configuration Access Control Lists Written by Bobbi Flekman 2006 (C) Ownerchange for "D:\Windows\system32\cmd.exe" to Administrators group was successful copy /y "D:\Windows\system32\cmd.exe" "D:\Windows\system32\CF17350.exe" Liczba skopiowanych plik˘w: 1. if not exist "D:\Windows\system32\CF17350.exe" catchme -l nul -c "D:\Windows\system32\cmd.exe" "D:\Windows\system32\CF17350.exe" For /F "tokens=*" %g in ("D:\Users\kicii\Desktop\ComboFix.exe") do @( set "FileName=%~ng" set "FilePath=%~dpg" ) Set FileName 2>nul | GREP -Gisqx "FileName=[-[:alnum:]@.]*" || ( nircmd infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name, preferbaly made up of alphanumeric characters" "" goto END ) DIR /AD/B D:\* | FindStr.exe -IVX ComboFix 1>dirname00 FindStr.exe -LIXC:"ComboFix" dirname00 1>nul && call :NameChk If exist dirname0? del /Q dirname0? If exist "\ComboFix" DIR /AD "\ComboFix" 1>nul && ( rd /s/q "\ComboFix" If exist "\ComboFix" ( PV -kf findstr.exe *.cfexe rd /s/q "\ComboFix" ) If exist "\ComboFix" ( handle "D:\ComboFix" | SED -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00 for /F "tokens=1,2" %g in (temp00) do @echo.y | Handle -p %g -c %h del /q temp00 rd /s/q "\ComboFix" ) ) If exist "\ComboFix" rd /s/q "\ComboFix" If exist "\ComboFix" goto :eof VER | Findstr.exe -ic:"[Version 6.0" && (Call :Vista ) || CD .. Set "comspec=D:\Windows\system32\CF17350.exe" ( echo.md "\ComboFix" echo.Move /y "\327882R2FWJFW\*" "\ComboFix" echo.RD /S/Q "\327882R2FWJFW" echo.Start "." /d"D:\ComboFix" "D:\Windows\system32\CF17350.exe" /k c.bat echo.pv -kf cmd.exe ) 1>Start_.cmd NirCmd exec hide "D:\Windows\system32\CF17350.exe" /f:off /d /c call Start_.cmd NirCmd execmd del "\327882R2FWJFW\prep.cmd" EXIT

a i czemu mam Czarne tlo tera?

przez **huber2t** » 03 Maj 2008, 12:04

a dodałeś fix.reg do rejestru, bio jeśli tego nie zrobiłeś to tak się mogło stać z tym tłem

przez **bigbercik** » 03 Maj 2008, 12:05

no dalem oczywiscie ale mnialem 2 ikonki opuscic ?

i jak przywrucic normalny obraz?

przez **huber2t** » 03 Maj 2008, 12:12

ale gdzie nie masz obrazu

przez **bigbercik** » 03 Maj 2008, 12:13

na pulpicie jak przywrocic obraz jaki mnialem

przez **huber2t** » 03 Maj 2008, 12:22

Wybierz ponownie tapete

przez **bigbercik** » 03 Maj 2008, 12:23

prubowałęm dalej to samo..

przez **huber2t** » 03 Maj 2008, 12:27

No własnie po usuneciu tego wirusa tak bywa przykro mi

przez **bigbercik** » 03 Maj 2008, 12:31

a idzie przywrócic obraz ?? taki mam dokladnie.

przez **huber2t** » 03 Maj 2008, 12:33

no teraz się nic nie dziwie to co ci podąłem było na xp a na viscie mogło inaczej działać pzrepraszam

log ..

Kto jest na forum