Regulamin forum
1. Każdy temat powinien odzwierciedlać treść wątku.2. W przypadku wklejania logów; należy je wykonać od razu przynajmniej z dwóch narzędzi: FRST oraz z GMER
3. Wszelkie logi proszę publikować na przeznaczonych do tego stronach a w poście wklejać tylko link.
4. Nie wskazane jest skracanie logów, należy wkleić cały - od początku, do końca.
5. Nie wskazane jest podczepianie się do tematów innych użytkowników - proszę założyć nowy temat w dziale Bezpieczeństwo, ułatwi to pomoc sprawdzającemu.
6. Osoby nie posiadające odpowiedniej wiedzy, nie powinny sprawdzać logów, ponieważ grozi to poważnym uszkodzeniem systemu lub aplikacji zainstalowanych na komputerze.
7. Należy dokładnie opisać problem, występujące objawy oraz wszelkie podjęte działania.
8. Każdy skrypt jest unikatowy, napisany dla każdego przypadku z osobna, więc nie może być stosowany przez innych.
9. W przypadku zamieszczenia zrzutu ekranu (screenshot'a) proszę korzystać z zewnętrznego serwisu oferującego hosting zdjęć.
Problem chyba drzemiący w Xp.Help
18 Gru 2007, 22:59
Scan saved at 21:57:27, on 2007-12-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\WapSter\AQQ\AQQ.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 3817 bytes
Niech mi ktoś powie jak ewentualnie coś usunąć bo tępy w tym jestem.
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\PROGRA~1\WapSter\AQQ\AQQ.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AQQ] C:\PROGRA~1\WapSter\AQQ\AQQ.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 3817 bytes
Niech mi ktoś powie jak ewentualnie coś usunąć bo tępy w tym jestem.
18 Gru 2007, 23:36
C:\WINDOWS\svchost.exe - usuwasz plik (prawdziwy plik svchost jest w system32)
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe - odinstalowywujesz z dodaj /usun i usuwasz folder
wszystko w awaryjnym i przy wylaczonym przywracaniu sys.
C:\Program Files\RALINK\Common\RaUI.exe - wiesz co to?
no i to by było na tyle.
daj logi z ComboFix i Silent Runners to sprawdzi pp albo slake, bo ja tylko kumam hijacka
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe - odinstalowywujesz z dodaj /usun i usuwasz folder
wszystko w awaryjnym i przy wylaczonym przywracaniu sys.
C:\Program Files\RALINK\Common\RaUI.exe - wiesz co to?
no i to by było na tyle.
daj logi z ComboFix i Silent Runners to sprawdzi pp albo slake, bo ja tylko kumam hijacka
18 Gru 2007, 23:56
Nie da rady usunąć tego pliku.
To najprawdopodobniej proces pochodzący od mojej karty sieciowej.
C:\Program Files\RALINK\Common\RaUI.exe - wiesz co to?
To najprawdopodobniej proces pochodzący od mojej karty sieciowej.
Ostatnio edytowany przez mateusz x man 18 Gru 2007, 23:59, edytowano w sumie 2 razy
18 Gru 2007, 23:57
ComboFix 07-12-19.2 - Mateusz P 2007-12-18 22:52:58.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.641 [GMT 1:00]
Running from: C:\Documents and Settings\Mateusz P\Moje dokumenty\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\svchost.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_POWERMANAGER
-------\PowerManager
((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.
2007-12-18 22:09 . 2007-12-18 22:09 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Thunderbird
2007-12-18 22:09 . 2007-12-18 22:09 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Talkback
2007-12-18 21:57 . 2007-12-18 21:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 19:28 . 2007-12-18 19:28 <DIR> d-------- C:\Documents and Settings\LocalService\Pulpit
2007-12-17 23:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-17 23:52 . 2007-12-17 23:53 <DIR> d-------- C:\Program Files\Java
2007-12-17 23:45 . 2007-12-17 23:45 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-17 20:21 . 2007-12-17 20:21 82,875 --a------ C:\WINDOWS\system32\bez˙tytuˆu.JPG
2007-12-16 21:57 . 2007-12-16 21:57 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2007-12-16 21:30 . 2007-12-16 21:30 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-12-16 19:27 . 2007-12-16 19:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-16 19:27 . 2007-12-16 19:29 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\MoyeaFLV2Video
2007-12-16 19:15 . 2007-12-16 19:29 <DIR> d-------- C:\Program Files\Moyea
2007-12-16 19:15 . 2007-12-16 19:15 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Moyea
2007-12-16 18:42 . 2007-12-16 18:42 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Media Player Classic
2007-12-16 18:32 . 2007-12-16 18:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-12-16 18:32 . 2007-12-16 18:32 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-16 18:32 . 2007-12-16 18:32 <DIR> d-------- C:\Program Files\Media Player Classic
2007-12-16 18:32 . 2004-09-23 18:57 6,676,480 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-16 18:32 . 2004-09-23 18:57 747,008 --a------ C:\WINDOWS\system32\Indeo4.qtx
2007-12-16 18:32 . 2004-09-23 18:57 430,592 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-16 18:32 . 2005-06-10 17:40 360,504 --a------ C:\WINDOWS\system32\QTPlugin.ocx
2007-12-16 18:32 . 2004-09-23 18:57 323,072 --a------ C:\WINDOWS\system32\QuickTime.cpl
2007-12-16 18:32 . 2002-11-08 20:04 225,280 --a------ C:\WINDOWS\system32\qtmlClient.dll
2007-12-16 18:32 . 2004-09-23 18:57 70,144 --a------ C:\WINDOWS\system32\QuickTimeCheck.ocx
2007-12-16 18:07 . 2007-12-16 18:07 <DIR> d-------- C:\Program Files\MarBit
2007-12-16 18:03 . 2007-12-16 18:03 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-16 15:40 . 2007-12-16 17:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-16 15:39 . 2007-03-18 21:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8S.DLL
2007-12-16 15:29 . 2007-12-16 19:50 <DIR> d-------- C:\Program Files\Acala 3GP Movies Free
2007-12-16 15:29 . 2004-01-27 20:50 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-12-16 15:29 . 2004-01-27 20:51 290,816 --a------ C:\WINDOWS\system32\3ivxDSDecoder.ax
2007-11-24 23:59 . 2007-12-16 19:51 116 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-24 22:20 . 2007-11-24 22:21 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-11-24 22:20 . 2007-04-04 23:02 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Ahead
2007-11-24 22:18 . 2007-11-24 22:18 <DIR> d-------- C:\Program Files\Nero
2007-11-24 22:18 . 2007-11-24 22:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-24 22:18 . 2007-11-24 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Nero
2007-11-24 15:00 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-24 13:25 . 2007-04-03 21:29 <DIR> d-------- C:\Program Files\Deluxe Ski Jump
2007-11-24 10:12 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-24 10:12 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-24 10:12 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-24 10:12 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-24 09:48 . 2007-11-24 09:48 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-23 23:53 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-11-23 23:53 . 2007-11-23 23:53 421 --a------ C:\WINDOWS\ODBC.INI
2007-11-23 19:59 . 2003-03-19 05:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-23 19:59 . 2004-01-12 00:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-23 19:57 . 2007-11-15 13:29 1,374 --a------ C:\WINDOWS\system32\wpa.bak
2007-11-23 19:49 . 2007-12-16 17:50 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-11-23 19:47 . 2007-11-11 13:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-23 19:40 . 2007-11-24 22:14 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-23 19:34 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-23 19:34 . 2001-10-26 16:57 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-11-23 19:34 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-11-23 19:34 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 09:22 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-16 20:21 --------- d-----w C:\Documents and Settings\Mateusz P\Dane aplikacji\Winamp
2007-12-16 17:32 --------- d-----w C:\Documents and Settings\Mateusz P\Dane aplikacji\Apple Computer
2007-12-16 17:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-21 22:30 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-21 22:29 --------- d-----w C:\Program Files\Usługi online
2007-11-15 20:51 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-11-15 19:30 --------- d-----w C:\Program Files\Lavalys
2007-11-15 15:58 --------- d-----w C:\Program Files\Winamp
2007-11-15 14:08 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-15 13:54 --------- d-----w C:\Program Files\Carbon
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 12:07 --------- d-----w C:\Program Files\ATI Technologies
2007-11-11 12:03 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-11-11 12:03 --------- d-----w C:\Program Files\Realtek AC97
2007-11-11 12:03 --------- d-----w C:\Program Files\AvRack
2007-11-11 12:00 --------- d-----w C:\Program Files\VIA
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]
"AQQ"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe" [2007-02-28 13:18]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DaemonTools_WhenUSave_Installer"="C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 09:22 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2007-04-05 16:59:10]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 04:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 04:39]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2007-04-05 00:00]
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 08:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 08:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 08:42]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 08:42]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 08:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e29ac05-9a15-11dc-9035-cb0cd1d44cd0}]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
*Newly Created Service* - POWERMANAGER
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 22:55:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-19 22:55:51 - machine was rebooted
.
2007-12-18 19:11:55 --- E O F ---
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.641 [GMT 1:00]
Running from: C:\Documents and Settings\Mateusz P\Moje dokumenty\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\svchost.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_POWERMANAGER
-------\PowerManager
((((((((((((((((((((((((( Files Created from 2007-11-19 to 2007-12-19 )))))))))))))))))))))))))))))))
.
2007-12-18 22:09 . 2007-12-18 22:09 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Thunderbird
2007-12-18 22:09 . 2007-12-18 22:09 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Talkback
2007-12-18 21:57 . 2007-12-18 21:57 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-18 19:28 . 2007-12-18 19:28 <DIR> d-------- C:\Documents and Settings\LocalService\Pulpit
2007-12-17 23:53 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-17 23:52 . 2007-12-17 23:53 <DIR> d-------- C:\Program Files\Java
2007-12-17 23:45 . 2007-12-17 23:45 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-17 20:21 . 2007-12-17 20:21 82,875 --a------ C:\WINDOWS\system32\bez˙tytuˆu.JPG
2007-12-16 21:57 . 2007-12-16 21:57 <DIR> d-------- C:\Program Files\WinAVIVideoConverter
2007-12-16 21:30 . 2007-12-16 21:30 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-12-16 19:27 . 2007-12-16 19:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2007-12-16 19:27 . 2007-12-16 19:29 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\MoyeaFLV2Video
2007-12-16 19:15 . 2007-12-16 19:29 <DIR> d-------- C:\Program Files\Moyea
2007-12-16 19:15 . 2007-12-16 19:15 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Moyea
2007-12-16 18:42 . 2007-12-16 18:42 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Media Player Classic
2007-12-16 18:32 . 2007-12-16 18:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-12-16 18:32 . 2007-12-16 18:32 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-16 18:32 . 2007-12-16 18:32 <DIR> d-------- C:\Program Files\Media Player Classic
2007-12-16 18:32 . 2004-09-23 18:57 6,676,480 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-16 18:32 . 2004-09-23 18:57 747,008 --a------ C:\WINDOWS\system32\Indeo4.qtx
2007-12-16 18:32 . 2004-09-23 18:57 430,592 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-16 18:32 . 2005-06-10 17:40 360,504 --a------ C:\WINDOWS\system32\QTPlugin.ocx
2007-12-16 18:32 . 2004-09-23 18:57 323,072 --a------ C:\WINDOWS\system32\QuickTime.cpl
2007-12-16 18:32 . 2002-11-08 20:04 225,280 --a------ C:\WINDOWS\system32\qtmlClient.dll
2007-12-16 18:32 . 2004-09-23 18:57 70,144 --a------ C:\WINDOWS\system32\QuickTimeCheck.ocx
2007-12-16 18:07 . 2007-12-16 18:07 <DIR> d-------- C:\Program Files\MarBit
2007-12-16 18:03 . 2007-12-16 18:03 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-16 15:40 . 2007-12-16 17:50 <DIR> d-------- C:\Program Files\QuickTime
2007-12-16 15:39 . 2007-03-18 21:00 215,040 --a------ C:\WINDOWS\system32\CNMLM8S.DLL
2007-12-16 15:29 . 2007-12-16 19:50 <DIR> d-------- C:\Program Files\Acala 3GP Movies Free
2007-12-16 15:29 . 2004-01-27 20:50 1,024,000 --a------ C:\WINDOWS\system32\3ivx.dll
2007-12-16 15:29 . 2004-01-27 20:51 290,816 --a------ C:\WINDOWS\system32\3ivxDSDecoder.ax
2007-11-24 23:59 . 2007-12-16 19:51 116 --a------ C:\WINDOWS\NeroDigital.ini
2007-11-24 22:20 . 2007-11-24 22:21 <DIR> d-------- C:\Program Files\Common Files\LightScribe
2007-11-24 22:20 . 2007-04-04 23:02 <DIR> d-------- C:\Documents and Settings\Mateusz P\Dane aplikacji\Ahead
2007-11-24 22:18 . 2007-11-24 22:18 <DIR> d-------- C:\Program Files\Nero
2007-11-24 22:18 . 2007-11-24 22:20 <DIR> d-------- C:\Program Files\Common Files\Ahead
2007-11-24 22:18 . 2007-11-24 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Nero
2007-11-24 15:00 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-11-24 13:25 . 2007-04-03 21:29 <DIR> d-------- C:\Program Files\Deluxe Ski Jump
2007-11-24 10:12 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-11-24 10:12 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-11-24 10:12 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-24 10:12 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-24 09:48 . 2007-11-24 09:48 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-23 23:53 . 2003-06-19 01:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2007-11-23 23:53 . 2007-11-23 23:53 421 --a------ C:\WINDOWS\ODBC.INI
2007-11-23 19:59 . 2003-03-19 05:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-11-23 19:59 . 2004-01-12 00:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-23 19:57 . 2007-11-15 13:29 1,374 --a------ C:\WINDOWS\system32\wpa.bak
2007-11-23 19:49 . 2007-12-16 17:50 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2007-11-23 19:47 . 2007-11-11 13:06 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2007-11-23 19:40 . 2007-11-24 22:14 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-23 19:34 . 2001-10-26 16:57 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-11-23 19:34 . 2001-10-26 16:57 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-11-23 19:34 . 2001-08-17 22:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-11-23 19:34 . 2001-08-17 22:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 09:22 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-16 20:21 --------- d-----w C:\Documents and Settings\Mateusz P\Dane aplikacji\Winamp
2007-12-16 17:32 --------- d-----w C:\Documents and Settings\Mateusz P\Dane aplikacji\Apple Computer
2007-12-16 17:32 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer
2007-11-21 22:30 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-21 22:29 --------- d-----w C:\Program Files\Usługi online
2007-11-15 20:51 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-11-15 19:30 --------- d-----w C:\Program Files\Lavalys
2007-11-15 15:58 --------- d-----w C:\Program Files\Winamp
2007-11-15 14:08 --------- d-----w C:\Program Files\MSXML 4.0
2007-11-15 13:54 --------- d-----w C:\Program Files\Carbon
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 12:07 --------- d-----w C:\Program Files\ATI Technologies
2007-11-11 12:03 --------- d-----w C:\Program Files\Realtek Sound Manager
2007-11-11 12:03 --------- d-----w C:\Program Files\Realtek AC97
2007-11-11 12:03 --------- d-----w C:\Program Files\AvRack
2007-11-11 12:00 --------- d-----w C:\Program Files\VIA
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 19:04]
"AQQ"="C:\PROGRA~1\WapSter\AQQ\AQQ.exe" [2007-02-28 13:18]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DaemonTools_WhenUSave_Installer"="C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 09:22 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2007-04-05 16:59:10]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 04:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 04:39]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [2007-04-05 00:00]
S3 w200bus;Sony Ericsson W200 driver (WDM);C:\WINDOWS\system32\DRIVERS\w200bus.sys [2006-11-07 08:42]
S3 w200mdfl;Sony Ericsson W200 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w200mdfl.sys [2006-11-07 08:42]
S3 w200mdm;Sony Ericsson W200 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w200mdm.sys [2006-11-07 08:42]
S3 w200mgmt;Sony Ericsson W200 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w200mgmt.sys [2006-11-07 08:42]
S3 w200obex;Sony Ericsson W200 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w200obex.sys [2006-11-07 08:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0e29ac05-9a15-11dc-9035-cb0cd1d44cd0}]
\Shell\AutoRun\command - F:\SETUP.EXE /AUTORUN
\Shell\configure\command - F:\SETUP.EXE
\Shell\install\command - F:\SETUP.EXE
*Newly Created Service* - POWERMANAGER
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-19 22:55:29
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-19 22:55:51 - machine was rebooted
.
2007-12-18 19:11:55 --- E O F ---
19 Gru 2007, 00:00
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"AQQ" = "C:\PROGRA~1\WapSter\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DaemonTools_WhenUSave_Installer" = "C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" [file not found]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
{HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
{HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
{HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
{HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
{HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
{HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Mateusz P\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Startup items in "Mateusz P" & "All Users" startup folders:
-----------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Ralink Wireless Utility" shortcut to: "C:\Program Files\RALINK\Common\RaUI.exe -s" ["Ralink Technology, Corp."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
{HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP210 series\Driver = "CNMLM8S.DLL" ["CANON INC."]
---------- (launch time: 2007-12-19 23:00:10)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 30 seconds, including 5 seconds for message boxes)
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"AQQ" = "C:\PROGRA~1\WapSter\AQQ\AQQ.exe" ["AQQ Sp. z o.o."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DaemonTools_WhenUSave_Installer" = "C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" [file not found]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
{HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
{HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
{HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
{HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
{HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" ["Nero AG"]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
{HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\WapSter\AQQ\System\AQQSHE~1.DLL" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Mateusz P\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Startup items in "Mateusz P" & "All Users" startup folders:
-----------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Ralink Wireless Utility"
shortcut to: "C:\Program Files\RALINK\Common\RaUI.exe -s" ["Ralink Technology, Corp."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
{HKCU...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{HKLM...CLSID} = "Java Plug-in 1.6.0_03"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP210 series\Driver = "CNMLM8S.DLL" ["CANON INC."]
---------- (launch time: 2007-12-19 23:00:10)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 30 seconds, including 5 seconds for message boxes)
19 Gru 2007, 13:37
C:\WINDOWS\system32\bez˙tytuˆu.JPG
Usuń ten plik.
Usuń ten plik.
19 Gru 2007, 18:49
Tylko tyle?
Przeskanowałem kompa antywirusem i teraz gdy chcę uruchomić Everesta pojawia się takie okno i znika.
Spróbuję jeszcze raz nadpisać ten program może będzie już ok.
Jak macie jeszcze jakieś pomysły to napiszcie.
Przeskanowałem kompa antywirusem i teraz gdy chcę uruchomić Everesta pojawia się takie okno i znika.
Spróbuję jeszcze raz nadpisać ten program może będzie już ok.
Jak macie jeszcze jakieś pomysły to napiszcie.