Regulamin forum
1. Każdy temat powinien odzwierciedlać treść wątku.2. W przypadku wklejania logów; należy je wykonać od razu przynajmniej z dwóch narzędzi: FRST oraz z GMER
3. Wszelkie logi proszę publikować na przeznaczonych do tego stronach a w poście wklejać tylko link.
4. Nie wskazane jest skracanie logów, należy wkleić cały - od początku, do końca.
5. Nie wskazane jest podczepianie się do tematów innych użytkowników - proszę założyć nowy temat w dziale Bezpieczeństwo, ułatwi to pomoc sprawdzającemu.
6. Osoby nie posiadające odpowiedniej wiedzy, nie powinny sprawdzać logów, ponieważ grozi to poważnym uszkodzeniem systemu lub aplikacji zainstalowanych na komputerze.
7. Należy dokładnie opisać problem, występujące objawy oraz wszelkie podjęte działania.
8. Każdy skrypt jest unikatowy, napisany dla każdego przypadku z osobna, więc nie może być stosowany przez innych.
9. W przypadku zamieszczenia zrzutu ekranu (screenshot'a) proszę korzystać z zewnętrznego serwisu oferującego hosting zdjęć.
Wątpliwości co do log`a.
24 Paź 2007, 16:16
No więc tak troszkę mi komp muli.
I czasami tak z lekka błędy różne mi wywala.
Więc log leci
I czasami tak z lekka błędy różne mi wywala.
Więc log leci
- Kod:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:27, on 2007-10-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\AutoConnect\AutoConnect.exe
D:\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Winamp\winamp.exe
D:\Internet Download Manager\IDMan.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.entretieneteds.vze.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - (no file)
O2 - BHO: Peer2Mail Toolbar Helper - {4FB971C4-99FB-480d-BA3F-55B8263010FB} - C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll (file missing)
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\OFFICE~1\Office12\GRA8E1~1.DLL
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll
O3 - Toolbar: (no name) - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - (no file)
O3 - Toolbar: Peer2Mail Toolbar - {43F2A7F9-06F6-48a5-B0DC-8530BF29CE66} - C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutoConnect.lnk = C:\Program Files\AutoConnect\AutoConnect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\TiReX1\Dane aplikacji\Dealio\kb123\res\DealioSearch.html
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download All Links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\Office12\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192342949625
O17 - HKLM\System\CCS\Services\Tcpip\..\{B65DC1AF-2508-438A-8542-91FC657617EF}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD040481-4E7C-4278-A05C-2A38DA3FCC29}: NameServer = 212.85.112.32,193.110.121.20
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\OFFICE~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - D:\spd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Service Host Controller (r_server) - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
24 Paź 2007, 16:43
Odinstaluj najlepiej: Yahoo! Toolbar, Dealio, Groove GFS... i nie wiem jaki jeszcze tam "shit" a wraz z tym te wpisy (najlepiej te wszystkie toolbary chyba ze ci cos potrzebne... 
):
Teraz najlepiej start do systemu awaryjnego i usuniecie pliku: C:\WINDOWS\system\svchost.exe oraz nastepnie wpisu jesli bedzie:
PS. Po tej operacji pokaz nowy log z Hijackthis oraz Combofix...
):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.entretieneteds.vze.com
R3 - URLSearchHook: (no name) - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O2 - BHO: (no name) - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - (no file)
O2 - BHO: Peer2Mail Toolbar Helper - {4FB971C4-99FB-480d-BA3F-55B8263010FB} - C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll (file missing)
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O2 - BHO: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll
O3 - Toolbar: Expressivo - {85F685C3-20D9-4943-95E4-EB4224056C3F} - C:\Program Files\ivo\Expressivo\integr\ih-iexplorer\IH_iexplorer.dll
O3 - Toolbar: (no name) - {40d1c3a7-4ffb-4443-b3a0-a64b2df7fc3b} - (no file)
O3 - Toolbar: Peer2Mail Toolbar - {43F2A7F9-06F6-48a5-B0DC-8530BF29CE66} - C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\TiReX1\Dane aplikacji\Dealio\kb123\res\DealioSearch.html
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb123\Dealio.dll (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
Teraz najlepiej start do systemu awaryjnego i usuniecie pliku: C:\WINDOWS\system\svchost.exe oraz nastepnie wpisu jesli bedzie:
O23 - Service: Service Host Controller (r_server) - Unknown owner - C:\WINDOWS\system\svchost.exe
PS. Po tej operacji pokaz nowy log z Hijackthis oraz Combofix...
27 Paź 2007, 19:25
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:18, on 2007-10-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe
C:\Program Files\AutoConnect\AutoConnect.exe
D:\Internet Download Manager\IEMonitor.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\OFFICE~1\Office12\GRA8E1~1.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutoConnect.lnk = C:\Program Files\AutoConnect\AutoConnect.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download All Links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2342949625
O17 - HKLM\System\CCS\Services\Tcpip\..\{B65DC1AF-2508-438A-8542-91FC657617EF}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD040481-4E7C-4278-A05C-2A38DA3FCC29}: NameServer = 212.85.112.32,193.110.121.20
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\OFFICE~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - D:\spd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Service Host Controller (r_server) - Unknown owner - C:\WINDOWS\system\svchost.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 6291 bytes
A tego pliku nie mogłem znaleźć.
28 Paź 2007, 10:06
Pobierz KillBox. W polu Full Patch of File to Delete wklej:
Zaznacz pole przy opcji Delete on reboot, naciśnij czerwony znak X i zrestartuj komputer.
Następnie nowy log + log z Silent Runners i ComboFix.
- Kod:
C:\WINDOWS\system\svchost.exe
Zaznacz pole przy opcji Delete on reboot, naciśnij czerwony znak X i zrestartuj komputer.
Następnie nowy log + log z Silent Runners i ComboFix.
28 Paź 2007, 15:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:36, on 2007-10-28
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\AutoConnect\AutoConnect.exe
D:\Internet Download Manager\IDMan.exe
D:\Internet Download Manager\IEMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.entretieneteds.vze.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\OFFICE~1\Office12\GRA8E1~1.DLL
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [IDMan] D:\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutoConnect.lnk = C:\Program Files\AutoConnect\AutoConnect.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Download All Links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://D:\OFFICE~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Statystyki dla ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\OFFICE~1\Office12\ONBttnIE.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - D:\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\OFFICE~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2342949625
O17 - HKLM\System\CCS\Services\Tcpip\..\{B65DC1AF-2508-438A-8542-91FC657617EF}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{FD040481-4E7C-4278-A05C-2A38DA3FCC29}: NameServer = 212.85.112.32,193.110.121.20
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\OFFICE~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - D:\spd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Service Host Controller (r_server) - Unknown owner - C:\WINDOWS\system\svchost.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
--
End of file - 6214 bytes
ComboFix 07-10-25.4 - TiReX1 2007-10-28 13:50:33.1 - NTFSx86
Running from: D:\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport\cs\Config.xml
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\TiReX1\Dane aplikacji\ShoppingReport\cs\res1\WhiteList.dbs
.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-28 )))))))))))))))))))))))))))))))
.
2007-10-26 22:10 <DIR> d-------- C:\Program Files\Winamp Toolbar
2007-10-26 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Winamp Toolbar
2007-10-26 17:40 <DIR> d-------- C:\VideoOutput
2007-10-26 17:24 <DIR> d-------- C:\Documents and Settings\TiReX1\Dane aplikacji\Canopus
2007-10-26 17:24 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Canopus
2007-10-26 17:23 665,600 --a------ C:\WINDOWS\system32\drivers\hardlock.sys
2007-10-26 17:23 90,112 --------- C:\WINDOWS\unvise32.exe
2007-10-26 17:23 47,616 --a------ C:\WINDOWS\system32\drivers\Haspnt.sys
2007-10-26 17:23 6,656 --a------ C:\WINDOWS\system32\haspvdd.dll
2007-10-26 17:23 383 --a------ C:\WINDOWS\system32\haspdos.sys
2007-10-26 17:20 <DIR> d-------- C:\Program Files\Common Files\Canopus Shared
2007-10-26 17:20 1,089,625 --a------ C:\WINDOWS\system32\csedvh.dll
2007-10-26 17:20 385,108 --a------ C:\WINDOWS\system32\csedv.dll
2007-10-26 17:20 376,832 --a------ C:\WINDOWS\system32\hlcdvc.dll
2007-10-26 17:20 159,832 --a------ C:\WINDOWS\system32\csccdvc.dll
2007-10-26 17:20 147,456 --a------ C:\WINDOWS\system32\csccdvcx.dll
2007-10-26 17:20 73,728 --a------ C:\cmpgmux.dll
2007-10-26 17:20 32,256 --a------ C:\WINDOWS\system32\cdvccodc.dll
2007-10-26 17:20 22,528 --a------ C:\WINDOWS\system32\csthread.dll
2007-10-25 21:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-22 22:35 <DIR> d-------- C:\Program Files\Common Files\Invictus
2007-10-22 22:08 <DIR> d-------- C:\Program Files\D-Tools
2007-10-20 22:16 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-10-20 22:10 <DIR> d-------- C:\Program Files\Winamp Remote
2007-10-20 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\OrbNetworks
2007-10-20 22:01 <DIR> d-------- C:\Program Files\Winamp
2007-10-20 22:01 <DIR> d-------- C:\Documents and Settings\TiReX1\Dane aplikacji\Winamp
2007-10-20 17:50 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-10-20 17:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-10-18 15:20 <DIR> d-------- C:\Documents and Settings\TiReX1\Dane aplikacji\Ashampoo
2007-10-18 15:19 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\ashampoo
2007-10-18 15:15 <DIR> d-------- C:\WINDOWS\system32\ebay
2007-10-18 15:14 <DIR> d-------- C:\Program Files\Ashampoo
2007-10-16 08:10 <DIR> d-------- C:\Program Files\Common Files\PocketSoft
2007-10-14 19:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-14 07:32 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-10-14 07:21 <DIR> d---s---- C:\Documents and Settings\TiReX1\UserData
2007-10-11 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\.Beniamin
2007-10-08 19:38 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\DFX
2007-10-05 13:38 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Hamachi
2007-10-05 13:36 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Gadu-Gadu
2007-10-04 22:14 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-10-04 22:13 <DIR> d-------- C:\Program Files\Microsoft Works
2007-10-04 22:07 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-10-04 22:03 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2007-10-04 21:58 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-10-04 21:54 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2007-10-04 19:29 <DIR> d-------- C:\Documents and Settings\Administrator\Gadu-Gadu
2007-10-04 19:27 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\IDM
2007-10-04 19:27 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\DMCache
2007-10-04 19:18 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2007-10-04 19:18 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Dealio
2007-10-04 19:15 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-10-04 19:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Ustawienia lokalne
2007-10-04 19:14 <DIR> dr------- C:\Documents and Settings\Administrator\Ulubione
2007-10-04 19:14 <DIR> d--h----- C:\Documents and Settings\Administrator\Szablony
2007-10-04 19:14 <DIR> d-------- C:\Documents and Settings\Administrator\Pulpit
2007-10-04 19:14 <DIR> dr------- C:\Documents and Settings\Administrator\Moje dokumenty
2007-10-04 19:14 <DIR> dr------- C:\Documents and Settings\Administrator\Menu Start
2007-10-04 19:14 <DIR> dr-h----- C:\Documents and Settings\Administrator\Dane aplikacji
2007-10-03 21:45 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-10-03 21:40 <DIR> d-------- C:\Documents and Settings\TiReX1\Dane aplikacji\Dealio
2007-10-03 21:38 720,896 --a------ C:\WINDOWS\iun6002.exe
2007-10-02 05:35 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-10-02 05:35 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-10-02 05:34 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-10-02 05:34 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-10-01 22:30 <DIR> d-------- C:\Documents and Settings\TiReX1\Dane aplikacji\InstallShield
2007-09-30 21:32 <DIR> d-------- C:\Program Files\Alcohol Soft
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-28 12:48 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\DMCache
2007-10-28 12:31 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2007-10-28 12:30 --------- d-----w C:\Program Files\AutoConnect
2007-10-28 12:00 4,680,736 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-27 17:03 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2007-10-26 16:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 21:09 58,448 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-10-22 21:09 202,016 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-10-22 21:09 10,064 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-13 16:09 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\uTorrent
2007-10-11 13:38 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\.Beniamin
2007-10-05 14:32 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\Hamachi
2007-09-29 19:01 --------- d-----w C:\Program Files\Odkurzacz
2007-09-26 20:23 82,061 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2007-09-26 20:23 81,549 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2007-09-26 20:15 --------- d-----w C:\Program Files\Kaspersky Lab
2007-09-26 13:43 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\ACD Systems
2007-09-26 13:40 --------- d-----w C:\Program Files\Common Files\ACD Systems
2007-09-26 13:40 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
2007-09-23 21:02 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\IDM
2007-09-23 20:24 --------- d-----w C:\Program Files\Lavalys
2007-09-23 20:02 --------- d-----w C:\Program Files\Gadu-Gadu
2007-09-23 12:57 --------- d-----w C:\Program Files\Intelli HyperSpeed 2005
2007-09-21 13:01 --------- d-----w C:\Program Files\WUUP!
2007-09-20 13:36 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-09-16 11:58 --------- d-----w C:\Program Files\Aspyr
2007-09-15 20:45 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\GetRightToGo
2007-09-15 15:21 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\RapidGet
2007-09-15 12:45 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\vlc
2007-09-15 12:42 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\BitTorrent
2007-09-12 22:08 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\Reasonable Software House Ltd
2007-09-12 21:59 --------- d-----w C:\Program Files\1-abc
2007-09-12 20:30 --------- d-----w C:\Program Files\HP
2007-09-11 13:41 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-09-05 18:25 --------- d-----w C:\Documents and Settings\TiReX1\Dane aplikacji\Screaming Bee
2007-09-05 18:25 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Screaming Bee
2007-09-05 18:22 --------- d-----w C:\Program Files\Common Files\Screaming Bee
2007-09-03 17:07 --------- d-----w C:\Program Files\YourWare Solutions
2007-09-03 15:35 685,816 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-08-24 09:16 231,302 ----a-w C:\WINDOWS\Peer2Mail_Toolbar_Uninstaller_2765.exe
2004-09-28 01:00 26,240 ----a-w C:\WINDOWS\inf\RAMDSK.SYS
2005-06-21 09:45:24 90,112 --sha-r C:\WINDOWS\system\admdll.dll
2005-06-21 09:45:28 29,408 --sha-r C:\WINDOWS\system\raddrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 21:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 21:06 1135968]
[HKEY_CLASSES_ROOT\CLSID\{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 23:43]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [2006-12-03 00:14]
"IDMan"="D:\Internet Download Manager\IDMan.exe" [2007-09-23 19:48]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"NoLowDiscSpaceChecks"=000000000000f03f
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoSMBalloonTip"=0 (0x0)
"NoInstrumentation"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^TiReX1^Menu Start^Programy^Autostart^daemon.lnk]
path=C:\Documents and Settings\TiReX1\Menu Start\Programy\Autostart\daemon.lnk
backup=C:\WINDOWS\pss\daemon.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
C:\Program Files\Dealio\DealioAU.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"D:\BitTorrent\bittorrent.exe" --force_start_minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cFosSpeed]
D:\cFosSpeed.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"C:\Program Files\D-Tools\daemon.exe" -lang 1033
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Expressivo]
"C:\Program Files\ivo\Expressivo\expressivo.exe" -t
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Flashget]
C:\Program Files\FlashGet\flashget.exe /min
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
"C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gadu-Gadu]
"C:\Program Files\Gadu-Gadu\gg.exe" /tray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
"D:\office 2007\Office12\GrooveMonitor.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
D:\Internet Download Manager\IDMan.exe /onboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KasowaniePlikowTymczasowych]
cmd /c del/s/q %windir%\temp
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kis]
"C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemOptimizer]
C:\Program Files\Pointstone\MemOptimizer 3\MemOptimizer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NexusServer]
"C:\Program Files\Common Files\Canopus Shared\ProCoder 2\Kernel\PNXSERVR.exe" -SelfLaunch
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Odkurzacz-MCD]
C:\Program Files\Odkurzacz\odk_mcd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
"C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\WINDOWS\system32\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegDoctor]
C:\Program Files\RegDoctor\RegDoctor.exe -Quick
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SIDEBAR]
"C:\WINDOWS\Resources\Themes\DameK UltraBlue\Desktop Sidebar\sidebar.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
"C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tguard]
C:\Program Files\Beniamin\tguard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Program Files\Winamp\winampa.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon]
C:\PROGRA~1\Neostrada TP\CnxMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
C:\PROGRA~1\Neostrada TP\TaskbarIcon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
C:\PROGRA~1\Neostrada TP\Watch.exe
R0 d343bus;d343bus;C:\WINDOWS\system32\DRIVERS\d343bus.sys
R0 d343port;d343port;C:\WINDOWS\system32\DRIVERS\d343port.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
R3 SCREAMINGBDRIVER;Screaming Bee Audio;C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
S2 r_server;Service Host Controller;"C:\WINDOWS\system\svchost.exe" /service
S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 sony_ssm.sys;sony_ssm.sys;\??\C:\DOCUME~1\TiReX1\USTAWI~1\Temp\sony_ssm.sys
S3 WINIO;WINIO;\??\C:\Documents and Settings\TiReX1\Pulpit\lcdinfo_test\lcdinfo_test\winio.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-09-21 20:04:38 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 13:57:22
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-28 14:00:22
.
--- E O F ---
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AutoConnect" = "C:\Program Files\AutoConnect\AutoConnect.exe" ["http://autoconnect.prv.pl"]
"IDMan" = "D:\Internet Download Manager\IDMan.exe /onboot" ["Tonec Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0055C089-8582-441B-A0BF-17B458C2A3A8}\(Default) = "IDM Helper"
{HKLM...CLSID} = "IDMIEHlprObj Class"
\InProcServer32\(Default) = "D:\Internet Download Manager\IDMIECC.dll" ["Tonec Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}\(Default) = "Winamp Toolbar BHO"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]
{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}\(Default) = (no title provided)
\InProcServer32\(Default) = "D:\BitComet\tools\BitCometBHO_1.1.7.4.dll" ["BitComet"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
\InProcServer32\(Default) = "C:\Program Files\ACE Mega CoDecS Pack\SystemS\RealMedia\rpshell.dll" ["RealNetworks, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
\InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki dla ochrony WWW"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
\InProcServer32\(Default) = "D:\office 2007\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
\InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2007\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoSMHelp" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}
"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoSMBalloonTip" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoInstrumentation" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoSMHelp" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoLowDiscSpaceChecks" = (REG_BINARY) hex:00 00 00 00 00 00 F0 3F
{unrecognized setting}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\TiReX1\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
Startup items in "TiReX1" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\TiReX1\Menu Start\Programy\Autostart
"AutoConnect"
Enabled Scheduled Tasks:
------------------------
"1-Click Maintenance"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{43F2A7F9-06F6-48A5-B0DC-8530BF29CE66}"
\InProcServer32\(Default) = "C:\Program Files\Peer2Mail Toolbar\v2.0.0.0\Peer2Mail_Toolbar.dll" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}" = "Winamp Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Winamp Toolbar\winamptb.dll" ["AOL LLC"]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{5C4C24D0-28B6-4B6B-B70F-E09848367F10}\(Default) = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Dealio\kb123\Dealio.dll" [file not found]
HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\OFFICE~1\Office12\GRA8E1~1.DLL" [MS]
HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki dla ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\CLSID\{E7A829CC-671F-4C3D-B590-8C0AEA72E6B2}\(Default) = "BitComet Search"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\BitComet\tools\BitCometBHO_1.1.7.4.dll" ["BitComet"]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\OFFICE~1\Office12\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statystyki dla ochrony WWW"
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
\InProcServer32\(Default) = "D:\OFFICE~1\Office12\ONBttnIE.dll" [MS]
{461CC20B-FB6E-4F16-8FE8-C29359DB100E}\
"ButtonText" = "BitComet Search"
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Kaspersky Internet Security 7.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\system32\UAService7.exe" ["Sony DADC Austria AG."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]
---------- (launch time: 2007-10-28 14:11:41)
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 128 seconds.
---------- (total run time: 260 seconds)