nie mogę rozpakować tego DelDomains .. Logfile of HijackThis v1.99.0
Scan saved at 22:19:08, on 2005–02–17
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:WINDOWSSystem32LXSUPMON.EXE
C:Program FilesAheadInCDInCD.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:WINDOWSSystem32ctfmon.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesGadu–Gadugg.exe
C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
C:Program FilesAVERTV2KQuickTV.exe
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004AVENGINE.EXE
C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004WebProxy.exe
C:WINDOWSSystem32wuauclt.exe
C:Program FilesantywirNowy folderHijackThis.exe

R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gogle.pl/
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O4 – HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 – HKLM..Run: [LXSUPMON] C:WINDOWSSystem32LXSUPMON.EXE RUN
O4 – HKLM..Run: [NeroCheck] C:WINDOWSsystem32NeroCheck.exe
O4 – HKLM..Run: [InCD] C:Program FilesAheadInCDInCD.exe
O4 – HKLM..Run: [APVXDWIN] "C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE" /s
O4 – HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – Global Startup: Microtek Scanner Finder.lnk = C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
O4 – Global Startup: QuickTV.lnk = C:Program FilesAVERTV2KQuickTV.exe
O4 – Global Startup: TeleSA.lnk = C:Program FilesAVer TeletextAVerSA.exe
O12 – Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O23 – Service: avast! iAVS4 Control Service – Unknown – C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 – Service: Ati HotKey Poller – Unknown – C:WINDOWSSystem32Ati2evxx.exe
O23 – Service: ATI Smart – Unknown – C:WINDOWSsystem32ati2sgag.exe
O23 – Service: avast! Antivirus – Unknown – C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 – Service: LexBce Server – Lexmark International, Inc. – C:WINDOWSsystem32LEXBCES.EXE
O23 – Service: Panda Process Protection Service – Unknown – C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
O23 – Service: Panda anti–virus service – Unknown – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
O23 – Service: Panda IManager Service – Panda Software Internacional – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 21:05 dllcache
2005–02–16 17:58 231842 s2rs0c97ef.dll
2005–02–15 20:54 232211 lvpq0975e.dll
2005–02–15 20:52 231836 t68ulgl916q.dll
2005–02–15 20:50 228958 irrql5951.dll
2005–02–15 19:23 230586 i8240ifqe82e0.dll
2005–02–14 20:37 228623 jt4807hue.dll
2005–02–13 22:06 231526 p44uleh91h4.dll
2005–02–13 20:25 231052 lvrq0995e.dll
2005–02–13 18:39 230038 hrr8059ue.dll
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:15 Microsoft
10 plik(w) 2494464 bajtw
2 katalog(w) 24389500928 bajtw wolnych

––––––– Hidden Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 21:05 dllcache
2005–02–15 19:52 GroupPolicy
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:06 488 WindowsLogon.manifest
2004–05–26 10:06 488 logonui.exe.manifest
2004–05–26 10:06 749 sapi.cpl.manifest
2004–05–26 10:06 749 cdplayer.exe.manifest
2004–05–26 10:06 749 wuaucpl.cpl.manifest
2004–05–26 10:06 749 nwc.cpl.manifest
2004–05–26 10:06 749 ncpa.cpl.manifest
8 plik(w) 422513 bajtw
2 katalog(w) 24389500928 bajtw wolnych

–––––––––– Files Named "Guard" –––––––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–17 20:29 231123 guard.tmp
1 plik(w) 231123 bajtw
0 katalog(w) 24389496832 bajtw wolnych

––––––––– Temp Files in System32 Directory ––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–17 20:29 231123 guard.tmp
2002–09–28 23:00 2596 CONFIG.TMP
2001–08–28 13:00 10240 regsvr32.exe.tmp
3 plik(w) 243959 bajtw
0 katalog(w) 24389496832 bajtw wolnych

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyAtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyReinstall]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySchedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify ermsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifywlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Locked Files –––––––––––––––

Dobra ostani raz napisze bo dziewczyna jestes
W innym wypadku juz dawno bym ustapił

W Hijack This zaznaczasz i FIX:

O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O3 – Toolbar: IEMenuExtension toolbar – {6b95678d–30a4–4ff8–a72f–4208340c1f7f} – C:Program FilesIEMenuExtension bextn.dll (file missing)
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 67.19.185.246
O15 – Trusted IP range: 67.19.185.246 (HKLM)

Sciagnij DelDomains.rar i uzyj

W Killboxie:

C:WINDOWSsystem32dllcaches2rs0c97ef.dll
C:WINDOWSsystem32dllcachelvpq0975e.dll
C:WINDOWSsystem32dllcache 68ulgl916q.dll
C:WINDOWSsystem32dllcacheirrql5951.dll
C:WINDOWSsystem32dllcachei8240ifqe82e0.dll
C:WINDOWSsystem32dllcachejt4807hue.dll
C:WINDOWSsystem32dllcachep44uleh91h4.dll
C:WINDOWSsystem32dllcachelvrq0995e.dll
C:WINDOWSsystem32dllcachehrr8059ue.dll
C:WINDOWSsystem32dllcachew?aclt.exe

W rejestrze:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyReinstall
:arrow: C:\WINDOWS\system32\q8rq0i95e8.dll

Przypominam o wylaczeniu przywracania i odłaczeniu kabla od neta

Dobra ostani raz napisze bo dziewczyna jestes
W innym wypadku juz dawno bym ustapił

W Hijack This zaznaczasz i FIX:

O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O3 – Toolbar: IEMenuExtension toolbar – {6b95678d–30a4–4ff8–a72f–4208340c1f7f} – C:Program FilesIEMenuExtension bextn.dll (file missing)
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 67.19.185.246
O15 – Trusted IP range: 67.19.185.246 (HKLM)

Sciagnij DelDomains.rar i uzyj

W Killboxie:

C:WINDOWSsystem32dllcaches2rs0c97ef.dll
C:WINDOWSsystem32dllcachelvpq0975e.dll
C:WINDOWSsystem32dllcache 68ulgl916q.dll
C:WINDOWSsystem32dllcacheirrql5951.dll
C:WINDOWSsystem32dllcachei8240ifqe82e0.dll
C:WINDOWSsystem32dllcachejt4807hue.dll
C:WINDOWSsystem32dllcachep44uleh91h4.dll
C:WINDOWSsystem32dllcachelvrq0995e.dll
C:WINDOWSsystem32dllcachehrr8059ue.dll
C:WINDOWSsystem32dllcachew?aclt.exe

W rejestrze:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyReinstall
:arrow: C:\WINDOWS\system32\q8rq0i95e8.dll

Przypominam o wylaczeniu przywracania i odłaczeniu kabla od neta

jeszcze poprawkiLogfile of HijackThis v1.99.0
Scan saved at 21:29:20, on 2005–02–17
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:WINDOWSSystem32LXSUPMON.EXE
C:Program FilesAheadInCDInCD.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:WINDOWSSystem32ctfmon.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesGadu–Gadugg.exe
C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
C:Program FilesAVERTV2KQuickTV.exe
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004AVENGINE.EXE
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004WebProxy.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesantywirNowy folderHijackThis.exe

R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gogle.pl/
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: IEMenuExtension toolbar – {6b95678d–30a4–4ff8–a72f–4208340c1f7f} – C:Program FilesIEMenuExtension bextn.dll (file missing)
O4 – HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 – HKLM..Run: [LXSUPMON] C:WINDOWSSystem32LXSUPMON.EXE RUN
O4 – HKLM..Run: [NeroCheck] C:WINDOWSsystem32NeroCheck.exe
O4 – HKLM..Run: [InCD] C:Program FilesAheadInCDInCD.exe
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [APVXDWIN] "C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE" /s
O4 – HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – Global Startup: Microtek Scanner Finder.lnk = C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
O4 – Global Startup: QuickTV.lnk = C:Program FilesAVERTV2KQuickTV.exe
O4 – Global Startup: TeleSA.lnk = C:Program FilesAVer TeletextAVerSA.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O12 – Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 67.19.185.246
O15 – Trusted IP range: 67.19.185.246 (HKLM)
O23 – Service: avast! iAVS4 Control Service – Unknown – C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 – Service: Ati HotKey Poller – Unknown – C:WINDOWSSystem32Ati2evxx.exe
O23 – Service: ATI Smart – Unknown – C:WINDOWSsystem32ati2sgag.exe
O23 – Service: avast! Antivirus – Unknown – C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 – Service: LexBce Server – Lexmark International, Inc. – C:WINDOWSsystem32LEXBCES.EXE
O23 – Service: Panda Process Protection Service – Unknown – C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
O23 – Service: Panda anti–virus service – Unknown – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
O23 – Service: Panda IManager Service – Panda Software Internacional – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe

nie ma run once Logfile of HijackThis v1.99.0
Scan saved at 21:10:12, on 2005–02–17
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:WINDOWSSystem32LXSUPMON.EXE
C:Program FilesAheadInCDInCD.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:WINDOWSSystem32ctfmon.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesGadu–Gadugg.exe
C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
C:Program FilesAVERTV2KQuickTV.exe
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004AVENGINE.EXE
C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004WebProxy.exe
C:WINDOWSSystem32wuauclt.exe
C:Program FilesantywirNowy folderHijackThis.exe

R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gogle.pl/
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: IEMenuExtension toolbar – {6b95678d–30a4–4ff8–a72f–4208340c1f7f} – C:Program FilesIEMenuExtension bextn.dll (file missing)
O4 – HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 – HKLM..Run: [LXSUPMON] C:WINDOWSSystem32LXSUPMON.EXE RUN
O4 – HKLM..Run: [NeroCheck] C:WINDOWSsystem32NeroCheck.exe
O4 – HKLM..Run: [InCD] C:Program FilesAheadInCDInCD.exe
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [APVXDWIN] "C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE" /s
O4 – HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – Global Startup: Microtek Scanner Finder.lnk = C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
O4 – Global Startup: QuickTV.lnk = C:Program FilesAVERTV2KQuickTV.exe
O4 – Global Startup: TeleSA.lnk = C:Program FilesAVer TeletextAVerSA.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O12 – Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 67.19.185.246
O15 – Trusted IP range: 67.19.185.246 (HKLM)
O16 – DPF: {0878B424–1F95–4E26–B5AB–F0D349D89650} – http://download.bargain–buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ9.cab
O16 – DPF: {15AD4789–CDB4–47E1–A9DA–992EE8E6BAD6} – http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge–c18.cab
O16 – DPF: {205FF73B–CA67–11D5–99DD–444553540000} (CInstall Class) – http://www.spywarestormer.com/files2/Install.cab
O16 – DPF: {386A771C–E96A–421F–8BA7–32F1B706892F} (Installer Class) – http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108499602500
O16 – DPF: {79849612–A98F–45B8–95E9–4D13C7B6B35C} (Loader2 Control) – http://67.19.185.246/i/8/loader2.ocx
O16 – DPF: {9EB320CE–BE1D–4304–A081–4B4665414BEF} (MediaTicketsInstaller Control) – http://www.mt–download.com/MediaTicketsInstaller.cab?refid=3548
O23 – Service: avast! iAVS4 Control Service – Unknown – C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 – Service: Ati HotKey Poller – Unknown – C:WINDOWSSystem32Ati2evxx.exe
O23 – Service: ATI Smart – Unknown – C:WINDOWSsystem32ati2sgag.exe
O23 – Service: avast! Antivirus – Unknown – C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 – Service: LexBce Server – Lexmark International, Inc. – C:WINDOWSsystem32LEXBCES.EXE
O23 – Service: Panda Process Protection Service – Unknown – C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
O23 – Service: Panda anti–virus service – Unknown – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
O23 – Service: Panda IManager Service – Panda Software Internacional – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 21:05 dllcache
2005–02–16 17:58 231842 s2rs0c97ef.dll
2005–02–15 20:54 232211 lvpq0975e.dll
2005–02–15 20:52 231836 t68ulgl916q.dll
2005–02–15 20:50 228958 irrql5951.dll
2005–02–15 19:23 230586 i8240ifqe82e0.dll
2005–02–14 20:37 228623 jt4807hue.dll
2005–02–13 22:06 231526 p44uleh91h4.dll
2005–02–13 20:25 231052 lvrq0995e.dll
2005–02–13 18:39 230038 hrr8059ue.dll
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:15 Microsoft
10 plik(w) 2494464 bajtw
2 katalog(w) 24392138752 bajtw wolnych

––––––– Hidden Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 21:05 dllcache
2005–02–15 19:52 GroupPolicy
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:06 488 WindowsLogon.manifest
2004–05–26 10:06 488 logonui.exe.manifest
2004–05–26 10:06 749 sapi.cpl.manifest
2004–05–26 10:06 749 cdplayer.exe.manifest
2004–05–26 10:06 749 wuaucpl.cpl.manifest
2004–05–26 10:06 749 nwc.cpl.manifest
2004–05–26 10:06 749 ncpa.cpl.manifest
8 plik(w) 422513 bajtw
2 katalog(w) 24392138752 bajtw wolnych

–––––––––– Files Named "Guard" –––––––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–17 20:29 231123 guard.tmp
1 plik(w) 231123 bajtw
0 katalog(w) 24392134656 bajtw wolnych

––––––––– Temp Files in System32 Directory ––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–17 20:29 231123 guard.tmp
2002–09–28 23:00 2596 CONFIG.TMP
2001–08–28 13:00 10240 regsvr32.exe.tmp
3 plik(w) 243959 bajtw
0 katalog(w) 24392134656 bajtw wolnych

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyAtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyReinstall]
"Asynchronous"=dword:00000000
"DllName"="C:\WINDOWS\system32\q8rq0i95e8.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySchedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify ermsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifywlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Locked Files –––––––––––––––––


–––––––––––––– XFind Qoologic Results –––––––––––––

Do usuniecia

z system32:
q8rq0i95e8.dll
ir22l5fo1.dll
aza8059ue.dll
hcui.dll

Z dllcache:
s2rs0c97ef.dll
lvpq0975e.dll
t68ulgl916q.dll
irrql5951.dll
i8240ifqe82e0.dll
jt4807hue.dll
p44uleh91h4.dll
lvrq0995e.dll
hrr8059ue.dll
w?aclt.exe

Usuwasz Killboxem, ale wczesniej odłaczasz zywcem kabel od neta

Klucze do usuniecia:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]
{518971F6–D79E–472F–8F83–48740BF0A3B1}

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyRunOnce]
"C:\WINDOWS\system32\ir22l5fo1.dll"

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–17 19:52 229898 q8rq0i95e8.dll
2005–02–17 19:26 231123 ir22l5fo1.dll
2005–02–17 17:53 231861 aza8059ue.dll
2005–02–16 21:43 230653 hcui.dll
2005–02–16 21:05 dllcache
2005–02–16 17:58 231842 s2rs0c97ef.dll
2005–02–15 20:54 232211 lvpq0975e.dll
2005–02–15 20:52 231836 t68ulgl916q.dll
2005–02–15 20:50 228958 irrql5951.dll
2005–02–15 19:23 230586 i8240ifqe82e0.dll
2005–02–14 20:37 228623 jt4807hue.dll
2005–02–13 22:06 231526 p44uleh91h4.dll
2005–02–13 20:25 231052 lvrq0995e.dll
2005–02–13 18:39 230038 hrr8059ue.dll
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:15 Microsoft
14 plik(w) 3417999 bajtw
2 katalog(w) 24390848512 bajtw wolnych

––––––– Hidden Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 21:05 dllcache
2005–02–15 19:52 GroupPolicy
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:06 488 WindowsLogon.manifest
2004–05–26 10:06 488 logonui.exe.manifest
2004–05–26 10:06 749 sapi.cpl.manifest
2004–05–26 10:06 749 cdplayer.exe.manifest
2004–05–26 10:06 749 wuaucpl.cpl.manifest
2004–05–26 10:06 749 nwc.cpl.manifest
2004–05–26 10:06 749 ncpa.cpl.manifest
8 plik(w) 422513 bajtw
2 katalog(w) 24390848512 bajtw wolnych

–––––––––– Files Named "Guard" –––––––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32


––––––––– Temp Files in System32 Directory ––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2002–09–28 23:00 2596 CONFIG.TMP
2001–08–28 13:00 10240 regsvr32.exe.tmp
2 plik(w) 12836 bajtw
0 katalog(w) 24390844416 bajtw wolnych

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]
"{518971F6–D79E–472F–8F83–48740BF0A3B1}"=""


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyAtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyRunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\WINDOWS\system32\ir22l5fo1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySchedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify ermsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifywlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Locked Files –––––––––––––––––


–––––––––––––– XFind Qoologic Results ––––––––––––––


–––––––––––––– XFind Aspack Results –––––––––––––––


–––––––––––––– Locate.com Results –––––––––––––––

Troche pousuwałas ale nadal duzo zostało
Wpisy od VX2 dalej sa
Trusted dalej sa
Całosc z R1 do skoszenia
Kontrolki (016) dalej są
To tak z grubsza do "kosmetyki" tez troche

Powtarzal sie nie bede, przeczytaj raz jeszcze to co napisałem i usuwaj co wypisałem

Zgłos sie jeszcze raz w logiem od FindIt bo podejrzewam sie pliki odtwarzajce syf albo sie jeszcze rozmnozyły albo pozmieniały nazwy

Logfile of HijackThis v1.99.0
Scan saved at 19:55:53, on 2005–02–17
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32 undll32.exe
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:WINDOWSSystem32LXSUPMON.EXE
C:Program FilesAheadInCDInCD.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:WINDOWSSystem32ctfmon.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesGadu–Gadugg.exe
C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
C:Program FilesAVERTV2KQuickTV.exe
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004AVENGINE.EXE
C:WINDOWSSystem32svchost.exe
C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004WebProxy.exe
C:WINDOWSSystem32wuauclt.exe
C:Program FilesantywirNowy folderHijackThis.exe

R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gogle.pl/
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: IEMenuExtension toolbar – {6b95678d–30a4–4ff8–a72f–4208340c1f7f} – C:Program FilesIEMenuExtension bextn.dll (file missing)
O4 – HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 – HKLM..Run: [LXSUPMON] C:WINDOWSSystem32LXSUPMON.EXE RUN
O4 – HKLM..Run: [NeroCheck] C:WINDOWSsystem32NeroCheck.exe
O4 – HKLM..Run: [InCD] C:Program FilesAheadInCDInCD.exe
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [APVXDWIN] "C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE" /s
O4 – HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – Global Startup: Microtek Scanner Finder.lnk = C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
O4 – Global Startup: QuickTV.lnk = C:Program FilesAVERTV2KQuickTV.exe
O4 – Global Startup: TeleSA.lnk = C:Program FilesAVer TeletextAVerSA.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O12 – Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 67.19.185.246
O15 – Trusted IP range: 67.19.185.246 (HKLM)
O16 – DPF: {0878B424–1F95–4E26–B5AB–F0D349D89650} – http://download.bargain–buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ9.cab
O16 – DPF: {15AD4789–CDB4–47E1–A9DA–992EE8E6BAD6} – http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge–c18.cab
O16 – DPF: {205FF73B–CA67–11D5–99DD–444553540000} (CInstall Class) – http://www.spywarestormer.com/files2/Install.cab
O16 – DPF: {386A771C–E96A–421F–8BA7–32F1B706892F} (Installer Class) – http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108499602500
O16 – DPF: {79849612–A98F–45B8–95E9–4D13C7B6B35C} (Loader2 Control) – http://67.19.185.246/i/8/loader2.ocx
O16 – DPF: {9EB320CE–BE1D–4304–A081–4B4665414BEF} (MediaTicketsInstaller Control) – http://www.mt–download.com/MediaTicketsInstaller.cab?refid=3548
O23 – Service: avast! iAVS4 Control Service – Unknown – C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 – Service: Ati HotKey Poller – Unknown – C:WINDOWSSystem32Ati2evxx.exe
O23 – Service: ATI Smart – Unknown – C:WINDOWSsystem32ati2sgag.exe
O23 – Service: avast! Antivirus – Unknown – C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 – Service: LexBce Server – Lexmark International, Inc. – C:WINDOWSsystem32LEXBCES.EXE
O23 – Service: Panda Process Protection Service – Unknown – C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
O23 – Service: Panda anti–virus service – Unknown – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
O23 – Service: Panda IManager Service – Panda Software Internacional – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe


nie wszystkie instrukcje wykonałam
Co jeszcze mam zrobić? Mimo wszystko coś mi się samo włącza z netu, ale raportu o błędzie nie ma

"Wporzo" :lol:

Kosmetycznie tylko to:
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k

U mnie wszystko w porzadku:>

Logfile of HijackThis v1.99.0
Scan saved at 22:37:27, on 2005–02–16
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSExplorer.EXE
C:Program FilesWinampwinampa.exe
C:Program FilesJavajre1.5.0_01injusched.exe
C:PROGRA~1NEOSTR~1CnxMon.exe
C:Program FilesThomsonSpeedTouch USBDragdiag.exe
C:PROGRA~1NEOSTR~1TaskbarIcon.exe
C:WINDOWSSystem32ctfmon.exe
C:WINDOWSSystem32devldr32.exe
C:WINDOWSSystem32 vsvc32.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Program FilesWinampwinamp.exe
C:DownloadsHijackThis.exe

R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.neostrada.pl
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Neostrada TP
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
R3 – URLSearchHook: Search Class – {08C06D61–F1F3–4799–86F8–BE1A89362C85} – C:PROGRA~1NEOSTR~1SEARCH~1.DLL
O2 – BHO: (no name) – {53707962–6F74–2D53–2644–206D7942484F} – C:Program FilesSpybot – Search & DestroySDHelper.dll
O2 – BHO: (no name) – {A5366673–E8CA–11D3–9CD9–0090271D075B} – (no file)
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: FlashGet Bar – {E0E899AB–F487–11D5–8D29–0050BA6940E3} – C:PROGRA~1FlashGetfgiebar.dll
O4 – HKLM..Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 – HKLM..Run: [nwiz] nwiz.exe /install
O4 – HKLM..Run: [WinampAgent] C:Program FilesWinampwinampa.exe
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [WheelMouse] C:PROGRA~1A4TechMouseAmoumain.exe
O4 – HKLM..Run: [SunJavaUpdateSched] C:Program FilesJavajre1.5.0_01injusched.exe
O4 – HKLM..Run: [WooCnxMon] C:PROGRA~1NEOSTR~1CnxMon.exe
O4 – HKLM..Run: [SpeedTouch USB Diagnostics] "C:Program FilesThomsonSpeedTouch USBDragdiag.exe" /icon
O4 – HKLM..Run: [WOOWATCH] C:PROGRA~1NEOSTR~1Watch.exe
O4 – HKLM..Run: [WOOTASKBARICON] C:PROGRA~1NEOSTR~1TaskbarIcon.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [Steam] "d:grysteamsteam.exe" –silent
O4 – HKCU..Run: [SpybotSD TeaTimer] C:Program FilesSpybot – Search & DestroyTeaTimer.exe
O8 – Extra context menu item: Download All by FlashGet – C:Program FilesFlashGetjc_all.htm
O8 – Extra context menu item: Download using FlashGet – C:Program FilesFlashGetjc_link.htm
O9 – Extra button: (no name) – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:Program FilesJavajre1.5.0_01in pjpi150_01.dll
O9 – Extra 'Tools' menuitem: Sun Java Console – {08B0E5C0–4FCB–11CF–AAA5–00401C608501} – C:Program FilesJavajre1.5.0_01in pjpi150_01.dll
O9 – Extra button: FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:PROGRA~1FlashGetflashget.exe
O9 – Extra 'Tools' menuitem: &FlashGet – {D6E814A0–E0C5–11d4–8D29–0050BA6940E3} – C:PROGRA~1FlashGetflashget.exe
O16 – DPF: {E7544C6C–CFD6–43EA–B4E9–360CEE20BDF7} (MainControl Class) – http://skaner.mks.com.pl/SkanerOnline.cab
O17 – HKLMSystemCCSServicesTcpip..{6556E4DC–7713–488E–90A6–A52C3E723E7C}: NameServer = 194.204.152.34 217.98.63.164
O23 – Service: NVIDIA Driver Helper Service – NVIDIA Corporation – C:WINDOWSSystem32 vsvc32.exe

aniaz:

nie mogę ściągnąć tego killboxa

Jak nie jak tak
http://www.downloads.subratam.org/KillBox.zip

nie mogę ściągnąć tego killboxa.na dalsze wskazówki i pomoc będę czekać jutro po 16–tej. DZiękuję :)

Nie usunełas prawie nic jesli chodzi o log. Czeka nas chyba trudna przeprawa

Pozbyłas sie plikow o ktorych pisałem??
Jesli nie to na co czekasz ??, uruchom system w trybie awaryjnym (F8 parokrotnie wciskasz po starcie komputera i wybierasz tryb awaryjny)
Usuwasz pliki ktore wymieniłem wczesniej, ponadto zaznaczasz pozycje w Hijack This przedstawione w moim poscie w ramce >> Kod i wciskasz przycisk fix checked

Sciagasz Pocked Killbox i wpisujesz (wszystko masz na screenie ponizej)
C:WINDOWSSystem32e0200afmed2a0.dll pozniej C:WINDOWSSystem32k6pm0g71e6.dll

Pozniej masz inna sciezke czyli C:WINDOWSsystem32dllcache
Przykladowo: C:WINDOWSsystem32dllcachelvpq0975e.dll
Itd... z nazwami ponizej
t68ulgl916q.dll
irrql5951.dll
i8240ifqe82e0.dll
jt4807hue.dll
p44uleh91h4.dll
lvrq0995e.dll
hrr8059ue.dll
w?aclt.exe

Teraz odpalasz edytor rejestru (start >> uruchom >> regedit)
PO kolei otwierasz klucze:
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform
i przy zaznaczonym ostatnim usuwasz z prawej:
{518971F6–D79E–472F–8F83–48740BF0A3B1}

Nastepnie w kluczu:
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyModuleUsage
POd spodem bedziesz miała:
C:\WINDOWS\system32\k6pm0g71e6.dll
To tez usuwasz

Ad screen:
1 – wklejasz tam sciezki
2 – zaznaczasz

Uff mam nadzieje ze rozumiesz, prosciej nie umiem

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

––––––– System Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 17:58 230477 e0200afmed2a0.dll
2005–02–16 15:46 230653 k6pm0g71e6.dll
2005–02–15 21:45 dllcache
2005–02–15 20:54 232211 lvpq0975e.dll
2005–02–15 20:52 231836 t68ulgl916q.dll
2005–02–15 20:50 228958 irrql5951.dll
2005–02–15 19:23 230586 i8240ifqe82e0.dll
2005–02–14 20:37 228623 jt4807hue.dll
2005–02–13 22:06 231526 p44uleh91h4.dll
2005–02–13 20:25 231052 lvrq0995e.dll
2005–02–13 18:39 230038 hrr8059ue.dll
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:15 Microsoft
11 plik(w) 2723752 bajtw
2 katalog(w) 24432607232 bajtw wolnych

––––––– Hidden Files in System32 Directory –––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–15 21:45 dllcache
2005–02–15 19:52 GroupPolicy
2005–02–08 15:31 417792 w?aclt.exe
2004–05–26 10:06 488 WindowsLogon.manifest
2004–05–26 10:06 488 logonui.exe.manifest
2004–05–26 10:06 749 sapi.cpl.manifest
2004–05–26 10:06 749 cdplayer.exe.manifest
2004–05–26 10:06 749 wuaucpl.cpl.manifest
2004–05–26 10:06 749 nwc.cpl.manifest
2004–05–26 10:06 749 ncpa.cpl.manifest
8 plik(w) 422513 bajtw
2 katalog(w) 24432607232 bajtw wolnych

–––––––––– Files Named "Guard" –––––––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 17:58 231842 guard.tmp
1 plik(w) 231842 bajtw
0 katalog(w) 24432603136 bajtw wolnych

––––––––– Temp Files in System32 Directory ––––––––

Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 18B5–EBC7

Katalog: C:WINDOWSSystem32

2005–02–16 17:58 231842 guard.tmp
2002–09–28 23:00 2596 CONFIG.TMP
2001–08–28 13:00 10240 regsvr32.exe.tmp
3 plik(w) 244678 bajtw
0 katalog(w) 24432603136 bajtw wolnych

–––––––––––––––– User Agent ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionInternet SettingsUser AgentPost Platform]
"{518971F6–D79E–472F–8F83–48740BF0A3B1}"=""


–––––––––––– Keys Under Notify ––––––––––––

REGEDIT4

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify]

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyAtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycrypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifycscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyModuleUsage]
"Asynchronous"=dword:00000000
"DllName"="C:\WINDOWS\system32\k6pm0g71e6.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifyScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySchedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifysclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifySensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify ermsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotifywlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


–––––––––––––––– Xfind Locked Files –––––––––––––––––


–––––––––––––– XFind Qoologic Results ––––––––––––––

–––––––––––––– XFind Aspack Results –––––––––––––––


–––––––––––––– Locate.com Results –––––––––––––––

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSSystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32LEXBCES.EXE
C:WINDOWSsystem32 undll32.exe
C:WINDOWSsystem32spoolsv.exe
C:WINDOWSsystem32LEXPPS.EXE
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSExplorer.EXE
C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
C:WINDOWSSystem32LXSUPMON.EXE
C:Program FilesAheadInCDInCD.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE
C:PROGRA~1ALWILS~1Avast4ashDisp.exe
C:WINDOWSSystem32ctfmon.exe
C:Program FilesSkypePhoneSkype.exe
C:Program FilesGadu–Gadugg.exe
C:Documents and SettingsKLIENTDane aplikacjioera.exe
C:WINDOWSSystem32w?aclt.exe
C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
C:Program FilesAVERTV2KQuickTV.exe
C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
C:Program FilesAlwil SoftwareAvast4ashServ.exe
C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004WebProxy.exe
C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004AVENGINE.EXE
C:WINDOWSSystem32ap9h4qmo.exe
C:Program FilesAdTools ServiceAdToolsKeep.exe
C:Program FilesNaviSearchin ls.exe
C:Program FilesAdTools ServiceAdTools.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesantywirNowy folderHijackThis.exe

R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gogle.pl/
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R0 – HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
R3 – URLSearchHook: (no name) – {CA0E28FA–1AFD–4C21–A8DC–70EB5BE2F076} – C:Program FilesSurfSideKick 2SskBho.dll
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O3 – Toolbar: &Radio – {8E718888–423F–11D2–876E–00A0C9082467} – C:WINDOWSSystem32msdxm.ocx
O3 – Toolbar: IEMenuExtension toolbar – {6b95678d–30a4–4ff8–a72f–4208340c1f7f} – C:Program FilesIEMenuExtension bextn.dll (file missing)
O4 – HKLM..Run: [ATIPTA] C:Program FilesATI TechnologiesATI Control Panelatiptaxx.exe
O4 – HKLM..Run: [LXSUPMON] C:WINDOWSSystem32LXSUPMON.EXE RUN
O4 – HKLM..Run: [NeroCheck] C:WINDOWSsystem32NeroCheck.exe
O4 – HKLM..Run: [InCD] C:Program FilesAheadInCDInCD.exe
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [APVXDWIN] "C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004APVXDWIN.EXE" /s
O4 – HKLM..Run: [avast!] C:PROGRA~1ALWILS~1Avast4ashDisp.exe
O4 – HKLM..Run: [AdTools Service] C:Program FilesAdTools ServiceAdTools.exe
O4 – HKCU..Run: [CTFMON.EXE] C:WINDOWSSystem32ctfmon.exe
O4 – HKCU..Run: [Skype] "C:Program FilesSkypePhoneSkype.exe" /nosplash /minimized
O4 – HKCU..Run: [Gadu–Gadu] "C:Program FilesGadu–Gadugg.exe" /tray
O4 – HKCU..Run: [SurfSideKick 2] C:Program FilesSurfSideKick 2Ssk.exe
O4 – Global Startup: Microtek Scanner Finder.lnk = C:Program FilesMicrotekScanWizard 5ScannerFinder.exe
O4 – Global Startup: QuickTV.lnk = C:Program FilesAVERTV2KQuickTV.exe
O4 – Global Startup: TeleSA.lnk = C:Program FilesAVer TeletextAVerSA.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O12 – Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 67.19.185.246
O15 – Trusted IP range: 67.19.185.246 (HKLM)
O16 – DPF: {0878B424–1F95–4E26–B5AB–F0D349D89650} – http://download.bargain–buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ9.cab
O16 – DPF: {15AD4789–CDB4–47E1–A9DA–992EE8E6BAD6} – http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge–c18.cab
O16 – DPF: {205FF73B–CA67–11D5–99DD–444553540000} (CInstall Class) – http://www.spywarestormer.com/files2/Install.cab
O16 – DPF: {386A771C–E96A–421F–8BA7–32F1B706892F} (Installer Class) – http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 – DPF: {6414512B–B978–451D–A0D8–FCFDF33E833C} (WUWebControl Class) – http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108499602500
O16 – DPF: {79849612–A98F–45B8–95E9–4D13C7B6B35C} (Loader2 Control) – http://67.19.185.246/i/8/loader2.ocx
O16 – DPF: {9EB320CE–BE1D–4304–A081–4B4665414BEF} (MediaTicketsInstaller Control) – http://www.mt–download.com/MediaTicketsInstaller.cab?refid=3548
O23 – Service: avast! iAVS4 Control Service – Unknown – C:Program FilesAlwil SoftwareAvast4aswUpdSv.exe
O23 – Service: Ati HotKey Poller – Unknown – C:WINDOWSSystem32Ati2evxx.exe
O23 – Service: ATI Smart – Unknown – C:WINDOWSsystem32ati2sgag.exe
O23 – Service: avast! Antivirus – Unknown – C:Program FilesAlwil SoftwareAvast4ashServ.exe
O23 – Service: avast! Mail Scanner – ALWIL Software – C:Program FilesAlwil SoftwareAvast4ashMaiSv.exe
O23 – Service: LexBce Server – Lexmark International, Inc. – C:WINDOWSsystem32LEXBCES.EXE
O23 – Service: Panda Process Protection Service – Unknown – C:Program FilesCommon FilesPanda SoftwarePavShldpavprsrv.exe
O23 – Service: Panda anti–virus service – Unknown – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004pavsrv51.exe
O23 – Service: Panda IManager Service – Panda Software Internacional – C:Program FilesPanda SoftwarePanda Titanium Antivirus 2004PsImSvc.exe

wszysto ok poza tym źe nie mogę z medźera zakończyć AddTools.exe

Aniu przeciez moglas kontynuowac w Twoim poprzednim temacie

Zapowiada sie katorga intelektualna, standardowy zestaw syfu

Na poczatek
Sciagasz FIndIt dla XP stad
:arrow: KLIK
Rozpakuj i uruchom plik find.bat
Log z tego programu podaj do nastepnego posta

Na teraz

Wylacz przywracanie systemu

Zakoncz procesy (alt+ctrl+del >> zakłądka procesy):
AdTools.exe
nls.exe
AdToolsKeep.exe
w?aclt.exe
ap9h4qmo.exe

Usun z dysku:
C:Program FilesSurfSideKick2
oybkk.dll
mscb.dll
nvms.dll
C:Program FilesInternet Optimizer
C:PROGRA~1IEMENU~1
C:Program FilesAdTools Service
salm.exe
herahsd.exe
C:Program FilesBullsEye Network
C:Program FilesNaviSearch
ap9h4qmo.exe
w?aclt.exe
amcdcb.dll
oera.exe
C:Program FilesCashBack


Zaznaczasz i wciskasz FIX CHECKED:

R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R0 – HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.gogle.pl/
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Bar = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerSearch,SearchAssistant = file://C:DOCUME~1KLIENTUSTAWI~1Tempsp.html
R1 – HKCUSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R1 – HKLMSoftwareMicrosoftInternet ExplorerMain,HomeOldSP = about:blank
R3 – URLSearchHook: (no name) – {CA0E28FA–1AFD–4C21–A8DC–70EB5BE2F076} – C:Program FilesSurfSideKick 2SskBho.dll
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch
O1 – Hosts: 69.20.16.183 ieautosearch
O2 – BHO: (no name) – {19D36937–D9DD–F45A–D4EB–F10A730AF2CC} – C:WINDOWSSystem32oybkk.dll
O2 – BHO: NLS UrlCatcher Class – {AEECBFDA–12FA–4881–BDCE–8C3E1CE4B344} – C:WINDOWSSystem32 vms.dll
O2 – BHO: CB UrlCatcher Class – {CE188402–6EE7–4022–8868–AB25173A3E14} – C:WINDOWSSystem32mscb.dll
O3 – Toolbar: IEMenuExtension toolbar – {6b95678d–30a4–4ff8–a72f–4208340c1f7f} – C:Program FilesIEMenuExtension bextn.dll (file missing)
O4 – HKLM..Run: [KernelFaultCheck] %systemroot%system32dumprep 0 –k
O4 – HKLM..Run: [Internet Optimizer] "C:Program FilesInternet Optimizeroptimize.exe"
O4 – HKLM..Run: [IE Menu Extension toolbar] rundll32.exe "C:PROGRA~1IEMENU~1 bextn.dll" DllShowTB
O4 – HKLM..Run: [AdTools Service] C:Program FilesAdTools ServiceAdTools.exe
O4 – HKLM..Run: [salm] c: empsalm.exe
O4 – HKLM..Run: [herahsd] C:WINDOWSherahsd.exe
O4 – HKLM..Run: [SurfSideKick 2] C:Program FilesSurfSideKick 2Ssk.exe
O4 – HKLM..Run: [BullsEye Network] C:Program FilesBullsEye Networkinargains.exe
O4 – HKLM..Run: [NaviSearch] C:Program FilesNaviSearchin ls.exe
O4 – HKLM..Run: [CashBack] C:Program FilesCashBackincashback.exe
O4 – HKLM..Run: [ap9h4qmo] C:WINDOWSSystem32ap9h4qmo.exe
O4 – HKCU..Run: [Atoc] C:Documents and SettingsKLIENTDane aplikacjioera.exe
O4 – HKCU..Run: [Gcki] C:WINDOWSSystem32w?aclt.exe
O4 – HKCU..Run: [SurfSideKick 2] C:Program FilesSurfSideKick 2Ssk.exe
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:WINDOWSweb elated.htm

O15 – Trusted Zone: *.blazefind.com
O15 – Trusted Zone: *.clickspring.net
O15 – Trusted Zone: *.flingstone.com
O15 – Trusted Zone: *.mt–download.com
O15 – Trusted Zone: *.my–internet.info
O15 – Trusted Zone: *.searchbarcash.com
O15 – Trusted Zone: *.searchmiracle.com
O15 – Trusted Zone: *.skoobidoo.com
O15 – Trusted Zone: *.slotch.com
O15 – Trusted Zone: *.slotchbar.com
O15 – Trusted Zone: *.windupdates.com
O15 – Trusted Zone: *.xxxtoolbar.com
O15 – Trusted Zone: *.ysbweb.com
O15 – Trusted Zone: *.blazefind.com (HKLM)
O15 – Trusted Zone: *.clickspring.net (HKLM)
O15 – Trusted Zone: *.flingstone.com (HKLM)
O15 – Trusted Zone: *.mt–download.com (HKLM)
O15 – Trusted Zone: *.my–internet.info (HKLM)
O15 – Trusted Zone: *.searchbarcash.com (HKLM)
O15 – Trusted Zone: *.searchmiracle.com (HKLM)
O15 – Trusted Zone: *.skoobidoo.com (HKLM)
O15 – Trusted Zone: *.slotch.com (HKLM)
O15 – Trusted Zone: *.slotchbar.com (HKLM)
O15 – Trusted Zone: *.windupdates.com (HKLM)
O15 – Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 – Trusted Zone: *.ysbweb.com (HKLM)
O15 – Trusted IP range: 67.19.185.246
O15 – Trusted IP range: 67.19.185.246 (HKLM)
O16 – DPF: {0878B424–1F95–4E26–B5AB–F0D349D89650} – http://download.bargain–buddy.net/download/bargain_buddy/cab/installer_MEDIAWHIZ9.cab
O16 – DPF: {15AD4789–CDB4–47E1–A9DA–992EE8E6BAD6} – http://static.windupdates.com/cab/DownloadsUnlimited/ie/bridge–c18.cab
O16 – DPF: {205FF73B–CA67–11D5–99DD–444553540000} (CInstall Class) – http://www.spywarestormer.com/files2/Install.cab
O16 – DPF: {386A771C–E96A–421F–8BA7–32F1B706892F} (Installer Class) – http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_adult.cab
O16 – DPF: {79849612–A98F–45B8–95E9–4D13C7B6B35C} (Loader2 Control) – http://67.19.185.246/i/8/loader2.ocx
O16 – DPF: {9EB320CE–BE1D–4304–A081–4B4665414BEF} (MediaTicketsInstaller Control) – http://www.mt–download.com/MediaTicketsInstaller.cab?refid=3548
O18 – Filter: text/html – {9DF09FF1–368C–499D–8B70–89BFC6A9574C} – C:WINDOWSSystem32amcdcb.dll
O18 – Filter: text/plain – {9DF09FF1–368C–499D–8B70–89BFC6A9574C} – C:WINDOWSSystem32amcdcb.dll

Pozniej podajesz nowego loga z Hijack This i FindIt