Please check my log

Logfile of HijackThis v1.99.1
Scan saved at 00:25:44, on 2005-09-09
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spool32.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\taskmgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Documents and Settings\Administrator\Pulpit\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\Run: [Task service] taskmgs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [winrapid] winrapid.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\RunServices: [Task service] taskmgs.exe
O4 - HKLM\..\RunServices: [winrapid] winrapid.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKCU\..\Run: [winrapid] winrapid.exe
O4 - HKCU\..\Run: [Task service] taskmgs.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\RunServices: [winrapid] winrapid.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

-> I installed Zone Alarm because at the beginning something was sending a terrible number of packets ;/ (it slowed the net down as if I were downloading something, pages barely loaded); on Win98 it wasn't like that. After installing ZA, it blocked spool32 and winrapid for me and those packets stopped being sent, but unfortunately something still slows my net down slightly. Thanks in advance for the help ;) Cheers!

Replies: 4

Thanks for the help, Bobi!!! :)
I'll have a go at it this evening ;)
Korni
Added
09.09.2005 17:50:18
Korni, kill the processes: spool32.exe, taskmgs.exe
Delete everything bolded below, the registry entries as well.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2k.net/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = blank.htm

F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\Run: [Task service] taskmgs.exe
O4 - HKLM\..\Run: [winrapid] winrapid.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\RunServices: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\RunServices: [Task service] taskmgs.exe
O4 - HKLM\..\RunServices: [winrapid] winrapid.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKCU\..\Run: [winrapid] winrapid.exe
O4 - HKCU\..\Run: [Task service] taskmgs.exe
O4 - HKCU\..\RunServices: [winrapid] winrapid.exe


Additionally, kill the value named "notepad.exe" in the key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Bobi
Added
09.09.2005 16:53:49
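Bobi's list above is the by-eye version of a handful of triage rules: an autostart entry that gives only a bare file name, the Win9x-only RunServices keys showing up on a Windows 2000 box, file names one or two characters off a genuine system binary (taskmgs.exe vs taskmgr.exe, spool32.exe vs spoolsv.exe), a value name that borrows a system binary's name but launches something else ([RegSvr32] -> msmsgs.exe), a second program chained onto the system.ini Shell= line, and several IE search settings all pointing at the same non-default host. The Python below is an added example for this thread, not HijackThis or Silent Runners code: it runs those rules over a hand-picked subset of Korni's HijackThis lines (embedded as constructed sample input) and also flags the Policies\Explorer\Run key that Silent Runners surfaced and HijackThis 1.99.1 did not list. The list of genuine binary names and the edit-distance threshold of 2 are assumptions of the example.

```python
"""Triage heuristics for HijackThis R0/R1, F2 and O4 lines.

Added example for this forum thread; not HijackThis or Silent Runners code.
It encodes the checks a helper applies by eye to a posted log.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2k.net/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2k.net/search.php?qq=%1
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O4 - HKLM\..\Run: [NTSF MICROSOFT SYSTEM] spool32.exe
O4 - HKLM\..\Run: [Task service] taskmgs.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\RunServices: [winrapid] winrapid.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
"""

# Assumption: a short hand-kept list of genuine Windows binary names that
# malware likes to imitate; extend it from a clean system32 listing.
SYSTEM_BINARIES = {"spoolsv.exe", "taskmgr.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "winlogon.exe", "explorer.exe", "internat.exe",
                   "mobsync.exe", "rundll32.exe", "regsvr32.exe", "notepad.exe"}
# Processed by Windows 9x/ME only; Windows NT/2000 never reads these keys.
WIN9X_ONLY_KEYS = ("RunServices", "RunServicesOnce")

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.+)$")

def executable_of(cmd: str) -> str:
    """Program part of an O4 command: the quoted path, or the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(basename: str):
    """Genuine binary within edit distance 2 of basename; None if basename is itself genuine."""
    low = basename.lower()
    if low in SYSTEM_BINARIES:
        return None
    return next((s for s in sorted(SYSTEM_BINARIES) if edit_distance(low, s) <= 2), None)

def triage(log: str):
    """Return (line, reason) findings; one line can yield several."""
    findings = []
    search_hosts = Counter()
    for line in (raw.strip() for raw in log.splitlines()):
        if m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            base = exe.rsplit("\\", 1)[-1]
            named = m["name"].lower()
            named = named if named.endswith(".exe") else named + ".exe"
            if "\\" not in exe:
                findings.append((line, "bare file name, no path: resolved through PATH, confirm where it lives"))
            if any(k in m["key"] for k in WIN9X_ONLY_KEYS):
                findings.append((line, "RunServices is Win9x-only; NT ignores it, so a Win9x-era installer wrote it"))
            if "Policies\\Explorer\\Run" in m["key"]:
                findings.append((line, "policy Run key, rarely used legitimately"))
            if twin := lookalike(base):
                findings.append((line, f"file name imitates {twin}"))
            if named in SYSTEM_BINARIES and named != base.lower():
                findings.append((line, f"value name borrows {named} but launches {base}"))
        elif m := F2_RE.match(line):
            # Anything after Explorer.exe on the Shell= line is started with the shell.
            extra = [p.strip() for p in m["value"].split(",")[1:] if p.strip()]
            if extra:
                findings.append((line, "extra program chained onto Shell=: " + ", ".join(extra)))
        elif m := R_RE.match(line):
            host = urlparse(m["value"]).hostname
            if host and "search" in m["key"].lower() and not host.endswith((".microsoft.com", ".msn.com")):
                search_hosts[host] += 1
    for host, n in search_hosts.items():
        if n >= 2:
            findings.append((f"R0/R1 search values -> {host}", f"{n} search settings redirected to one non-default host"))
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Bare file names are candidates, not verdicts: internat.exe and mobsync.exe are flagged too, and it is the [MS] tag Silent Runners attaches to them in the output below that clears them, while taskmgs.exe carries [null data] and sits one character off the genuine taskmgr.exe.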
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"Task service" = "taskmgs.exe" [null data]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"notepad.exe" = "msmsgs.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Task service" = "taskmgs.exe" [null data]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"HPDJ Taskbar Utility" = "C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb06.exe" ["HP"]
"Disc Detector" = "C:\Program Files\Creative\ShareDLL\CtNotify.exe" ["Creative Technology Ltd."]
"AudioHQ" = "C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" ["Creative Technology Ltd."]
"Creative Launcher" = "C:\Program Files\Creative\Launcher\CTLauncher.exe" [file not found]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"NeroFilterCheck" = "C:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" [file not found]
"NvCplDaemon" = "RUNDLL32.EXE NvQTwk,NvCplDaemon initialize" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{52B87208-9CCF-42C9-B88E-069281105805}" = "Trojan Remover Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Trojan Remover\(Default) = "{52B87208-9CCF-42C9-B88E-069281105805}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1\Trshlex.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Missing lines (compared with English-language version):
[DeleteAutosearch.reg]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

NVIDIA Driver Helper Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
System zdarzeń COM+, EventSystem, "C:\WINNT\system32\svchost.exe -k netsvcs" {"C:\WINNT\system32\es.dll" [null data]}
TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 29 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 9 seconds.
---------- (total run time: 64 seconds)


Mhm, it said Spool32 is dangerous, Added as a result of the YAB.A VIRUS!

Should I remove it with some program or delete it manually?
Korni
Added
09.09.2005 10:17:22
To start with, use the analyzer: http://forum.centrumxp.pl/viewtopic.php?t=37513
If you can't manage on your own, post two logs: HJT and Silent Runners, because I have a feeling there's still a pile of junk hidden away.
Bobi
Added
09.09.2005 08:31:54
Korni
Added:
09.09.2005 02:32:11