BUNCH:

Tylko nie wiedziałem co jeszcze. Któe mam wywalić.

EL NINO:

BUNCH, wspomogles sie drugim przyklejonym tematem ? Nie. Gdyby tak bylo, usunalbys to, o czym pisalem wyzej.

O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\S29tcHV0ZXI\command.exe (file missing)

Wejdz kurna do tematu FAQ..., przeczytaj o HiJacku i bedziesz wiedzial w jaki sposob usuwa sie przy jego pomocy "uslugi".

Logfile of HijackThis v1.99.1
Scan saved at 19:34:09, on 06–03–30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
D:\Programy\Winamp\Winampa.exe
D:\Programy\Gadu–Gadu\gg.exe
D:\Programy\Opera\Opera.exe
D:\Bunch – dokumenty\Programy\Anty Wirusy, Ad–aware itp\HijackThis.exe

R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 – BHO: AcroIEHlprObj Class – {06849E9F–C8D7–4D59–B87D–784B7D6BE0B3} – C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 – BHO: bho2gr Class – {31FF080D–12A3–439A–A2EF–4BA95A3148E8} – D:\Programy\GetRight\xx2gr.dll
O2 – BHO: SSVHelper Class – {761497BB–D6F0–462C–B6EB–D4DAF1D92D43} – C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 – HKLM\..\Run: [WinampAgent] "D:\Programy\Winamp\Winampa.exe"
O4 – HKCU\..\Run: [Gadu–Gadu] "D:\Programy\Gadu–Gadu\gg.exe" /tray
O9 – Extra button: ShopperReports – Compare travel rates – {946B3E9E–E21A–49c8–9F63–900533FAFE14} – C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll (file missing)
O9 – Extra button: Related – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra 'Tools' menuitem: Show &Related Links – {c95fe080–8f5d–11d2–a20b–00aa003c157a} – C:\WINDOWS\web\related.htm
O9 – Extra button: ShopperReports – Compare product prices – {E77EDA01–3C56–4a96–8D08–02B42891C169} – C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll (file missing)
O16 – DPF: {2B323CD9–50E3–11D3–9466–00A0C9700498} (Yahoo! Audio Conferencing) – http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 – DPF: {3D8700FB–86A4–4CB4–B738–6F0FC016AC7D} (MainControl Class) – http://arcaonline.arcabit.com/ArcaOnline.cab
O16 – DPF: {631FF594–EC25–4CFF–B869–402DF294E1D6} (Instalator oprogramowania Onet.pl) – http://slimak.onet.pl/_m/kamerzysta/OnetInstalator012s.ocx
O16 – DPF: {7D1E9C49–BD6A–11D3–87A8–009027A35D73} (Yahoo! Audio UI1) – http://chat.yahoo.com/cab/yacsui.cab
O16 – DPF: {8714912E–380D–11D5–B8AA–00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) – http://chat.yahoo.com/cab/yuplapp.cab
O16 – DPF: {9A9307A0–7DA4–4DAF–B042–5009F29E09E1} (ActiveScan Installer Class) – http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 – DPF: {E504EE6E–47C6–11D5–B8AB–00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) – http://chat.yahoo.com/cab/yvwrctl.cab
O23 – Service: Ati HotKey Poller – ATI Technologies Inc. – C:\WINDOWS\System32\Ati2evxx.exe
O23 – Service: ATI Smart – Unknown owner – C:\WINDOWS\system32\ati2sgag.exe
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\S29tcHV0ZXI\command.exe (file missing)
O23 – Service: Symantec Network Drivers Service (SNDSrvc) – Symantec Corporation – C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 – Service: Windows User Mode Driver Framework (UMWdf) – Unknown owner – C:\WINDOWS\System32\wdfmgr.exe (file missing)

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non–default values, except where indicated by "{++}"


Startup items buried in registry:
–––––––––––––––––––––––––––––––––

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu–Gadu" = ""D:\Programy\Gadu–Gadu\gg.exe" /tray" ["Gadu–Gadu Sp. z oo"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinampAgent" = ""D:\Programy\Winamp\Winampa.exe"" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{8b15971b–5355–4c82–8c07–7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8–2d59–4f1b–883e–79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F–C8D7–4D59–B87D–784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{31FF080D–12A3–439A–A2EF–4BA95A3148E8}\(Default) = "bho2gr Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "D:\Programy\GetRight\xx2gr.dll" ["Headlight Software, Inc."]
{761497BB–D6F0–462C–B6EB–D4DAF1D92D43}\(Default) = "SSVHelper Class" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714–76d4–11d1–8b24–00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
–> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560–9AA2–1069–930E–00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{97FA8AA2–EE77–4FF2–9449–424D8924EF21}" = "IntelliType Pro Zooming Control Panel Property Page"
–> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplzm.dll"" [MS]
"{111D8120–25EB–4E1C–A4DF–C9EE5FCA35CB}" = "IntelliType Pro Scrolling Control Panel Property Page"
–> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwhl.dll"" [MS]
"{ED6E87C6–8A83–43aa–8208–8DBC8247F4D2}" = "IntelliType Pro Key Settings Control Panel Property Page"
–> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplkey.dll"" [MS]
"{A2569D1F–4E06–43EC–9825–0088B471BE47}" = "IntelliType Pro Wireless Control Panel Property Page"
–> {CLSID}\InProcServer32\(Default) = ""C:\Program Files\Microsoft IntelliType Pro\itcplwir.dll"" [MS]
"{4CCEFB41–18FA–11D3–9EF3–00A0C9E897FD}" = "Skladnik rozszerzenia powloki CorelDRAW"
–> {CLSID}\InProcServer32\(Default) = "D:\Programy\Corel Draw\DRAW\CDRVIEWER\CrlShell110.dll" [null data]
"{5E2121EE–0300–11D4–8D3B–444553540000}" = "st"
–> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [file not found]
"{B327765E–D724–4347–8B16–78AE18552FC3}" = "NeroDigitalIconHandler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]
"{7F1CF152–04F8–453A–B34C–E609530A9DC8}" = "NeroDigitalPropSheetHandler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll" [file not found]
"{B41DB860–8EE4–11D2–9906–E49FADC173CA}" = "WinRAR shell extension"
–> {CLSID}\InProcServer32\(Default) = "D:\Programy\WinRar\rarext.dll" [null data]
"{32020A01–506E–484D–A2A8–BE3CF17601C3}" = "AlcoholShellEx"
–> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]
"{00020000–0000–1011–8004–0000C06B5161}" = "WIBU–SYSTEMS Shell Extension"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WIBU–SYSTEMS\System\WibuShellExt.dll" ["WIBU–SYSTEMS AG"]
"{640167b4–59b0–47a6–b335–a6b3c0695aea}" = "Portable Media Devices"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a–b60a–48e6–996b–41d25ed39a1e}" = "Portable Media Devices Menu"
–> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{42042206–2D85–11D3–8CFF–005004838597}" = "Microsoft Office HTML Icon Handler"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5–5146–11D5–A672–00B0D022E945}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
sysacpildap\(Default) = "{5E2121EE–0300–11D4–8D3B–444553540000}"
–> {CLSID}\InProcServer32\(Default) = "C:\windows\system32\winacpi.dll" [file not found]
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "D:\Programy\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "D:\Programy\WinRar\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860–8EE4–11D2–9906–E49FADC173CA}"
–> {CLSID}\InProcServer32\(Default) = "D:\Programy\WinRar\rarext.dll" [null data]


Active Desktop and Wallpaper:
–––––––––––––––––––––––––––––

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\IrfanView_Wallpaper.bmp"

Active Desktop web content:

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "C:\WINDOWS\System32\ad.html"
"SubscribedURL" = ""


Enabled Screen Saver:
–––––––––––––––––––––

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Enabled Scheduled Tasks:
––––––––––––––––––––––––

"Symantec NetDetect" –> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
–––––––––––––––––––––––––––––––

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 – 13


Toolbars, Explorer Bars, Extensions:
––––––––––––––––––––––––––––––––––––

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{77FBF9B8–1D37–4FF2–9CED–192D8E3ABA6F}" = "Toolbar888" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Toolbar888\ToolBar888.dll" [file not found]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{7E66936C–FEA0–4984–AD26–7B6661AC5B2E}\ = "Hotbar Information Window" [from CLSID]
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\HbTools\Bin\4.7.1.0\HbtHostIE.dll" [file not found]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{2178C864–B8BC–41AE–A1FB–EB6A32F87EB1}\ = "ShopperReports Price Comparison"
Implemented Categories\{00021493–0000–0000–C000–000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll" [file not found]

HKLM\Software\Classes\CLSID\{66B90ADB–0BE3–40AE–8680–84A6F0577CA0}\ = "Web Assistant"
Implemented Categories\{00021493–0000–0000–C000–000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\HbTools\Bin\4.7.1.0\HbtHostIE.dll" [file not found]

HKLM\Software\Classes\CLSID\{FF059E31–CC5A–4E2E–BF3B–96E929D65503}\ = "&Badanie"
Implemented Categories\{00021493–0000–0000–C000–000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{946B3E9E–E21A–49C8–9F63–900533FAFE14}\
"ButtonText" = "ShopperReports – Compare travel rates"
"CLSIDExtension" = "{454b4812–e572–4703–a1bb–63490809eac0}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll" [file not found]

{E77EDA01–3C56–4A96–8D08–02B42891C169}\
"ButtonText" = "ShopperReports – Compare product prices"
"CLSIDExtension" = "{580a1f3f–89b4–433b–bbdb–b97aeb13f3fc}"
–> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ShopperReports\Bin\1.0.8.0\ShprRprt.dll" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Message Queuing, MSMQ, "C:\WINDOWS\System32\mqsvc.exe" [MS]
Message Queuing Triggers, MSMQTriggers, "C:\WINDOWS\System32\mqtgsvc.exe" [MS]


––––––––––
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the –all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 59 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 20 seconds.
–––––––––– (total run time: 150 seconds)

BUNCH:

Dobra, to przenieś