- Kod: Zaznacz wszystko
Logfile of HijackThis v1.99.1
Scan saved at 00:42:50, on 2006-08-29
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\TopSearch\TopSearch.exe
C:\Program Files\Konnekt\konnekt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Radeon Omega Drivers\v2.6.83\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\The All-Seeing Eye\eye.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.384\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ws1.appswebservice.com/index.php?tpid=10301&ttid=104
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://firefox.pl/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TopSearch] C:\Program Files\TopSearch\TopSearch.exe
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker] "C:\Program Files\EbatesMoeMoneyMaker4\EbatesMoeMoneyMaker.exe"
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Radeon Omega Drivers\v2.6.83\ATI Tray Tools\atitray.exe"
O4 - Startup: ATI Tray Tools.lnk = C:\Program Files\Radeon Omega Drivers\v2.6.83\2KXP_INF\SwpDrv\DelRad.exe
O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Ebates - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm (file missing) (HKCU)
O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (HKCU)
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
Silent Runners
- Kod: Zaznacz wszystko
"Silent Runners.vbs", revision 46, http://www.silentrunners.org/
Operating System: Windows Server 2003 (interpreted as Windows XP)
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = (empty string)
"C:\Program Files\NetMeter\NetMeter.exe" = "C:\Program Files\NetMeter\NetMeter.exe" [null data]
"AtiTrayTools" = ""C:\Program Files\Radeon Omega Drivers\v2.6.83\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSConfig" = ""C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto" [MS]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}\(Default) = "%IEHARDENADMIN_BASE_DESC%"
\StubPath = "C:\WINDOWS\system32\rundll32.exe iesetup.dll,IEHardenAdmin" [MS]
{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}\(Default) = "%IEHARDENUSER_DESC%"
\StubPath = "C:\WINDOWS\system32\rundll32.exe iesetup.dll,IEHardenUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "hticons.dll" [file not found]
"{4648F940-EFE3-4BAB-9211-3BE45CD5029D}" = "VSSShellExt"
-> {HKLM...CLSID} = "VSSShellExt Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\vssui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! dimsntfy\DLLName = "dimsntfy.dll" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\Vista.scr" [MS]
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
"ATI Tray Tools" -> shortcut to: "C:\Program Files\Radeon Omega Drivers\v2.6.83\2KXP_INF\SwpDrv\DelRad.exe" [empty string]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 11
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKCU\Software\Microsoft\Internet Explorer\Extensions\
{7F241C00-DAB6-11D5-AAA8-0001028DF1BC}\
"ButtonText" = "Ebates"
"Script" = "file://C:\Program Files\EbatesMoeMoneyMaker\System\Temp\ebates_script0.htm" [file not found]
{F2B441CC-E026-47FB-BDC3-A07750FA3D2C}\
"ButtonText" = "Ebates"
"Script" = "file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Application Experience Lookup Service, AeLookupSvc, "C:\WINDOWS\system32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\aelupsvc.dll" [MS]}
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 64 seconds, including 11 seconds for message boxes)
