prosze o sprawdzenie loga

[Krs-01]

Witam! J/w, komp mi strasznie muli i bardzo mi to przeszkadza ;/ A oto log:

Logfile of HijackThis v1.99.1
Scan saved at 20:08:05, on 2007-05-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\nano\qttask.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Opera\Opera.exe
C:\DOCUME~1\Admin\USTAWI~1\Temp\Rar$EX02.249\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {85F685C3-20D9-4943-95E4-EB4224056C3F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: (no name) - {85F685C3-20D9-4943-95E4-EB4224056C3F} - (no file)
O4 - HKLM\..\Run: [ATLIEHELPER] lpt.exe
O4 - HKLM\..\Run: [prgsys0984] backd.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\nano\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MONITER] TemplateDongle.exe
O4 - HKCU\..\Run: [AQQ] D:\PROGRA~1\AQQ\AQQ.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Documents and Settings\Admin\Pulpit\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file) (HKCU)
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55453301-0F4D-4FEF-A04C-FBF055D62E99}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CCS\Services\Tcpip\..\{B226B370-ED38-49AB-93D4-7C66FBF8A71F}: NameServer = 85.255.116.149,85.255.112.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F42942-7FFC-429B-BBB4-B761EFE21D06}: NameServer = 85.255.116.149,85.255.112.187
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)

[wojtas]

Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach)
Start do awaryjnego ( F8 ) przy starcie komputera.

Użyj WWDC :
http://www.firewallleaktester.com/wwdc.htm
Zmień opcje z disable na enable. Uruchom ponownie komputer.
Tak powinny wyglądać porty (NetBIOS może być żółty) :
http://www.firewallleaktester.com/images_site/wwdc.jpg

O2 - BHO: (no name) - {85F685C3-20D9-4943-95E4-EB4224056C3F} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: (no name) - {85F685C3-20D9-4943-95E4-EB4224056C3F} - (no file)
O4 - HKLM\..\Run: [ATLIEHELPER] lpt.exe
O4 - HKLM\..\Run: [prgsys0984] backd.exe
O4 - HKCU\..\Run: [MONITER] TemplateDongle.exe
O9 - Extra button: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {52ED0311-8176-4284-9144-351C5D51C9EE} - (no file) (HKCU)
O17 - HKLM\System\CCS\Services\Tcpip\..\{B226B370-ED38-49AB-93D4-7C66FBF8A71F}: NameServer = 85.255.116.149,85.255.112.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7F42942-7FFC-429B-BBB4-B761EFE21D06}: NameServer = 85.255.116.149,85.255.112.187
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

Odpalasz hijackthis i zaznaczasz ptaszkami powyższe wpisy i dajesz Fix checked.
Pogrubione pliki usuwasz ręcznie z dysku

Ściągnij program http://downloads.subratam.org/Fixwareout.exe i zastosuj go

potem nowe logi z Hijack This oraz Silent runners

[Krs-01]

Logfile of HijackThis v1.99.1
Scan saved at 21:48:34, on 2007-05-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
D:\Program Files\nano\qttask.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Winamp\winamp.exe
C:\DOCUME~1\Admin\USTAWI~1\Temp\Rar$EX00.270\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O4 - HKLM\..\Run: [ATLIEHELPER] lpt.exe
O4 - HKLM\..\Run: [prgsys0984] backd.exe
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\nano\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [AQQ] D:\PROGRA~1\AQQ\AQQ.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Documents and Settings\Admin\Pulpit\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{55453301-0F4D-4FEF-A04C-FBF055D62E99}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe (file missing)

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{90A2E36A-0426-1045-0130-021107200030}" = ""C:\Program Files\Common Files\{90A2E36A-0426-1045-0130-021107200030}\Update.exe" te-110-12-0000208" [file not found]

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AQQ" = "D:\PROGRA~1\AQQ\AQQ.exe" [file not found]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"msnmsgr" = ""C:\Documents and Settings\Admin\Pulpit\msnmsgr.exe" /background" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATLIEHELPER" = "lpt.exe" [file not found]
"prgsys0984" = "backd.exe" [file not found]
"avast!" = ""C:\Program Files\Alwil Software\Avast4\ashDisp.exe"" ["ALWIL Software"]
"QuickTime Task" = ""D:\Program Files\nano\qttask.exe" -atboottime" ["Apple Inc."]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "PhoneBrowser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll" ["Nokia"]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{AD392E40-428C-459F-961E-9B147782D099}" = "UltraISO"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
"{24849E2F-0A86-40CD-A62A-B12F161882DB}" = "ZEN V Series Media Explorer"
-> {HKLM...CLSID} = "ZEN V Series Media Explorer"
\InProcServer32\(Default) = "D:\Program Files\zen\ZEN V Series Media Explorer\SHCTMTP.dll" [file not found]
"{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}" = "AQQ File Transfer Shell Extension"
-> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\AQQ\System\AQQSHE~1.DLL" [file not found]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AQQFileTransfer\(Default) = "{453D1B6D-BD6A-4FA1-B876-9E4DD848D434}"
-> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\AQQ\System\AQQSHE~1.DLL" [file not found]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
CMCUTIL\(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"
-> {HKLM...CLSID} = "Cool MP3 Converter ContextMenu"
\InProcServer32\(Default) = "C:\PROGRA~1\COOLMP~1\CMCUtil.dll" [null data]
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
CTMTPMediaExplorer\(Default) = "{7895F317-A125-42CC-BD3E-5830765CE577}"
-> {HKLM...CLSID} = "CtMtpContextMenu Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Creative\SHARED~1\CtCmeCtx.dll" [file not found]
UltraISO\(Default) = "{AD392E40-428C-459F-961E-9B147782D099}"
-> {HKLM...CLSID} = "UIContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\UltraISO\isoshell.dll" ["EZB Systems, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktopChanges" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|Desktop / Active Desktop|
Prohibit changes}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Toolbars|
Disable customizing browser toolbar buttons}

"NoControlPanel" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSMHelp" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}

"NoInternetIcon" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Hide Internet Explorer icon on desktop}

"NoDesktop" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoFavoritesMenu" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Favorites menu from Start Menu}

"NoLogOff" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Logon/Logoff|
Disable Logoff}

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoInstrumentation" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStartBanner" = (REG_BINARY) hex:01 00 00 00
{Remove "Click here to begin" from Start button}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"NoFileUrl" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSimpleStartMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStartMenuMFUprogramsList" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStartMenuMorePrograms" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove All Programs list from the Start menu}

"MemCheckBoxInRunDlg" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoDFSTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSecurityTab" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Security tab}

"NoHardwareTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSMConfigurePrograms" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

"NoTrayContextMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"LockTaskbar" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTrayItemsDisplay" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Hide the notification area}

"NoToolbarsOnTaskbar" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStrCmpLogical" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoChangeKeyboardNavigationIndicators" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoChangeAnimation" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSMConfigurePrograms" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTrayContextMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"LockTaskbar" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoTrayItemsDisplay" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoUserNameInStartMenu" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSetTaskbar" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStartMenuEjectPC" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"StartMenuLogoff" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ForceStartMenuLogoff" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStartMenuNetworkPlaces" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoNetworkConnections" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"DisablePersonalDirChange" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"DisableMyPicturesDirChange" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"DisableMyMusicDirChange" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"DisableFavoritesDirChange" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSMMyDocs" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoWindowsUpdate" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"GreyMSIAds" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStartMenuPinnedList" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoPropertiesRecycleBin" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoStrCmpLogical" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Control Panel|Display|
Hide Desktop tab}

"NoSecCPL" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoConfigPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoVirtMemPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoDevMgrPage" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"DisableLockWorkstation" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoCommonGroups" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

"Disable Advanced" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Allow Browse" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0\

"DragAndDrop" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"RunStartupScriptSync" = (REG_DWORD) hex:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Admin\Dane aplikacji\Microsoft\Internet Explorer\Tapeta programu Internet Explorer.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}"
-> {HKLM...CLSID} = "Megaupload Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" = (no title provided)
-> {HKLM...CLSID} = "Megaupload Toolbar"
\InProcServer32\(Default) = "C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL" ["MegaUpload"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
-> {HKLM...CLSID} = "Search Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [file not found]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Kerio Personal Firewall 4, KPF4, ""C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"" ["Kerio Technologies"]
LicCtrl Service, LicCtrlService, "C:\WINDOWS\runservice.exe" [null data]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Monitor języka PJL\Driver = "PJLMON.DLL" [MS]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 93 seconds.
---------- (total run time: 224 seconds)

[wojtas]

wklej do notatnika:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{90A2E36A-0426-1045-0130-021107200030}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATLIEHELPER"=-
"prgsys0984"=-

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

Klikasz dwa razy na powstały plik fix i dodajesz go do rejestru....


daj loga z:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

[Krs-01]

Niestety ale wyskakuje mi ze nie mozna zaimportowac, blad przy dostepie do rejestru

[wojtas]

wklej:

REGEDIT 4

[HKEY_CURRENT_USER\\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"{90A2E36A-0426-1045-0130-021107200030}"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATLIEHELPER"=-
"prgsys0984"=-

[Krs-01]

Poszlo Tyle ze tym razem odpalajac combofixa wyskakuje mi komunikat Terminal Error - Missing File C:\windows\regedit.exe is missing

[wojtas]

wklej:

REGEDIT 4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=–
"DisableRegedit"=–

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=–
"DisableRegedit"=–

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> Uruchom plik FIX.REG

potem wklej:

REGEDIT 4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy ObjectsLocalUserSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem]
"DisableTaskMgr"=dword:00000000
"**del.DisableTaskMgr"=" "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> Uruchom plik FIX.REG



daj loga z :

http://www.techsupportforum.com/sectools/Deckard/dss.exe

[Krs-01]

Deckard's System Scanner v20070426.43
Run by Admin on 2007-05-25 at 17:29:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


Backed up registry hives.

Performed disk cleanup.


-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-05-25 17:32:52
Platform: Windows XP Dodatek Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.0.2900.2180)

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\Runservice.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\nano\qttask.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\AutoConnect\AutoConnect.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Documents and Settings\Admin\Dane aplikacji\Opera\Opera\profile\cache4\temporary_download\dss.exe
C:\Program Files\Winamp\winamp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.fr
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\Program Files\MegauploadToolbar\megauploadtoolbar.dll
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\nano\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [AQQ] D:\PROGRA~1\AQQ\AQQ.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [msnmsgr] "C:\Documents and Settings\Admin\Pulpit\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O15 - ProtocolDefaults: Unknown 'about' protocol is in Restricted Zone (HKLM)
O15 - ProtocolDefaults: Unknown 'about:' protocol is in Restricted Zone (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} () - http://arcaonline.arcabit.com/ArcaOnline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} () - http://www.mks.com.pl/skaner/SkanerOnline.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{55453301-0F4D-4FEF-A04C-FBF055D62E99}: NameServer = 194.204.159.1 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
O23 - Service: avast! Antivirus - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
O23 - Service: avast! Mail Scanner - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
O23 - Service: avast! Web Scanner - ALWIL Software - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
O23 - Service: Usługa administracyjna Menedżera dysków logicznych (dmadmin) - Microsoft Corp., Veritas Software - C:\WINDOWS\System32\dmadmin.exe /com
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
O23 - Service: iPod Service - Unknown owner - "C:\Program Files\iPod\bin\iPodService.exe"
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - "C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe"
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\Runservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: ServiceLayer - Nokia. - "C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe"
O23 - Service: StyleXPService - Unknown owner - "C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe"


-- File Associations -----------------------------------------------------------

.bat - batfile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,-153
.hlp - hlpfile - DefaultIcon - C:\WINDOWS\hh.exe,0
.inf - inffile - DefaultIcon - C:\WINDOWS\System32\shell32.dll,-151
.ini - inifile - DefaultIcon - C:\Program Files\TGTSoft\StyleXP\Icons\Current\Documents & Settings Folder.ico
.reg - regfile - DefaultIcon - C:\WINDOWS\regedit.exe,1
.txt - txtfile - DefaultIcon - C:\Program Files\TGTSoft\StyleXP\Icons\Current\Document.ico
.txt - txtfile - shell\open\command - Notepad.exe %1
.vbs - VBSFile - shell\open\command - c:\windows\system32\wscript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 fwdrv (Firewall Driver) - c:\windows\system32\drivers\fwdrv.sys
R2 STEC3 - c:\windows\system32\stec3.sys <Not Verified; AntiCracking; SVKP driver for NT>

S0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys (file missing)
S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys (file missing)
S3 BlueletSCOAudio (Bluetooth SCO Audio Service) - c:\windows\system32\drivers\blueletscoaudio.sys (file missing)
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys (file missing)
S3 BTCAMDRV (Mobiola Web Camera driver) - c:\windows\system32\drivers\btcamdrv.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys (file missing)
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 FilterService (UVC Filter Service) - c:\windows\system32\drivers\lvuvcflt.sys (file missing)
S3 hamachi (Hamachi Network Interface) - c:\windows\system32\drivers\hamachi.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver>
S3 LVcKap (Logitech AEC Driver) - c:\windows\system32\drivers\lvckap.sys (file missing)
S3 LVMVDrv (Logitech Machine Vision Engine Loader) - c:\windows\system32\drivers\lvmvdrv.sys (file missing)
S3 lvpopflt (Logitech POP Suppression Filter) - c:\windows\system32\drivers\lvpopflt.sys (file missing)
S3 LVPr2Mon (Logitech LVPr2Mon Driver) - c:\windows\system32\drivers\lvpr2mon.sys (file missing)
S3 lvselsus (Logitech Selective Suspend Filter) - c:\windows\system32\drivers\lvselsus.sys (file missing)
S3 LVUSBSta (Logitech USB Monitor Filter) - c:\windows\system32\drivers\lvusbsta.sys (file missing)
S3 LVUVC (Logitech QuickCam Fusion(UVC)) - c:\windows\system32\drivers\lvuvc.sys (file missing)
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys (file missing)
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 LicCtrlService (LicCtrl Service) - c:\windows\runservice.exe

S2 LVPrcSrv (Logitech Process Monitor) - c:\program files\common files\logitech\lvmvfm\lvprcsrv.exe (file missing)
S2 StyleXPService - "c:\program files\tgtsoft\stylexp\stylexpservice.exe" (file missing)
S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)
S3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Scheduled Tasks -------------------------------------------------------------

2007-05-19 20:32:18 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-04-25 and 2007-05-25 -----------------------------

2007-05-24 21:15:15 9840 --a------ C:\dnsbak.reg
2007-05-21 23:00:46 0 d-------- C:\Documents and Settings\Admin\WapSter
2007-05-16 20:32:57 0 dr-h----- C:\Documents and Settings\Admin\Recent
2007-05-10 21:10:16 0 d-------- C:\Program Files\Winamp
2007-05-08 17:51:15 0 d-------- C:\Program Files\Apple Software Update
2007-04-25 18:16:23 41984 -----n--- C:\WINDOWS\Ctregrun.exe <Not Verified; Creative Technology Ltd; Creative On-line Registration System>
2007-04-25 18:05:33 0 d-------- C:\Program Files\Common Files\DEVConcept Shared
2007-04-25 18:03:30 0 d-------- C:\Program Files\Red Chair Software
2007-04-25 18:03:29 0 d-------- C:\Documents and Settings\Admin\Application Data\Red Chair Software
2007-04-25 15:20:10 0 d-------- C:\Program Files\Creative
2007-04-25 13:41:07 25088 -----n--- C:\WINDOWS\system32\CTSVCCTL.EXE <Not Verified; Creative Technology Ltd; Creative Service Control>
2007-04-25 13:41:07 44032 -----n--- C:\WINDOWS\system32\CTSVCCDA.EXE <Not Verified; Creative Technology Ltd; Creative Service for CDROM Access>
2007-04-25 13:40:14 0 d-------- C:\Program Files\Common Files\Creative
2007-04-25 13:40:02 0 d--h----- C:\Program Files\Creative Installation Information


-- Find3M Report ---------------------------------------------------------------

2007-05-25 15:23:00 745 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-05-23 21:06:02 0 d-------- C:\Documents and Settings\Admin\Dane aplikacji\SopCast
2007-04-25 13:49:00 0 d-------- C:\Documents and Settings\Admin\Dane aplikacji\Creative
2007-04-05 11:16:14 0 d-------- C:\Program Files\hamachi
2007-04-02 17:12:50 20480 --a------ C:\WINDOWS\system32\H@tKeysH@@k.DLL
2007-04-01 17:08:18 32 --a------ C:\WINDOWS\go
2007-03-01 20:28:34 52736 --a------ C:\WINDOWS\ipuninst.exe <Not Verified; Interplay Productions; Interplay Uninstaller for Windows 95>


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="\"C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe\""
"QuickTime Task"="\"D:\\Program Files\\nano\\qttask.exe\" -atboottime"
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AQQ"="D:\\PROGRA~1\\AQQ\\AQQ.exe"
"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"
"msnmsgr"="\"C:\\Documents and Settings\\Admin\\Pulpit\\msnmsgr.exe\" /background"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"RunStartupScriptSync"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=dword:00000000
"NoSecCPL"=dword:00000000
"NoConfigPage"=dword:00000000
"NoVirtMemPage"=dword:00000000
"NoDevMgrPage"=dword:00000000
"DisableLockWorkstation"=dword:00000000
"NoCommonGroups"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000000
"NoChangeKeyboardNavigationIndicators"=dword:00000000
"NoChangeAnimation"=dword:00000000
"NoSMConfigurePrograms"=dword:00000000
"NoSharedDocuments"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"LockTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"NoUserNameInStartMenu"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoStartMenuEjectPC"=dword:00000000
"StartMenuLogoff"=dword:00000000
"ForceStartMenuLogoff"=dword:00000000
"NoRecentDocsNetHood"=dword:00000000
"NoStartMenuNetworkPlaces"=dword:00000000
"NoNetworkConnections"=dword:00000000
"DisablePersonalDirChange"=dword:00000000
"DisableMyPicturesDirChange"=dword:00000000
"DisableMyMusicDirChange"=dword:00000000
"DisableFavoritesDirChange"=dword:00000000
"NoSMMyDocs"=dword:00000000
"NoWindowsUpdate"=dword:00000000
"GreyMSIAds"=dword:00000000
"NoStartMenuPinnedList"=dword:00000000
"NoPropertiesRecycleBin"=dword:00000000
"NoStrCmpLogical"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"NoToolbarCustomize"=dword:00000000
"NoRecentDocsHistory"=dword:00000000
"ClearRecentDocsOnExit"=dword:00000000
"NoSMHelp"=dword:00000000
"NoInternetIcon"=dword:00000000
"NoDesktop"=dword:00000000
"NoFavoritesMenu"=dword:00000000
"NoLogOff"=dword:00000000
"NoRecentDocsMenu"=dword:00000000
"NoInstrumentation"=dword:00000000
"NoRun"=dword:00000000
"NoStartBanner"=hex:01,00,00,00
"NoFileUrl"=dword:00000000
"NoSimpleStartMenu"=dword:00000000
"NoStartMenuMFUprogramsList"=dword:00000000
"NoStartMenuMorePrograms"=dword:00000000
"MemCheckBoxInRunDlg"=dword:00000000
"NoDFSTab"=dword:00000000
"NoSecurityTab"=dword:00000000
"NoHardwareTab"=dword:00000000
"NoResolveSearch"=dword:00000000
"NoSMConfigurePrograms"=dword:00000000
"NoSharedDocuments"=dword:00000000
"NoTrayContextMenu"=dword:00000000
"LockTaskbar"=dword:00000000
"NoTrayItemsDisplay"=dword:00000000
"NoToolbarsOnTaskbar"=dword:00000000
"NoStrCmpLogical"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{90A2E36A-0426-1045-0130-021107200030}"="\"C:\\Program Files\\Common Files\\{90A2E36A-0426-1045-0130-021107200030}\\Update.exe\" te-110-12-0000208"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Documents and Settings\\Admin\\Pulpit\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of Deckard's System Scanner: finished at 2007-05-25 at 17:33:59 ---------

[wojtas]

sprawdz ten plik:

C:\WINDOWS\system32\H@tKeysH@@k.DLL

tutaj i daj raporty:

http://virusscan.jotti.org/
http://www.virustotal.com/

wklej do notatnika:

REGEDIT 4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{90A2E36A-0426-1045-0130-021107200030}"=-

w notatniku u góry>>>plik zapisz jako>>>Zmien rozszerzenie z TXT na Wszystkie pliki *.* >>> Zapisz pod nazwą FIX.REG

[Krs-01]

Virusscantotal

AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.25.2007 Application.Hotkeyshook.A
CAT-QuickHeal 9.00 05.25.2007 CrackTool.HotHook.dll (Not a Virus)
ClamAV devel-20070416 05.25.2007 Trojan.W32.HotKeysHook.A-2
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 no virus found
eTrust-Vet 30.7.3663 05.25.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.25.2007 No threat detected
Fortinet 2.85.0.0 05.25.2007 W32/Hotkeys.B!tr
F-Prot 4.3.2.48 05.24.2007 W32/Keylogger.BQ

Druga strona nie chce sie wlaczyc

[wojtas]

czyli skasuj plik:

C:\WINDOWS\system32\H@tKeysH@@k.DLL