Subject: Re: Viruses? : MountPoints2 keeps "spawning" in the XP registry. How to kill it?
Author: baldocer
Date: 2009-06-13 14:20:19
I've dropped the Autoruns utility into the binaries group, no need for HijackThis either

"Arturas langucentras.lt" <arturas@langucentras.lt> wrote in message news:h0vpt9$gnk$1@trimpas.omnitel.net...
> 
> Wanna kill the fck subj :) Help :)
> 
> THE BUG
> Opening the C drive through My Computer throws a Rundll error: cannot open
> .\desktop.dll
> 
> THE SITUATION
> Windows XP
> The antivirus had earlier found trojans,
> The AntiVir antivirus NOW finds nothing
> The registry cleaner TuneUp Utilities 2009 leaves that MountPoints2 key in the
> registry
> 
> WHAT HAPPENS
> Damn, somehow on every REBOOT MountPoints2 gets re-created in the registry
> Opening the C drive throws a Rundll error: cannot open .\desktop.dll, which is
> really getting on my nerves
> 
> THE MORAL
> after deleting the MountPoints2 keys in the registry everything is ok until... you reboot the PC
> :)
> Damn, so where is it hiding? By the way !!!!!!!!!!!!!!!!!!! After reinstalling Windows
> XP = :) on a clean (fresh install?) that bug persists
> 
> INFO
> HKEY_USERS\S-1-5-21-507921405-2146650191-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bea66670-82c8-11dc-a26e-806d6172696f}\Shell\open\Command
> ====== rundll32.exe .\desktop.dll,InstallM
> 
> 
> SOME MORE INFO
> "Silent Runners.vbs", revision 59,
> http://www.silentrunners.org/
> Operating System: Windows XP
> Output limited to non-default values, except where indicated by "{++}"
> 
> 
> Startup items buried in registry:
> ---------------------------------
> 
> HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
> "ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
> 
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
> "RegServer" = "regserve.exe" [null data]
> "PmProxy" = "C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" ["adi"]
> "avgnt" = ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
> "UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe"" [null data]
> "TrueImageMonitor.exe" = "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" ["Acronis"]
> "AcronisTimounterMonitor" = "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" ["Acronis"]
> "Acronis Scheduler2 Service" = ""C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]
> 
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
> {22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
>  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
>                   \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
> 
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
> "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
>  -> {HKLM...CLSID} = "Display Panning CPL Extension"
>                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
> "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
>  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
>                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
> "{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
>  -> {HKLM...CLSID} = "History Band"
>                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
> "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
>  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
>                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
> "{4838CD50-7E5D-4811-9B17-C47A85539F28}" = "TuneUp Disk Space Explorer Shell Extension"
>  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
>                   \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]
> "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
>  -> {HKLM...CLSID} = (no title provided)
>                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
> "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
>  -> {HKLM...CLSID} = "Outlook File Icon Extension"
>                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
> "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
>  -> {HKLM...CLSID} = "UnlockerShellExtension"
>                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
> "{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
>  -> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
>                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
> "{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"
>  -> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"
>                   \InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
> "{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"
>  -> {HKLM...CLSID} = "Acronis True Image Shell Extension"
>                   \InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
> 
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
> "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
>  -> {HKLM...CLSID} = "WPDShServiceObj Class"
>                   \InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshserviceobj.dll" [MS]
> 
> HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
> Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
>  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
>                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
> 
> HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
> TuneUp Disk Space Explorer Shell Extension\(Default) = "{4838CD50-7E5D-4811-9B17-C47A85539F28}"
>  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
>                   \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]
> 
> HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
> Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
>  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
>                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
> UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
>  -> {HKLM...CLSID} = "UnlockerShellExtension"
>                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
> 
> HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
> UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
>  -> {HKLM...CLSID} = "UnlockerShellExtension"
>                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
> 
> 
> Group Policies {GPedit.msc branch and setting}:
> -----------------------------------------------
> 
> Note: detected settings may not have any effect.
> 
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
> 
> "HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
> {unrecognized setting}
> 
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
> 
> "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
> {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
> Shutdown: Allow system to be shut down without having to log on}
> 
> "undockwithoutlogon" = (REG_DWORD) dword:0x00000001
> {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
> Devices: Allow undock without having to log on}
> 
> 
> Active Desktop and Wallpaper:
> -----------------------------
> 
> Active Desktop may be disabled at this entry:
> HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
> 
> 
> Enabled Screen Saver:
> ---------------------
> 
> HKCU\Control Panel\Desktop\
> "SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
> 
> 
> Windows Portable Device AutoPlay Handlers
> -----------------------------------------
> 
> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
> 
> MSWPDShellNamespaceHandler\
> "Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
> "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
> "InitCmdLine" = " "
>  -> {HKLM...CLSID} = "WPDShextAutoplay"
>                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
> 
> 
> Enabled Scheduled Tasks:
> ------------------------
> 
> "1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2009\OneClickStarter.exe /schedulestart" ["TuneUp Software GmbH"]
> 
> 
> Winsock2 Service Provider DLLs:
> -------------------------------
> 
> Namespace Service Providers
> 
> HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
> 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
> 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
> 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
> 
> Transport Service Providers
> 
> HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
> 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
> %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
> %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
> 
> 
> Toolbars, Explorer Bars, Extensions:
> ------------------------------------
> 
> Extensions (Tools menu items, main toolbar menu buttons)
> 
> HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
> {77BF5300-1474-4EC7-9980-D32B190E9B07}\
> "ButtonText" = "Skype"
> "CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
>  -> {HKLM...CLSID} = "Skype add-on (button)"
>                   \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
> 
> {E2E2DD38-D088-4134-82B7-F2BA38496583}\
> "MenuText" = "@xpsp3res.dll,-20001"
> "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
> 
> {FB5F1910-F110-11D2-BB9E-00C04F795683}\
> "ButtonText" = "Messenger"
> "MenuText" = "Windows Messenger"
> "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
> 
> 
> Miscellaneous IE Hijack Points
> ------------------------------
> 
> C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
> 
> Added lines (compared with English-language version):
> [Strings]:
> START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
> [Strings]:
> MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
> 
> Missing lines (compared with English-language version):
> [Strings]: 2 lines
> 
> HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
> <<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]
> 
> 
> Running Services (Display Name, Service Name, Path {Service DLL}):
> ------------------------------------------------------------------
> 
> Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
> Avira AntiVir Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"]
> Avira AntiVir Scheduler, AntiVirSchedulerService, ""C:\Program Files\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"]
> SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
> TuneUp Program Statistics Service, TuneUp.ProgramStatisticsSvc, "C:\WINDOWS\System32\TUProgSt.exe" ["TuneUp Software"]
> 
> 
> ---------- (launch time: 2009-06-12 12:00:09)
> <<H>>: Suspicious data at a browser hijack point.
> 
> + This report excludes default entries except where indicated.
> + To see *everywhere* the script checks and *everything* it finds,
>  launch it from a command prompt or a shortcut with the -all parameter.
> + To search all directories of local fixed drives for DESKTOP.INI
>  DLL launch points, use the -supp parameter or answer "No" at the
>  first message box and "Yes" at the second message box.
> ---------- (total run time: 121 seconds, including 22 seconds for message boxes)