please check my log • programosy.pl

please check my log

System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.

Please check my log

Post by waglik, 14 Nov 2005, 20:33

Please check it, because I keep getting some pop-unders and pages keep getting redirected to some casino stuff and the like ;/


Logfile of HijackThis v1.99.1
Scan saved at 19:26:39, on 2005-11-14
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\shttps\http.exe
E:\programy\Winamp\winampa.exe
C:\windows\adtech2005.exe
C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\PROGRA~1\COMMON~1\riuf\riufm.exe
C:\Program Files\AntiVirenKit\AVKService.exe
C:\Program Files\AntiVirenKit\AVKWCtl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\AntiVirenKit\AVK.exe
D:\Tlen.pl\tlen.exe
E:\programy\Nowy folder\firefox.exe
C:\WINDOWS\system32\rundll32.exe
E:\programy\Spybot - Search & Destroy\SpybotSD.exe
E:\dawnloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnnun.pl:8181
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [W3KNetwork] RunDll32.exe w3knet.dll,DLLInitRun
O4 - HKLM\..\Run: [fdbgzfumfl] C:\WINDOWS\System32\irykzy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [NetDy] C:\WINDOWS\VisualGuard.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe
O4 - HKLM\..\Run: [WinampAgent] E:\programy\Winamp\winampa.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\RunServices: [Office XP hack] c:\office_patch.exe hack
O4 - HKLM\..\RunServices: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [riuf] C:\PROGRA~1\COMMON~1\riuf\riufm.exe
O4 - HKCU\..\Run: [AVKBar] "C:\Program Files\AntiVirenKit\AVKBar.exe"
O4 - Global Startup: Microsoft Office.lnk = E:\Office\Office10\OSA.EXE
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{879791DC-05F3-4AFE-8451-75DDC36C54AF}: NameServer = 194.204.159.1,10.0.0.1
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\fpnm0351e.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirenKit\AVKService.exe
O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d+pnaWVyZWs\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
waglik
~user

Posts: 19
Joined: 14 Nov 2005, 20:29



Post by Red, 14 Nov 2005, 22:01

It's not OK, but if you want to, we'll manage.
To start with, a log from l2mfix is needed.

1. Download and run (unpack) the program
http://www.atribune.org/downloads/l2mfix.exe
2. Launch it via l2mfix.bat from its folder
3. Run option 1 (Run Find Log) in it
4. Post the log you get when it finishes
and once more send a full HijackThis log to complete the set :)

The post author received kudos
Red
^distinguished

Posts: 8694
Joined: 01 Sep 2005, 10:57
Location: Piaseczno
Kudos: 701



Post by waglik, 14 Nov 2005, 22:54

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0s09d7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3]
"DLLName"="C:\\WINDOWS\\system32\\st3.dll"
"logoff"="WACLEventLogoff"
"lock"="WACLEventLock"
"logon"="WACLEventLogon"
"startup"="WACLEventStartup"
"shutdown"="WACLEventShutdown"
"startshell"="WACLEventStartShell"
"unlock"="WACLEventUnlock"
"startscreensaver"="WACLEventStartScreenSaver"
"stopscreensaver"="WACLEventStopScreenSaver"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A8DFB377-7514-9D01-DE81-E862D800B205}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Foldery w sieci Web"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}"="Mobile"
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}"="Mobile ContextMenuHandler"
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}"="Mobile PropertySheetHandler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"
"{3C2FF43C-FFE6-43D4-A246-330771AA5003}"=""
"{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\aqtodisc.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E02A-FA40

Directory of C:\WINDOWS\System32

2005-11-14 21:42 234 981 aqtodisc.dll
2005-11-14 19:51 234 272 lv8209loe.dll
2005-11-14 17:00 234 981 lv0s09d7e.dll
2005-09-18 12:31 <DIR> dllcache
3 File(s) 704 234 bytes
1 Dir(s) 234 565 632 bytes free

[ Added: Today at 21:56 ]
Logfile of HijackThis v1.99.1
Scan saved at 21:51:00, on 2005-11-14
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\shttps\http.exe
E:\programy\Winamp\winampa.exe
C:\windows\adtech2005.exe
C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\PROGRA~1\COMMON~1\riuf\riufm.exe
C:\Program Files\AntiVirenKit\AVKService.exe
C:\Program Files\AntiVirenKit\AVKWCtl.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Tlen.pl\tlen.exe
E:\programy\Nowy folder\firefox.exe
E:\dawnloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnnun.pl:8181
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [W3KNetwork] RunDll32.exe w3knet.dll,DLLInitRun
O4 - HKLM\..\Run: [fdbgzfumfl] C:\WINDOWS\System32\irykzy.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [NetDy] C:\WINDOWS\VisualGuard.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe
O4 - HKLM\..\Run: [WinampAgent] E:\programy\Winamp\winampa.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\RunServices: [Office XP hack] c:\office_patch.exe hack
O4 - HKLM\..\RunServices: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [riuf] C:\PROGRA~1\COMMON~1\riuf\riufm.exe
O4 - HKCU\..\Run: [AVKBar] "C:\Program Files\AntiVirenKit\AVKBar.exe"
O4 - Global Startup: Microsoft Office.lnk = E:\Office\Office10\OSA.EXE
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{879791DC-05F3-4AFE-8451-75DDC36C54AF}: NameServer = 194.204.159.1,10.0.0.1
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\lv0s09d7e.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirenKit\AVKService.exe
O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d+pnaWVyZWs\command.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
waglik
~user

Posts: 19
Joined: 14 Nov 2005, 20:29
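The L2MFix dump above is the part worth understanding. The injected Winlogon Notify subkey ("Controls Folder" here, "Extensions" in the find log posted later in this thread) points at a freshly named DLL each time, but the handler exports it registers (WinLogon, WinLogoff, WinShutdown) stay the same, and the system32 listing shows two DLLs with unrelated random names and an identical size of 234 981 bytes. The script below is an added example written for this page, not code from L2MFix or from anyone in the thread: it parses a .reg export in the shape L2MFix prints (including the `hex(2)` REG_EXPAND_SZ values of the stock entries), flags Notify keys whose DllName is a full path rather than a bare file name, groups the flagged keys by export set, and clusters the `dir` listing by size. The sample registry text and listing are constructed from the two logs in this thread; the parser and the heuristics are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: abridged from the two L2MFix find logs in this thread
# (two stock Notify keys, the three injected ones, and the system32 listing).
SAMPLE_NOTIFY = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv0s09d7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"DllName"="C:\\WINDOWS\\system32\\o4660ejseho60.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3]
"DLLName"="C:\\WINDOWS\\system32\\st3.dll"
"logoff"="WACLEventLogoff"
"logon"="WACLEventLogon"
"""

SAMPLE_DIR = """
2005-11-14 21:42 234 981 aqtodisc.dll
2005-11-14 19:51 234 272 lv8209loe.dll
2005-11-14 17:00 234 981 lv0s09d7e.dll
2005-09-18 12:31 <DIR> dllcache
"""


def _decode_hex2(csv):
    """hex(2) in a .reg file is REG_EXPAND_SZ as comma-separated UTF-16LE bytes."""
    raw = bytes(int(b, 16) for b in csv.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text):
    """Minimal .reg reader: {key_path: {value_name: value}} for "str", dword: and hex(2): values."""
    keys, current, pending = {}, None, None
    for line in text.splitlines():
        line = line.rstrip()
        if pending is not None:                      # continuation of a wrapped hex(2) value
            name, buf = pending
            buf += line.strip().rstrip("\\")
            pending = (name, buf) if line.endswith("\\") else None
            if pending is None:
                keys[current][name] = _decode_hex2(buf)
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, value = line[1:].partition('"=')
            if value.startswith("hex(2):"):
                buf = value[len("hex(2):"):]
                if buf.endswith("\\"):
                    pending = (name, buf[:-1])
                else:
                    keys[current][name] = _decode_hex2(buf)
            elif value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            elif len(value) >= 2 and value[0] == value[-1] == '"':
                keys[current][name] = value[1:-1].replace("\\\\", "\\")   # .reg escapes backslashes
    return keys


def find_injected_notify(keys):
    """Flag Notify subkeys whose DLL is given by full path (stock XP entries use a bare
    name resolved from system32); returns {subkey: (dll, sorted export names)}."""
    flagged = {}
    for path, values in keys.items():
        if "\\Winlogon\\Notify\\" not in path:
            continue
        vals = {k.lower(): v for k, v in values.items()}        # "DllName" vs "DLLName"
        dll = vals.get("dllname")
        if isinstance(dll, str) and "\\" in dll:
            exports = tuple(sorted(v for k, v in vals.items() if k != "dllname" and isinstance(v, str)))
            flagged[path.rsplit("\\", 1)[1]] = (dll, exports)
    return flagged


def shared_export_sets(flagged):
    """Same handler exports under a new key and DLL name is the same code, renamed."""
    groups = defaultdict(list)
    for subkey, (_, exports) in flagged.items():
        groups[exports].append(subkey)
    return {e: sorted(s) for e, s in groups.items() if len(s) > 1}


def size_clusters(listing):
    """Group DLLs from the dir listing by size (Polish locale: space as thousands separator)."""
    by_size = defaultdict(list)
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[-1].lower().endswith(".dll"):
            continue
        by_size[int("".join(parts[2:-1]))].append(parts[-1])
    return {s: sorted(n) for s, n in by_size.items() if len(n) > 1}


if __name__ == "__main__":
    flagged = find_injected_notify(parse_reg_export(SAMPLE_NOTIFY))
    for subkey, (dll, exports) in flagged.items():
        print(f"{subkey:16} {dll}  exports={exports}")
    print("same exports:", shared_export_sets(flagged))
    print("same size:", size_clusters(SAMPLE_DIR))
```

The full-path test is what separates the injected keys from the stock ones in this dump without a blocklist of file names, which is the point when the file name changes every boot; the export-set grouping is what lets you tie the "Controls Folder" key from one day to the "Extensions" key from the next.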



Post by Red, 15 Nov 2005, 11:35

Generally, a massacre :)
Turn off System Restore, boot into Windows Safe Mode (F8) and delete:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [W3KNetwork] RunDll32.exe w3knet.dll,DLLInitRun
O4 - HKLM\..\Run: [fdbgzfumfl] C:\WINDOWS\System32\irykzy.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [NetDy] C:\WINDOWS\VisualGuard.exe
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe


What is this? Have you been messing with Windows somehow?:
O4 - HKCU\..\Run: [key] C:\WINDOWS\System32\winxp.exe
O4 - HKLM\..\RunServices: [Office XP hack] c:\office_patch.exe hack


Also delete this:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d+pnaWVyZWs\command.exe (file missing)


Go to >>> Start > Run > type >> services.msc >>> stop and disable
this process >>> Command Service, Properties >> Startup type >> Disabled)
Open HijackThis >>> open the Misc Tools >>> Delete NT Service >>> type in (cmdService) >>> confirm. Then remove that entry with HijackThis

Be sure to run the system through the removal tools:
http://securityresponse.symantec.com/avcenter/FxNetsky.exe
http://securityresponse.symantec.com/avcenter/FxBeagle.exe

Next you'll do one more task:
disconnect the computer from the network, boot into Safe Mode (F8) and run once more


http://www.atribune.org/downloads/l2mfix.exe

but this time with option 2
Wait patiently for it to finish
if it "kills" the desktop, don't worry
and once more post both logs for a check
:)
Red
^distinguished

Posts: 8694
Joined: 01 Sep 2005, 10:57
Location: Piaseczno
Kudos: 701
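Red's pass over the HijackThis log above reads the cues a practitioner would: a browser proxy pointed at an unknown host, the default URLSearchHook gone, Run entries with random names or the same image registered under both HKLM and HKCU, Winlogon Notify DLLs given by full path, and a service whose binary is missing. The script below is an added example written for this page, not a tool from the thread or a HijackThis feature: it encodes those cues as heuristics over a constructed sample made of lines copied from the posted log plus the benign lines next to them. The regular expressions, the `triage` function and the vowel-ratio test for random names are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in this thread,
# interleaved with the benign lines they sit next to, so the script runs offline.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnnun.pl:8181
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKLM\..\Run: [fdbgzfumfl] C:\WINDOWS\System32\irykzy.exe
O4 - HKLM\..\RunServices: [Office XP hack] c:\office_patch.exe hack
O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O20 - Winlogon Notify: Controls Folder - C:\WINDOWS\system32\lv0s09d7e.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\d+pnaWVyZWs\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
O23_RE = re.compile(r"^Service: (?P<desc>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
VOWELS = set("aeiou")


def looks_random(name):
    """Heuristic (this example's, not HijackThis's): a long all-lowercase token
    with almost no vowels, like 'fdbgzfumfl' or 'irykzy'."""
    if len(name) < 6 or not name.isalpha() or not name.islower():
        return False
    return sum(c in VOWELS for c in name) / len(name) < 0.25


def triage(log_text):
    """Return [(line, reason)] for the HijackThis lines that deserve a second look."""
    findings = []
    run_images = defaultdict(list)          # launched image -> Run lines that launch it
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "R1" and "ProxyServer" in body:
            findings.append((raw, "proxy set: every browser request is relayed through that host"))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            findings.append((raw, "default URLSearchHook removed"))
        elif kind == "O4" and (o := O4_RE.match(body)):
            run_images[o["cmd"].lower()].append(raw)
            if looks_random(o["name"]):
                findings.append((raw, "random-looking Run entry name"))
            if o["key"] == "RunServices":
                findings.append((raw, "RunServices is a Windows 9x-era key; XP itself does not populate it"))
        elif kind == "O20" and (o := O20_RE.match(body)):
            # Stock XP Notify packages register a bare DLL name (cscdll.dll, wlnotify.dll in
            # the L2MFix dump); the injected ones give a full path into system32.
            if "\\" in o["dll"]:
                findings.append((raw, "Winlogon Notify DLL registered by full path"))
        elif kind == "O23" and (o := O23_RE.match(body)):
            if o["path"].endswith("(file missing)"):
                findings.append((raw, "service whose binary is gone: leftover persistence to remove"))
    for lines in run_images.values():
        if len(lines) > 1:
            findings.append((lines[0], f"same image in {len(lines)} Run keys (redundant persistence)"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
```

The point of the proxy and Notify checks is that neither depends on recognising a file name: a ProxyServer value is a finding whatever host it names, and a Notify DLL by full path is a finding whatever the DLL is called, which matters when the name changes on every reboot as it does in this thread.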



Post by waglik, 15 Nov 2005, 20:24

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\o4660ejseho60.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3]
"DLLName"="C:\\WINDOWS\\system32\\st3.dll"
"logoff"="WACLEventLogoff"
"lock"="WACLEventLock"
"logon"="WACLEventLogon"
"startup"="WACLEventStartup"
"shutdown"="WACLEventShutdown"
"startshell"="WACLEventStartShell"
"unlock"="WACLEventUnlock"
"startscreensaver"="WACLEventStartScreenSaver"
"stopscreensaver"="WACLEventStopScreenSaver"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administratorzy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A8DFB377-7514-9D01-DE81-E862D800B205}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Foldery w sieci Web"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}"="Mobile"
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}"="Mobile ContextMenuHandler"
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}"="Mobile PropertySheetHandler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"
"{3C2FF43C-FFE6-43D4-A246-330771AA5003}"=""
"{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}"=""
"{8C1C0917-E94A-4143-869D-EEB0337A8CE7}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\iIsnap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}\InprocServer32]
@="C:\\WINDOWS\\system32\\LDCASUI.DLL"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E02A-FA40

Directory of C:\WINDOWS\System32

2005-11-15 19:04 235 645 LDCASUI.DLL
2005-11-15 19:04 236 254 lv0609dse.dll
2005-11-15 19:01 235 645 o4660ejseho60.dll
2005-11-15 18:54 234 272 umrsdpia.dll
2005-11-15 17:27 234 272 iIsnap.dll
2005-09-18 12:31 <DIR> dllcache
5 File(s) 1 176 088 bytes
1 Dir(s) 231 514 112 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 19:18:50, on 2005-11-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\shttps\http.exe
E:\programy\Winamp\winampa.exe
C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\PROGRA~1\COMMON~1\riuf\riufm.exe
C:\Program Files\AntiVirenKit\AVKService.exe
C:\Program Files\AntiVirenKit\AVKWCtl.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Tlen.pl\tlen.exe
E:\programy\Nowy folder\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
E:\dawnloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnnun.pl:8181
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe
O4 - HKLM\..\Run: [WinampAgent] E:\programy\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [Office XP hack] c:\office_patch.exe hack
O4 - HKLM\..\RunServices: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [riuf] C:\PROGRA~1\COMMON~1\riuf\riufm.exe
O4 - HKCU\..\Run: [AVKBar] "C:\Program Files\AntiVirenKit\AVKBar.exe"
O4 - Global Startup: Microsoft Office.lnk = E:\Office\Office10\OSA.EXE
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{879791DC-05F3-4AFE-8451-75DDC36C54AF}: NameServer = 194.204.159.1,10.0.0.1
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\o4660ejseho60.dll
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirenKit\AVKService.exe
O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[ Added: Today at 19:25 ]
unfortunately something is still wrong ;/
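The Winlogon\Notify dump is the part of this log that matters most: every DLL registered there is loaded by winlogon.exe, in the SYSTEM context, at each logon, which is why the randomly named DLLs in system32 keep coming back and why HijackThis reports them as O20 entries. The script below is an added example, not part of this thread and not L2MFix code. It parses a Winlogon\Notify .reg export of the kind L2MFix prints, decodes the hex(2) (REG_EXPAND_SZ, UTF-16LE) DllName values, and flags subkeys that are not in a clean Windows XP baseline or whose DLL is not the module that baseline expects. The baseline table is an assumption for illustration (compare against a clean machine at the same service-pack level), and SAMPLE_EXPORT is a constructed excerpt modelled on the log above.

```python
"""Triage a Winlogon\\Notify registry export for rogue notification packages.

Added example for this thread; not L2MFix code and not the poster's own.
XP_NOTIFY_BASELINE is an assumed clean-XP list used for illustration;
SAMPLE_EXPORT is a constructed excerpt modelled on the log posted above.
"""
import re

# Subkey name (lower-case) -> module a clean Windows XP registers there (assumption).
XP_NOTIFY_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
    "wzcnotif": "wzcdlg.dll",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Constructed excerpt: two genuine XP entries plus the two rogue ones seen above.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Extensions]
"DllName"="C:\\WINDOWS\\system32\\o4660ejseho60.dll"
"Logon"="WinLogon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\st3]
"DLLName"="C:\\WINDOWS\\system32\\st3.dll"
"logon"="WACLEventLogon"
'''


def decode_reg_value(raw):
    """Decode a .reg value literal: a "quoted" string (with \\\\ unescaped) or a
    hex(2): REG_EXPAND_SZ byte list, which is NUL-terminated UTF-16LE."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    m = re.match(r"hex\(2\):(.*)", raw, re.S)
    if m:
        data = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # dword: and anything else is returned as written


def parse_notify_export(text):
    """Return {subkey: {value_name: decoded_value}} for each Winlogon\\Notify\\<sub> key."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        # .reg continues long hex values on the next line after a trailing backslash
        while line.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line.rstrip()[:-1] + lines[i].strip()
        if line.startswith("["):
            path = line.strip("[]")
            if path.lower().startswith(NOTIFY_PREFIX.lower()) and len(path) > len(NOTIFY_PREFIX):
                current = path[len(NOTIFY_PREFIX):]
                keys[current] = {}
            else:
                current = None  # parent key or some unrelated key
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, val = line.partition("=")
            keys[current][name.strip('"')] = decode_reg_value(val)
        i += 1
    return keys


def flag_rogue_notify(keys):
    """Flag a subkey whose name is not in the baseline, or whose DLL is not the
    module the baseline expects (e.g. a full path to a random name in system32).
    Returns a list of (subkey, dll, reason)."""
    findings = []
    for sub, values in keys.items():
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), "")
        expected = XP_NOTIFY_BASELINE.get(sub.lower())
        if expected is None:
            findings.append((sub, dll, "subkey not in XP baseline"))
        elif dll.lower().rsplit("\\", 1)[-1] != expected:
            findings.append((sub, dll, "expected " + expected))
    return findings


if __name__ == "__main__":
    for sub, dll, reason in flag_rogue_notify(parse_notify_export(SAMPLE_EXPORT)):
        print("Winlogon\\Notify\\%s -> %s (%s)" % (sub, dll, reason))
```

Run against the sample it reports Extensions and st3, the same two keys HijackThis lists as O20 entries in the log above; feed it the full Winlogon/notify section of a find log to get the same answer for a real machine.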



Post by Red, 15 Nov 2005, 20:55

Red wrote: turn off System Restore, boot Windows into Safe Mode (F8) and remove

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
>> you remove all of these with HijackThis

next download the program:
http://www.bleepingcomputer.com/files/killbox.php
Run Pocket Killbox
tick Standard File Kill + End Explorer Shell, paste in the path C:\WINDOWS\system32\st3.dll
confirm with X and restart the computer

as for L2MFIX, run it with option 2:
disconnect from the internet, boot into Safe Mode, run the tool and enter option 2 (Run Fix); the removal happens automatically and after the computer restarts a log is produced
and give me that log plus a HijackThis log from after the fix and after Killbox have run :)



Post by waglik, 15 Nov 2005, 21:54

Logfile of HijackThis v1.99.1
Scan saved at 20:48:53, on 2005-11-15
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\shttps\http.exe
E:\programy\Winamp\winampa.exe
C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe
C:\PROGRA~1\COMMON~1\riuf\riufm.exe
C:\Program Files\AntiVirenKit\AVKService.exe
C:\Program Files\AntiVirenKit\AVKWCtl.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\Tlen.pl\tlen.exe
E:\programy\Nowy folder\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\dawnloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = nnnun.pl:8181
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe
O4 - HKLM\..\Run: [WinampAgent] E:\programy\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [Office XP hack] c:\office_patch.exe hack
O4 - HKLM\..\RunServices: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Documents and Settings\Administrator\Gadu-Gadu\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [leeman] C:\WINDOWS\System32\leeman.exe
O4 - HKCU\..\Run: [riuf] C:\PROGRA~1\COMMON~1\riuf\riufm.exe
O4 - HKCU\..\Run: [AVKBar] "C:\Program Files\AntiVirenKit\AVKBar.exe"
O4 - Global Startup: Microsoft Office.lnk = E:\Office\Office10\OSA.EXE
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{879791DC-05F3-4AFE-8451-75DDC36C54AF}: NameServer = 194.204.159.1,10.0.0.1
O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\d80m0id1e80.dll (file missing)
O20 - Winlogon Notify: st3 - C:\WINDOWS\system32\st3.dll (file missing)
O23 - Service: AVK Service (AVKService) - Unknown owner - C:\Program Files\AntiVirenKit\AVKService.exe
O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[ Added: Today at 21:02 ]
ok, so that's probably not it, sorry ;/, but here's what happens: I start the computer in Safe Mode, run option 2 and after 15 s the computer restarts... it boots up in normal mode, and where am I supposed to look for that log ;/??



Post by Red, 16 Nov 2005, 09:16

waglik wrote: and where am I supposed to look for that log ;/??


it will be in the L2MFIX program's folder
I see you have (file missing) next to the O20 entries. Are the ads still popping up? If so, post a log from option 1 at that point; if not, you don't need to send anything :)



Post by waglik, 16 Nov 2005, 16:50

Unfortunately they keep popping up ;/



L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administratorzy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A8DFB377-7514-9D01-DE81-E862D800B205}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Foldery w sieci Web"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{ED65AB21-B24F-11d3-BA80-00C0CA16AA37}"="Mobile"
"{ED65AB22-B24F-11d3-BA80-00C0CA16AA37}"="Mobile ContextMenuHandler"
"{ED65AB23-B24F-11d3-BA80-00C0CA16AA37}"="Mobile PropertySheetHandler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{A70C977A-BF00-412C-90B7-034C51DA2439}"="NvCpl DesktopContext Class"
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}"="Play on my TV helper"
"{1CDB2949-8F65-4355-8456-263E7C208A5D}"="Desktop Explorer"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}"="Desktop Explorer Menu"
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}"="nView Desktop Context Menu"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="st"
"{3C2FF43C-FFE6-43D4-A246-330771AA5003}"=""
"{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}"=""
"{8C1C0917-E94A-4143-869D-EEB0337A8CE7}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\iIsnap.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}\InprocServer32]
@="C:\\WINDOWS\\system32\\pUnmap.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is E02A-FA40

Directory of C:\WINDOWS\System32

2005-11-16 15:39 236 930 ejs.dll
2005-11-15 21:49 236 930 aKd.dll
2005-11-15 20:38 236 930 guard.tmp
2005-11-15 20:37 236 930 pUnmap.dll
2005-11-15 20:35 233 725 lvr4099qe.dll
2005-11-15 20:33 233 725 dosrslvr.dll
2005-11-15 20:28 236 930 kedmac.dll
2005-11-15 20:25 235 645 uarrtosa.dll
2005-11-15 20:13 236 254 wedconns.dll
2005-11-15 19:59 236 254 wxnmm.dll
2005-11-15 19:04 235 645 LDCASUI.DLL
2005-11-15 18:54 234 272 umrsdpia.dll
2005-11-15 17:27 234 272 iIsnap.dll
2005-09-18 12:31 <DIR> dllcache
13 File(s) 3 064 442 bytes
1 Dir(s) 214 118 400 bytes free

[ Added: Today at 15:51 ]
L2Mfix 1.04a

Running From:
E:\dawnloads\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administratorzy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(IO) access for predefined group "Administrators"
- adding new ACCESS DENY entry
- removing existing ACCESS DENY entry
- changing existing entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-CI) DENY --C------- BUILTIN\Administratorzy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy
(ID-IO) ALLOW Read BUILTIN\Użytkownicy
(ID-NI) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-IO) ALLOW Read BUILTIN\Użytkownicy zaawansowani
(ID-NI) ALLOW Full access BUILTIN\Administratorzy
(ID-IO) ALLOW Full access BUILTIN\Administratorzy
(ID-NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM
(ID-IO) ALLOW Full access TWÓRCA-WŁAŚCICIEL



Setting up for Reboot


Starting Reboot!



Post by Red, 16 Nov 2005, 17:44

oh well, so we have to fight it by hand
open Notepad and paste this into it exactly as it is (1:1):

Windows Registry Editor Version 5.00

; "=-" deletes the named value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A8DFB377-7514-9D01-DE81-E862D800B205}"=-


; unregister the three rogue shell extensions
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{3C2FF43C-FFE6-43D4-A246-330771AA5003}"=-
"{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}"=-
"{8C1C0917-E94A-4143-869D-EEB0337A8CE7}"=-

; a leading "-" in front of the key path deletes the whole key;
; without it regedit would only create/open the key and leave it in place
[-HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}]

[-HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}]

[-HKEY_CLASSES_ROOT\CLSID\{8C1C0917-E94A-4143-869D-EEB0337A8CE7}]

File >>> Save As >>> change the file type from TXT to All Files >>> save under the name FIX.REG

next read up on the Recovery Console
in it you will run this set of commands:
CD C:\WINDOWS\system32

ATTRIB -R-S-H ejs.dll
ATTRIB -R-S-H aKd.dll
ATTRIB -R-S-H guard.tmp
ATTRIB -R-S-H pUnmap.dll
ATTRIB -R-S-H lvr4099qe.dll
ATTRIB -R-S-H dosrslvr.dll
ATTRIB -R-S-H kedmac.dll
ATTRIB -R-S-H uarrtosa.dll
ATTRIB -R-S-H wedconns.dll
ATTRIB -R-S-H wxnmm.dll
ATTRIB -R-S-H LDCASUI.DLL
ATTRIB -R-S-H umrsdpia.dll
ATTRIB -R-S-H iIsnap.dll


DEL ejs.dll
DEL aKd.dll
DEL guard.tmp
DEL pUnmap.dll
DEL lvr4099qe.dll
DEL dosrslvr.dll
DEL kedmac.dll
DEL uarrtosa.dll
DEL wedconns.dll
DEL wxnmm.dll
DEL LDCASUI.DLL
DEL umrsdpia.dll
DEL iIsnap.dll


EXIT

Reboot into Windows SAFE MODE and run the FIX.REG file

and write back how it went :)
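The manual fix above has two parts that come straight out of the L2MFix find log: the registry entries (the GUID-named User Agent value, the blank-named Shell Extensions\Approved CLSIDs and their HKCR\CLSID keys) and the file list for the Recovery Console. The script below is an added example, not Red's script and not L2MFix code, that derives both from a find log: it splits the log into its sections, pulls out those findings, and prints a FIX.REG (using the `[-HKEY...]` form, which is what makes regedit delete a key) together with the ATTRIB/DEL command list in the same form as the post above. SAMPLE_LOG is a constructed excerpt modelled on waglik's log. Treating every GUID-named Post Platform value and every file in the listing as removable is an assumption that mirrors what this thread does, and L2MFix itself warns that the listed files "are not all bad files", so review the output before running it.

```python
"""Build FIX.REG and Recovery Console commands from an L2MFix find log.

Added example for this thread; not L2MFix code and not Red's own script.
SAMPLE_LOG is a constructed excerpt modelled on the log posted above.
Assumptions (review before use): GUID-named values under
'User Agent\\Post Platform' and every file in the directory listing are
treated as removable, as the thread does.
"""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# Constructed excerpt (same section headers and layout as an L2MFix find log).
SAMPLE_LOG = r'''L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{A8DFB377-7514-9D01-DE81-E862D800B205}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Foldery w sieci Web"
"{3C2FF43C-FFE6-43D4-A246-330771AA5003}"=""
"{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3C2FF43C-FFE6-43D4-A246-330771AA5003}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{4C236C07-C224-4E23-A2C4-D4FD5CD4D8B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\iIsnap.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:
Locate .tmp files:
Directory Listing of system files:

Directory of C:\WINDOWS\System32

2005-11-16 15:39 236 930 ejs.dll
2005-11-15 20:38 236 930 guard.tmp
2005-11-15 17:27 234 272 iIsnap.dll
2005-09-18 12:31 <DIR> dllcache
3 File(s) 708 132 bytes
'''


def split_sections(text):
    """Map each '<header>:' section of the find log to its body text."""
    sections = {}
    for part in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        lines = part.strip().splitlines()
        if lines:
            sections[lines[0].rstrip(":")] = "\n".join(lines[1:])
    return sections


def extract_findings(text):
    """Return (ua_guids, approved_clsids, inproc_paths, listed_files)."""
    s = split_sections(text)
    ua_guids = re.findall(r'^"(' + GUID + r')"=', s.get("useragent", ""), re.M)
    # Approved entries with an empty description are the rogue shell extensions
    approved = re.findall(r'^"(' + GUID + r')"=""$', s.get("Shell Extension key", ""), re.M)
    # .reg doubles backslashes; undo that to get the real on-disk path
    inproc = [p.replace("\\\\", "\\") for p in
              re.findall(r'InprocServer32\]\s*@="([^"]+)"', s.get("HKEY ROOT CLASSIDS", ""))]
    listed = []
    for line in s.get("Files Found are not all bad files", "").splitlines():
        tok = line.split()
        # "date time size name" rows only; skip <DIR> rows and the summary lines
        if len(tok) >= 4 and re.fullmatch(r"\d{4}-\d{2}-\d{2}", tok[0]) and "<DIR>" not in tok:
            listed.append(tok[-1])  # assumes file names without spaces
    return ua_guids, approved, inproc, listed


def build_fix_reg(ua_guids, approved):
    """FIX.REG text: '=-' deletes a value, '[-KEY]' deletes a whole key."""
    out = ["Windows Registry Editor Version 5.00", ""]
    if ua_guids:
        out.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                   "\\Internet Settings\\User Agent\\Post Platform]")
        out += ['"%s"=-' % g for g in ua_guids] + [""]
    if approved:
        out.append("[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                   "\\Shell Extensions\\Approved]")
        out += ['"%s"=-' % g for g in approved] + [""]
    for g in approved:
        out += ["[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % g, ""]
    return "\n".join(out)


def build_console_commands(files, sysdir="C:\\WINDOWS\\system32"):
    """Recovery Console command list in the form used in the thread:
    clear R/S/H attributes first, then delete, one file per line."""
    names = sorted({f.rsplit("\\", 1)[-1] for f in files})
    cmds = ["CD " + sysdir]
    cmds += ["ATTRIB -R-S-H " + n for n in names]
    cmds += ["DEL " + n for n in names]
    cmds.append("EXIT")
    return cmds


if __name__ == "__main__":
    ua, app, inproc, listed = extract_findings(SAMPLE_LOG)
    print(build_fix_reg(ua, app))
    print("\n".join(build_console_commands(inproc + listed)))
```

The InprocServer32 paths are merged with the directory listing so that a dropped file referenced only from HKCR\CLSID (guard.tmp in the sample) is not missed; names are deduplicated, since the same file usually shows up in both places.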



Post by waglik, 17 Nov 2005, 19:41

hmm... I think I somehow managed it, no windows pop up any more and everything works OK, many thanks!! ;)



Post by Red, 17 Nov 2005, 19:49

good, I'm glad; and for peace of mind be sure to run a scan with this program too (delete everything it finds)
http://www.ewido.net/en/download/