Ziuk, posted 22 July 2007

Hello. Yesterday I noticed strange things happening on my computer. It started with GG shutting itself down and throwing some error; the web browsers (Firefox, Opera) also closed for some unclear reason, and Spybot had been changed and was signalling the presence of some virus or other threats. As soon as I scanned the drives with antivirus programs, a restart followed after some time of scanning, and the same happened with antispyware programs. AVG found only something called dropper.agent.asf and removed it, but that did not help and the system stayed unstable. Only after I switched it off and waited a while did it start running as if nothing had happened to it before, so I got a bit confused, and to this day I do not know whether something is still sitting in it, which is why I am asking for the logs to be checked.

Logfile of HijackThis v1.99.1
Scan saved at 22:54:39, on 2007-07-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
F:\WINDOWS\system32\BootDSvc.exe
F:\WINDOWS\system32\CTsvcCDA.EXE
F:\WINDOWS\system32\crypserv.exe
F:\WINDOWS\runservice.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\Eset\nod32krn.exe
F:\Program Files\Agnitum\Outpost Firewall\outpost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
F:\WINDOWS\system32\Rundll32.exe
F:\Program Files\Eset\nod32kui.exe
F:\WINDOWS\system32\wscntfy.exe
F:\Program Files\D-Tools\daemon.exe
F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
F:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
F:\Program Files\Gadu-Gadu\gg.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\OpenOffice.org 2.1\program\soffice.exe
F:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
F:\Program Files\Ventrilo1\Ventrilo.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\totalcmd\TOTALCMD.EXE
F:\Program Files\DAP\DAP.EXE
F:\Documents and Settings\ppp\Pulpit\do logow\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - F:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - F:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] F:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [updReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "F:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Outpost Firewall] F:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] F:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [AtiTrayTools] "F:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "F:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [sUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: OpenOffice.org 2.1.lnk = F:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O8 - Extra context menu item: &Clean Traces - F:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - F:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: Critical System Service BootDrv (BootDrv) - Unknown owner - F:\WINDOWS\system32\BootDSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - F:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - F:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - F:\WINDOWS\runservice.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - F:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - F:\Program Files\Agnitum\Outpost Firewall\outpost.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "F:\WINDOWS\system32\ctfmon.exe" [MS]
"Creative Detector" = "F:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R" ["Creative Technology Ltd"]
"AtiTrayTools" = ""F:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
"Steam" = "(empty string)" [file not found]
"Gadu-Gadu" = ""F:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"SUPERAntiSpyware" = "F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"QuickTime Task" = ""F:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]
"CTSysVol" = "F:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"UpdReg" = "F:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"NeroFilterCheck" = "F:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"nod32kui" = ""F:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" ["Eset "]
"RegistryMechanic" = "(empty string)" [file not found]
"DAEMON Tools-1033" = ""F:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"AVP" = ""F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"" ["Kaspersky Lab"]
"Outpost Firewall" = "F:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice" ["Agnitum Ltd."]
"OutpostFeedBack" = "F:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup" ["Agnitum Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "F:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "PDFCreator Toolbar Helper"
     \InProcServer32\(Default) = "F:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{DB6EB118-BE52-4560-A710-55592142ED59}" = "TS2 menu extension"
  -> {HKLM...CLSID} = "CTSShellMenu Class"
     \InProcServer32\(Default) = "blank" [file not found]
"{5E99F9A3-F74D-11d6-815E-DF759368C375}" = "Niszczarka plików"
  -> {HKLM...CLSID} = "Niszczarka plików"
     \InProcServer32\(Default) = "blank" [file not found]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "F:\PROGRA~2\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "F:\PROGRA~2\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{8FF88D21-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu Extension"
     \InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" [file not found]
"{8FF88D25-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 DragDrop Shell Extension"
  -> {HKLM...CLSID} = "WinAceDrag-Drop Extension"
     \InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" [file not found]
"{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" [file not found]
"{8FF88D23-7BD0-11D1-BFB7-00AA00262A11}" = "WinAce Archiver 2.65 Property Sheet Shell Extension"
  -> {HKLM...CLSID} = "WinAceProperty Sheet Extension"
     \InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" [file not found]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Copy Hook"
  -> {HKLM...CLSID} = "SmartFTP Copy Hook"
     \InProcServer32\(Default) = "F:\Program Files\SmartFTP Client\smarthook.dll" ["SmartSoft Ltd."]
"{EB47FF00-225E-11D2-9E1D-00A0C9AB0EEE}" = "eLicense Control"
  -> {HKLM...CLSID} = "eLicense Control"
     \InProcServer32\(Default) = "F:\WINDOWS\lcmmfu.cpl" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
     \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
     \InProcServer32\(Default) = "F:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> !SASWinLogon\DLLName = "F:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""F:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"
     \InProcServer32\(Default) = "F:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
  -> {HKLM...CLSID} = "DAPMenuShellExt Class"
     \InProcServer32\(Default) = "F:\PROGRA~2\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "F:\Program Files\Eset\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" [file not found]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"
     \InProcServer32\(Default) = "F:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
DAP_ShredMenu\(Default) = "{BED4C38B-F765-45AC-8C56-613F76BBF43E}"
  -> {HKLM...CLSID} = "DAPMenuShellExt Class"
     \InProcServer32\(Default) = "F:\PROGRA~2\DAP\PRIVAC~1\DAPCTX~1.DLL" ["Speedbit Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]
ZFAdd\(Default) = "{8FF88D27-7BD0-11D1-BFB7-00AA00262A11}"
  -> {HKLM...CLSID} = "WinAceContext Menu (Add) Extension"
     \InProcServer32\(Default) = "F:\Program Files\WinAce\arcext.dll" [file not found]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
  -> {HKLM...CLSID} = "Outpost.ASWShellExt Component"
     \InProcServer32\(Default) = "F:\Program Files\Agnitum\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\ShellEx.dll" ["Kaspersky Lab"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
     \InProcServer32\(Default) = "F:\Program Files\Eset\nodshex.dll" [null data]
TSCtxM\(Default) = "{DB6EB118-BE52-4560-A710-55592142ED59}"
  -> {HKLM...CLSID} = "CTSShellMenu Class"
     \InProcServer32\(Default) = "blank" [file not found]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "F:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "F:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "F:\Documents and Settings\ppp\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "F:\WINDOWS\system32\sstext3d.scr" [MS]


Startup items in "ppp" & "All Users" startup folders:
-----------------------------------------------------

F:\Documents and Settings\ppp\Menu Start\Programy\Autostart
"OpenOffice.org 2.1" -> shortcut to: "F:\Program Files\OpenOffice.org 2.1\program\quickstart.exe" [null data]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "F:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
F:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"
  -> {HKLM...CLSID} = "PDFCreator Toolbar"
     \InProcServer32\(Default) = "F:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}" = "PDFCreator Toolbar"
  -> {HKLM...CLSID} = "PDFCreator Toolbar"
     \InProcServer32\(Default) = "F:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = "Szybkie dostosowywanie programu"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll" ["Agnitum Ltd."]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "F:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_01"
     \InProcServer32\(Default) = "F:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_01"
     \InProcServer32\(Default) = "F:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll" ["Sun Microsystems, Inc."]

{44627E97-789B-40D4-B5C2-58BD171129A1}\
"ButtonText" = "Szybkie dostosowywanie programu Outpost Firewall Pro"

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "F:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "F:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "F:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
Critical System Service BootDrv, BootDrv, "F:\WINDOWS\system32\BootDSvc.exe" [null data]
Crypkey License, Crypkey License, "crypserv.exe" ["Kenonic Controls Ltd."]
Kaspersky Anti-Virus 6.0, AVP, ""F:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r" ["Kaspersky Lab"]
LicCtrl Service, LicCtrlService, "F:\WINDOWS\runservice.exe" [null data]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""F:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
NOD32 Kernel Service, NOD32krn, ""F:\Program Files\Eset\nod32krn.exe"" ["Eset "]
Outpost Firewall Service, OutpostFirewall, "F:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service" ["Agnitum Ltd."]
Windows User Mode Driver Framework, UMWdf, "F:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
PDFCreator\Driver = "pdfcmnnt.dll" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 82 seconds.
---------- (total run time: 114 seconds)
kmk2000, posted 23 July 2007

Let's start with this - why do you have several AVs?

The ones that look suspicious to me are:

F:\WINDOWS\system32\BootDSvc.exe
F:\WINDOWS\system32\crypserv.exe
F:\Documents and Settings\totalcmd\TOTALCMD.EXE - shouldn't that be in Program Files, or possibly on C:?

O23 - Service: Critical System Service BootDrv (BootDrv) - Unknown owner - F:\WINDOWS\system32\BootDSvc.exe
Ziuk, posted 23 July 2007

I have the 30-day Kaspersky for additional scanning (it serves as an on-demand scanner).
CatchMe, posted 30 July 2007

Clean. 8O