Luk@s Opublikowano 22 Maja 2008 Zgłoś Opublikowano 22 Maja 2008 (edytowane) Loga z Combofix nie dam, bo po uruchomieniu Combofix posypal mi trochę Vistę 8O Ma ktoś pomysł jak to naprawić? (jak skanował to zginęła tapeta i teraz nie mam tapety w ogóle i miniaturki w systemie nie działają, a w czasie skana komputer zaliczył BSODa). » Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Log:" Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:18:52, on 2008-05-22 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v7.00 (7.00.6001.18000) Boot mode: Normal Running processes: C:\Program Files\ASUS\GamerOSD\ATKFastUserSwitching.exe C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\RtHDVCpl.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\A4Tech\Mouse\Amoumain.exe C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe C:\Windows\WindowsMobile\wmdSync.exe C:\Windows\System32\rundll32.exe C:\Program Files\ASUS\GamerOSD\GamerOSD.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe C:\Program Files\DAEMON Tools Lite\daemon.exe C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe C:\Windows\system32\conime.exe C:\Windows\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Opera\Opera.exe C:\Windows\system32\DllHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" O4 - 
HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe O4 - HKCU\..\Run: [sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'USŁUGA LOKALNA') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'USŁUGA SIECIOWA') O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com 
- {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O23 - Service: ASDR - Unknown owner - C:\Windows\System32\ASDR.exe O23 - Service: ATK Fast User Switch Service (ATKFUSService) - ASUSTeK COMPUTER INC. - C:\Windows\system32\ATKFUSService.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\Windows\system32\lkcitdl.exe O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\Windows\system32\lkads.exe O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\Windows\system32\lktsrv.exe O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\Windows\system32\nisvcloc.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. 
- C:\Windows\system32\IoctlSvc.exe O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe » Naciśnij aby pokazać/ukryć tekst oznaczony jako spoiler « - "Silent Runners" "Silent Runners.vbs", revision 58, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} "Sidebar" = "C:\Program Files\Windows Sidebar\sidebar.exe /autoRun" [MS] "IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020" ["Nero AG"] "DAEMON Tools Lite" = ""C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "Windows Defender" = "C:\Program Files\Windows Defender\MSASCui.exe -hide" "RtHDVCpl" = "RtHDVCpl.exe" ["Realtek Semiconductor"] "Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"] "GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS] "WheelMouse" = "C:\Program Files\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."] "NBKeyScan" = ""C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"" ["Nero AG"] "egui" = ""C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice" ["ESET"] "Windows Mobile-based device management" = "C:\Windows\WindowsMobile\wmdSync.exe" "NvCplDaemon" = "RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup" [MS] "NvMediaCenter" = "RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit" [MS] "ASUSGamerOSD" = "C:\Program Files\ASUS\GamerOSD\GamerOSD.exe" ["ASUSTeK Computer Inc."] "IAAnotif" = ""C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"" ["Intel Corporation"] "JMB36X IDE Setup" = "C:\Windows\RaidTool\xInsIDE.exe" [null data] 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided) -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)" -> {HKLM...CLSID} = "Skype add-on (mastermind)" \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."] {72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided) -> {HKLM...CLSID} = "Groove GFS Browser Helper" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{00020d75-0000-0000-c000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {HKLM...CLSID} = "Microsoft Office Outlook" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\MLSHEXT.DLL" [MS] "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] "{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper" -> {HKLM...CLSID} = "Groove GFS Browser Helper" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar" -> {HKLM...CLSID} = "Groove Folder Synchronization" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler" -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove 
GFS Stub Execution Hook" -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler" -> {HKLM...CLSID} = "Groove XML Icon Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] "{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] 
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler" -> {HKLM...CLSID} = "Outlook File Icon Extension" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\OLKFSTUB.DLL" [MS] "{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search" \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\ONFILTER.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {HKLM...CLSID} = (no title provided) \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS] "{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler" -> {HKLM...CLSID} = "Microsoft Office Metadata Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler" -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS] "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" = "AIMP2: ShellExt" -> {HKLM...CLSID} = "AIMP2: ShellExt" \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"] "{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons" -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class" \InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "Eset Smart Security - Context Menu Shell Extension" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class" -> {HKLM...CLSID} = "DesktopContext Class" \InProcServer32\(Default) = 
"C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper" -> {HKLM...CLSID} = "NVIDIA CPL Extension" \InProcServer32\(Default) = "C:\Windows\system32\nvcpl.dll" ["NVIDIA Corporation"] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook" -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}" -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter" \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info" -> {HKLM...CLSID} = "PDF Shell Extension" \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."] HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" -> {HKLM...CLSID} = "AIMP2: ShellExt" \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"] Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}" -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class" \InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"] Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" 
[null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ AIMPClassic\(Default) = "{1F77B17B-F531-44DB-ACA4-76ABB5010A28}" -> {HKLM...CLSID} = "AIMP2: ShellExt" \InProcServer32\(Default) = "C:\PROGRA~1\AIMP2\System\AIMP_S~1.DLL" ["AIMP DevTeam"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ Eset Smart Security - Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" -> {HKLM...CLSID} = "Eset Smart Security - Context Menu Shell Extension" \InProcServer32\(Default) = "C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll" ["ESET"] WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" -> {HKLM...CLSID} = "WinRAR" \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data] XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\ XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}" -> {HKLM...CLSID} = "Groove GFS Context Menu Handler" \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS] 
Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ "disableregistrytools" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKCU\Software\Policies\Microsoft\Windows\System\ "DisableCMD" = (REG_DWORD) dword:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to the command prompt} HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "ConsentPromptbehaviorAdmin" = (REG_DWORD) dword:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} "ConsentPromptbehaviorUser" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: behavior Of The Elevation Prompt For Standard Users} "EnableInstallerDetection" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} "EnableLUA" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} "EnableSecureUIAPaths" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} "EnableVirtualization" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} 
"PromptOnSecureDesktop" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Switch to the secure desktop when prompting for elevation} "shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} "undockwithoutlogon" = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} "FilterAdministratorToken" = (REG_DWORD) dword:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} "EnableUIADesktopToggle" = (REG_DWORD) dword:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ "Wallpaper" = "C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows Photo Gallery\Tapeta z Galerii fotografii systemu Windows.jpg" Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\Windows\web\Wallpaper\img20.jpg" Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ WIA_{A36A2ACF-697E-47B4-9CC0-3EAC9C910D5C}\ "Provider" = "Photoshop" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = "/WiaCmd;C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe /StiDevice:%1 /StiEvent:%2;" -> {HKLM...CLSID} = "WPDShextAutoplay" 
\LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS] WIA_{E6204D55-1E10-40FA-AA51-6D945167ABE4}\ "Provider" = "Microsoft Office Word" "CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}" "InitCmdLine" = "/WiaCmd;C:\Program Files\Microsoft Office\Office12\WINWORD.EXE /IMG_WIA;" -> {HKLM...CLSID} = "WPDShextAutoplay" \LocalServer32\(Default) = "C:\Windows\system32\WPDShextAutoplay.exe" [MS] Startup items in "Luk@s" & "All Users" startup folders: ------------------------------------------------------- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup "Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."] Non-disabled Scheduled Tasks: ----------------------------- C:\Windows\System32\Tasks\Microsoft\Windows\Active Directory Rights Management Services Client "AD RMS Rights Policy Template Management (Manual)" -> launches: "{BF5CB148-7C77-4d8a-A53E-D81C70CF743C}" -> {HKLM...CLSID} = "AD RMS Rights Policy Template Management (Manual) Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\msdrm.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth "UninstallDeviceTask" -> launches: "BthUdTask.exe $(Arg0)" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient "SystemTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS] "UserTask" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS] "UserTask-Roam" -> launches: "{58fb76b9-ac85-4e55-ac04-427593b1d060}" -> {HKLM...CLSID} = "Certificate Services Client Task Handler" \InProcServer32\(Default) = "C:\Windows\system32\dimsjob.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program 
"Consolidator" -> launches: "%SystemRoot%\System32\wsqmcons.exe" [MS] "OptinNotification" -> launches: "%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Defrag "ManualDefrag" -> launches: "%windir%\system32\defrag.exe \\?\Volume{d88238df-1c8f-11dd-bddf-806e6f6e6963}\" [MS] "ScheduledDefrag" -> launches: "%windir%\system32\defrag.exe -c -i" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\DiskDiagnostic "Microsoft-Windows-DiskDiagnosticDataCollector" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC "HotStart" -> launches: "{06DA0625-9701-43da-BFD7-FBEEA2180A1E}" -> {HKLM...CLSID} = "HotStart User Agent" \InProcServer32\(Default) = "C:\Windows\System32\HotStartUserAgent.dll" [MS] "TMM" -> launches: "{35EF4182-F900-4632-B072-8639E4478A61}" -> {HKLM...CLSID} = "Transient Multi-Monitor Manager" \InProcServer32\(Default) = "C:\Windows\System32\TMM.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\MUI "LPRemove" -> launches: "%windir%\system32\lpremove.exe" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia "SystemSoundsService" -> launches: "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}" -> {HKLM...CLSID} = "Microsoft PlaySoundService Class" \InProcServer32\(Default) = "C:\Windows\System32\PlaySndSrv.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection "NAPStatus UI" -> launches: "{f09878a1-4652-4292-aa63-8c7d4fd7648f}" -> {HKLM...CLSID} = "Nap ITask Handler Implementation" \InProcServer32\(Default) = "C:\Windows\System32\QAgent.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\PLA\System "ConvertLogEntries" -> (HIDDEN!) launches: "%windir%\system32\rundll32.exe %windir%\system32\pla.dll,PlaConvertLogEntries" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\RAC "RACAgent" -> (HIDDEN!) 
launches: "%windir%\system32\RacAgent.exe" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance "RemoteAssistanceTask" -> (HIDDEN!) launches: "%windir%\system32\RAServer.exe /offerraupdate" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Shell "CrawlStartPages" -> launches: "{51653423-e62d-4ff7-894a-dabb2b8e21e2}" -> {HKLM...CLSID} = "CrawlStartPages Task Handler" \InProcServer32\(Default) = "C:\Windows\System32\srchadmin.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\SideShow "GadgetManager" -> launches: "{FF87090D-4A9A-4f47-879B-29A80C355D61}" -> {HKLM...CLSID} = "GadgetsManager Class" \InProcServer32\(Default) = "C:\Windows\System32\AuxiliaryDisplayServices.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore "SR" -> launches: "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip "IpAddressConflict1" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem" [MS] "IpAddressConflict2" -> launches: "rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework "MsCtfMonitor" -> (HIDDEN!) launches: "{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}" -> {HKLM...CLSID} = "MsCtfMonitor task handler" \InProcServer32\(Default) = "C:\Windows\system32\MsCtfMonitor.dll" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\UPnP "UPnPHostConfig" -> launches: "sc.exe config upnphost start= auto" [MS] C:\Windows\System32\Tasks\Microsoft\Windows\WDI "ResolutionHost" -> (HIDDEN!) 
launches: "{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}" -> {HKLM...CLSID} = "DiagnosticInfrastructureCustomHandler"
  \InProcServer32\(Default) = "C:\Windows\System32\wdi.dll" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting
"QueueReporting" -> launches: "%windir%\system32\wermgr.exe -queuereporting" [MS]
C:\Windows\System32\Tasks\Microsoft\Windows\Wired
"GatherWiredInfo" -> launches: "%windir%\system32\gatherWiredInfo.vbs" [null data]
C:\Windows\System32\Tasks\Microsoft\Windows\Wireless
"GatherWirelessInfo" -> launches: "%windir%\system32\gatherWirelessInfo.vbs" [null data]
C:\Windows\System32\Tasks\Microsoft\Windows Defender
"MP Scheduled Scan" -> (HIDDEN!) launches: "c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\NLAapi.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\system32\napinsp.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\system32\pnrpnsp.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 20

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
  Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
  InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
  Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
  InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll" [MS]
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
     \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ASDR, ASDR, "C:\Windows\System32\ASDR.exe" [null data]
ATK Fast User Switch Service, ATKFUSService, "C:\Windows\system32\ATKFUSService.exe" ["ASUSTeK COMPUTER INC."]
Eset Service, ekrn, ""C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"" ["ESET"]
Intel® Matrix Storage Event Monitor, IAANTMON, "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe" ["Intel Corporation"]
Lookout Citadel Server, LkCitadelServer, "C:\Windows\system32\lkcitdl.exe" ["National Instruments, Inc."]
National Instruments Domain Service, NIDomainService, ""C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe"" ["National Instruments, Inc."]
National Instruments PSP Server Locator, lkClassAds, "C:\Windows\system32\lkads.exe" ["National Instruments, Inc."]
National Instruments Time Synchronization, lkTimeSync, "C:\Windows\system32\lktsrv.exe" ["National Instruments, Inc."]
Nero BackItUp Scheduler 3, Nero BackItUp Scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]
NI Service Locator, niSvcLoc, "C:\Windows\system32\nisvcloc.exe -s" ["National Instruments Corp."]
NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe"" ["Nero AG"]
NVIDIA Display Driver Service, nvsvc, "C:\Windows\system32\nvvsvc.exe" ["NVIDIA Corporation"]
PLFlash DeviceIoControl Service, PLFlash DeviceIoControl Service, "C:\Windows\system32\IoctlSvc.exe" ["Prolific Technology Inc."]
PnkBstrA, PnkBstrA, "C:\Windows\system32\PnkBstrA.exe" [null data]
Usługa Protokół SSTP, SstpSvc, "C:\Windows\system32\svchost.exe -k LocalService" {"C:\Windows\system32\sstpsvc.dll" [MS]}
Windows Driver Foundation — User-mode Driver Framework, wudfsvc, "C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted" {"C:\Windows\System32\WUDFSvc.dll" [MS]}
Windows Image Acquisition (WIA), stisvc, "C:\Windows\system32\svchost.exe -k imgsvc" {"C:\Windows\System32\wiaservc.dll" [MS]}
Łączność urządzeń z systemem Windows Mobile, RapiMgr, "C:\Windows\system32\svchost.exe -k WindowsMobile" {"C:\Windows\WindowsMobile\rapimgr.dll" [MS]}
Łączność z urządzeniem z systemem Windows Mobile 2003, WcesComm, "C:\Windows\system32\svchost.exe -k WindowsMobile" {"C:\Windows\WindowsMobile\wcescomm.dll" [MS]}

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
PCL hpz3llhn\Driver = "hpz3llhn.dll" ["Hewlett-Packard Company"]
Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

----------
(launch time: 2008-05-22 13:47:23)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 119 seconds.
----------
(total run time: 156 seconds)

And a sample window from NOD:

Oh, and interestingly, NOD32 keeps flagging a few files over and over as supposedly infected in this way. I'm wondering whether this really is a virus. I also ran Panda ActiveScan, but that didn't find anything either.

Edited 22 May 2008 by Luk@s
Luk@s
Posted 22 May 2008

Let's start with the fact that the problem suddenly stopped on its own 8O But to be sure:
http://www.virustotal.com/pl/analisis/8a59...474aa2b28ff2d67
http://www.virustotal.com/pl/analisis/5cf4...dba110fe1117dcc
After uninstalling ComboFix, Vista "repaired" itself - the thumbnails and the wallpaper came back. 8O I suspect these were NOD false alarms, and I struggled with this so much today. Of course it is kept up to date. Thank you for the help and advice :)
PS. That's how it looked to me too, that it wasn't a virus at all, because I've cleaned people's computers more than once etc. and I've read quite a few of these logs, and here everything is clean and the antiviruses didn't find anything either, but I needed to be sure...