Marecki306 (posted 10 April 2009)

Hello. The situation is as follows: for a while I was running Avast (as everyone knows, a big sieve), and I decided to switch to Avira. After scanning the computer with Avira, more than half of my installed programs no longer work 8O and it also removed svchost.exe (that is the message shown when the computer starts). On top of that, Avira refuses to update. Now I intend to download AVG. I suspect I still have plenty of viruses, so please check the logs:

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:27:45, on 2009-04-10
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system\wupdmgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Tłumaczenie - {2F7DB8D7-9BE7-4666-901E-F380555BCAC7} - C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll (file missing)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.20\RivaTuner.exe" /S
O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\FONTS\VTT.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Prec] C:\Program Files\Prec\PrecStarter.exe
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [cbvcs] C:\WINDOWS\system32\urretnd.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {94C70A96-012C-4171-98FC-C1971511F20D} - C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll (file missing)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll,-103 - {94C70A96-012C-4171-98FC-C1971511F20D} - C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows CardSpace (idsvc) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 6269 bytes

Silent Runners log:

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"LDM" = "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [null data]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"" [file not found]
"DAEMON Tools Lite" = ""C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
"Prec" = "C:\Program Files\Prec\PrecStarter.exe" [file not found]
"amva" = "C:\WINDOWS\system32\amvo.exe" [null data]
"cbvcs" = "C:\WINDOWS\system32\urretnd.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Logitech Utility" = "Logi_MwX.Exe" [file not found]
"RTHDCPL" = "RTHDCPL.EXE" [file not found]
"Alcmtr" = "ALCMTR.EXE" [file not found]
"RivaTunerStartupDaemon" = ""C:\Program Files\RivaTuner v2.20\RivaTuner.exe" /S" [file not found]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" [file not found]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k"
"RavTimeXP" = "C:\WINDOWS\FONTS\VTT.exe" [file not found]
"avgnt" = ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"Adobe Reader Speed Launcher" = ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = "AcroIEHelperStub"
  -> {HKLM...CLSID} = "Adobe PDF Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Java Plug-In 2 SSV Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
{E7E6F031-17CE-4C07-BC86-EABFE594F69C}\(Default) = "JQSIEStartDetectorImpl"
  -> {HKLM...CLSID} = "JQSIEStartDetectorImpl Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {HKLM...CLSID} = "Portable Media Devices Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Marek i Arek\Dane aplikacji\Opera\Opera\profile\skin\Opel_Calibra_by_roobi.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MPCPlayCDAudioOnArrival\
"Provider" = "Media Player Classi"
"InvokeProgID" = "MPC.CDAudio"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.CDAudio\shell\play\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /cd" [file not found]

MPCPlayDVDMovieOnArrival\
"Provider" = "Media Player Classic"
"InvokeProgID" = "MPC.DVDMovie"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\MPC.DVDMovie\shell\play\command\(Default) = ""C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %L /dvd" [file not found]

MSWMEncVCArrival\
"Provider" = "Windows Media Encoder Seria 9"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Windows Media Components\Encoder\WMEnc.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

MxMuMaMixedContentOnArrival\
"Provider" = "MAGIX Music Maker 2008 silver"
"InvokeProgID" = "Magix.MusicMaker"
"InvokeVerb" = "Show"
HKLM\SOFTWARE\Classes\Magix.MusicMaker\shell\Show\DropTarget\CLSID = "{7F1EF3AE-1431-45F9-996A-8BC0CD826485}"
  -> {HKLM...CLSID} = "MusicMaker Autoplay Class"
                   \LocalServer32\(Default) = "C:\Program Files\MAGIX\MusicMaker14_silver\MusicMaker.exe" [file not found]

MxMuMaPlayCDAudioOnArrival\
"Provider" = "MAGIX Music Maker 2008 silver"
"InvokeProgID" = "Magix.MusicMaker"
"InvokeVerb" = "Show"
HKLM\SOFTWARE\Classes\Magix.MusicMaker\shell\Show\DropTarget\CLSID = "{7F1EF3AE-1431-45F9-996A-8BC0CD826485}"
  -> {HKLM...CLSID} = "MusicMaker Autoplay Class"
                   \LocalServer32\(Default) = "C:\Program Files\MAGIX\MusicMaker14_silver\MusicMaker.exe" [file not found]

MxMuMaPlayMusicFilesOnArrival\
"Provider" = "MAGIX Music Maker 2008 silver"
"InvokeProgID" = "Magix.MusicMaker"
"InvokeVerb" = "Show"
HKLM\SOFTWARE\Classes\Magix.MusicMaker\shell\Show\DropTarget\CLSID = "{7F1EF3AE-1431-45F9-996A-8BC0CD826485}"
  -> {HKLM...CLSID} = "MusicMaker Autoplay Class"
                   \LocalServer32\(Default) = "C:\Program Files\MAGIX\MusicMaker14_silver\MusicMaker.exe" [file not found]

NeroAutoPlay7AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks /Drive:%L" [file not found]

NeroAutoPlay7CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /New:AudioCD" [file not found]

NeroAutoPlay7CopyCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:DiscCopy /Drive:%L" [file not found]

NeroAutoPlay7DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "DataDisc_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /New:ISODisc" [file not found]

NeroAutoPlay7LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay" [file not found]

NeroAutoPlay7PlayAudioCD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play /Drive:%L" [file not found]

NeroAutoPlay7PlayDVD\
"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero ShowTime\ShowTime.exe /Play /Drive:%L" [file not found]

NeroAutoPlay7RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe /Dialog:SaveTracks /Drive:%L" [file not found]

NeroAutoPlay7TranscodeVideo\
"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero Recode\Recode.exe /New:CopyDVDVideo" [file not found]

NeroAutoPlay7VideoCapture\
"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "/New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

NeroAutoPlay7ViewPhotos\
"Provider" = "Nero PhotoSnap Viewer"
"InvokeProgID" = "Nero.AutoPlay7"
"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero PhotoSnap\PhotoSnapViewer.exe /" [file not found]

Startup items in "Marek i Arek" & "All Users" startup folders:
--------------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" [file not found]
"Logitech Desktop Messenger" -> shortcut to: "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe /start" [file not found]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{32099AAC-C132-4136-9E9A-4E364A424E17}"
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll" [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{2F7DB8D7-9BE7-4666-901E-F380555BCAC7}" = (no title provided)
  -> {HKLM...CLSID} = "&Tłumaczenie"
                   \InProcServer32\(Default) = "C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll" [file not found]
"{32099AAC-C132-4136-9E9A-4E364A424E17}" = (no title provided)
  -> {HKLM...CLSID} = "DAEMON Tools Toolbar"
                   \InProcServer32\(Default) = "C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll" [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{720E6864-6D18-48EC-A154-A0E4E50670E4}\(Default) = "&Ramka Tłumaczenia"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll" [file not found]

HKLM\SOFTWARE\Classes\CLSID\{959F1BF8-8EF0-4139-A147-FD3FF0044C3A}\(Default) = "&Słownik Podręczny"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll" [file not found]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"

{94C70A96-012C-4171-98FC-C1971511F20D}\
"MenuText" = "@C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll,-103"
"CLSIDExtension" = "{94C70A96-012C-4171-98FC-C1971511F20D}"
  -> {HKLM...CLSID} = "InternetTranslatorProperties Class"
                   \InProcServer32\(Default) = "C:\Program Files\Russkij Translator\InternetTranslatorRusPol.dll" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
CreateProcess Service, CreateProcess, "C:\WINDOWS\system\svchost.exe" [MS]
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Karta wydajności WMI, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
PnkBstrA, PnkBstrA, "C:\WINDOWS\system32\PnkBstrA.exe" [null data]
Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

----------
(launch time: 2009-04-10 16:30:17)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 57 seconds.
---------- (total run time: 68 seconds)
Kolobos (posted 10 April 2009)

Post a ComboFix log. Check one of the infected files on Jotti and write what exactly it is infected with. Run a full scan with Dr.Web CureIt.
Marecki306 (posted 12 April 2009)

ComboFix log:

ComboFix 09-04-13.06 - Administrator 2009-04-12 23:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.2046.1641 [GMT 2:00]
Uruchomiony z: C:\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
 * UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\autorun.inf
c:\windows\system\mmtaskclean.log
c:\windows\system\win32in.dll
c:\windows\system\win32out.dll
c:\windows\system32\amvo1.dll
c:\windows\system32\Dvbpws.dll
c:\windows\system32\Panel sterowania.{21EC2020-3AEA-1069-A2DD-08002B30309D}
c:\windows\system32\settings.dll
c:\windows\system32\vcmgcd32.dl_
E:\Autorun.inf
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CREATEPROCESS
-------\Service_CreateProcess


((((((((((((((((((((((((( Pliki utworzone od 2009-03-13 do 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-12 21:34 . 2009-04-12 21:34 -------- d-----w c:\documents and settings\Administrator.MAREK.000\Ustawienia lokalne\Dane aplikacji\Opera
2009-04-12 21:33 . 2009-04-12 21:30 3080785 ----a-r C:\ComboFix.exe
2009-04-12 21:11 . 2009-04-12 21:23 89601 ----a-w c:\windows\system32\drivers\klick.dat
2009-04-12 21:11 . 2009-04-12 21:23 101287 ----a-w c:\windows\system32\drivers\klin.dat
2009-04-12 21:11 . 2009-04-13 21:39 131104 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-04-12 21:11 . 2009-04-13 21:39 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab
2009-04-12 21:11 . 2009-04-13 21:39 1528 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-04-12 21:11 . 2009-04-13 21:38 9784 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-12 21:11 . 2009-04-13 21:38 845856 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-12 21:11 . 2009-04-12 21:11 -------- d-----w c:\program files\Kaspersky Lab
2009-04-12 20:58 . 2009-04-12 20:58 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Kaspersky Lab Setup Files
2009-04-11 06:26 . 2008-07-30 17:22 89088 --sh--r C:\uis.com
2009-04-10 22:29 . 2009-04-10 22:29 -------- d-----w c:\documents and settings\Marek i Arek\Ustawienia lokalne\Dane aplikacji\ESET
2009-04-10 22:29 . 2009-04-10 22:29 -------- d-----w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\ESET
2009-04-10 22:28 . 2009-04-10 22:28 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\ESET
2009-04-10 22:08 . 2009-04-10 22:08 -------- d-----w c:\windows\BEAD140D65134B00AE0FD4A7222F0BF9.TMP
2009-04-10 21:51 . 2009-04-10 21:53 -------- d-----w c:\program files\mks_vir_9
2009-04-10 20:59 . 2009-04-10 20:59 -------- d-s---w c:\documents and settings\Marek i Arek\UserData
2009-04-10 14:26 . 2009-04-10 14:26 -------- d-----w c:\program files\Trend Micro
2009-04-09 13:08 . 2009-04-09 13:08 319 ----a-w c:\windows\game.ini
2009-04-09 12:15 . 2009-04-09 12:15 -------- d-----w c:\documents and settings\Marek i Arek\.gstreamer-0.10
2009-04-08 13:25 . 2009-04-08 13:25 -------- d-----w c:\documents and settings\Marek i Arek\Ustawienia lokalne\Dane aplikacji\EA Games
2009-04-04 19:28 . 2009-04-04 19:28 -------- d-----w c:\documents and settings\Marek i Arek\Dane aplikacji\Disney Interactive Studios
2009-04-04 15:53 . 2009-04-04 15:53 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-04-01 21:19 . 2009-04-01 21:19 -------- d-----w c:\program files\SopFilter
2009-04-01 20:52 . 2009-04-03 19:49 -------- d-----w c:\program files\SopCast
2009-04-01 18:24 . 2009-04-01 18:24 -------- d-----w c:\windows\Sun
2009-04-01 18:21 . 2009-04-01 18:21 73728 ----a-w c:\windows\system32\javacpl.cpl
2009-04-01 18:21 . 2009-04-01 18:21 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-01 18:21 . 2009-04-01 18:21 -------- d-----w c:\program files\Java
2009-04-01 16:39 . 2009-04-12 20:42 189072 ----a-w c:\windows\system32\PnkBstrB.xtr
2009-03-31 22:29 . 2004-08-03 22:44 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-03-31 22:29 . 2004-08-03 20:58 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-03-31 22:29 . 2004-08-03 20:58 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-03-31 22:29 . 2001-10-26 15:29 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-03-31 18:51 . 2009-04-09 14:13 -------- d-----w c:\documents and settings\Marek i Arek\Ustawienia lokalne\Dane aplikacji\PunkBuster
2009-03-31 18:48 . 2009-03-31 18:48 -------- d-----w c:\documents and settings\Marek i Arek\Dane aplikacji\id Software
2009-03-31 18:46 . 2009-03-31 18:46 2246144 ----a-w c:\windows\system32\pbsvc.exe
2009-03-31 18:46 . 2009-03-31 18:46 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\id Software
2009-03-31 18:16 . 2009-03-31 18:16 -------- d-----w c:\documents and settings\Marek i Arek\Ustawienia lokalne\Dane aplikacji\Opera
2009-03-31 18:16 . 2009-03-31 18:16 -------- d-----w c:\program files\Opera
2009-03-31 18:04 . 2009-04-12 13:27 -------- d-----w c:\documents and settings\Marek i Arek\Dane aplikacji\The Bat!
2009-03-31 18:03 . 2009-03-31 18:03 -------- d-----w c:\program files\The Bat!
2009-03-31 17:38 . 2009-03-31 18:23 -------- d-----w c:\documents and settings\Marek i Arek\Dane aplikacji\Nowe Gadu-Gadu
2009-03-31 17:11 . 2009-02-13 09:31 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-03-31 17:11 . 2009-03-31 17:11 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Avira
2009-03-31 16:24 . 2009-03-31 18:20 -------- d-----w c:\program files\Nowe Gadu-Gadu
2009-03-31 15:44 . 2009-03-31 15:44 -------- d-----w C:\Kaspersky Personal Security Suite
2009-03-31 15:17 . 2009-03-31 15:17 0 ----a-w c:\windows\nsreg.dat
2009-03-31 15:17 . 2009-03-31 15:17 -------- d-----w c:\documents and settings\Marek i Arek\Ustawienia lokalne\Dane aplikacji\Mozilla
2009-03-31 09:10 . 2004-08-03 20:31 20992 -c--a-w c:\windows\system32\dllcache\rtl8139.sys
2009-03-31 09:10 . 2004-08-03 20:31 20992 ----a-w c:\windows\system32\drivers\RTL8139.sys
2009-03-31 08:57 . 2009-03-31 08:57 -------- d-----w c:\windows\Downloaded Installations
2009-03-31 08:53 . 2005-02-14 08:39 176128 ----a-r c:\windows\system32\nvunrm.exe
2009-03-31 08:52 . 2009-03-31 09:00 8 ----a-w C:\DFIMB.DAT
2009-03-29 13:24 . 2009-03-29 13:24 -------- d-----w c:\documents and settings\Administrator.MAREK.000\Dane aplikacji\Media Player Classic
2009-03-29 13:24 . 2009-03-29 13:24 -------- d-----w c:\documents and settings\Administrator.MAREK.000\Dane aplikacji\DivX
2009-03-28 13:28 . 2009-03-28 13:47 -------- d-----w c:\documents and settings\Marek i Arek\Ustawienia lokalne\Dane aplikacji\QWAK
2009-03-28 13:23 . 2009-03-28 13:23 -------- d-----w c:\windows\EFC1B35CFFF241D8A70ACE6037F8040B.TMP
2009-03-27 17:30 . 2009-03-27 17:30 54156 ---ha-w c:\windows\QTFont.qfn
2009-03-27 17:30 . 2009-03-27 17:30 1409 ----a-w c:\windows\QTFont.for
2009-03-18 18:49 . 2009-03-18 18:49 72 --sh--w C:\desktop.ini
2009-03-17 17:03 . 2009-03-17 17:03 1917 ----a-w c:\windows\imsins.BAK

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 21:23 . 2008-01-29 15:29 33808 ----a-w c:\windows\system32\drivers\klbg.sys
2009-04-12 20:42 . 2008-12-13 11:24 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-12 20:17 . 2008-12-13 11:24 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-10 21:59 . 2009-04-10 21:59 0 ----a-w C:\mksbasel.cpp.log
2009-04-10 21:51 . 2009-04-10 21:51 0 ----a-w C:\mon-mksbasel.cpp.log
2009-04-10 21:49 . 2009-01-05 21:45 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-09 14:13 . 2008-12-13 11:24 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-09 13:08 . 2008-09-13 13:58 22328 ----a-w c:\documents and settings\Marek i Arek\Dane aplikacji\PnkBstrK.sys
2009-04-09 13:08 . 2008-09-12 17:28 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 12:53 . 2009-01-17 11:43 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Codemasters
2009-04-08 13:19 . 2009-03-14 12:39 7792 ----a-w c:\windows\system32\ealregsnapshot1.reg
2009-04-05 20:38 . 2008-12-06 13:44 -------- d-----w c:\program files\Futuremark
2009-04-05 07:35 . 2009-01-26 11:27 -------- d-----w c:\program files\DAEMON Tools Lite
2009-04-04 15:59 . 2009-01-15 18:29 -------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-04-04 13:11 . 2008-09-12 18:13 -------- d-----w c:\program files\Common Files\Ahead
2009-03-31 19:11 . 2009-02-13 20:51 -------- d-----w c:\program files\ViOrb
2009-03-31 19:11 . 2009-01-17 11:41 -------- d-----w c:\program files\OpenAL
2009-03-29 08:48 . 2002-09-28 22:00 82230 ----a-w c:\windows\system32\perfc015.dat
2009-03-29 08:48 . 2002-09-28 22:00 484978 ----a-w c:\windows\system32\perfh015.dat
2009-03-14 12:39 . 2009-03-14 12:39 -------- d-----w c:\program files\Electronic Arts
2009-03-11 18:54 . 2009-03-11 18:54 -------- d-----w c:\documents and settings\Marek i Arek\Dane aplikacji\Xfire
2009-03-11 18:54 . 2009-03-11 18:54 -------- d-s---w c:\program files\Xfire
2009-03-08 16:04 . 2008-10-07 15:58 4 ----a-w c:\documents and settings\Marek i Arek\WFSCHDL.dat
2009-03-08 16:04 . 2008-10-07 15:58 9540 ----a-w c:\documents and settings\Marek i Arek\FMCodec.dat
2009-03-08 15:35 . 2009-03-08 15:35 -------- d-----w c:\documents and settings\Marek i Arek\Dane aplikacji\Summer Athletics 2008
2009-03-07 11:36 . 2009-03-07 11:36 -------- d-----w c:\program files\Metin2_PL
2009-03-01 10:12 . 2009-03-01 10:12 -------- d-----w c:\program files\Common Files\DAZ
2009-03-01 10:12 . 2009-03-01 10:12 -------- d-----w c:\program files\DAZ
2009-02-24 17:38 . 2009-02-24 17:38 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Magix Shared
2009-02-24 16:53 . 2009-02-24 16:53 63488 ----a-w c:\windows\xobglu16.dll
2009-02-24 16:53 . 2009-02-24 16:53 23552 ----a-w c:\windows\xobglu32.dll
2009-02-20 16:26 . 2009-02-13 20:50 -------- d-----w c:\program files\ViStart
2009-02-15 20:42 . 2009-01-15 18:38 1124136 ----a-w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat
2009-02-13 20:50 . 2009-02-13 20:50 -------- d-----w c:\documents and settings\Marek i Arek\Dane aplikacji\ViStart
2009-02-08 16:20 . 2008-09-28 14:23 1964 ----a-w c:\windows\unins001.dat
2009-02-04 20:49 . 2009-02-04 20:43 66208 ----a-w c:\documents and settings\Administrator.MAREK.000\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-02-04 20:48 . 2008-09-12 17:54 66208 ----a-w c:\documents and settings\Marek i Arek\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT
2009-01-23 11:26 . 2009-01-23 11:26 1700352 ----a-w c:\windows\system32\gdiplus.dll
2009-01-23 11:26 . 2009-01-23 11:26 1060864 ----a-w c:\windows\system32\mfc71.dll
2009-01-17 11:41 . 2008-12-06 13:45 444952 ----a-w c:\windows\system32\wrap_oal.dll
2009-01-17 11:41 . 2008-12-06 13:45 109080 ----a-w c:\windows\system32\OpenAL32.dll
2009-01-15 18:40 . 2008-11-14 19:06 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-13 21:38 . 2009-04-12 21:11 845856 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-13 21:39 . 2009-04-12 21:11 131104 --sha-w c:\windows\system32\drivers\fidbox2.dat

.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] "LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-09-12 36864] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-01 148888] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696] "AVP"="c:\program files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2009-04-12 206088] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.ffds"= ffdshow.ax "VIDC.X264"= x264vfw.dll "VIDC.3iv2"= 3ivxVfWCodec.dll "VIDC.VP31"= vp31vfw.dll "msacm.l3fhg"= mp3fhg.acm "msacm.l3acm"= l3codecp.acm "msacm.ac3filter"= ac3filter.acm [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusOverride"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"= "c:\\WINDOWS\\system32\\PnkBstrA.exe"= "c:\\WINDOWS\\system32\\PnkBstrB.exe"= "c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"= "e:\\Program Files\\Rockstar Games\\Rockstar Games Social Club\\RGSCLauncher.exe"= "e:\\Program Files\\EA Sports\\FIFA 09\\FIFA09.exe"= 
"e:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutLauncher.exe"= "e:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutConfigTool.exe"= "e:\\Program Files\\Electronic Arts\\Burnout Paradise The Ultimate Box\\BurnoutParadise.exe"= "e:\\Program Files\\Ubisoft\\Tom Clancy's H.A.W.X\\HAWX.exe"= "c:\\Program Files\\Mozilla Firefox\\firefox.exe"= "c:\\Program Files\\SopCast\\adv\\SopAdver.exe"= "c:\\Program Files\\SopCast\\SopCast.exe"= "c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"= "c:\\WINDOWS\\system32\\java.exe"= "c:\\Program Files\\Opera\\opera.exe"= "e:\\Program Files\\Metin2_PL\\metin2.bin"= "e:\\pure\\Pure\\Pure.exe"= "e:\\Program Files\\Counter-Strike\\hl.exe"= "e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"= R2 mks_services;mks_vir; [x] R3 AVPsys;AVPsys; [x] R3 st3bus28;st3bus28; [x] R3 WFIOCTL;WFIOCTL; [x] S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808] S1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2008-09-08 18336] S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-05-21 93696] S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{989492fa-d761-11dd-9308-eddd5263376c}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe . - - - - USUNIĘTO PUSTE WPISY - - - - Toolbar-{32099AAC-C132-4136-9E9A-4E364A424E17} - (no file) HKLM-Run-RivaTunerStartupDaemon - c:\program files\RivaTuner v2.20\RivaTuner.exe HKLM-Run-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe HKLM-Run-avgnt - c:\program files\Avira\AntiVir Desktop\avgnt.exe HKLM-Run-Logitech Utility - Logi_MwX.Exe HKLM-Run-RTHDCPL - RTHDCPL.EXE . ------- Skan uzupełniający ------- . 
uInternet Settings,ProxyOverride = localhost IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 IE: {{94C70A96-012C-4171-98FC-C1971511F20D} - {94C70A96-012C-4171-98FC-C1971511F20D} - c:\program files\Russkij Translator\InternetTranslatorRusPol.dll DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-13 23:39 Windows 5.1.2600 Dodatek Service Pack 3 NTFS skanowanie ukrytych procesów ... skanowanie ukrytych wpisów autostartu ... skanowanie ukrytych plików ... skanowanie pomyślnie ukończone ukryte pliki: 0 ************************************************************************** . --------------------- Pliki DLL ładowane pod uruchomionymi procesami --------------------- - - - - - - - > 'winlogon.exe'(948) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(4000) c:\docume~1\ADMINI~1.000\USTAWI~1\Temp\IadHide4.dll c:\windows\system32\msi.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Pozostałe uruchomione procesy ------------------------ . c:\windows\system32\ati2evxx.exe c:\windows\system32\ati2evxx.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\windows\system32\PnkBstrA.exe c:\windows\system32\PnkBstrB.exe c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe c:\windows\system32\wscntfy.exe c:\windows\system32\wbem\wmiapsrv.exe c:\windows\system32\imapi.exe . ************************************************************************** . 
Czas ukończenia: 2009-04-13 23:39 - komputer został uruchomiony ponownie ComboFix-quarantined-files.txt 2009-04-13 21:39 Przed: 17 225 908 224 bajtów wolnych Po: 17,503,813,632 bajtów wolnych Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4

> Do a full scan with Dr.Web CureIt

This program won't open, errors while unpacking. I downloaded it several times and got the same thing.
Kolobos Posted 12 April 2009

Connect the infected removable media and use Flash Disinfector. Remove the leftovers of mks and Kaspersky, keep only one antivirus.

Delete from disk: C:\uis.com

Type in Run:
sc delete mks_services
sc delete AVPsys
sc delete st3bus28
sc delete WFIOCTL

Paste into Notepad:
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{989492fa-d761-11dd-9308-eddd5263376c}]

Save it as fix.reg and run it. Block access to the mountpoints2 key. Download Dr.Web in Safe Mode and try running it there.
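The two things Kolobos picked out of the ComboFix log are the service entries printed with "[x]" (binary no longer on disk) and the MountPoints2 volume key carrying an AutoRun command. As an added example that is not part of the thread or of ComboFix, the Python below parses constructed lines in that same log shape, flags both indicator types, and generates the sc delete list and .reg removal file the reply describes; the regexes assume the line layout exactly as it appears in the quoted log.

```python
import re

# Constructed sample in the shape of the ComboFix report quoted above (service
# entries and the MountPoints2 volume key); not a copy of the full log.
SAMPLE_LOG = r"""
R2 mks_services;mks_vir; [x]
R3 AVPsys;AVPsys; [x]
R3 st3bus28;st3bus28; [x]
R3 WFIOCTL;WFIOCTL; [x]
S0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-04-12 33808]
S3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{989492fa-d761-11dd-9308-eddd5263376c}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL explore.exe
"""

# ComboFix prints a service as "<type> <name>;<display>;<image> [date size]"
# and substitutes "[x]" for the image path when the binary no longer exists.
SERVICE_RE = re.compile(r"^[RS][0-4] (?P<name>[^;]+);[^;]*;(?P<image>.*)$")
VOLUME_KEY_RE = re.compile(r"^\[(HKEY_CURRENT_USER\\.*\\mountpoints2\\\{[^}]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$", re.I)


def orphaned_services(log):
    """Names of services whose image file is missing (leftover AV drivers here)."""
    return [m.group("name") for m in map(SERVICE_RE.match, log.splitlines())
            if m and m.group("image").strip() == "[x]"]


def mountpoint_autoruns(log):
    """(volume key, command) pairs: the command runs when that drive is opened."""
    pairs, key = [], None
    for line in log.splitlines():
        km, am = VOLUME_KEY_RE.match(line), AUTORUN_RE.match(line)
        if km:
            key = km.group(1)
        elif am and key:
            pairs.append((key, am.group(1)))
            key = None
    return pairs


def cleanup_plan(log):
    """The fix the reply describes: sc delete per orphan, a .reg removing each key."""
    cmds = ["sc delete " + name for name in orphaned_services(log)]
    reg = "REGEDIT4\n\n" + "".join("[-%s]\n\n" % k for k, _ in mountpoint_autoruns(log))
    return cmds, reg
```

Feeding a whole ComboFix report to cleanup_plan gives the same four sc delete lines and the same [-HKEY_CURRENT_USER\...\mountpoints2\{...}] entry as the reply, which is a useful cross-check before running anything.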