falar

Request to Check Logs - Virus on a USB Flash Drive


Hello

A USB flash drive with a trojan on it was connected to my computer. Please check the logs.

"HijackThis"
Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:18:13, on 2009-04-25

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\antivirus\aswUpdSv.exe

C:\antivirus\ashServ.exe

C:\WINDOWS\RTHDCPL.EXE

C:\ANTIVI~1\ashDisp.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\explorer.exe

C:\antivirus\ashWebSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

F:\instalatory\HiJackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - F:\Free Download Manager\iefdm2.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avast!] C:\ANTIVI~1\ashDisp.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: Download video with Free Download Manager - file://F:\Free Download Manager\dlfvideo.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://F:\OFFICE\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Pobierz w Free Download Manager - file://F:\Free Download Manager\dllink.htm

O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://F:\Free Download Manager\dlall.htm

O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://F:\Free Download Manager\dlselected.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\OFFICE\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virussca...can_unicode.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1193779393968

O17 - HKLM\System\CCS\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O17 - HKLM\System\CS3\Services\Tcpip\..\{1C190836-0C23-4653-B98F-362834B21FA8}: NameServer = 10.101.1.1,62.233.128.17,194.204.159.1

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O20 - AppInit_DLLs:

O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\antivirus\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\antivirus\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\antivirus\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\antivirus\ashWebSv.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

 

--

End of file - 6898 bytes

"Combofix"
ComboFix 09-04-25.A3 - użytkownik 2009-04-25 22:13.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.2047.1556 [GMT 2:00]

Uruchomiony z: f:\instalatory\ComboFix.exe

AV: avast! antivirus 4.8.1335 [VPS 090425-0] *On-access scanning disabled* (Updated)

FW: COMODO Firewall *enabled*

* Utworzono nowy punkt przywracania

 

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!

.

 

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

c:\windows\IE4 Error Log.txt

 

.

((((((((((((((((((((((((( Pliki utworzone od 2009-05-25 do 2009-4-25 )))))))))))))))))))))))))))))))

.

 

2009-04-23 20:45 . 2009-04-23 20:45 -------- d-----w c:\program files\Common Files\PCSuite

2009-04-23 20:45 . 2009-04-23 20:45 -------- d-----w c:\program files\Common Files\Nokia

2009-04-23 20:44 . 2008-08-26 08:26 18816 ----a-w c:\windows\system32\drivers\pccsmcfd.sys

2009-04-23 20:44 . 2009-04-23 20:44 -------- d-----w c:\program files\PC Connectivity Solution

2009-04-22 19:02 . 2009-04-22 19:02 -------- d-----w c:\program files\FormatFactory

2009-04-19 16:13 . 2009-04-19 16:13 -------- d-----w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\Opera

2009-04-19 16:13 . 2009-04-19 16:13 -------- d-----w c:\program files\Opera

2009-04-18 22:12 . 2009-04-18 22:12 -------- d-----w c:\program files\VUGames

2009-04-18 16:29 . 2009-04-18 16:29 52216 ---ha-w c:\windows\system32\mlfcache.dat

2009-04-18 16:27 . 2009-04-18 16:27 -------- d-----w c:\program files\Safari

2009-04-18 16:26 . 2009-04-18 16:26 -------- d-----w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\Apple

2009-04-18 16:26 . 2009-04-18 16:26 -------- d-----w c:\program files\Apple Software Update

2009-04-18 16:26 . 2009-04-18 16:26 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Apple

2009-04-16 15:30 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe

2009-04-16 15:30 . 2009-03-06 14:22 285696 -c----w c:\windows\system32\dllcache\pdh.dll

2009-04-16 15:30 . 2009-02-09 11:25 111104 -c----w c:\windows\system32\dllcache\services.exe

2009-04-16 15:30 . 2009-02-09 10:53 401408 -c----w c:\windows\system32\dllcache\rpcss.dll

2009-04-16 15:30 . 2009-02-09 10:53 731136 -c----w c:\windows\system32\dllcache\lsasrv.dll

2009-04-16 15:30 . 2009-02-09 10:53 686592 -c----w c:\windows\system32\dllcache\advapi32.dll

2009-04-16 15:30 . 2009-02-09 10:53 473600 -c----w c:\windows\system32\dllcache\fastprox.dll

2009-04-16 15:30 . 2009-02-09 10:53 722944 -c----w c:\windows\system32\dllcache\ntdll.dll

2009-04-16 15:30 . 2009-02-09 10:53 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll

2009-04-16 15:29 . 2009-03-27 06:58 1203922 -c----w c:\windows\system32\dllcache\sysmain.sdb

2009-04-16 15:29 . 2008-04-21 21:16 218112 -c----w c:\windows\system32\dllcache\wordpad.exe

2009-03-29 19:42 . 2009-03-29 19:56 -------- d-----w c:\program files\Battle for Wesnoth 1.6

 

.

(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-25 20:05 . 2001-10-26 18:15 99364 ----a-w c:\windows\system32\perfc015.dat

2009-04-25 20:05 . 2001-10-26 18:15 526266 ----a-w c:\windows\system32\perfh015.dat

2009-04-23 20:45 . 2008-11-23 11:25 -------- d-----w c:\program files\Nokia

2009-04-23 20:43 . 2008-11-23 11:23 -------- d-----w c:\documents and settings\All Users\Dane aplikacji\Installations

2009-04-22 17:48 . 2009-03-22 16:55 -------- d-----w c:\documents and settings\użytkownik\Dane aplikacji\DC++

2009-04-18 22:21 . 2007-09-12 18:04 -------- d--h--w c:\program files\InstallShield Installation Information

2009-04-18 16:27 . 2007-09-17 17:53 -------- d-----w c:\documents and settings\użytkownik\Dane aplikacji\Apple Computer

2009-04-10 13:12 . 2008-12-20 22:00 -------- d-----w c:\program files\Odkurzacz

2009-04-10 13:07 . 2009-03-14 17:10 -------- d-----w c:\program files\Onimedia

2009-03-13 13:46 . 2007-09-30 16:14 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-03-13 13:45 . 2008-04-19 12:05 -------- d-----w c:\program files\AGEIA Technologies

2009-03-06 14:22 . 2004-08-03 22:44 285696 ----a-w c:\windows\system32\pdh.dll

2009-03-03 14:22 . 2008-07-10 15:00 155384 ----a-w c:\windows\system32\guard32.dll

2009-03-03 14:22 . 2008-07-10 15:00 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys

2009-03-03 00:10 . 2004-08-03 22:44 826368 ----a-w c:\windows\system32\wininet.dll

2009-02-27 12:17 . 2008-03-07 20:14 -------- d-----w c:\program files\Microsoft Silverlight

2009-02-20 17:13 . 2004-08-03 22:44 78336 ----a-w c:\windows\system32\ieencode.dll

2009-02-09 14:07 . 2004-08-03 22:37 1847040 ----a-w c:\windows\system32\win32k.sys

2009-02-09 11:26 . 2004-08-04 00:39 2025472 ----a-w c:\windows\system32\ntkrnlpa.exe

2009-02-09 11:26 . 2004-08-03 22:38 2146816 ----a-w c:\windows\system32\ntoskrnl.exe

2009-02-09 11:25 . 2004-08-03 22:44 111104 ----a-w c:\windows\system32\services.exe

2009-02-09 10:53 . 2004-08-03 22:44 401408 ----a-w c:\windows\system32\rpcss.dll

2009-02-09 10:53 . 2004-08-03 22:44 731136 ----a-w c:\windows\system32\lsasrv.dll

2009-02-09 10:53 . 2004-08-03 22:43 686592 ----a-w c:\windows\system32\advapi32.dll

2009-02-09 10:53 . 2004-08-03 22:43 722944 ----a-w c:\windows\system32\ntdll.dll

2009-02-09 05:37 . 2008-11-23 11:25 91136 ----a-w c:\windows\system32\nmwcdcls.dll

2009-02-06 10:39 . 2001-10-26 19:30 35328 ----a-w c:\windows\system32\sc.exe

2009-02-03 19:58 . 2004-08-03 22:44 56832 ----a-w c:\windows\system32\secur32.dll

2008-09-24 16:47 . 2007-09-14 17:46 72296 ----a-w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\GDIPFONTCACHEV1.DAT

2008-03-20 21:56 . 2008-03-20 21:56 22328 ----a-w c:\documents and settings\użytkownik\Dane aplikacji\PnkBstrK.sys

2008-03-07 20:02 . 2008-03-07 20:02 161824 ----a-w c:\documents and settings\LocalService\Ustawienia lokalne\Dane aplikacji\FontCache3.0.0.0.dat

2007-09-15 09:38 . 2007-09-15 09:38 135 ----a-w c:\documents and settings\użytkownik\Ustawienia lokalne\Dane aplikacji\fusioncache.dat

2008-09-23 17:48 . 2008-09-23 17:49 32768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008092320080924\index.dat

.

 

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-03-20 1312256]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

"avast!"="c:\antivi~1\ashDisp.exe" [2009-02-05 81000]

"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-03 1851128]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]

"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-03-03 1851128]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-03-21 16126464]

"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

 

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2008-05-02 00:42 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^DualCoreCenter.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\DualCoreCenter.lnk

backup=c:\windows\pss\DualCoreCenter.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Image Zone - szybkie uruchamianie.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\HP Image Zone - szybkie uruchamianie.lnk

backup=c:\windows\pss\HP Image Zone - szybkie uruchamianie.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Logitech Desktop Messenger.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Logitech Desktop Messenger.lnk

backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Logitech SetPoint.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Logitech SetPoint.lnk

backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Windows Search.lnk]

path=c:\documents and settings\All Users\Menu Start\Programy\Autostart\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^użytkownik^Pulpit^skróty^Autostart^Adobe Gamma.lnk]

path=c:\documents and settings\użytkownik\Pulpit\skróty\Autostart\Adobe Gamma.lnk

backup=c:\windows\pss\Adobe Gamma.lnkStartup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"UPS"=3 (0x3)

"TapiSrv"=3 (0x3)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"ose"=3 (0x3)

"iPod Service"=3 (0x3)

"Harmonogram automatycznej usługi LiveUpdate"=2 (0x2)

"FastUserSwitchingCompatibility"=3 (0x3)

"Apple Mobile Device"=2 (0x2)

"CLTNetCnService"=2 (0x2)

"Adobe LM Service"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"RichVideo"=2 (0x2)

"nTuneService"=2 (0x2)

"LBTServ"=3 (0x3)

"ERSvc"=2 (0x2)

"helpsvc"=2 (0x2)

"RemoteRegistry"=2 (0x2)

"seclogon"=2 (0x2)

"SCardSvr"=3 (0x3)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"f:\\DC++\\DCPlusPlus.exe"=

"f:\\Gadu-Gadu\\gg.exe"=

"f:\\totalcmd\\TOTALCMD.EXE"=

"f:\\gry\\burn\\BurnoutLauncher.exe"=

"f:\\gry\\burn\\BurnoutConfigTool.exe"=

"f:\\gry\\burn\\BurnoutParadise.exe"=

"c:\\Program Files\\VUGames\\SWAT 4\\ContentExpansion\\System\\Swat4X.exe"=

"c:\\Program Files\\VUGames\\SWAT 4\\ContentExpansion\\System\\Swat4XDedicatedServer.exe"=

 

R3 CrystalSysInfo;CrystalSysInfo; [x]

R3 EverestDriver;Lavalys EVEREST Kernel Driver; [x]

S1 aswSP;avast! Self Protection; [x]

S1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2009-03-03 110992]

S1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2009-02-22 24336]

S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{caa51aa2-25aa-11dd-9076-0019dbb544af}]

\Shell\AutoRun\command - G:\LaunchU3.exe -a

.

.

------- Skan uzupełniający -------

.

uStart Page = hxxp://www.wp.pl/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

IE: Download video with Free Download Manager - file://f:\free download manager\dlfvideo.htm

IE: E&ksport do programu Microsoft Excel - f:\office\OFFICE11\EXCEL.EXE/3000

IE: Pobierz w Free Download Manager - file://f:\free download manager\dllink.htm

IE: Pobierz wszystkie pliki w Free Download Manager - file://f:\free download manager\dlall.htm

IE: Pobierz zaznaczone w Free Download Manager - file://f:\free download manager\dlselected.htm

TCP: {1C190836-0C23-4653-B98F-362834B21FA8} = 10.101.1.1,62.233.128.17,194.204.159.1

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

FF - ProfilePath - c:\documents and settings\użytkownik\Dane aplikacji\Mozilla\Firefox\Profiles\wyuf9n5d.default\

FF - prefs.js: browser.startup.homepage - dobreprogramy.pl

FF - component: c:\documents and settings\użytkownik\Dane aplikacji\Mozilla\Firefox\Profiles\wyuf9n5d.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\program files\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll

FF - plugin: f:\adobe\Reader\browser\nppdf32.dll

.

 

**************************************************************************

 

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-25 22:15

Windows 5.1.2600 Dodatek Service Pack 3 NTFS

 

detected NTDLL code modification:

ZwClose, ZwOpenFile

 

skanowanie ukrytych procesów ...

 

skanowanie ukrytych wpisów autostartu ...

 

skanowanie ukrytych plików ...

 

skanowanie pomyślnie ukończone

ukryte pliki: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]

"ImagePath"="\??\c:\program files\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"

.

--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

 


.

--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

 

- - - - - - - > 'winlogon.exe'(872)

c:\windows\system32\guard32.dll

c:\program files\common files\logitech\bluetooth\LBTWlgn.dll

c:\program files\common files\logitech\bluetooth\LBTServ.dll

 

- - - - - - - > 'lsass.exe'(936)

c:\windows\system32\guard32.dll

.

Czas ukończenia: 2009-04-25 22:16

ComboFix-quarantined-files.txt 2009-04-25 20:16

ComboFix2.txt 2008-12-18 21:56

 

Przed: 22 209 593 344 bajtów wolnych

Po: 22 403 371 008 bajtów wolnych

 

305 --- E O F --- 2009-04-16 17:36

"Silent Runners"
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

 

 

Startup items buried in registry:

---------------------------------

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"PC Suite Tray" = ""C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray" ["Nokia"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]

"avast!" = "C:\ANTIVI~1\ashDisp.exe" ["ALWIL Software"]

"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech, Inc."]

"COMODO Firewall Pro" = ""C:\Program Files\COMODO\Firewall\cfp.exe" -h" ["COMODO"]

"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech, Inc."]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]

"COMODO Internet Security" = ""C:\Program Files\COMODO\Firewall\cfp.exe" -h" ["COMODO"]

 

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\

>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"

\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)

-> {HKLM...CLSID} = "FDMIECookiesBHO Class"

\InProcServer32\(Default) = "F:\Free Download Manager\iefdm2.dll" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

-> {HKLM...CLSID} = "DesktopContext Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

-> {HKLM...CLSID} = "Desktop Explorer"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

-> {HKLM...CLSID} = "nView Desktop Context Menu"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"

-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"

\InProcServer32\(Default) = "F:\OFFICE\Office\1045\UNBIND.DLL" [MS]

"{FEB7DAE0-E111-11D0-BFD7-444553540000}" = "ICEOWS"

-> {HKLM...CLSID} = "Folder Iceows"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]

"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "F:\7-Zip\7-zip.dll" ["Igor Pavlov"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "F:\OFFICE\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

\InProcServer32\(Default) = "F:\OFFICE\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "F:\OFFICE\OFFICE11\msohev.dll" [MS]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\antivirus\ashShell.dll" ["ALWIL Software"]

"{F49C55B9-D417-45A1-A6E7-D6E057946280}" = "FdmUplShlExt"

-> {HKLM...CLSID} = "FdmUplShlExt Class"

\InProcServer32\(Default) = "F:\Free Download Manager\FUM\fumshext.dll" [null data]

"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"

-> {HKLM...CLSID} = "KbLogiExt Class"

\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech, Inc."]

"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"

-> {HKLM...CLSID} = "LogiExt Class"

\InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech, Inc."]

"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "Windows Search Deskbar"

-> {HKCU...CLSID} = "Pasek pulpitu programu Windows Search"

\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]

-> {HKLM...CLSID} = "Windows Search Deskbar"

\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\deskbar.dll" [MS]

"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"

-> {HKLM...CLSID} = "Windows Desktop Search"

\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\msnlExt.dll" [MS]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

-> {HKLM...CLSID} = "NVIDIA CPL Extension"

\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]

"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"

-> {HKLM...CLSID} = "Nokia Phone Browser"

\InProcServer32\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll" ["Nokia"]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{56F9679E-7826-4C84-81F3-532071A8BCC5}" = (no title provided)

-> {HKLM...CLSID} = "Windows Desktop Search Namespace Manager"

\InProcServer32\(Default) = "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [MS]

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

 

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

 

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

<<!>> LBTWlgn\DLLName = "c:\program files\common files\logitech\bluetooth\LBTWlgn.dll" ["Logitech, Inc."]

 

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

 

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "F:\7-Zip\7-zip.dll" ["Igor Pavlov"]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\antivirus\ashShell.dll" ["ALWIL Software"]

ICEOWS\(Default) = "{FEB7DAE0-E111-11D0-BFD7-444553540000}"

-> {HKLM...CLSID} = "Folder Iceows"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]

 

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"

-> {HKLM...CLSID} = "7-Zip Shell Extension"

\InProcServer32\(Default) = "F:\7-Zip\7-zip.dll" ["Igor Pavlov"]

ICEOWS\(Default) = "{FEB7DAE0-E111-11D0-BFD7-444553540000}"

-> {HKLM...CLSID} = "Folder Iceows"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]

 

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32\(Default) = "C:\antivirus\ashShell.dll" ["ALWIL Software"]

 

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

FdmUplShlExt\(Default) = "{F49C55B9-D417-45A1-A6E7-D6E057946280}"

-> {HKLM...CLSID} = "FdmUplShlExt Class"

\InProcServer32\(Default) = "F:\Free Download Manager\FUM\fumshext.dll" [null data]

 

 

Default executables:

--------------------

 

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

 

 

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

 

Note: detected settings may not have any effect.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

 

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

 

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

 

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

 

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

 

 

Active Desktop and Wallpaper:

-----------------------------

 

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

 

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\użytkownik\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

 

 

Windows Portable Device AutoPlay Handlers

-----------------------------------------

 

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

 

BridgeCS3ImportMediaOnArrival\

"Provider" = "Adobe Bridge CS3"

"InvokeProgID" = "Adobe.adobebridge"

"InvokeVerb" = "launch"

HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "F:\dreamwavear\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]

 

HPUnloadAutoplay\

"Provider" = "Przesyłanie HP i Szybki wydruk"

"InvokeProgID" = "HpqUnApl.Autoplay"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = "{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = "F:\DRUKARKA\Digital Imaging\Unload\HpqUnApl.exe" ["Hewlett-Packard"]

 

MPCPlayCDAudioOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayCDAudio"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""F:\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]

 

MPCPlayDVDMovieOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayDVDMovie"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""F:\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]

 

MPCPlayMusicFilesOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayMusicFiles"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""F:\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

 

MPCPlayVideoFilesOnArrival\

"Provider" = "Media Player Classic"

"InvokeProgID" = "MediaPlayerClassic.Autorun"

"InvokeVerb" = "PlayVideoFiles"

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""F:\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]

 

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

 

NeroAutoPlay7CDAudio\

"Provider" = "Nero Express Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:AudioCD" ["Nero AG"]

 

NeroAutoPlay7CopyCD\

"Provider" = "Nero Express Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:DiscCopy" ["Nero AG"]

 

NeroAutoPlay7DataDisc\

"Provider" = "Nero Express Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "DataDisc_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\DataDisc_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Core\nero.exe -w /New:ISODisc" ["Nero AG"]

 

NeroAutoPlay7LaunchNeroStartSmart\

"Provider" = "Nero StartSmart Essentials"

"InvokeProgID" = "Nero.AutoPlay7"

"InvokeVerb" = "LaunchNeroStartSmart_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay7\shell\LaunchNeroStartSmart_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero 7\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

 

NMMPlayCDAudioOnArrival\

"Provider" = "Nokia Music Manager"

"InvokeProgID" = "NokiaMusicManager"

"InvokeVerb" = "NMMPlayCD"

HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /playCD "%L"" ["Nokia"]

 

NMMRipCDAudioOnArrival\

"Provider" = "Nokia Music Manager"

"InvokeProgID" = "NokiaMusicManager"

"InvokeVerb" = "NMMRipCD"

HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "C:\Program Files\Nokia\Nokia PC Suite 7\MusicManager.exe /ripCD "%L"" ["Nokia"]

 

PDVDPlayCDAudioOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "AudioCD"

"InvokeVerb" = "PlayWithPowerDVD"

HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%L"" ["CyberLink Corp."]

 

PDVDPlayDVDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithPowerDVD"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

 

PDVDPlayVCDMovieOnArrival\

"Provider" = "PowerDVD"

"InvokeProgID" = "VCD"

"InvokeVerb" = "PlayWithPowerDVD"

HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"" ["CyberLink Corp."]

 

PPCDBurningOnArrival\

"Provider" = "PowerProducer"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerProducer"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

 

PPDCameraArrival\

"Provider" = "PowerProducer"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerProducer"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerProducer\Command\(Default) = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe"" ["CyberLink"]

 

PPDVArrival\

"Provider" = "PowerProducer"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\CyberLink\PowerProducer\Producer.exe""

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

 

PStarterBlankCDArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" [empty string]

 

PStarterDVDBurningOnArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "BlankDVD"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\BlankDVD\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" [empty string]

 

PStarterMixedCDArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "MixedContent"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\MixedContent\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" [empty string]

 

PStarterMusicFilesArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "MusicFiles"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\MusicFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" [empty string]

 

PStarterPicturesArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "Picture"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\Picture\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" [empty string]

 

PStarterPlayCDAudioOnArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "AudioCD"

"InvokeVerb" = "PlayWithPowerStarter"

HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" [empty string]

 

PStarterPlayDVDMovieOnArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "DVD"

"InvokeVerb" = "PlayWithPowerStarter"

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe" "%L"" [empty string]

 

PStarterVideoFilesArrival\

"Provider" = "DVD Suite"

"InvokeProgID" = "VideoFiles"

"InvokeVerb" = "OpenWithPowerStarter"

HKLM\SOFTWARE\Classes\VideoFiles\shell\OpenWithPowerStarter\Command\(Default) = ""C:\Program Files\CyberLink\DVD Suite\PowerStarter.exe"" [empty string]

 

WinampMTPHandler\

"Provider" = "Winamp"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "F:\Winamp\winamp.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

 

WinampPlayMediaOnArrival\

"Provider" = "Winamp"

"InvokeProgID" = "Winamp.File"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""F:\Winamp\winamp.exe" "%1"" ["Nullsoft"]

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = ""F:\Winamp\winamp.exe"" ["Nullsoft"]

 

 

DESKTOP.INI DLL launch in local fixed drive directories:

--------------------------------------------------------

 

WARNING! D: is an unreadable partition!

 

 

Winsock2 Service Provider DLLs:

-------------------------------

 

Namespace Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]

 

Transport Service Providers

 

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

 

 

Toolbars, Explorer Bars, Extensions:

------------------------------------

 

Explorer Bars

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

 

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "F:\OFFICE\OFFICE11\REFIEBAR.DLL" [MS]

 

Extensions (Tools menu items, main toolbar menu buttons)

 

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.6.0_06"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.6.0_06"

\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll" ["Sun Microsystems, Inc."]

 

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"

 

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

 

 

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

 

avast! Antivirus, avast! Antivirus, ""C:\antivirus\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""C:\antivirus\aswUpdSv.exe"" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\antivirus\ashWebSv.exe" /service" ["ALWIL Software"]

COMODO Internet Security Helper Service, cmdAgent, ""C:\Program Files\COMODO\Firewall\cmdagent.exe"" ["COMODO"]

Lavasoft Ad-Aware Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"" ["Lavasoft"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]

ServiceLayer, ServiceLayer, ""C:\Program Files\PC Connectivity Solution\ServiceLayer.exe"" ["Nokia."]

Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}

Windows Search, WSearch, "C:\WINDOWS\system32\SearchIndexer.exe /Embedding" [MS]

 

 

Print Monitors:

---------------

 

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Monitor 2 języka BJ\Driver = "CNBJMON2.DLL" [MS]

PCL Language Monitor\Driver = "hpz3l3xu.dll" ["Hewlett-Packard Company"]

 

 

---------- (launch time: 2009-04-25 22:19:42)

<<!>>: Suspicious data at a malware launch point.

 

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 69 seconds.

---------- (total run time: 106 seconds)
