Infection from a pendrive - logs

Hello. For a year I had no problems with any infections, until I plugged someone else's pendrive into the computer. I have Kaspersky - it detects nothing.

But I could see that something was wrong…

SYMPTOMS:

1- It ate my whole Office suite; it simply crashed for no reason and wouldn't run.

2- In Folder Options I couldn't set "Show hidden files"

That's all I noticed, but I'd like to be sure everything else is OK…

I'M PASTING LOGS FROM HijackThis, ComboFix, SR,

HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:44:11, on 2008-12-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.lexmark.com/MD/?func=newreg&lang=20&prtr=4476005&ctry=00000415&os=5&src=1

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll

O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm

O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm

O8 - Extra context menu item: &Pobierz wszystko przez FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm

O8 - Extra context menu item: &Pobrane przez FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm

O8 - Extra context menu item: Dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Konwersja do formatu Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konwertuj do istniejącego pliku PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Konwertuj docelowe łącza do istniejącego pliku PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Konwertuj docelowe łącze do formatu Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konwertuj wybrane łącza do formatu Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Konwertuj wybrane łącza do istniejącego pliku PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Konwertuj zaznaczenie do formatu Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Konwertuj zaznaczenie do istniejącego PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{3BC4895A-61AA-49E3-BDD2-36861B6D4F40}: NameServer = 194.204.159.1,194.204.152.34

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe

O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe


--

End of file - 7203 bytes

COMBOFIX

ComboFix 08-12-20.03 - MIE 2008-12-21 9:55:14.2 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.2046.1710 [GMT 1:00]

Uruchomiony z: c:\documents and settings\MIE\Pulpit\ComboFix.exe


UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA

.


((((((((((((((((((((((((( Pliki utworzone od 2008-11-21 do 2008-12-21 )))))))))))))))))))))))))))))))

.


2008-12-21 09:33 . 2008-12-21 09:33	
SILENT RUNNERS

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMAX" = ""C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray" ["Analog Devices, Inc."]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"" ["Kaspersky Lab"]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                       \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1F364306-AA45-47B5-9F9D-39A8B94E7EF1}\(Default) = "flashget2 urlcatch"
  -> {HKLM...CLSID} = "FG2CatchUrl"
     \InProcServer32\(Default) = "C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll" ["FlashGet"]
{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}\(Default) = "IEVkbdBHO"
  -> {HKLM...CLSID} = "IEVkbdBHO Class"
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll" ["Kaspersky Lab"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEToolbarHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
  -> {HKCU...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{280CFDE1-1354-4431-92F3-03073BA593FB}" = "TotalConverter Context Menu Shell Extension"
  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
"{4FED14EE-8086-4b0c-A0DE-C27042ED1296}" = "PDFTransformer2ContextMenu"
  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"
     \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll" ["ABBYY Software"]
"{1944F5A1-2835-45B0-91E6-FA3EDDAF539E}" = "Graph Shell Extension"
  -> {HKLM...CLSID} = "Graph Shell Extension"
     \InProcServer32\(Default) = "C:\PROGRA~1\Graph\THUMBN~1.DLL" ["Ivan Johansen"]
"{8A0BC933-7552-42E2-A228-3BE055777227}" = "AutoCAD DWG Column Handler"
  -> {HKLM...CLSID} = "AcColumnHandler"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{5800AD5B-72C1-477B-9A08-CA112DF06D97}" = "AutoCAD DWG InfoTip Handler"
  -> {HKLM...CLSID} = "AcInfoTipHandler"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" = "Autodesk Drawing Preview"
  -> {HKLM...CLSID} = "ACTHUMBNAIL"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll" ["Autodesk, Inc."]
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" = "Uchwyt nakładania ikony podpisu cyfrowego"
  -> {HKLM...CLSID} = "AcSignIcon"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\AcSignIcon.dll" ["Autodesk, Inc."]
"{ADC46291-D8A1-4486-A24C-86FFB392AEFA}" = "Autodesk Dgn File Preview"
  -> {HKLM...CLSID} = "AcDgnImageExtractor"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcDgnCOM17.dll" ["Autodesk"]
"{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}" = "TuneUp Shredder Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
"{44440D00-FF19-4AFC-B765-9A0970567D97}" = "TuneUp Theme Extension"
  -> {HKLM...CLSID} = "TuneUp Theme Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\System32\uxtuneup.dll" ["TuneUp Software GmbH"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
  -> {HKLM...CLSID} = "Statystyki ochrony WWW"
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "PDBoot.exe" ["Raxco Software, Inc."]|"autocheck autochk *"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{8A0BC933-7552-42E2-A228-3BE055777227}\(Default) = "AutoCAD DWG column info"
  -> {HKLM...CLSID} = "AcColumnHandler"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll" ["Autodesk"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
  -> {HKLM...CLSID} = "DWFShellExt Class"
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk Shared\dwf Common\DWFShellExtension.dll" ["Autodesk, Inc."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
PDFTransformer2ContextMenu\(Default) = "{4FED14EE-8086-4b0c-A0DE-C27042ED1296}"
  -> {HKLM...CLSID} = "PDFTransformer2.PDFTContextMenu.1"
     \InProcServer32\(Default) = "C:\Program Files\ABBYY PDF Transformer 2.0\PDFTContextMenu.dll" ["ABBYY Software"]
TotalConverter\(Default) = "{280CFDE1-1354-4431-92F3-03073BA593FB}"
  -> {HKLM...CLSID} = "TotalConverter Context Menu Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TotalAudioConverter\axTotalConverter.dll" [empty string]
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\WinUHA\SHELLW~1.DLL" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Shredder Shell Extension\(Default) = "{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}"
  -> {HKLM...CLSID} = "TuneUp Shredder Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2008\SDShelEx-win32.dll" ["TuneUp Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinUHA\(Default) = "{095177B8-8097-4D32-9081-A8949C47020E}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\PROGRA~1\WinUHA\SHELLW~1.DLL" [null data]


Default executables:
--------------------

<<!>> HKCU\Software\Classes\.scr\(Default) = "AutoCADLTScriptFile"
<<!>> HKCU\Software\Classes\AutoCADLTScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\NOTEPAD.EXE" "%1"" [MS]
<<!>> HKLM\SOFTWARE\Classes\AutoCADLTScriptFile\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]

<<!>> HKLM\SOFTWARE\Classes\.scr\(Default) = "AutoCADLTScriptFile"
<<!>> HKCU\Software\Classes\AutoCADLTScriptFile\shell\open\command\(Default) = ""C:\WINDOWS\system32\NOTEPAD.EXE" "%1"" [MS]
<<!>> HKLM\SOFTWARE\Classes\AutoCADLTScriptFile\shell\open\command\(Default) = "C:\WINDOWS\NOTEPAD.EXE "%1"" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

"NoChangeKeyboardNavigationIndicators" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ClassicShell" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoStartMenuMFUprogramsList" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSMMyDocs" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Documents menu from Start Menu}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ClassicShell" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

"DisableTaskMgr" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"No_LaunchMediaBar" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"AlwaysPromptWhenDownload" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AlcoholAutoPlayV2.BurnDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

TVPPlayDVDMovieOnArrival\
"Provider" = "Total Video Player"
"InvokeProgID" = "totalplayer.dvd"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\totalplayer.dvd\shell\open\command\(Default) = "C:\Program Files\Total Video Converter\tvp.exe -dvd %1" [empty string]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2008\OneClick.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SYSTEMROOT%\system32\nvappfilter.dll ["NVIDIA"], 01 - 03, 09
%SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 10 - 23
%SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
     \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll" ["Kaspersky Lab"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statystyki ochrony WWW"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ForceWare Intelligent Application Manager (IAM), ForceWare Intelligent Application Manager (IAM), "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe" [empty string]
ForceWare IP service, nSvcIp, "C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe" ["NVIDIA Corporation"]
Kaspersky Internet Security, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" -r" ["Kaspersky Lab"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
PDF-XChange\Driver = "C:\WINDOWS\system32\pxc25pm.dll" ["Tracker Software"]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]


---------- (launch time: 2008-12-21 09:47:28)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 23 seconds.

---------- (total run time: 49 seconds)

Thanks in advance for your help.
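Added example (not from this thread, and not code from the HijackThis or Silent Runners authors): a small Python triage script for the parts of a HijackThis v2 log that helpers read first after a removable-media infection, namely the O4 Run entries, the O6 policy-restriction flag, the O17 name servers, the O20 AppInit_DLLs list and the O23 services. The sample lines are copied from the log posted above, except for one constructed O4 "Updater" entry that is not in the posted log and only shows what an autostart outside the usual program directories looks like to the parser. The EXPECTED_ROOTS list and the flagging rules are my own assumptions, not HijackThis logic.

```python
"""Triage of a HijackThis v2 log.

Collects the autostart sections that matter most for a pendrive-borne
infection (O4 Run keys, O6 policy restrictions, O17 DNS servers,
O20 AppInit_DLLs, O23 services) and flags entries worth a manual check.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the thread's HijackThis log, plus one
# made-up O4 entry ("Updater") that is NOT in the posted log. It only shows the
# kind of entry the location check is meant to catch.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Ustawienia lokalne\Temp\update.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{3BC4895A-61AA-49E3-BDD2-36861B6D4F40}: NameServer = 194.204.159.1,194.204.152.34
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
"""

# Assumption: directories where legitimate autostart binaries normally live on XP.
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# Binary path with optional surrounding quotes and trailing switches/annotations.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|sys))"?(?:\s.*)?$', re.IGNORECASE)
O23_PREFIX = "O23 - Service: "


@dataclass
class Triage:
    run_entries: list = field(default_factory=list)   # (hive, name, exe path)
    nameservers: list = field(default_factory=list)
    appinit_dlls: list = field(default_factory=list)
    services: list = field(default_factory=list)      # (display name, owner, path)
    findings: list = field(default_factory=list)      # human-readable flags


def executable_path(command: str) -> str:
    """Return just the binary from a Run/Service command line."""
    m = EXE_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def in_expected_location(path: str) -> bool:
    return path.lower().startswith(EXPECTED_ROOTS)


def triage(log_text: str) -> Triage:
    """Parse the log and collect the entries plus the flags worth a manual check."""
    result = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            hive, name, cmd = m.group("hive", "name", "cmd")
            path = executable_path(cmd)
            result.run_entries.append((hive, name, path))
            if not in_expected_location(path):
                result.findings.append(f"O4 [{name}] autostarts from an unusual location: {path}")
        elif line.startswith("O6 - "):
            result.findings.append("O6 policy restrictions present; confirm you (or a tweaking tool) set them")
        elif m := O17_RE.match(line):
            servers = m.group("servers").split(",")
            result.nameservers.extend(servers)
            result.findings.append("O17 NameServer set; confirm these are the ISP's resolvers: " + ", ".join(servers))
        elif m := O20_RE.match(line):
            dlls = [d for d in m.group("dlls").split(",") if d]
            result.appinit_dlls.extend(dlls)
            result.findings.append(f"O20 AppInit_DLLs injects {len(dlls)} DLL(s) into every GUI process; verify each vendor")
        elif line.startswith(O23_PREFIX):
            # Display name, owner and path are separated by " - "; split from the right
            # so a display name containing " - " does not break the parse.
            parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
            if len(parts) == 3:
                display, owner, path = parts
                result.services.append((display, owner, path))
                if owner == "Unknown owner":
                    result.findings.append(f"O23 service '{display}' carries no vendor info: {path}")
    return result


if __name__ == "__main__":
    for flag in triage(SAMPLE_LOG).findings:
        print(flag)
```

Run against the full log, the script is a checklist rather than a verdict: "Unknown owner" services and AppInit_DLLs entries are common for legitimate vendors (the Kaspersky keyboard hooks in this log are one case), so each flag is a prompt to verify the file's vendor and location, not a detection on its own.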

Download ComboFix, but don't run it

Paste into Notepad:

File::


Folder::

C:\FOUND.005

C:\FOUND.004

C:\FOUND.003


Driver::

AVPsys

File -> Save as -> CFScript.txt.

Drag and drop the CFScript.txt icon onto the ComboFix.exe icon, like here ->

cfscript10uc2.gif

The removal will start and a log will be produced, which you post on the forum + a HijackThis log

Post the logs at http://wklej.eu or http://wklej.org and put only the link in your post

Earlier I had deleted these folders:

C:\FOUND.005

C:\FOUND.004

C:\FOUND.003

did I do the right thing??

They were empty…

Fine, but show the removal log from ComboFix