Podejrzenie infekcji przez Kaspersky Online Scanner


(Agatonster) #1

Ociągałem się ze zgłoszeniem problemu, mając na uwadze nawał pracy jaki obserwuję w związku z zalewem tematu gg , ale jednak mam problem, Kaspersky Online Scanner zgłasza mi w poniżej przedstawionych lokalizacjach infekcję ;


C:\System Volume Information_restore{D9528359-EC7C-44B2-AC0E-7115A90C8AC2}\RP686\A0057957.exe/stream/data0002 Zainfekowanych: not-a-virus:RiskTool.Win32.PsKill.q

C:\System Volume Information_restore{D9528359-EC7C-44B2-AC0E-7115A90C8AC2}\RP686\A0057957.exe/stream Zainfekowanych: Win32.PsKill.q

C:\System Volume Information_restore{D9528359-EC7C-44B2-AC0E-7115A90C8AC2}\RP686\A0057957.exe NSIS: zainfekowany - 2

C:\System Volume Information_restore{D9528359-EC7C-44B2-AC0E-7115A90C8AC2}\RP686\A0057957.exe UPX: zainfekowany - 2


Coś może być na rzeczy, bowiem wyczytałem na którymś z forów, że robal taki znajdUje się w Płycie serwisowej PC World Komputer 1.0 pl której obraz ISO ściągnąłem i przegrałem na CD.Przeskanowałem Kasprem on-line napęd z płytą i potwierdził istnienie trojanów, ale znowu - mks_vir on-line wykazał zero...i komu dać wiarę ?..

Dostać się do tych lokalizacji nie mogę mimo konta administratora.

Avast , oraz mks_vir 2006 skaner on-line, faktu zainfekowania nie potwierdzają, jednakże mając na uwadze renomę, jaką posiada Kaspersky. martwi mnie trochę info przez niego przekazane, wobec powyższego mam wielką prośbę o sprawdzenie loga ...

Logfile of HijackThis v1.99.1

Scan saved at 20:40:59, on 2006-11-21

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Documents and Settings\net\Moje dokumenty\moje pliki\Secure\hijackthis...Silent Runners\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: (no name) - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O4 - HKLM..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE

O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

O4 - HKLM..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: Subskrybuj w domyślnym agregatorze - C:\Documents and Settings\net\Dane aplikacji\RssBandit\iecontext_subscribefeed.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://\*.mks.com.pl

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus ... nicode.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab

O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: ewido anti-spyware 4.0 guard - Unknown owner - D:\Program Files\ewido anti-spyware 4.0\guard.exe (file missing)

O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]

"AlcWzrd" = "ALCWZRD.EXE" ["RealTek Semicoductor Corp."]

"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"IgfxTray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]

"HotKeysCmds" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]

"High Definition Audio Property Page Shortcut" = "HDAudPropShortcut.exe" ["Windows ® Server 2003 DDK provider"]

"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM...CLSID} = "AcroIEHlprObj Class"

\InProcServer32(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "D:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

\InProcServer32(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{ABC70703-32AF-11d4-90C4-D483A70F4825}" = "CMenuExtender"

-> {HKLM...CLSID} = "CMenuExtender"

\InProcServer32(Default) = "D:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

-> {HKLM...CLSID} = "UnlockerShellExtension"

\InProcServer32(Default) = "D:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{71A466B0-65CC-4B41-9043-6090F2C830D3}" = "QCD IconHandler"

-> {HKLM...CLSID} = "QIconHandler Class"

\InProcServer32(Default) = "D:\Program Files\Quintessential Media Player\QMPShell.dll" ["Quinnware"]

"{71A068F3-2DC9-438D-8944-6B4FF540D2F5}" = "QCD ContextMenu"

-> {HKLM...CLSID} = "QContextMenu Class"

\InProcServer32(Default) = "D:\Program Files\Quintessential Media Player\QMPShell.dll" ["Quinnware"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"

-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

\InProcServer32(Default) = "D:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

<> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"

-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"

\InProcServer32(Default) = "C:\PROGRA~1\WINDOW~4\MpShHook.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"| [file not found]| [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

ewido anti-spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32(Default) = "D:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

IZArcCM(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

-> {HKLM...CLSID} = "IZArc Shell Context Menu"

\InProcServer32(Default) = "D:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

CMenuExtender(Default) = "{ABC70703-32AF-11d4-90C4-D483A70F4825}"

-> {HKLM...CLSID} = "CMenuExtender"

\InProcServer32(Default) = "D:\WINDOWS\BricoPacks\Vista Inspirat\iColorFolder\CMExt.dll" ["Revenger inc."]

ewido anti-spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

-> {HKLM...CLSID} = "CContextScan Object"

\InProcServer32(Default) = "D:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]

IZArcCM(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"

-> {HKLM...CLSID} = "IZArc Shell Context Menu"

\InProcServer32(Default) = "D:\PROGRA~1\IZArc\IZArcCM.dll" [null data]

QMPlayer(Default) = "{71A068F3-2DC9-438D-8944-6B4FF540D2F5}"

-> {HKLM...CLSID} = "QContextMenu Class"

\InProcServer32(Default) = "D:\Program Files\Quintessential Media Player\QMPShell.dll" ["Quinnware"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

-> {HKLM...CLSID} = "avast"

\InProcServer32(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

UnlockerShellExtension(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

-> {HKLM...CLSID} = "UnlockerShellExtension"

\InProcServer32(Default) = "D:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

UnlockerShellExtension(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

-> {HKLM...CLSID} = "UnlockerShellExtension"

\InProcServer32(Default) = "D:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

Group Policies {policy setting}:


Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoControlPanel" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

"NoViewContextMenu" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) hex:0x00000000

{Don't save settings at exit}

"ClearRecentDocsOnExit" = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableTaskMgr" = (REG_DWORD) hex:0x00000000

{Remove Task Manager}

"NoDispCPL" = (REG_DWORD) hex:0x00000000

{Remove Display in Control Panel}

"NoDispBackgroundPage" = (REG_DWORD) hex:0x00000000

{Hide Desktop tab}

"NoDispScrSavPage" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

"NoDispAppearancePage" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

"NoDispSettingsPage" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) hex:0x00000000

{Disable the command prompt}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000

{unrecognized setting}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\net\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\ssmypics.scr" [MS]

Startup items in "net" & "All Users" startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe" [empty string]

Enabled Scheduled Tasks:


"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]

Sunbelt Kerio Personal Firewall 4, KPF4, ""D:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe"" ["Sunbelt Software"]

Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt10\Driver = "hpzsnt10.dll" ["HP"]


<>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points, use the -supp parameter or answer "No" at the

first message box and "Yes" at the second message box.

---------- (total run time: 53 seconds, including 23 seconds for message boxes)


(Bbieniol) #2

Usuń Hijackiem ten wpis:

Kosmetycznie: Otwórz edytor rejestru Start >>> Uruchom >>> regedit i przejdź do klucza HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager

Tam kliknij podwójnie na wartość BootExecute i z okienka usuń wszystko z wyjątkiem autocheck autochk *

Wyłącz na chwilę przywracanie systemu, wtedy folder C:\System Volume Information automatycznie się opróżni :slight_smile:

Panel sterowania --> System --> Przywracanie systemu

Tam zaznacz opcję Turn off System Restore lub Turn off System Restore on all drives (Wyłącz przywracanie na wszystkich dyskach). Zatwierdzasz wszystkie zmiany.


(Agatonster) #3

Dziękuję Bieniol bardzo za okazane zainteresowanie tematem. Zalecenia wykonałem z wyjątkiem usunięcia podanych przez Ciebie składników w wartości BootExecute - nie ma takiej w podanym przez Ciebie kluczu... mam kolejno :

AppCompatibility

AppPatches

DOS Devices...nie wiem, czy to dobrze ale BootExecute nie ma...

Proszę jeszcze o informację, czy rzeczywiście w płytce tej mogą być robale - miałem zamiar ją dać znajomemu, ale teraz oczywiście mu nie dam...

Pozdrawiam serdecznie


(Joan Sunshine) #4

Jest, tylko musisz kliknąć na sam folder Session Manager :slight_smile:

I wtedy już to, co napisał Bieniol.


(Agatonster) #5

Joan - bardzo dziękuję za podpowiedź, teraz znalazłem , w aplikacji Edytowanie wielociągu znalazłem tylko wpis autocheck autochk * ,który w/g

zaleceń Mistrza Bieniol powinienem pozostawić . Mam nadzieję , że temat zamknięty.

Swoją drogą obserwując Twoją aktywność i kompetencje w temacie Bezpieczeństwo i logi HiackThis nasuwa mi się skojarzenie z forum searchengines - Picasso...

Pozdrawiam serdecznie