Problem z MP3 (Downloader.Zlob, Addler-Fam)

Doody · 6 Lipiec 2008 12:19

Witam.

Sprawa zaczęła się wczoraj, kiedy to pojawił się u mnie prob lem z odtwarzaniem plików mp3. Okazało się, że “coś” podmieniło je dodając komentarze asf, nie zmieniając rozszerzenia. Sposób naprawy plików, to oczywiście ręczna zmiana rozszerzenia na wmv i ponowna konwersja do mp3 np. programem WinFF, ale bardziej interesująca dla mnie informacja to, co za brzydal jest odpowiedzialny za narobienie mi tego bałaganu, może ktoś będzie mi w stanie pomóc?

Do tej pory przeskanowałem kompa Avastem (nic nie wykrył), Skanerem on-line Kaspersy’ego (wykrył trojana w pliku wingsa32.dll w katalogu system32 - usunąłem wpis za pomocą hijack’a, a plik za pomocą killbox’a), Webroot AntiVirus (wykrył: trojana Addler-Fam w plikach wingsa32.dll, winopn32.dll i kilka ciastek - usunięte przez wspomniany program), SpybotS&D wykrył parę ciasteczek które usunąłem, sprawdziałem logi Hijack’iem i wyczyściłem ze zbędnych wpisów.

Na forum przeczytałem, że za taką podmianę mp3 może być odpowiedzialny też Downloader.Zlob którego jednak u siebie nie znalazłem.

Może ktoś wie coś więcej na ten temat albo dopatrzy się czegoś więcej w moich logach. Nie jestem jak widzę odosobniony w tym problemie z MP3, a nie mogę na necie nic więcej na ten temat znaleźć.

Proszę o wsparcie i analizę moich logów. Zanim zacznę bawić się w odzyskanie moich mp3 (a jest tego dużo) chciałbym upewnić się, że nie ma już źródła problemu.

Poniżej moje logi z Hijackthis i Silent Runners

Hijackthis 2.0.2

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:07:26, on 06-07-2008

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avast4\aswUpdSv.exe

C:\Program Files\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\SYSTEM32\S3Trayp.exe

C:\Program Files\D-Tools\daemon.exe

C:\PROGRA~1\Avast4\ashDisp.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Labtec Wireless Desktop\MagicKey.exe

C:\Program Files\Labtec Wireless Desktop\MulMouse.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Labtec Wireless Desktop\OSD.EXE

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Avast4\ashMaiSv.exe

C:\Program Files\Avast4\ashWebSv.exe

C:\Program Files\HijackThis\HijackThis.exe

C:\WINDOWS\system32\ctfmon.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL

O4 - HKLM\..\Run: [S3Trayp] "C:\WINDOWS\SYSTEM32\S3Trayp.exe"

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Webroot Desktop Firewall] "C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"

O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: Enable Labtec Wireless Desktop.lnk = C:\Program Files\Labtec Wireless Desktop\MagicKey.exe

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar1.google.com/data/pl/big/1.1.62-big/GoogleNav.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Avast4\ashWebSv.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Webroot Desktop Firewall network service (WDFNet) - Webroot Software Inc (www.webroot.com) - C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe

O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--

End of file - 7579 bytes

Silent Runners

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"swg" = ""C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"" ["Google Inc."]

"ctfmon.exe" = ""C:\WINDOWS\system32\ctfmon.exe"" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"S3Trayp" = ""C:\WINDOWS\SYSTEM32\S3Trayp.exe"" ["S3 Graphics Co., Ltd."]

"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]

"avast!" = "C:\PROGRA~1\Avast4\ashDisp.exe" ["ALWIL Software"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"(Default)" = "(empty string)" [file not found]

"Webroot Desktop Firewall" = ""C:\Program Files\Webroot\Webroot Desktop Firewall\WDF.exe"" ["Webroot Software Inc (www.webroot.com)"]

"SpySweeper" = ""C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray" ["Webroot Software, Inc."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEToolbarHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"

                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll" ["Google Inc."]

{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "Ask Toolbar BHO"

  -> {HKLM...CLSID} = "Ask Toolbar BHO"

                   \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{51550900-DCAC-11d4-AA0F-0080C87C465B}" = "WayTech MultiMouse"

  -> {HKLM...CLSID} = "WayTech MultiMouse Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Labtec Wireless Desktop\CPDll.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"

  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"

  -> {HKLM...CLSID} = "ImageExtractorShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"

  -> {HKLM...CLSID} = "CInfoTipShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"

  -> {HKLM...CLSID} = "Haali Column Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]

"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"

  -> {HKLM...CLSID} = "Haali Matroska Shell Property Page"

                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]

"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Extractor"

  -> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"

                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]

"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}" = "Webroot Spy Sweeper Context Menu Integration"

  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]


HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"

  -> {HKLM...CLSID} = "Haali Column Provider"

                   \InProcServer32\(Default) = "C:\Program Files\Codec\Haali\mmfinfo.dll" [null data]

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" ["ALWIL Software"]

SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"

  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

SpySweeper\(Default) = "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"

  -> {HKLM...CLSID} = "Webroot Spy Sweeper Context Menu Integration"

                   \InProcServer32\(Default) = "C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll" ["Webroot Software, Inc."]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001

{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\ACD Wallpaper.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssstars.scr" [MS]



Windows Portable Device AutoPlay Handlers

-----------------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\


ACDSeeShowPicturesOnArrival\

"Provider" = "ACDSee"

"InvokeProgID" = "ACDSee.AutoPlayHandler"

"InvokeVerb" = "Open"

HKLM\SOFTWARE\Classes\ACDSee.AutoPlayHandler\shell\Open\command\(Default) = ""C:\Program Files\ACD Systems\ACDSee\5.0\ACDSee5.exe" "%1"" ["ACD Systems, Ltd."]


BSMediaPlayerOnArrival\

"Provider" = "BearShare"

"ProgID" = "BearShare.LauncherEventHandler"

HKLM\SOFTWARE\Classes\BearShare.LauncherEventHandler\CLSID\(Default) = "{A7A4A19A-00AC-473c-8225-1B97D1FDD43E}"

  -> {HKLM...CLSID} = "CLauncherEventHandler Object"

                   \LocalServer32\(Default) = ""C:\PROGRA~1\BEARSH~1\BEARSH~1\Launcher.exe"" ["MusicLab LLC"]


BSPlayCDAudioOnArrival\

"Provider" = "BearShare"

"InvokeProgID" = "BearShare.AudioCD"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\play\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --playdrive %L" ["MusicLab, LLC"]


BSRipCDAudioOnArrival\

"Provider" = "BearShare"

"InvokeProgID" = "BearShare.AudioCD"

"InvokeVerb" = "rip"

HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\rip\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --ripdrive %L" ["MusicLab, LLC"]


BSShowCDAudioOnArrival\

"Provider" = "BearShare"

"InvokeProgID" = "BearShare.AudioCD"

"InvokeVerb" = "show"

HKLM\SOFTWARE\Classes\BearShare.AudioCD\shell\show\Command\(Default) = "C:\PROGRA~1\BEARSH~1\BEARSH~1\BearShare.exe --showdrive %L" ["MusicLab, LLC"]


DVDDecrypterPlayDVDMovieOnArrival\

"Provider" = "DVD Decrypter"

"InvokeProgID" = "DVDDecrypter"

"InvokeVerb" = "Decrypt using DVD Decrypter"

HKLM\SOFTWARE\Classes\DVDDecrypter\shell\Decrypt using DVD Decrypter\Command\(Default) = ""C:\PROGRA~1\GORDIA~1\DVDDecrypter\dvddecrypter.exe" /MODE READ /SOURCE "%1"" [file not found]


MSPlayCDAudioOnArrival\

"Provider" = "ALLPlayer"

"InvokeProgID" = "AllPlayerFile"

"InvokeVerb" = "play"

HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command\(Default) = ""C:\Program Files\MarBit\ALLPlayer\ALLPlayer.exe" "%1"" ["MarBit"]


NeroAutoPlay2CDAudio\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2CopyCD\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2DataDisc\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]


NeroAutoPlay2LaunchNeroStartSmart\

"Provider" = "Nero StartSmart"

"InvokeProgID" = "Nero.AutoPlay2"

"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]



Startup items in "Doody" & "All Users" startup folders:

-------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"BlueSoleil" -> shortcut to: "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]

"Enable Labtec Wireless Desktop" -> shortcut to: "C:\Program Files\Labtec Wireless Desktop\MagicKey.exe" [empty string]



Enabled Scheduled Tasks:

------------------------


"wrSpySweeperFullSweep" -> launches: "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /ScheduleSweep=wrSpySweeperFullSweep" ["Webroot Software, Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 28

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"

  -> {HKLM...CLSID} = "Adobe PDF"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"

  -> {HKLM...CLSID} = "Adobe PDF"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"

  -> {HKLM...CLSID} = "Ask Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]


HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)

  -> {HKLM...CLSID} = "Ask Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL" ["Ask.com"]


Explorer Bars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]


HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Avast4\ashServ.exe"" ["ALWIL Software"]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Avast4\aswUpdSv.exe"" ["ALWIL Software"]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Webroot Desktop Firewall network service, WDFNet, "C:\Program Files\Webroot\Webroot Desktop Firewall\wdfsvc.exe" ["Webroot Software Inc (www.webroot.com)"]

Webroot Spy Sweeper Engine, WebrootSpySweeperService, ""C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe"" ["Webroot Software, Inc. (www.webroot.com)"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]



---------- (launch time: 2008-07-06 14:16:51)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 85 seconds, including 4 seconds for message boxes)

huber2t · 6 Lipiec 2008 12:38

W logach nic nie widze

Pokaz log z Combofix

Doody · 6 Lipiec 2008 13:27

Poniżej log z Combofix’a

ComboFix 08-07-05.1 - Doody 2008-07-06 14:47:30.1 - NTFSx86

huber2t · 6 Lipiec 2008 13:31

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

Folder::

C:\Program Files\AskSBar

Plik -> zapisz jako -> CFScript.txt (najwygodniej będzie, jeśli zapiszesz w takiej lokalizacji, by ikonka CFScript.txt znalazła się obok ikonki ComboFix.exe )

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu ->

Rozpocznie się usuwanie i powstanie log, daj ten log na forum.

Logi dajesz na http://wklejto.pl a w poście dajesz tylko link

Doody · 6 Lipiec 2008 15:08

Usuwanie i tworzenie loga właśnie trwa, a w międzyczasie pytanie czy ktoś może wie jaki śmieć był przyczyną tej dziwnej podmiany mp3, bo do tej pory nic się na ten temat nie dowiedziałem? Jak już powstał taki temat miło by było wyjaśnić przyczynę, a nie tylko usunąć skótki.

W dniu 06.07.2008 , o godzinie 17:08 został dopisany post przez Doody

Oto nowy log http://wklejto.pl/5054

huber2t · 6 Lipiec 2008 15:12

Log wyglada na czysty

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum

lub

Dr.WEB CureIt!

asterisk · 6 Lipiec 2008 15:34

Zapoznaj się proszę z tą stroną i zmień tytuł na

konkretny. Inaczej temat poleci do śmietnika.

Doody · 6 Lipiec 2008 16:21

Oto raport z Kaspersky’ego:

6 lipiec 2008 18:10:46

System operacyjny: Microsoft Windows XP Professional, Dodatek Service Pack 2 (Build 2600)

Kaspersky Online Scanner wersja: 5.0.98.0

Ostatnia aktualizacja Kaspersky Anti-Virus 6/07/2008

Liczba wpisów w bazie danych Kaspersky Anti-Virus918651



Ustawienia skanowania 

Skanowanie przy użyciu następujących baz danych rozszerzone 

Skanuj archiwa tak 

Skanuj pocztowe bazy danych tak 


Obszar skanowania Obszary krytyczne 

C:\WINDOWS

C:\DOCUME~1\Doody\USTAWI~1\Temp\  


Statystyki skanowania 

Liczba skanowanych obiektów 15139 

Liczba wykrytych wirusów 0 

Liczba zainfekowanych obiektów 0 

Liczba podejrzanych obiektów 0 

Czas trwania skanowania 00:25:04 


Nazwa zainfekowanego obiektu Nazwa wirusa Ostatnie działanie 

C:\WINDOWS\Debug\PASSWD.LOG Object is locked pominięty  


C:\WINDOWS\SchedLgU.Txt Object is locked pominięty  


C:\WINDOWS\Sti_Trace.log Object is locked pominięty  


C:\WINDOWS\system32\CatRoot2\edb.log Object is locked pominięty  


C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked pominięty  


C:\WINDOWS\system32\config\Antivirus.Evt Object is locked pominięty  


C:\WINDOWS\system32\config\AppEvent.Evt Object is locked pominięty  


C:\WINDOWS\system32\config\default Object is locked pominięty  


C:\WINDOWS\system32\config\default.LOG Object is locked pominięty  


C:\WINDOWS\system32\config\SAM Object is locked pominięty  


C:\WINDOWS\system32\config\SAM.LOG Object is locked pominięty  


C:\WINDOWS\system32\config\SecEvent.Evt Object is locked pominięty  


C:\WINDOWS\system32\config\SECURITY Object is locked pominięty  


C:\WINDOWS\system32\config\SECURITY.LOG Object is locked pominięty  


C:\WINDOWS\system32\config\software Object is locked pominięty  


C:\WINDOWS\system32\config\software.LOG Object is locked pominięty  


C:\WINDOWS\system32\config\SysEvent.Evt Object is locked pominięty  


C:\WINDOWS\system32\config\system Object is locked pominięty  


C:\WINDOWS\system32\config\system.LOG Object is locked pominięty  


C:\WINDOWS\system32\h323log.txt Object is locked pominięty  


C:\WINDOWS\system32\SsiEfr.exe Object is locked pominięty  


C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked pominięty  


C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked pominięty  


C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked pominięty  


C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked pominięty  


C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked pominięty  


C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked pominięty  


C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked pominięty  


C:\WINDOWS\system32\wrLZMA.dll Object is locked pominięty  


C:\WINDOWS\Temp\Perflib_Perfdata_578.dat Object is locked pominięty  


C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked pominięty  


C:\WINDOWS\wiadebug.log Object is locked pominięty  


C:\WINDOWS\wiaservc.log Object is locked pominięty  


C:\DOCUME~1\Doody\USTAWI~1\Temp\JET434D.tmp Object is locked pominięty  


C:\DOCUME~1\Doody\USTAWI~1\Temp\~ROMFN_000007C4 Object is locked pominięty  


Proces skanowania został zakończony.

Chyba już wszystko ok. Dzięki za pomoc (mimo że nie dowiedziałem się co spowodowało te problemy )

Pozdrawiam

spandaupol · 6 Lipiec 2008 16:22

Przeskanuj obszar Mój komputer