mirus7
(Mirus7)
26 Czerwiec 2007 19:30
#1
Witam
mam problem z procesem svhost.exe - jestem pewny że jest to jakiś robak - pisze się przez samo “h” a nie “ch” jak inne procesy svchost.exe. Jest wiele objawów na moim komputerze które świadczą o tym że jest coś nie tak:
Przy uruchamianiu komputera wyskakuje mi na sekunde biała tabelka z kratkami - nie wiem co to jest na pewno sam tego nie instalowałem
W internet exporerze w historii pojawiają się rożne dziwne strony których sam nie otwierałem - w firewallu zablokowałem proces svhost.exe dzięki czemu nie moga sie otworzyc - jak wyłanczam w menadzerze zadan proces svhost.exe to wtedy nie pokazują sie juz w historii
Nie mogę w widoku plikow i folderow ustawic zeby były widoczne ukryte pliki i foldery
w folderze system32 tworzy mi sie tez plik winscok.dll ktorego nie moge usunąc bo sie odnawia
Za pomocą funkcji wyszukaj znalazłem dwa pliki svhost.exe i jak je usuwam to tez sie odnawiają - wydaje mi sie że po ich usunięciu przez jakis czas nie pojawiała sie przy uruchamianiu kompa ta biała ale tabelka
W folderze Temp pojawiały sie jakies dziwne pliki - wykrywał je AVG ale odkąd nie mogę zobaczyć plików ukrytych to nie wiem czy jeszcze tam sie tworza bo juz ich nie wykrywa
Skanowałem już komputer kilka razy i czasami wykrywa mi trojana PSW.Generic2.DZW i pokazuje że to plik winscok.dll ale jak pisałem wcześniej ten plik sie ciągle odnawia.
Najbardziej niepokoją mnie te stronki w historii ktore proboja sie otworzyc.
Może ktoś miał podobny problem i ma pojęcie jak to wszystko usunąc bo ja sie nie znam zupełnie na tych sprawch a zadne antywirusy sobie z tym nieradzą.
Będę bardzo wdzieczny za pomoc.
Pozdrawiam
Pawel_85
(Paweł_85)
26 Czerwiec 2007 20:43
#2
Wrzuć logi z Hijackthis i SilentRunners.
W dziale Bezpieczeństwo i logi HijackThis
Tutaj wszystko na temat
mirus7
(Mirus7)
26 Czerwiec 2007 21:15
#3
podaje loga z hijackthis:
Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 23:12:47, on 2007-06-26 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgemc.exe C:\WINDOWS\system32\cisvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe C:\WINDOWS\system32\tcpsvcs.exe C:\WINDOWS\System32\snmp.exe C:\WINDOWS\system32\cidaemon.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Mirek\Pulpit\hijackthis\hijackthis_v2.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.bearshare.com/sidebar.html?src=ssb R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.parkiet.com.pl/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\ActiveX\AcroIEHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Adobe\Acrobat\AcroIEFavClient.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Adobe\Acrobat\AcroIEFavClient.dll O4 - HKLM…\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM…\Run: [AVSCHED32] C:\Programy\AVPersonal\AVSCHED32.EXE /min O4 - HKLM…\Run: [cleaner] lib.exe O4 - HKLM…\Run: [Acrobat Assistant 7.0] “D:\Adobe\Distillr\Acrotray.exe” O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM…\Run: [funk] funk.exe O4 - HKLM…\Run: [yaemu.exe] C:\WINDOWS\System32\yaemu.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKLM…\Run: [synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon O4 - HKLM…\Run: [dmtoi.exe] C:\WINDOWS\system32\dmtoi.exe O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM…\Run: [iut75] c:\windows\system32\drivers\uzcx.exe O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM…\Run: [Outpost Firewall] “C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe” /waitservice O4 - HKLM…\Run: [net32] C:\WINDOWS\svhost.exe O4 - HKLM…\Run: [soundMam] C:\WINDOWS\system32\SVOHOST.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-19…\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’) O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html O8 - Extra context menu item: Convert to existing PDF - res://D:\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted IP range: 213.159.117.202 O15 - Trusted IP range: 213.159.117.202 (HKLM) O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {A6916797-7ABD-4F07-93AE-098B6F543129} (CO2Player Class) - http://www.lemontv.pl/lmctrlp.cab O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70 O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.150 85.255.112.70 O20 - Winlogon Notify: bnreg - C:\Documents and Settings\All Users\Dokumenty\Settings\bn.dll (file missing) O22 - SharedTaskScheduler: Moduł wstępnego ładowania interfejsu Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Demon buforu kategorii składników - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe O23 - Service: Klient DNS DnscacheBrowser (DnscacheBrowser) - Unknown owner - C:\WINDOWS\system32\kdcomj.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Rozpoznawanie lokalizacji w sieci (NLA) NlaSCardDrv (NlaSCardDrv) - Unknown owner - C:\WINDOWS\system32\c_437x.exe (file missing) O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: Wykrywanie sprzętu powłoki ShellHWDetectionBITS (ShellHWDetectionBITS) - Unknown owner - C:\WINDOWS\system32\lz32f.exe (file missing) O23 - Service: Wykrywanie sprzętu powłoki ShellHWDetectionBITS ShellHWDetectionBITSHidServ (ShellHWDetectionBITSHidServ) - Unknown owner - C:\WINDOWS\system32\olethk32j.exe – End of file - 8249 bytes Złączono Posta: 26.06.2007 (Wto) 23:25 i silent runners: “Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NeroCheck” = “C:\WINDOWS\System32\NeroCheck.exe” [“Ahead Software Gmbh”] “AVSCHED32” = “C:\Programy\AVPersonal\AVSCHED32.EXE /min” [file not found] “cleaner” = “lib.exe” [file not found] “Acrobat Assistant 7.0” = ““D:\Adobe\Distillr\Acrotray.exe”” [“Adobe Systems Inc.”] “(Default)” = “(empty string)” [file not found] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “funk” = “funk.exe” [file not found] “yaemu.exe” = “C:\WINDOWS\System32\yaemu.exe” [file not found] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] “Synchronization Manager” = “C:\WINDOWS\system32\mobsync.exe /logon” “dmtoi.exe” = “C:\WINDOWS\system32\dmtoi.exe” [file not found] “PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup” [“Nokia”] “iut75” = “c:\windows\system32\drivers\uzcx.exe” [file not found] “AVG7_CC” = “C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP” [“GRISOFT, s.r.o.”] “Outpost Firewall” = ““C:\Program Files\Agnitum\Outpost Firewall 1.0\outpost.exe” /waitservice” [“Agnitum”] “net32” = “C:\WINDOWS\svhost.exe” [file not found] “SoundMam” = “C:\WINDOWS\system32\SVOHOST.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\Adobe\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {AE7CD045-E861-484f-8273-0445EE161910}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEToolbarHelper Class” \InProcServer32(Default) = “D:\Adobe\Acrobat\AcroIEFavClient.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Eksplorator pulpitów” -> {HKLM…CLSID} = “Eksplorator pulpitów” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play” -> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play” \InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS] “{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}” = “Adobe.Acrobat.ContextMenu” -> {HKLM…CLSID} = “Acrobat Elements Context Menu” \InProcServer32(Default) = “D:\Adobe\Acrobat Elements\ContextMenu.dll” [“Adobe Systems Inc.”] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”] “{D3796116-94D3-4009-96D7-51578411CC7D}” = “Outpost Shell Extension” -> {HKLM…CLSID} = “oshdlr.ShellHandler” \InProcServer32(Default) = “C:\PROGRA~1\Agnitum\OUTPOS~1.0\oshdlr.dll” [“Agnitum Ltd.”] “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Shell Extension” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] “{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}” = “AVG7 Find Extension” -> {HKLM…CLSID} = “AVG7 Find Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> bnreg\DLLName = “C:\Documents and Settings\All Users\Dokumenty\Settings\bn.dll” [file not found] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Adobe\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Adobe.Acrobat.ContextMenu(Default) = “{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}” -> {HKLM…CLSID} = “Acrobat Elements Context Menu” \InProcServer32(Default) = “D:\Adobe\Acrobat Elements\ContextMenu.dll” [“Adobe Systems Inc.”] AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ AVG7 Shell Extension(Default) = “{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}” -> {HKLM…CLSID} = “AVG7 Shell Extension Class” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG7\avgse.dll” [“GRISOFT, s.r.o.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options| Remove Task Manager} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Mirek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Mirek” & “All Users” startup folders: ------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] “Adobe Acrobat Speed Launcher” -> shortcut to: “C:\WINDOWS\Installer{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{47833539-D0C5-4125-9FA8-0819E2EAAC93}” -> {HKLM…CLSID} = “Adobe PDF” \InProcServer32(Default) = “D:\Adobe\Acrobat\AcroIEFavClient.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{47833539-D0C5-4125-9FA8-0819E2EAAC93}” = (no title provided) -> {HKLM…CLSID} = “Adobe PDF” \InProcServer32(Default) = “D:\Adobe\Acrobat\AcroIEFavClient.dll” [“Adobe Systems Incorporated”] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {182EC0BE-5110-49C8-A062-BEB1D02A220B}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF” \InProcServer32(Default) = “D:\Adobe\Acrobat\AcroIEFavClient.dll” [“Adobe Systems Incorporated”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.5.0_06” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AVG E-mail Scanner, AVGEMS, “C:\PROGRA~1\Grisoft\AVG7\avgemc.exe” [“GRISOFT, s.r.o.”] AVG7 Alert Manager Server, Avg7Alrt, “C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe” [“GRISOFT, s.r.o.”] AVG7 Update Service, Avg7UpdSvc, “C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe” [“GRISOFT, s.r.o.”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] Odbiornik RIP, Iprip, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\iprip.dll” [MS]} Outpost Firewall Service, OutpostFirewall, “C:\PROGRA~1\AGNITUM\OUTPOS~1.0\outpost.exe /service” [“Agnitum”] Usługi Simple TCP/IP, SimpTcp, “C:\WINDOWS\system32\tcpsvcs.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Adobe PDF Port\Driver = “C:\WINDOWS\System32\AdobePDF.dll” [“Adobe Systems Incorporated.”] LPR Port\Driver = “lprmon.dll” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 54 seconds. ---------- (total run time: 147 seconds)
Uwaga: Jak wklejasz loga to obejmuj go znacznikiem (tagiem) CODE lub QUOTE
Pozdrawiam Gutek2222
Pawel_85
(Paweł_85)
26 Czerwiec 2007 22:01
#4
Skan: AVG AntySpyware 7.5
Wklejając loga obejmij go znacznikiem (tagiem) CODE lub QUOTE
Gutek
(Gutek)
26 Czerwiec 2007 23:43
#5
Syfu a syfu najpierw automat - Daj log z Combofix