Problem z trojanami, plik explorer.exe

wyskakuje mi okienko w czerwonej ramce windowws security center system warning

alert details

file:

{hidden_system_process}

threat:

trojan-downloader.win32.small.abov

nie mogę zrobić logów po prostu się nie da ale chyba mogę instalować programy

prawdopodobnie mam wirusa w explorer.exe

c:\windows\explorer.EXE

i konia trojańskiego o nazwie

trojan.win32.monder.gen

obiekt znajduje się w c:\windows\system32\xmnlnr.dll

Pobierz Malwarebytes’ Anti-Malware Instrukcja i program tutaj http://cybertrash.pl/Tata/MBAM/Malwareb … lware.html przeskanuj wszystkie dyski usuń co znajdzie, daj log na forum

Następnie pobierz Combofix przeskanuj system i daj log na forum.

nie mogę zainstalować tego programu mbam

za to udało mi się zainstalować program a-squared anti-malware

znalazł mi 97 zagrożeń

wszystkie usunąłem, ale nie widzę różnicy dalej mam to samo tyle ze ten program wykrywa mi pełno nowych wirusów

// Połączono posty.

nie usuwam mi tego wirusa ten program

wykrywa od razu trojana downloader.win32.fraudload!ik

i pełno innych

Pokaż log z Combofix

nie mogę uruchomić combofixa

W czasie pobierania i skanowania combofixem zamknij wszelkie programy ochronne (Antywirusa, zaporę)

Jak nie pomoże:

Spróbuj podczas pobierania zapisać nie pod nazwą ComboFix.exe tylko z kreską pomiędzy:

Combo-Fix.exe

Jeśli to również:

Uruchom combofix w trybie awaryjnym

a-squared Anti-Malware - Wersja 4.0

Last update: 2008-11-26 13:14:53

Skanowanie ustawień:

Obiekty: Pamięć, Ślady, Ciasteczka, C:\WINDOWS, C:\Program Files

Skanowanie archiwów: Wł.

Heurystyka: Wł.

Skanowanie reklam: Wł.

Uruchomione skanowanie: 2008-11-26 14:31:31

[692] C:\WINDOWS\system32\winmyy32.dll wykryto: Trojan-Downloader.Win32.FraudLoad!IK

[692] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK

[1004] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK

[1004] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK

[1004] C:\WINDOWS\system32\ebitnmno.dll wykryto: Trojan.Win32.Vundo!IK

[308] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK

[1256] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK

[1500] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK

[2988] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK

[3940] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK

[4364] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK

[4364] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK

[5472] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK

[4952] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK

C:\WINDOWS\Minidump\Mini112408-01.dmp wykryto: Virus.Win32.DNSChanger.VJ!IK

C:\WINDOWS\patcher.exe wykryto: Backdoor.Rbot!IK

C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe wykryto: Email-Worm.Win32.Brontok.do!IK

C:\WINDOWS\system32\av.dat wykryto: Trojan-Downloader.VB.Gen.1!IK

C:\WINDOWS\system32\ccifjyry.dll wykryto: Trojan.Win32.Vundo!IK

C:\WINDOWS\system32\dllcache\msconfig.exe wykryto: Email-Worm.Win32.Brontok.do!IK

C:\WINDOWS\system32\ebitnmno.dll wykryto: Trojan.Win32.Vundo!IK

C:\WINDOWS\system32\geBtQjHy.dll wykryto: Trojan.Win32.Vundo!IK

C:\WINDOWS\system32\getfn32.dll wykryto: Backdoor.Win32.VB!IK

C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK

C:\WINDOWS\system32\opnolKcA.dll wykryto: Trojan.Win32.Vundo!IK

C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK

C:\WINDOWS\system32\rs32net.exe wykryto: Win32.SuspectCrc!IK

C:\WINDOWS\system32\smwin32.dll wykryto: Riskware.AdWare.Win32.CashDeluxe!IK

C:\WINDOWS\system32\uesiuqcr.exe wykryto: Trojan-Downloader.VB.Gen.1!IK

C:\WINDOWS\system32\winmyy32.dll wykryto: Trojan-Downloader.Win32.FraudLoad!IK

C:\WINDOWS\system32\ypmhik.dll wykryto: Trojan.Win32.Vundo!IK

C:\WINDOWS\temp\BN2.tmp wykryto: VirTool.WinNT.Cutwail.K!IK

C:\WINDOWS\temp\BN3.tmp wykryto: VirTool.WinNT.Cutwail.K!IK

C:\WINDOWS\temp\BN6.tmp wykryto: VirTool.WinNT.Cutwail.K!IK

Zeskanowano

Pliki: 36694

Ślady: 546484

Ciasteczka: 317

Procesy: 48

Znaleziono

Pliki: 20

Ślady: 0

Ciasteczka: 0

Procesy: 14

Klucze rejestru: 0

Zakończono skanowanie: 2008-11-26 15:10:25

Scan time: 0:38:54

to raport po inteligentnym skanowaniu czyli tym mniej dokladnym

udało mi się zrobić logi silent runners

“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [“Google Inc.”]

“H/PC Connection Agent” = ““C:\Program Files\Programy\ActiveSync 4.2\wcescomm.exe”” [MS]

“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

“pdfSaver3” = ““C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe”” [“Tracker Software Products Ltd.”]

“DAEMON Tools Lite” = ““C:\Program Files\Programy\DAEMON Tools Lite\daemon.exe” -autorun” [“DT Soft Ltd”]

“rs32net” = “C:\WINDOWS\System32\rs32net.exe” [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]

“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]

“BluetoothAuthenticationAgent” = “rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent” [MS]

“HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”]

“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”” [“Sun Microsystems, Inc.”]

“AppleSyncNotifier” = “C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe” [“Apple Inc.”]

“QuickTime Task” = ““C:\Program Files\QuickTime Alternative\qttask.exe” -atboottime” [“Apple Inc.”]

“iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Inc.”]

“MMReminderService” = “C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe” [“Mindjet”]

“AVP” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe”” [“Kaspersky Lab”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]

{7fc793e3-2599-4e31-9806-1e7bff68f894}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\khfEWPHX.dll” [null data]

{93DCDB67-3C26-4A3D-B54D-BB571B662069}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\vtUkllKd.dll” [null data]

{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)

-> {HKLM…CLSID} = “Google Toolbar Helper”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided)

-> {HKLM…CLSID} = “Google Toolbar Notifier BHO”

\InProcServer32(Default) = “C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll” [“Google Inc.”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

-> {HKLM…CLSID} = “DesktopContext Class”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

-> {HKLM…CLSID} = “NVIDIA CPL Extension”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

-> {HKLM…CLSID} = “Desktop Explorer”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

-> {HKLM…CLSID} = “nView Desktop Context Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{00020000-0000-1011-8004-0000C06B5161}” = “WIBU-SYSTEMS Shell Extension”

-> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension”

\InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”]

“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”

-> {HKLM…CLSID} = “RealOne Player Context Menu Class”

\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]

“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”

-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”

\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]

“{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Statystyki dla ochrony WWW”

-> {HKLM…CLSID} = “Statystyki dla ochrony WWW”

\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll” [“Kaspersky Lab”]

“{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”

-> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS]

“{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler”

-> {HKLM…CLSID} = “Microsoft Office Metadata Handler”

\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]

“{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler”

-> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler”

\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]

“{AB4F43CA-ADCD-4384-B9AF-3CECEA7D6544}” = “Web Sites”

-> {HKLM…CLSID} = “Web Sites”

\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\12\BIN\FPNSE.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Outlook File Icon Extension”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL” [MS]

“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

-> {HKLM…CLSID} = “Microsoft Office Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL” [MS]

“{49BF5420-FA7F-11cf-8011-00A0C90A8F78}” = “Mobile Device”

-> {HKLM…CLSID} = “Urządzenie przenośne”

\InProcServer32(Default) = “C:\PROGRA~1\Programy\ACTIVE~1.2\Wcesview.dll” [MS]

“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”

-> {HKLM…CLSID} = “iTunes”

\InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Inc.”]

“{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx”

-> {HKLM…CLSID} = “AlcoholShellEx”

\InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> “{7FC793E3-2599-4E31-9806-1E7BFF68F894}” = “*a” (unwritable string)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\khfEWPHX.dll” [null data]

HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\

<> “GinaDLL” = “GTGina.dll” [“Gemtek”]

<> “Userinit” = “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,” [MS], [file not found]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\

<> “Authentication Packages” = “msv1_0”|“C:\WINDOWS\system32\vtUkllKd”

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> khfEWPHX\DLLName = “khfEWPHX.dll” [null data]

<> klogon\DLLName = “C:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”]

<> winmyy32\DLLName = “winmyy32.dll” [null data]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}”

-> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter”

\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{00020000-0000-1011-8004-0000C06B5161}(Default) = (no title provided)

-> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension”

\InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”]

{4A681BEC-7727-49BD-B695-79F8354CD2E5}(Default) = “PMF Custom Columns”

-> {HKLM…CLSID} = “PMFColumns Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\ESRI\esriShellExt.dll” ["ESRI "]

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll” [“Kaspersky Lab”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll” [“Kaspersky Lab”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Default executables:


<> HKLM\SOFTWARE\Classes.com(Default) = “ComFile”

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoDrives” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoDrives” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“HideLogoffScripts” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“HideStartupScripts” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“RunLogonScriptSync” = (REG_DWORD) dword:0x00000001

{unrecognized setting}

“RunStartupScriptSync” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“DisableTaskMgr” = (REG_DWORD) dword:0x00000001

{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|

Remove Task Manager}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

“DisableRegistryTools” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“HideLogoffScripts” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“RunLogonScriptSync” = (REG_DWORD) dword:0x00000001

{unrecognized setting}

“RunStartupScriptSync” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“HideStartupScripts” = (REG_DWORD) dword:0x00000000

{unrecognized setting}

“DisableTaskMgr” = (REG_DWORD) dword:0x00000001

{unrecognized setting}

Active Desktop and Wallpaper:


Active Desktop may be enabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

“Wallpaper” = “C:\WINDOWS\default.htm”

Windows Portable Device AutoPlay Handlers


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AlcoholAutoPlayV2.BurnDisc\

“Provider” = “Alcohol 120%”

“InvokeProgID” = “AlcoholAutoPlayV2”

“InvokeVerb” = “BurnDisc”

HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command(Default) = ““C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe” %1” [“Alcohol Soft Development Team”]

AlcoholAutoPlayV2.ReadDisc\

“Provider” = “Alcohol 120%”

“InvokeProgID” = “AlcoholAutoPlayV2”

“InvokeVerb” = “ReadDisc”

HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command(Default) = ““C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe” %1” [“Alcohol Soft Development Team”]

HPUnloadAutoplay\

“Provider” = “Przesyłanie HP i Szybki wydruk”

“InvokeProgID” = “HpqUnApl.Autoplay”

“InvokeVerb” = “Play”

HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = “{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}”

-> {HKLM…CLSID} = (no title provided)

\LocalServer32(Default) = “C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe” [“Hewlett-Packard”]

iTunesBurnCDOnArrival\

“Provider” = “iTunes”

“InvokeProgID” = “iTunes.BurnCD”

“InvokeVerb” = “burn”

HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayBurn “%L”” [“Apple Inc.”]

iTunesImportSongsOnArrival\

“Provider” = “iTunes”

“InvokeProgID” = “iTunes.ImportSongsOnCD”

“InvokeVerb” = “import”

HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayImportSongs “%L”” [“Apple Inc.”]

iTunesPlaySongsOnArrival\

“Provider” = “iTunes”

“InvokeProgID” = “iTunes.PlaySongsOnCD”

“InvokeVerb” = “play”

HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /playCD “%L”” [“Apple Inc.”]

iTunesShowSongsOnArrival\

“Provider” = “iTunes”

“InvokeProgID” = “iTunes.ShowSongsOnCD”

“InvokeVerb” = “showsongs”

HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayShowSongs “%L”” [“Apple Inc.”]

MPCPlayCDAudioOnArrival\

“Provider” = “Media Player Classic”

“InvokeProgID” = “MediaPlayerClassic.Autorun”

“InvokeVerb” = “PlayCDAudio”

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /cd” [“Gabest”]

MPCPlayDVDMovieOnArrival\

“Provider” = “Media Player Classic”

“InvokeProgID” = “MediaPlayerClassic.Autorun”

“InvokeVerb” = “PlayDVDMovie”

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /dvd” [“Gabest”]

MPCPlayMusicFilesOnArrival\

“Provider” = “Media Player Classic”

“InvokeProgID” = “MediaPlayerClassic.Autorun”

“InvokeVerb” = “PlayMusicFiles”

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1” [“Gabest”]

MPCPlayVideoFilesOnArrival\

“Provider” = “Media Player Classic”

“InvokeProgID” = “MediaPlayerClassic.Autorun”

“InvokeVerb” = “PlayVideoFiles”

HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1” [“Gabest”]

MSPlayCDAudioOnArrival\

“Provider” = “ALLPlayer”

“InvokeProgID” = “AllPlayerFile”

“InvokeVerb” = “play”

HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command(Default) = "“C:\Program Files\Programy\ALLPlayer\ALLPlayer.exe” “%1"” [“MarBit”]

NeroAutoPlay2AudioToNeroDigital\

“Provider” = “Nero Burning ROM”

“InvokeProgID” = “Nero.AutoPlay2”

“InvokeVerb” = “PlayCDAudioOnArrival_AudioToNeroDigital”

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_AudioToNeroDigital\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracksND /Drive:%L” [“Ahead Software AG”]

NeroAutoPlay2CDAudio\

“Provider” = “Nero Express”

“InvokeProgID” = “Nero.AutoPlay2”

“InvokeVerb” = “HandleCDBurningOnArrival_CDAudio”

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L” [“Ahead Software AG”]

NeroAutoPlay2CopyCD\

“Provider” = “Nero Express”

“InvokeProgID” = “Nero.AutoPlay2”

“InvokeVerb” = “PlayCDAudioOnArrival_CopyCD”

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L” [“Ahead Software AG”]

NeroAutoPlay2DataDisc\

“Provider” = “Nero Express”

“InvokeProgID” = “Nero.AutoPlay2”

“InvokeVerb” = “HandleCDBurningOnArrival_DataDisc”

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L” [“Ahead Software AG”]

NeroAutoPlay2LaunchNeroStartSmart\

“Provider” = “Nero StartSmart”

“InvokeProgID” = “Nero.AutoPlay2”

“InvokeVerb” = “HandleCDBurningOnArrival_LaunchNeroStartSmart”

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command(Default) = “C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L” [“Ahead Software AG”]

NeroAutoPlay2RipCD\

“Provider” = “Nero Burning ROM”

“InvokeProgID” = “Nero.AutoPlay2”

“InvokeVerb” = “PlayCDAudioOnArrival_RipCD”

HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_RipCD\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracks /Drive:%L” [“Ahead Software AG”]

PDVDPlayDVDMovieOnArrival\

“Provider” = “PowerDVD”

“InvokeProgID” = “DVD”

“InvokeVerb” = “PlayWithPowerDVD”

HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command(Default) = ““C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe” “%l”” [“CyberLink Corp.”]

RPDeviceOnArrival\

“Provider” = “RealPlayer”

“ProgID” = “RealPlayer.HWEventHandler”

HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID(Default) = “{67E76F1D-BDE2-4052-913C-2752366192D2}”

-> {HKLM…CLSID} = “RealNetworks Scheduler”

\LocalServer32(Default) = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -autoplay” [“RealNetworks, Inc.”]

Startup items in “User” & “All Users” startup folders:


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]

“HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”]

Enabled Scheduled Tasks:


“dqyaripy” -> launches: “C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\geBtQjHy.dll”,d” [MS]

“rfxfzevt” -> launches: “C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\opnolKcA.dll”,d” [MS]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS]

000000000005\LibraryPath = “C:\Program Files\Bonjour\mdnsNSP.dll” [“Apple Inc.”]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 50

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{2318C2B1-4965-11D4-9B18-009027A5CD4F}”

-> {HKLM…CLSID} = “&Google”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

“{32099AAC-C132-4136-9E9A-4E364A424E17}”

-> {HKLM…CLSID} = “DAEMON Tools Toolbar”

\InProcServer32(Default) = “C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll” [null data]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

“{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided)

-> {HKLM…CLSID} = “&Google”

\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]

“{32099AAC-C132-4136-9E9A-4E364A424E17}” = (no title provided)

-> {HKLM…CLSID} = “DAEMON Tools Toolbar”

\InProcServer32(Default) = “C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll” [null data]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\SOFTWARE\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\SOFTWARE\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”

Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]

InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]

HKLM\SOFTWARE\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Statystyki dla ochrony WWW”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll” [“Kaspersky Lab”]

HKLM\SOFTWARE\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}”

-> {HKCU…CLSID} = “Java Plug-in 1.6.0_05”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]

-> {HKLM…CLSID} = “Java Plug-in 1.6.0_05”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll” [“Sun Microsystems, Inc.”]

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\

“ButtonText” = “Statystyki dla ochrony WWW”

{2670000A-7350-4F3C-8081-5663EE0C6C49}\

“ButtonText” = “Wyślij do programu OneNote”

“MenuText” = “Wyślij &do programu OneNote”

“CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}”

-> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll” [MS]

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\

“ButtonText” = “Create Mobile Favorite”

“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”

-> {HKLM…CLSID} = “Create Mobile Favorite”

\InProcServer32(Default) = “C:\PROGRA~1\Programy\ACTIVE~1.2\INetRepl.dll” [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\

“MenuText” = “Utwórz łącze Ulubione dla urządzenia przenośnego…”

“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”

-> {HKLM…CLSID} = “Create Mobile Favorite”

\InProcServer32(Default) = “C:\PROGRA~1\Programy\ACTIVE~1.2\INetRepl.dll” [MS]

{531B9DC0-D8EE-4C76-A6EE-6C1E50569655}\

“ButtonText” = “Send to Mindjet MindManager”

“CLSIDExtension” = “{AC41D38F-B56D-40AD-94E0-B493D130C959}”

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

“ButtonText” = “Research”

Miscellaneous IE Hijack Points


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)

-> {HKLM…CLSID} = “Search Class”

\InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):


a-squared Anti-Malware Service, a2AntiMalware, ““C:\Program Files\a-squared Anti-Malware\a2service.exe”” [“Emsi Software GmbH”]

Apple Mobile Device, Apple Mobile Device, ““C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe”” [“Apple Inc.”]

ArcGIS License Manager, ArcGIS License Manager, “C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe” [null data]

BlueSoleil Hid Service, BlueSoleil Hid Service, “C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe” [null data]

Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]}

Bonjour Service, Bonjour Service, ““C:\Program Files\Bonjour\mDNSResponder.exe”” [“Apple Inc.”]

NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]

Usługa iPod, iPod Service, ““C:\Program Files\iPod\bin\iPodService.exe”” [“Apple Inc.”]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

WUSB54GCSVC, WUSB54GCSVC, ““C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe” “WUSB54GC.exe”” [“GEMTEKS”]

Print Monitors:


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

hpzsnt12\Driver = “hpzsnt12.dll” [“HP”]

PDF-XChange\Driver = “C:\WINDOWS\system32\pxc25pm.dll” [“Tracker Software”]

---------- (launch time: 2008-11-26 15:43:51)

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 193 seconds.

---------- (total run time: 281 seconds)

jackspa7 ,

Rejestrując się na niniejszym forum zobowiązałeś się przestrzegać jego regulaminu. Niestety, w tym momencie łamiesz go nie tytułując poprawnie tematu, nie używając polskich znaczków (ę, ą, ś, ż, ź, ć, ń, ł, ó) oraz popełniając błędy gramatyczne. Proszę więc zapoznać się w pierwszej kolejności z całym regulaminem forum, a następnie używając przycisku zmien.gif

Zmiana zasad wklejania logów na forum - viewtopic.php?f=16t=253052 Proszę poprawić wszystkie logi w niniejszym wątku.

Proszę również o dostosowanie swoich przyszłych wiadomości do tego ogłoszenia: viewtopic.php?f=3t=213590

W przypadku zignorowania prośby temat poleci do śmietnika oraz mogą zostać wyciągnięte konsekwencje w postaci ostrzeżenia.

o to logi:

http://wklejto.pl/16523

Podaj log z Combofix

nie da się, próbowałem w trybie awaryjnym uruchomić combofixa, i nic

nie wiem dlaczego nie mogę go uruchomić, zawsze jak zamykam system to wyskakuje mi błąd explorer.exe

teraz nawet było już lepiej

zrobiłem tak, włączyłem tryb awaryjny odpaliłem combofixa i nic

zaraz po tym włączyłem normalnie windowsa i odpaliłem combofixa i pojawił mi się pasek ładowania przeminął i do tej pory nic się nie dzieje

ale to jakiś postęp hehe

po wielkim trudzie udało mi się wykonać logi :

http://wklejto.pl/16535

Pobierz ComboFix, ale nie uruchamiaj

Wklej do notatnika:

File::

c:\windows\system32\TDSScfum.dll

c:\windows\system32\drivers\TDSSmqlt.sys

c:\windows\system32\TDSSofxh.dll

c:\windows\system32\drivers\ati6pvxx.sys

c:\windows\system32\TDSSriqp.dll

c:\windows\system32\TDSSbrsr.dll

c:\windows\system32\TDSSlxwp.dll

c:\windows\system32\TDSSosvd.dat

C:\145158539

c:\windows\system32\tmpBF.tmp

c:\windows\system32\tmpBE.tmp


Driver::

CSRBC01

restore

vad_multi

Plik -> zapisz jako -> CFScript.txt.

Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->

cfscript10uc2.gif

Rozpocznie się usuwanie i powstanie log, który dasz na forum.

Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link

nie pobierałem nowego combofixa, korzystałem ze starszej wersji ale to chyba nie ma dużego znaczenia

http://wklej.org/id/22016/

czy w tych logach wszystko jest w porządku?

start>>uruchom>>>cmd

sc stop e16d6765

sc delete e16d6765

po każdej linijce enter

usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.

Przeczyść komputer Ccleanerem

Wykonaj optymalizację autostartu

Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja

Przeskanuj obszar całego komputera http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum

lub

Dr.WEB CureIt!

kaspersky nic nie wykrył, ale komenda msconfig nie działa, i mam problem z drukarką która przy drukowaniu zawsze drukuje stronę testową

nie wiem czy to nie przypadkiem od tego wirusa tak się dzieje

Start >>> Uruchom >>> regedit i zweryfikuj czy masz dokładnie tak zapisane:

Klucz w rejestrze:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE

z wartością po prawej stronie:

(Default) REG_SZ C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe

Jak nie to:

  1. Włóż płytkę CD XP do napędu

  2. Start >>> Uruchom >>> C:\Windows\inf

  3. Prawy klik na plik pchealth.inf i opcja Instaluj.

  4. Cały folder PCHEALTH z msconfig zostanie odbudowany z płyty CD

ok zrobię tak, ale z płytki bo nie mam tego pliku w regedicie,

a co z drukarką? to przez wirusa?

Czyli msconfig działa?

Może przeinstalować drukarkę - zainstalować ją jeszcze raz?