wyskakuje mi okienko w czerwonej ramce windowws security center system warning
alert details
file:
{hidden_system_process}
threat:
trojan-downloader.win32.small.abov
nie mogę zrobić logów po prostu się nie da ale chyba mogę instalować programy
prawdopodobnie mam wirusa w explorer.exe
c:\windows\explorer.EXE
i konia trojańskiego o nazwie
trojan.win32.monder.gen
obiekt znajduje się w c:\windows\system32\xmnlnr.dll
Pobierz Malwarebytes’ Anti-Malware Instrukcja i program tutaj http://cybertrash.pl/Tata/MBAM/Malwareb … lware.html przeskanuj wszystkie dyski usuń co znajdzie, daj log na forum
Następnie pobierz Combofix przeskanuj system i daj log na forum.
nie mogę zainstalować tego programu mbam
za to udało mi się zainstalować program a-squared anti-malware
znalazł mi 97 zagrożeń
wszystkie usunąłem, ale nie widzę różnicy dalej mam to samo tyle ze ten program wykrywa mi pełno nowych wirusów
// Połączono posty.
nie usuwam mi tego wirusa ten program
wykrywa od razu trojana downloader.win32.fraudload!ik
i pełno innych
Pokaż log z Combofix
nie mogę uruchomić combofixa
W czasie pobierania i skanowania combofixem zamknij wszelkie programy ochronne (Antywirusa, zaporę)
Jak nie pomoże:
Spróbuj podczas pobierania zapisać nie pod nazwą ComboFix.exe tylko z kreską pomiędzy:
Combo-Fix.exe
Jeśli to również:
Uruchom combofix w trybie awaryjnym
a-squared Anti-Malware - Wersja 4.0
Last update: 2008-11-26 13:14:53
Skanowanie ustawień:
Obiekty: Pamięć, Ślady, Ciasteczka, C:\WINDOWS, C:\Program Files
Skanowanie archiwów: Wł.
Heurystyka: Wł.
Skanowanie reklam: Wł.
Uruchomione skanowanie: 2008-11-26 14:31:31
[692] C:\WINDOWS\system32\winmyy32.dll wykryto: Trojan-Downloader.Win32.FraudLoad!IK
[692] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK
[1004] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK
[1004] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK
[1004] C:\WINDOWS\system32\ebitnmno.dll wykryto: Trojan.Win32.Vundo!IK
[308] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK
[1256] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK
[1500] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK
[2988] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK
[3940] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK
[4364] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK
[4364] C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK
[5472] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK
[4952] C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK
C:\WINDOWS\Minidump\Mini112408-01.dmp wykryto: Virus.Win32.DNSChanger.VJ!IK
C:\WINDOWS\patcher.exe wykryto: Backdoor.Rbot!IK
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe wykryto: Email-Worm.Win32.Brontok.do!IK
C:\WINDOWS\system32\av.dat wykryto: Trojan-Downloader.VB.Gen.1!IK
C:\WINDOWS\system32\ccifjyry.dll wykryto: Trojan.Win32.Vundo!IK
C:\WINDOWS\system32\dllcache\msconfig.exe wykryto: Email-Worm.Win32.Brontok.do!IK
C:\WINDOWS\system32\ebitnmno.dll wykryto: Trojan.Win32.Vundo!IK
C:\WINDOWS\system32\geBtQjHy.dll wykryto: Trojan.Win32.Vundo!IK
C:\WINDOWS\system32\getfn32.dll wykryto: Backdoor.Win32.VB!IK
C:\WINDOWS\system32\khfEWPHX.dll wykryto: Trojan.Win32.Monder!IK
C:\WINDOWS\system32\opnolKcA.dll wykryto: Trojan.Win32.Vundo!IK
C:\WINDOWS\system32\ptruuccu.dll wykryto: Trojan.Win32.Vundo!IK
C:\WINDOWS\system32\rs32net.exe wykryto: Win32.SuspectCrc!IK
C:\WINDOWS\system32\smwin32.dll wykryto: Riskware.AdWare.Win32.CashDeluxe!IK
C:\WINDOWS\system32\uesiuqcr.exe wykryto: Trojan-Downloader.VB.Gen.1!IK
C:\WINDOWS\system32\winmyy32.dll wykryto: Trojan-Downloader.Win32.FraudLoad!IK
C:\WINDOWS\system32\ypmhik.dll wykryto: Trojan.Win32.Vundo!IK
C:\WINDOWS\temp\BN2.tmp wykryto: VirTool.WinNT.Cutwail.K!IK
C:\WINDOWS\temp\BN3.tmp wykryto: VirTool.WinNT.Cutwail.K!IK
C:\WINDOWS\temp\BN6.tmp wykryto: VirTool.WinNT.Cutwail.K!IK
Zeskanowano
Pliki: 36694
Ślady: 546484
Ciasteczka: 317
Procesy: 48
Znaleziono
Pliki: 20
Ślady: 0
Ciasteczka: 0
Procesy: 14
Klucze rejestru: 0
Zakończono skanowanie: 2008-11-26 15:10:25
Scan time: 0:38:54
to raport po inteligentnym skanowaniu czyli tym mniej dokladnym
udało mi się zrobić logi silent runners
“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“swg” = “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [“Google Inc.”]
“H/PC Connection Agent” = ““C:\Program Files\Programy\ActiveSync 4.2\wcescomm.exe”” [MS]
“ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“pdfSaver3” = ““C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe”” [“Tracker Software Products Ltd.”]
“DAEMON Tools Lite” = ““C:\Program Files\Programy\DAEMON Tools Lite\daemon.exe” -autorun” [“DT Soft Ltd”]
“rs32net” = “C:\WINDOWS\System32\rs32net.exe” [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]
“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]
“BluetoothAuthenticationAgent” = “rundll32.exe bthprops.cpl,BluetoothAuthenticationAgent” [MS]
“HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Co.”]
“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“AppleSyncNotifier” = “C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe” [“Apple Inc.”]
“QuickTime Task” = ““C:\Program Files\QuickTime Alternative\qttask.exe” -atboottime” [“Apple Inc.”]
“iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Inc.”]
“MMReminderService” = “C:\Program Files\Mindjet\MindManager 6\MMReminderService.exe” [“Mindjet”]
“AVP” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe”” [“Kaspersky Lab”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{7fc793e3-2599-4e31-9806-1e7bff68f894}(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\khfEWPHX.dll” [null data]
{93DCDB67-3C26-4A3D-B54D-BB571B662069}(Default) = (no title provided)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\vtUkllKd.dll” [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM…CLSID} = “Google Toolbar Helper”
\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided)
-> {HKLM…CLSID} = “Google Toolbar Notifier BHO”
\InProcServer32(Default) = “C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll” [“Google Inc.”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”
-> {HKLM…CLSID} = “DesktopContext Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”
-> {HKLM…CLSID} = “NVIDIA CPL Extension”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
-> {HKLM…CLSID} = “Portable Media Devices Menu”
\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”
-> {HKLM…CLSID} = “Desktop Explorer”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”
-> {HKLM…CLSID} = “nView Desktop Context Menu”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{00020000-0000-1011-8004-0000C06B5161}” = “WIBU-SYSTEMS Shell Extension”
-> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension”
\InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”]
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”
-> {HKLM…CLSID} = “RealOne Player Context Menu Class”
\InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]
“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”
-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”
\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]
“{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Statystyki dla ochrony WWW”
-> {HKLM…CLSID} = “Statystyki dla ochrony WWW”
\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll” [“Kaspersky Lab”]
“{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}” = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”
-> {HKLM…CLSID} = “Microsoft Office OneNote Namespace Extension for Windows Desktop Search”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL” [MS]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office12\msohevi.dll” [MS]
“{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler”
-> {HKLM…CLSID} = “Microsoft Office Metadata Handler”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]
“{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler”
-> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS]
“{AB4F43CA-ADCD-4384-B9AF-3CECEA7D6544}” = “Web Sites”
-> {HKLM…CLSID} = “Web Sites”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\12\BIN\FPNSE.DLL” [MS]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”
-> {HKLM…CLSID} = “Outlook File Icon Extension”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL” [MS]
“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”
-> {HKLM…CLSID} = “Microsoft Office Outlook”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL” [MS]
“{49BF5420-FA7F-11cf-8011-00A0C90A8F78}” = “Mobile Device”
-> {HKLM…CLSID} = “Urządzenie przenośne”
\InProcServer32(Default) = “C:\PROGRA~1\Programy\ACTIVE~1.2\Wcesview.dll” [MS]
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”
-> {HKLM…CLSID} = “iTunes”
\InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Inc.”]
“{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx”
-> {HKLM…CLSID} = “AlcoholShellEx”
\InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> “{7FC793E3-2599-4E31-9806-1E7BFF68F894}” = “*a” (unwritable string)
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\khfEWPHX.dll” [null data]
HKLM\SOFTWA RE\Microsoft\Windows NT\CurrentVersion\Winlogon\
<> “GinaDLL” = “GTGina.dll” [“Gemtek”]
<> “Userinit” = “C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,” [MS], [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<> “Authentication Packages” = “msv1_0”|“C:\WINDOWS\system32\vtUkllKd”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> khfEWPHX\DLLName = “khfEWPHX.dll” [null data]
<> klogon\DLLName = “C:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”]
<> winmyy32\DLLName = “winmyy32.dll” [null data]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = “{807563E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = “Microsoft Office InfoPath XML Mime Filter”
\InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL” [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{00020000-0000-1011-8004-0000C06B5161}(Default) = (no title provided)
-> {HKLM…CLSID} = “WIBU-SYSTEMS Shell Extension”
\InProcServer32(Default) = “C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll” [“WIBU-SYSTEMS AG”]
{4A681BEC-7727-49BD-B695-79F8354CD2E5}(Default) = “PMF Custom Columns”
-> {HKLM…CLSID} = “PMFColumns Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\ESRI\esriShellExt.dll” ["ESRI "]
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]
HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll” [“Kaspersky Lab”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ShellEx.dll” [“Kaspersky Lab”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
Default executables:
<> HKLM\SOFTWARE\Classes.com(Default) = “ComFile”
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NoDrives” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NoDrives” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideLogoffScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideStartupScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“RunLogonScriptSync” = (REG_DWORD) dword:0x00000001
{unrecognized setting}
“RunStartupScriptSync” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“DisableTaskMgr” = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
“DisableRegistryTools” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideLegacyLogonScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideLogoffScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“RunLogonScriptSync” = (REG_DWORD) dword:0x00000001
{unrecognized setting}
“RunStartupScriptSync” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“HideStartupScripts” = (REG_DWORD) dword:0x00000000
{unrecognized setting}
“DisableTaskMgr” = (REG_DWORD) dword:0x00000001
{unrecognized setting}
Active Desktop and Wallpaper:
Active Desktop may be enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\default.htm”
Windows Portable Device AutoPlay Handlers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
AlcoholAutoPlayV2.BurnDisc\
“Provider” = “Alcohol 120%”
“InvokeProgID” = “AlcoholAutoPlayV2”
“InvokeVerb” = “BurnDisc”
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command(Default) = ““C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe” %1” [“Alcohol Soft Development Team”]
AlcoholAutoPlayV2.ReadDisc\
“Provider” = “Alcohol 120%”
“InvokeProgID” = “AlcoholAutoPlayV2”
“InvokeVerb” = “ReadDisc”
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command(Default) = ““C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe” %1” [“Alcohol Soft Development Team”]
HPUnloadAutoplay\
“Provider” = “Przesyłanie HP i Szybki wydruk”
“InvokeProgID” = “HpqUnApl.Autoplay”
“InvokeVerb” = “Play”
HKLM\SOFTWARE\Classes\HpqUnApl.Autoplay\shell\Play\DropTarget\CLSID = “{E1A1C814-FD09-4c9d-BB4A-0394B836A1F0}”
-> {HKLM…CLSID} = (no title provided)
\LocalServer32(Default) = “C:\Program Files\HP\Digital Imaging\Unload\HpqUnApl.exe” [“Hewlett-Packard”]
iTunesBurnCDOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.BurnCD”
“InvokeVerb” = “burn”
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayBurn “%L”” [“Apple Inc.”]
iTunesImportSongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.ImportSongsOnCD”
“InvokeVerb” = “import”
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayImportSongs “%L”” [“Apple Inc.”]
iTunesPlaySongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.PlaySongsOnCD”
“InvokeVerb” = “play”
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /playCD “%L”” [“Apple Inc.”]
iTunesShowSongsOnArrival\
“Provider” = “iTunes”
“InvokeProgID” = “iTunes.ShowSongsOnCD”
“InvokeVerb” = “showsongs”
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command(Default) = ““C:\Program Files\iTunes\iTunes.exe” /AutoPlayShowSongs “%L”” [“Apple Inc.”]
MPCPlayCDAudioOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayCDAudio”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /cd” [“Gabest”]
MPCPlayDVDMovieOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayDVDMovie”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1 /dvd” [“Gabest”]
MPCPlayMusicFilesOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayMusicFiles”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1” [“Gabest”]
MPCPlayVideoFilesOnArrival\
“Provider” = “Media Player Classic”
“InvokeProgID” = “MediaPlayerClassic.Autorun”
“InvokeVerb” = “PlayVideoFiles”
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command(Default) = ““C:\Program Files\Programy\K-Lite Codec Pack\Media Player Classic\mplayerc.exe” %1” [“Gabest”]
MSPlayCDAudioOnArrival\
“Provider” = “ALLPlayer”
“InvokeProgID” = “AllPlayerFile”
“InvokeVerb” = “play”
HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command(Default) = "“C:\Program Files\Programy\ALLPlayer\ALLPlayer.exe” “%1"” [“MarBit”]
NeroAutoPlay2AudioToNeroDigital\
“Provider” = “Nero Burning ROM”
“InvokeProgID” = “Nero.AutoPlay2”
“InvokeVerb” = “PlayCDAudioOnArrival_AudioToNeroDigital”
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_AudioToNeroDigital\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracksND /Drive:%L” [“Ahead Software AG”]
NeroAutoPlay2CDAudio\
“Provider” = “Nero Express”
“InvokeProgID” = “Nero.AutoPlay2”
“InvokeVerb” = “HandleCDBurningOnArrival_CDAudio”
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L” [“Ahead Software AG”]
NeroAutoPlay2CopyCD\
“Provider” = “Nero Express”
“InvokeProgID” = “Nero.AutoPlay2”
“InvokeVerb” = “PlayCDAudioOnArrival_CopyCD”
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L” [“Ahead Software AG”]
NeroAutoPlay2DataDisc\
“Provider” = “Nero Express”
“InvokeProgID” = “Nero.AutoPlay2”
“InvokeVerb” = “HandleCDBurningOnArrival_DataDisc”
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L” [“Ahead Software AG”]
NeroAutoPlay2LaunchNeroStartSmart\
“Provider” = “Nero StartSmart”
“InvokeProgID” = “Nero.AutoPlay2”
“InvokeVerb” = “HandleCDBurningOnArrival_LaunchNeroStartSmart”
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command(Default) = “C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L” [“Ahead Software AG”]
NeroAutoPlay2RipCD\
“Provider” = “Nero Burning ROM”
“InvokeProgID” = “Nero.AutoPlay2”
“InvokeVerb” = “PlayCDAudioOnArrival_RipCD”
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_RipCD\command(Default) = “C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracks /Drive:%L” [“Ahead Software AG”]
PDVDPlayDVDMovieOnArrival\
“Provider” = “PowerDVD”
“InvokeProgID” = “DVD”
“InvokeVerb” = “PlayWithPowerDVD”
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command(Default) = ““C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe” “%l”” [“CyberLink Corp.”]
RPDeviceOnArrival\
“Provider” = “RealPlayer”
“ProgID” = “RealPlayer.HWEventHandler”
HKLM\SOFTWARE\Classes\RealPlayer.HWEventHandler\CLSID(Default) = “{67E76F1D-BDE2-4052-913C-2752366192D2}”
-> {HKLM…CLSID} = “RealNetworks Scheduler”
\LocalServer32(Default) = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -autoplay” [“RealNetworks, Inc.”]
Startup items in “User” & “All Users” startup folders:
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
“Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”]
“HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”]
Enabled Scheduled Tasks:
“dqyaripy” -> launches: “C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\geBtQjHy.dll”,d” [MS]
“rfxfzevt” -> launches: “C:\WINDOWS\system32\rundll32.exe “C:\WINDOWS\system32\opnolKcA.dll”,d” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000004\LibraryPath = “%SystemRoot%\system32\wshbth.dll” [MS]
000000000005\LibraryPath = “C:\Program Files\Bonjour\mdnsNSP.dll” [“Apple Inc.”]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 50
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{2318C2B1-4965-11D4-9B18-009027A5CD4F}”
-> {HKLM…CLSID} = “&Google”
\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
“{32099AAC-C132-4136-9E9A-4E364A424E17}”
-> {HKLM…CLSID} = “DAEMON Tools Toolbar”
\InProcServer32(Default) = “C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll” [null data]
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
“{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided)
-> {HKLM…CLSID} = “&Google”
\InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”]
“{32099AAC-C132-4136-9E9A-4E364A424E17}” = (no title provided)
-> {HKLM…CLSID} = “DAEMON Tools Toolbar”
\InProcServer32(Default) = “C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll” [null data]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]
HKLM\SOFTWARE\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]
HKLM\SOFTWARE\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]
HKLM\SOFTWARE\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Statystyki dla ochrony WWW”
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll” [“Kaspersky Lab”]
HKLM\SOFTWARE\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Poszukaj”
Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL” [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.6.0_05”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.6.0_05”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll” [“Sun Microsystems, Inc.”]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
“ButtonText” = “Statystyki dla ochrony WWW”
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
“ButtonText” = “Wyślij do programu OneNote”
“MenuText” = “Wyślij &do programu OneNote”
“CLSIDExtension” = “{48E73304-E1D6-4330-914C-F5F514E3486C}”
-> {HKLM…CLSID} = “Send to OneNote from Internet Explorer button”
\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll” [MS]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
“ButtonText” = “Create Mobile Favorite”
“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”
-> {HKLM…CLSID} = “Create Mobile Favorite”
\InProcServer32(Default) = “C:\PROGRA~1\Programy\ACTIVE~1.2\INetRepl.dll” [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
“MenuText” = “Utwórz łącze Ulubione dla urządzenia przenośnego…”
“CLSIDExtension” = “{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}”
-> {HKLM…CLSID} = “Create Mobile Favorite”
\InProcServer32(Default) = “C:\PROGRA~1\Programy\ACTIVE~1.2\INetRepl.dll” [MS]
{531B9DC0-D8EE-4C76-A6EE-6C1E50569655}\
“ButtonText” = “Send to Mindjet MindManager”
“CLSIDExtension” = “{AC41D38F-B56D-40AD-94E0-B493D130C959}”
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Research”
Miscellaneous IE Hijack Points
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)
-> {HKLM…CLSID} = “Search Class”
\InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]
Running Services (Display Name, Service Name, Path {Service DLL}):
a-squared Anti-Malware Service, a2AntiMalware, ““C:\Program Files\a-squared Anti-Malware\a2service.exe”” [“Emsi Software GmbH”]
Apple Mobile Device, Apple Mobile Device, ““C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe”” [“Apple Inc.”]
ArcGIS License Manager, ArcGIS License Manager, “C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe” [null data]
BlueSoleil Hid Service, BlueSoleil Hid Service, “C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe” [null data]
Bluetooth Support Service, BthServ, “C:\WINDOWS\system32\svchost.exe -k bthsvcs” {“C:\WINDOWS\System32\bthserv.dll” [MS]}
Bonjour Service, Bonjour Service, ““C:\Program Files\Bonjour\mDNSResponder.exe”” [“Apple Inc.”]
NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]
Usługa iPod, iPod Service, ““C:\Program Files\iPod\bin\iPodService.exe”” [“Apple Inc.”]
Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]
WUSB54GCSVC, WUSB54GCSVC, ““C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe” “WUSB54GC.exe”” [“GEMTEKS”]
Print Monitors:
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzsnt12\Driver = “hpzsnt12.dll” [“HP”]
PDF-XChange\Driver = “C:\WINDOWS\system32\pxc25pm.dll” [“Tracker Software”]
---------- (launch time: 2008-11-26 15:43:51)
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
took 193 seconds.
---------- (total run time: 281 seconds)
jackspa7 ,
Rejestrując się na niniejszym forum zobowiązałeś się przestrzegać jego regulaminu. Niestety, w tym momencie łamiesz go nie tytułując poprawnie tematu, nie używając polskich znaczków (ę, ą, ś, ż, ź, ć, ń, ł, ó) oraz popełniając błędy gramatyczne. Proszę więc zapoznać się w pierwszej kolejności z całym regulaminem forum, a następnie używając przycisku 
Zmiana zasad wklejania logów na forum - viewtopic.php?f=16t=253052 Proszę poprawić wszystkie logi w niniejszym wątku.
Proszę również o dostosowanie swoich przyszłych wiadomości do tego ogłoszenia: viewtopic.php?f=3t=213590
W przypadku zignorowania prośby temat poleci do śmietnika oraz mogą zostać wyciągnięte konsekwencje w postaci ostrzeżenia.
Podaj log z Combofix
nie da się, próbowałem w trybie awaryjnym uruchomić combofixa, i nic
nie wiem dlaczego nie mogę go uruchomić, zawsze jak zamykam system to wyskakuje mi błąd explorer.exe
teraz nawet było już lepiej
zrobiłem tak, włączyłem tryb awaryjny odpaliłem combofixa i nic
zaraz po tym włączyłem normalnie windowsa i odpaliłem combofixa i pojawił mi się pasek ładowania przeminął i do tej pory nic się nie dzieje
ale to jakiś postęp hehe
Pobierz ComboFix, ale nie uruchamiaj
Wklej do notatnika:
File::
c:\windows\system32\TDSScfum.dll
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\drivers\ati6pvxx.sys
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSbrsr.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSosvd.dat
C:\145158539
c:\windows\system32\tmpBF.tmp
c:\windows\system32\tmpBE.tmp
Driver::
CSRBC01
restore
vad_multi
Plik -> zapisz jako -> CFScript.txt.
Przeciągnij i upuść ikonkę CFScript.txt na ikonkę ComboFix.exe tak jak tu->
Rozpocznie się usuwanie i powstanie log, który dasz na forum.
Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link
nie pobierałem nowego combofixa, korzystałem ze starszej wersji ale to chyba nie ma dużego znaczenia
czy w tych logach wszystko jest w porządku?
start>>uruchom>>>cmd
sc stop e16d6765
sc delete e16d6765
po każdej linijce enter
usuń ręcznie folder C: \Qoobox , usuń instalkę Combofix z dysku.
Przeczyść komputer Ccleanerem
Wykonaj optymalizację autostartu
Wyłącz i włącz przywracanie systemu na wszystkich dyskach. Instrukcja
Przeskanuj obszar całego komputera http://www.kaspersky.pl/virusscanner.html Daj raport z niego na forum
lub
kaspersky nic nie wykrył, ale komenda msconfig nie działa, i mam problem z drukarką która przy drukowaniu zawsze drukuje stronę testową
nie wiem czy to nie przypadkiem od tego wirusa tak się dzieje
Start >>> Uruchom >>> regedit i zweryfikuj czy masz dokładnie tak zapisane:
Klucz w rejestrze:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE
z wartością po prawej stronie:
(Default) REG_SZ C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe
Jak nie to:
Włóż płytkę CD XP do napędu
Start >>> Uruchom >>> C:\Windows\inf
Prawy klik na plik pchealth.inf i opcja Instaluj.
Cały folder PCHEALTH z msconfig zostanie odbudowany z płyty CD
ok zrobię tak, ale z płytki bo nie mam tego pliku w regedicie,
a co z drukarką? to przez wirusa?
Czyli msconfig działa?
Może przeinstalować drukarkę - zainstalować ją jeszcze raz?