Problem z trojanem Trojan.Win32.Monderb.adnt i kilkoma inny

Franki · 11 Styczeń 2009 21:42

Witam! mam problem a mianowicie od jakich 3 dni mam problemy z trojanami skanowałem juz przez Kaspersky’ego IS 2009 lecz niestety to nie pomogło ponieważ tego trojana nie jest w stanie usunąć ani wstawić do kwarantanny ponieważ po kazdym uruchomieniu kompa ten trojan jest na nowo a konkretnie jest to trojan o nazwie: Trojan. Win32.Monderb.adnt oraz kilka innych. Poniżej wklejam loga z HJT oraz Silent Runners:

HiJackThis:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 22:35:03, on 2009-01-11 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16762) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ctfmon.exe C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe C:\Program Files\ArcaBit\ArcaAgent\ArcaRemoteSvc.exe C:\Program Files\ArcaBit\ArcaTools\arcabackup\ArcaBackupService.exe C:\PROGRA~1\ArcaBit\Common\ARCATA~1.EXE C:\PROGRA~1\ArcaBit\ARCAUP~1\update.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file) O4 - HKLM…\Run: [AVP] “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe” O4 - HKLM…\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKCU…\Run: [avp] C:\RECYCLER\S-1-5-21-2942357693-3001416816-966493637-1705\hdav.exe O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKUS\S-1-5-19…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA LOKALNA’) O4 - HKUS\S-1-5-20…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘USŁUGA SIECIOWA’) O4 - HKUS\S-1-5-18…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’) O4 - HKUS.DEFAULT…\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’) O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredi … xdm674YYPL O8 - Extra context menu item: Dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Wyślij do interfejsu &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll O9 - Extra button: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - C:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll O9 - Extra ‘Tools’ menuitem: ArcaVir >> - {40525A66-DB98-480D-BCF9-7AF88C1AF438} - C:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach … .0.1.0.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows … 7861991437 O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s … DEXAXO.cab O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll O23 - Service: ArcaBit FileMonitor (ABFileMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe O23 - Service: ArcaBit NetMonitor (ABNetMon) - ArcaBit - C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe O23 - Service: ArcaBit.Core.Configurator - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe O23 - Service: ArcaBit.Core.LoggingService - ArcaBit - C:\Program Files\ArcaBit\Common\ArcaBit.Core.LoggingService.exe O23 - Service: ArcaBit Control (ArcaRemoteService) - Unknown owner - C:\Program Files\ArcaBit\ArcaAgent\ArcaRemoteSvc.exe O23 - Service: ArcaBit Backup Service (AVBackup) - ArcaBit - C:\Program Files\ArcaBit\ArcaTools\arcabackup\ArcaBackupService.exe O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe O23 - Service: ArcaBit Tasks Service (AVTasks2) - ArcaBit - C:\PROGRA~1\ArcaBit\Common\ARCATA~1.EXE O23 - Service: ArcaBit Update Service (AVUpdate) - ArcaBit - C:\PROGRA~1\ArcaBit\ARCAUP~1\update.exe O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe – End of file - 7862 bytes

Silent Runners:

“Silent Runners.vbs”, revision 59, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “avp” = “C:\RECYCLER\S-1-5-21-2942357693-3001416816-966493637-1705\hdav.exe” [null data] “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “AVP” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe”” [“Kaspersky Lab”] “MSConfig” = “C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto” [MS] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {0B014B81-4E12-46F9-806F-55867AF8FD3C}(Default) = (no title provided) -> {HKLM…CLSID} = “&Research” \InProcServer32(Default) = “C:\WINDOWS\system32\winsystems.dll” [null data] {42ACD293-8DB7-4267-999D-1294D6437259}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\jkkJcYoN.dll” [null data] {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}(Default) = “IEVkbdBHO” -> {HKLM…CLSID} = “IEVkbdBHO Class” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll” [“Kaspersky Lab”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”] {AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Helper” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}(Default) = (no title provided) -> {HKLM…CLSID} = “Google Toolbar Notifier BHO” \InProcServer32(Default) = “C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll” [“Google Inc.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{6af09ec9-b429-11d4-a1fb-0090960218cb}” = “My Bluetooth Places” -> {HKLM…CLSID} = “Moje miejsca interfejsu Bluetooth” \InProcServer32(Default) = “C:\WINDOWS\system32\btneighborhood.dll” [“Broadcom Corporation.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler” -> {HKLM…CLSID} = “Microsoft Office Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}” = “Microsoft Office Metadata Handler” -> {HKLM…CLSID} = “Microsoft Office Metadata Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}” = “Microsoft Office Thumbnail Handler” -> {HKLM…CLSID} = “Microsoft Office Thumbnail Handler” \InProcServer32(Default) = “C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll” [MS] “{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “Nokia Phone Browser” -> {HKLM…CLSID} = “Nokia Phone Browser” \InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\phonebrowser.dll” [“Nokia”] “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” = “TuneUp Shredder Shell Extension” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll” [“TuneUp Software GmbH”] “{44440D00-FF19-4AFC-B765-9A0970567D97}” = “TuneUp Theme Extension” -> {HKLM…CLSID} = “TuneUp Theme Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”] “{D7824897-C8DC-49b4-B790-30F7ED16A5FD}” = “ArcaVir Shell Extension” -> {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaBit\arcavir\avshell.dll” [null data] “{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Statystyki ochrony WWW” -> {HKLM…CLSID} = “Statystyki ochrony WWW” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll” [“Kaspersky Lab”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{93994DE8-8239-4655-B1D1-5F4E91300429}” = (no title provided) -> {HKLM…CLSID} = “DVDIdleShell Class” \InProcServer32(Default) = “C:\PROGRA~1\DVDREG~1\DVDShell.dll” [“Fengtao Software Inc.”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}” -> {HKLM…CLSID} = “WPDShServiceObj Class” \InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS] HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ <> “Authentication Packages” = “msv1_0”|“C:\WINDOWS\system32\jkkJcYoN” HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> klogon\DLLName = “C:\WINDOWS\system32\klogon.dll” [“Kaspersky Lab”] HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\ <> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\ ArcaVirShell(Default) = “{D7824897-C8DC-49b4-B790-30F7ED16A5FD}” -> {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaBit\arcavir\avshell.dll” [null data] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll” [“Kaspersky Lab”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ TuneUp Shredder Shell Extension(Default) = “{4858E7D9-8E12-45a3-B6A3-1CD128C9D403}” -> {HKLM…CLSID} = “TuneUp Shredder Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TUNEUP~1\SDShelEx-win32.dll” [“TuneUp Software GmbH”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\ ArcaVirShell(Default) = “{D7824897-C8DC-49b4-B790-30F7ED16A5FD}” -> {HKLM…CLSID} = “ArcaVir Shell Extension” \InProcServer32(Default) = “C:\Program Files\ArcaBit\arcavir\avshell.dll” [null data] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ShellEx.dll” [“Kaspersky Lab”] Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}” -> {HKLM…CLSID} = “Trojan Remover Shell Extension” \InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) dword:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\KRIS\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\f3PSSavr.scr” [file not found] Windows Portable Device AutoPlay Handlers ----------------------------------------- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\ DVDDecrypterPlayDVDMovieOnArrival\ “Provider” = “DVD Decrypter” “InvokeProgID” = “DVDDecrypter” “InvokeVerb” = “PlayDVDMovieOnArrival_Decrypt” HKLM\SOFTWARE\Classes\DVDDecrypter\shell\PlayDVDMovieOnArrival_Decrypt\Command(Default) = "“C:\Program Files\DVD Decrypter\DVDDecrypter.exe” /MODE READ /SOURCE “%1"” [“LIGHTNING UK!”] LightScribeOnArrivalAP\ “Provider” = “LightScribe Direct Disc Labeling” “InvokeProgID” = “LightScribe.AutoPlayHandler” “InvokeVerb” = “LabelLightScribeDisc” HKLM\SOFTWARE\Classes\LightScribe.AutoPlayHandler\shell\LabelLightScribeDisc\command(Default) = “C:\Program Files\Common Files\LightScribe\LsLauncher.exe” [“Hewlett-Packard Company”] MSPlayCDAudioOnArrival\ “Provider” = “ALLPlayer” “InvokeProgID” = “AllPlayerFile” “InvokeVerb” = “play” HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command(Default) = "“C:\Program Files\MarBit\ALLPlayer\ALLPlayer.exe” “%1"” [“MarBit”] MSWPDShellNamespaceHandler\ “Provider” = “@%SystemRoot%\System32\WPDShextRes.dll,-501” “CLSID” = “{A55803CC-4D53-404c-8557-FD63DBA95D24}” “InitCmdLine” = " " -> {HKLM…CLSID} = “WPDShextAutoplay” \LocalServer32(Default) = “C:\WINDOWS\system32\WPDShextAutoplay.exe” [MS] NeroAutoPlay8AudioToNeroDigital\ “Provider” = “Nero Burning ROM” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “AudioToNeroDigital_PlayCDAudioOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L” [“Nero AG”] NeroAutoPlay8CDAudio\ “Provider” = “Nero Express” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “CDAudio_HandleCDBurningOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD” [“Nero AG”] NeroAutoPlay8CopyCD\ “Provider” = “Nero Burning ROM” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “CopyCD_PlayMusicFilesOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L” [“Nero AG”] NeroAutoPlay8DataDisc_CD\ “Provider” = “Nero Express” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “DataDisc_CD_HandleCDBurningOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L” [“Nero AG”] NeroAutoPlay8DataDisc_DVD\ “Provider” = “Nero Express” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “DataDisc_DVD_HandleDVDBurningOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L” [“Nero AG”] NeroAutoPlay8DVDVideoToNeroDigital\ “Provider” = “Nero Recode” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “DVDVideoToNeroDigital_PlayDVDMovieOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DVDVideoToNeroDigital_PlayDVDMovieOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:ReAuthorNeroDigital” [“Nero AG”] NeroAutoPlay8LaunchNeroStartSmart\ “Provider” = “Nero StartSmart” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “LaunchNeroStartSmart_HandleDVDBurningOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay” [“Nero AG”] NeroAutoPlay8RipCD\ “Provider” = “Nero Burning ROM” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “RipCD_PlayCDAudioOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L” [“Nero AG”] NeroAutoPlay8TranscodeVideo\ “Provider” = “Nero Recode” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “TranscodeVideo_PlayDVDMovieOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo” [“Nero AG”] NeroAutoPlay8ViewPhotos\ “Provider” = “Nero PhotoSnap Viewer” “InvokeProgID” = “Nero.AutoPlay8” “InvokeVerb” = “ViewPhotos_ShowPicturesOnArrival” HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command(Default) = “C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /” [“Nero AG”] NMMPlayCDAudioOnArrival\ “Provider” = “Nokia Music Manager” “InvokeProgID” = “NokiaMusicManager” “InvokeVerb” = “NMMPlayCD” HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD “%L”” [“Nokia”] NMMRipCDAudioOnArrival\ “Provider” = “Nokia Music Manager” “InvokeProgID” = “NokiaMusicManager” “InvokeVerb” = “NMMRipCD” HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD “%L”” [“Nokia”] PDVDPlayCDAudioOnArrival\ “Provider” = “PowerDVD” “InvokeProgID” = “AudioCD” “InvokeVerb” = “PlayWithPowerDVD” HKLM\SOFTWARE\Classes\AudioCD\shell\PlayWithPowerDVD\Command(Default) = ““C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe” “%L”” [“CyberLink Corp.”] PDVDPlayDVDMovieOnArrival\ “Provider” = “PowerDVD” “InvokeProgID” = “DVD” “InvokeVerb” = “PlayWithPowerDVD” HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command(Default) = ““C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe” “%l”” [“CyberLink Corp.”] PDVDPlayVCDMovieOnArrival\ “Provider” = “PowerDVD” “InvokeProgID” = “VCD” “InvokeVerb” = “PlayWithPowerDVD” HKLM\SOFTWARE\Classes\VCD\shell\PlayWithPowerDVD\Command(Default) = ““C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe” “%l”” [“CyberLink Corp.”] Picasa2ImportPicturesOnArrival\ “Provider” = “Picasa2” “InvokeProgID” = “picasa2.autoplay” “InvokeVerb” = “import” HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command(Default) = "C:\Program Files\Picasa2\Picasa2.exe “%1"” [“Google Inc.”] WinampMTPHandler\ “Provider” = “Winamp” “ProgID” = “Shell.HWEventHandlerShellExecute” “InitCmdLine” = “C:\Program Files\Winamp\winamp.exe” HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” -> {HKLM…CLSID} = “ShellExecute HW Event Handler” \LocalServer32(Default) = “rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS] WinampPlayMediaOnArrival\ “Provider” = “Winamp” “InvokeProgID” = “Winamp.File” “InvokeVerb” = “Play” HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command(Default) = "“C:\Program Files\Winamp\winamp.exe” “%1"” [“Nullsoft”] HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = “{46986115-84D6-459c-8F95-52DD653E532E}” -> {HKLM…CLSID} = (no title provided) \LocalServer32(Default) = ““C:\Program Files\Winamp\winamp.exe”” [“Nullsoft”] Enabled Scheduled Tasks: ------------------------ “1-Click Maintenance” -> launches: “C:\Program Files\TuneUp Utilities 2008\OneClick.exe /schedulestart” [“TuneUp Software GmbH”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ “{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided) -> {HKLM…CLSID} = “&Google” \InProcServer32(Default) = “c:\program files\google\googletoolbar1.dll” [“Google Inc.”] Explorer Bars HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ HKLM\SOFTWARE\Classes\CLSID{1E0DE227-5CE4-4EA3-AB0C-8B03E1AA76BC}(Default) = “My Web Search Quick View” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS] HKLM\SOFTWARE\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Statystyki ochrony WWW” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll” [“Kaspersky Lab”] HKLM\SOFTWARE\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}” -> {HKCU…CLSID} = “Java Plug-in 1.6.0_05” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”] -> {HKLM…CLSID} = “Java Plug-in 1.6.0_05” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll” [“Sun Microsystems, Inc.”] {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Statystyki ochrony WWW” {40525A66-DB98-480D-BCF9-7AF88C1AF438}\ “ButtonText” = “ArcaVir >>” “MenuText” = “ArcaVir >>” “CLSIDExtension” = “{40525A66-DB98-480D-BCF9-7AF88C1AF438}” -> {HKLM…CLSID} = “ArcaExtIE Class” \InProcServer32(Default) = “C:\Program Files\ArcaBit\WebExtensions\ie\ArcaIEExt.dll” [“ArcaBit sp. z o.o”] {77BF5300-1474-4EC7-9980-D32B190E9B07}\ “ButtonText” = “Skype” “CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}” -> {HKLM…CLSID} = “Skype add-on (button)” \InProcServer32(Default) = “C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll” [“Skype Technologies S.A.”] {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ “ButtonText” = “Badanie” {E2E2DD38-D088-4134-82B7-F2BA38496583}\ “MenuText” = “@xpsp3res.dll,-20001” “Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ArcaBit Backup Service, AVBackup, “C:\Program Files\ArcaBit\ArcaTools\arcabackup\ArcaBackupService.exe” [“ArcaBit”] ArcaBit Control, ArcaRemoteService, “C:\Program Files\ArcaBit\ArcaAgent\ArcaRemoteSvc.exe” [null data] ArcaBit FileMonitor, ABFileMon, ““C:\Program Files\ArcaBit\ArcaVir\FileMonSV.exe”” [“ArcaBit”] ArcaBit NetMonitor, ABNetMon, “C:\Program Files\ArcaBit\ArcaVir\NetMonSV.exe” [“ArcaBit”] ArcaBit Tasks Service, AVTasks2, “C:\PROGRA~1\ArcaBit\Common\ARCATA~1.EXE” [“ArcaBit”] ArcaBit Update Service, AVUpdate, “C:\PROGRA~1\ArcaBit\ARCAUP~1\update.exe” [“ArcaBit”] ArcaBit.Core.Configurator, ArcaBit.Core.Configurator, ““C:\Program Files\ArcaBit\Common\ArcaBit.Core.Configurator2.exe”” [“ArcaBit”] Bluetooth Service, btwdins, “C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe” [“Broadcom Corporation.”] hpqwmiex, hpqwmiex, “C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe” [“Hewlett-Packard Development Company, L.P.”] Kaspersky Internet Security, AVP, ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe” -r” [“Kaspersky Lab”] LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] TuneUp Theme Extension, UxTuneUp, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\uxtuneup.dll” [“TuneUp Software GmbH”]} Print Monitors: --------------- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] Port drukarki interfejsu Bluetooth\Driver = “bthcrp.dll” [“Broadcom Corporation.”] ---------- (launch time: 2009-01-11 22:36:02) <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 46 seconds, including 5 seconds for message boxes)

Prosze o pomoc

Dziekuję i pozdrawiam

huber2t · 12 Styczeń 2009 04:56

Podaj log z Combofix

Logi dajesz na http://wklej.eu lub na http://wklej.org a w poście dajesz tylko link

Franki · 18 Styczeń 2009 18:37

Log z ComboFix: http://www.wklej.eu/index.php?id=5c168ab055

jessica · 18 Styczeń 2009 19:15

Monderb = VUNDO = VIRTUMONDE

Wklej do Notatnika :

File::

c:\windows\system32\dyfkknpe.dll

c:\windows\system32\usooek.dll

c:\windows\system32\xhibyz.dll.vir

c:\windows\system32\winsystems.dll

c:\windows\system32\hitgbpfn.dll


Registry::

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0B014B81-4E12-46F9-806F-55867AF8FD3C}] 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-] 

"MyWebSearch Email Plugin"=-

"MyWebSearch Plugin"=-

"34a84ddf"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6353d0b-4104-11dd-b6cb-001e3703df0f}]

>>Plik>>Zapisz jako… >>> CFScript

Przeciągnij i upuść plik CFScript.txt na plik ComboFix.exe

– podobnie jak na tym obrazku –>

Ma się rozpocząć usuwanie. (i powstanie log). Daj ten log.

jessi