krytyk
(Bladolicus)
9 Marzec 2007 14:51
#1
Mam problemy z trzema trojanami , mianowicie win32.VBstat.h , win32.Virtumonde.ft P2P-Worm.win32.Agent.v , ilekroć bym nie skasował ich ciągle mutują i mnożą się , mam całkowicie zaktualizowanego kaspersky’ego , spybota s&d i adware se plus z adwatch. Oto log z hijack this.
Logfile of HijackThis v1.99.1
Scan saved at 15:41:12, on 2007-03-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\autoclk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
E:\Program Files\eMule\Incoming\Cidial 2.3 Full\CiDial.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Pulpit\mini\Travis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Administrator\Pulpit\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Skrót do CiDial.lnk = E:\Program Files\eMule\Incoming\Cidial 2.3 Full\CiDial.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E84ED647-C741-489D-A354-B0548C00DDC7}: NameServer = 194.204.152.34 217.98.63.164
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
Byłbym wdzięczny za dobra diagnozę.
adam9870
(adam9870)
9 Marzec 2007 15:07
#2
Usuń wpis HJT.
krytyk:
Mam problemy z trzema trojanami , mianowicie win32.VBstat.h , win32.Virtumonde.ft P2P-Worm.win32.Agent.v , ilekroć bym nie skasował ich ciągle mutują i mnożą się , mam całkowicie zaktualizowanego kaspersky’ego , spybota s&d i adware se plus z adwatch.
Dobrze ale GDZIE one są wykrywane? Proszę podać dokładne lokalizacje do zainfekowanych plików. Dodatkowo przeskanuj system narzędziem VirtumundoBeGone i VundoFix i pokaż raporty oraz log z SilentRunners i log numer 1 z L2Mfix .
adam9870
(adam9870)
9 Marzec 2007 17:43
#3
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\WINDOWS\SYSTEM32\geebb.dll
C:\WINDOWS\SYSTEM32\bbeeg.tmp
C:\WINDOWS\SYSTEM32\mcrh.tmp
C:\WINDOWS\System32\bbeeg.ini2
C:\WINDOWS\System32\rsiffivn.ini
C:\WINDOWS\System32\merhwkwf.ini
C:\WINDOWS\System32\bbeeg.ini
C:\WINDOWS\System32\bbeeg.bak1
C:\WINDOWS\System32\bbeeg.bak2
Po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.
Otwórz Notatnik i wklej w nim to:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] “BootExecute”=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\ 00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00 [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{E03C740E-BB24-4d3c-B92A-6F84DE1DD99C}] [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{E5F569C1-63E5-4D0A-91DC-DF33E3C10D97}] [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{F5121B67-7279-43E1-8FB0-E90543989DC2}] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] “{F5121B67-7279-43E1-8FB0-E90543989DC2}”=- [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\geebb] [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljiihe]
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.
Użyj progrmu ATF Cleaner i przeczyść TEMP’y.
Po wykonaniu pokaż nowy log z hjt, SilentRunners + log numer 1 z L2Mfix .
adam9870
(adam9870)
9 Marzec 2007 19:32
#4
Ściągasz program KillBox , zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:
C:\WINDOWS\System32\geebb.dll.vir
C:\WINDOWS\System32\qarknjlr.ini
C:\WINDOWS\system32\beskulxv.dll
Po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart. Jeśli przy wklejaniu pokaże się jakiś błąd to nie przejmuj się nim tylko postępuj dalej.
Otwórz Notatnik i wklej w nim to:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] “DllRunning”=- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] “BootExecute”=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\ 00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.
Usuń wpis HJT jeśli będzie.
Przeskanuj http://www.kaspersky.pl/virusscanner.html
Po wykonaniu wklej trzy nowe logi.
adam9870
(adam9870)
9 Marzec 2007 20:28
#5
Start => uruchom => wpisz regedit i kliknij OK => przejdź do klucza:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
i skasuj z prawokliku znajdującą się tam wartość DllRunning
Jeśli nie pomoże to plik FIX.REG o takiej zawartości:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] “DllRunning”=- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] “BootExecute”=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\ 00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
Umieść bezpośrednio na partycji C, a następnie wybierz start => uruchom => wpisz polecenie regedit.exe /s C:\fix.reg
krytyk
(Bladolicus)
9 Marzec 2007 20:35
#6
Że tak powiem , beskul pashol won… Wkleic kolejny trzypak logów?
adam9870
(adam9870)
9 Marzec 2007 20:44
#7
Wklej nowy log z Silenta i HJT.
krytyk
(Bladolicus)
9 Marzec 2007 20:50
#8
Logfile of HijackThis v1.99.1
Scan saved at 21:45:46, on 2007-03-10
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\autoclk.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
E:\Program Files\eMule\Incoming\Cidial 2.3 Full\CiDial.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Administrator\Pulpit\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Skrót do CiDial.lnk = E:\Program Files\eMule\Incoming\Cidial 2.3 Full\CiDial.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: Dodaj do Kaspersky Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Ochrona WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E84ED647-C741-489D-A354-B0548C00DDC7}: NameServer = 194.204.152.34 217.98.63.164
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware Pro\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “AWMON” = ““C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe”” [“Lavasoft Sweden”] “AIM” = “C:\Program Files\AIM\aim.exe -cnetwait.odl” [“America Online, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “autoclk” = “autoclk.exe” [empty string] “WOOWATCH” = “C:\PROGRA~1\Wanadoo\Watch.exe” [“France Télécom R&D”] “kis” = ““C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe”” [“Kaspersky Lab”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{85E0B171-04FA-11D1-B7DA-00A0C90348D6}” = “Ochrona WWW” -> {HKLM…CLSID} = “Ochrona WWW” \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] “{32020A01-506E-484D-A2A8-BE3CF17601C3}” = “AlcoholShellEx” -> {HKLM…CLSID} = “AlcoholShellEx” \InProcServer32(Default) = “C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll” [“Alcohol Soft Development Team”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Outlook File Icon Extension” \InProcServer32(Default) = “D:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{A5110426-177D-4e08-AB3F-785F10B4439C}” = “Sony Ericsson File Manager” -> {HKLM…CLSID} = “Sony Ericsson File Manager” \InProcServer32(Default) = “C:\Program Files\Sony Ericsson\Mobile2\File Manager\fmgrgui.dll” [“Sony Ericsson Mobile Communications AB”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll” [“Kaspersky Lab”] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”| [file not found] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> klogon\DLLName = “C:\WINDOWS\System32\klogon.dll” [“Kaspersky Lab”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\pdfshell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ DAP_Menu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ DAP_ShredMenu(Default) = “{BED4C38B-F765-45AC-8C56-613F76BBF43E}” -> {HKLM…CLSID} = “DAPMenuShellExt Class” \InProcServer32(Default) = “C:\PROGRA~1\DAP\PRIVAC~1\DAPCTX~1.DLL” [“Speedbit Ltd.”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Kaspersky Anti-Virus(Default) = “{dd230880-495a-11d1-b064-008048ec2fc5}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\shellex.dll” [“Kaspersky Lab”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Administrator” & “All Users” startup folders: --------------------------------------------------------------- C:\Documents and Settings\Administrator\Menu Start\Programy\Autostart “Skrót do CiDial” -> shortcut to: “E:\Program Files\eMule\Incoming\Cidial 2.3 Full\CiDial.exe” [null data] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W” [empty string] Enabled Scheduled Tasks: ------------------------ “01_Don Omar Feat_ Tego Calderon - Bandaleros” -> launches: “C:\01_Don Omar Feat_ Tego Calderon - Bandaleros.wav” [null data] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ HKLM\Software\Classes\CLSID{85E0B171-04FA-11D1-B7DA-00A0C90348D6}(Default) = “Ochrona WWW” Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar] InProcServer32(Default) = “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll” [“Kaspersky Lab”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\ “ButtonText” = “Ochrona WWW” {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\ “ButtonText” = “AIM” “Exec” = “C:\Program Files\AIM\aim.exe” [“America Online, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Kaspersky Internet Security 6.0, AVP, “C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe -r” [“Kaspersky Lab”] LightScribeService Direct Disc Labeling Service, LightScribeService, ““C:\Program Files\Common Files\LightScribe\LSSrvc.exe”” [“Hewlett-Packard Company”] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] StarWind iSCSI Service, StarWindService, “C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe” [“Rocket Division Software”] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 169 seconds, including 3 seconds for message boxes)
adam9870
(adam9870)
9 Marzec 2007 20:59
#9
Już jest Ok. Możesz jedynie naprawić tą restrykcję:
Poprzez zastosowanie takiego pliku FIX.REG:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] “BootExecute”=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\ 00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
krytyk
(Bladolicus)
9 Marzec 2007 21:02
#10
No to wielkie dzięki adam za pomoc , i powodzenia w następnych przypadkach, “wdzięczny na zawsze” ;p.
Narazie.