Proszę rzućcie okiem na logi

Dla specjalistów Bezpieczeństwo
#1

Mam wrażenie że jakieś badziewie mnie gryzie.Avast co jakiś czas wykrywa jakiegoś robala.POdaję logi może coś wypatrzycie. Pozdrawiam wszystkich :smiley: :smiley:

“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{6A373B7E-496E-424f-A9BE-486A5E9AB018}(Default) = (no title provided)

-> {HKLM…CLSID} = “BitComet Toolbar Helper”

\InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]

“{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]

“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

“{e57ce731-33e8-4c51-8354-bb4de9d215d1}” = “Uniwersalne urządzenia Plug and Play”

-> {HKLM…CLSID} = “Uniwersalne urządzenia Plug and Play”

\InProcServer32(Default) = “C:\WINDOWS\system32\upnpui.dll” [MS]

“{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices”

-> {HKLM…CLSID} = “Portable Media Devices”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band”

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

“{AB77609F-2178-4E6F-9C4B-44AC179D937A}” = “a˛ Context Menu Shell Extension”

-> {HKLM…CLSID} = “a˛ Context Menu Shell Extension”

\InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0”

-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\

“System” = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

INFECTION WARNING! AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”

-> {HKLM…CLSID} = “CContextScan Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”

-> {HKLM…CLSID} = “CContextScan Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

a2ContMenu(Default) = “{AB77609F-2178-4E6F-9C4B-44AC179D937A}”

-> {HKLM…CLSID} = “a˛ Context Menu Shell Extension”

\InProcServer32(Default) = “C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL” [null data]

avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”

-> {HKLM…CLSID} = “avast”

\InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]

WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”

-> {HKLM…CLSID} = “WinRAR”

\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]

Group Policies [Description] {enabled Group Policy setting}:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

HIJACK WARNING! “ForceActiveDesktopOn”=dword:00000001

[enables Active Desktop and prevents disabling it]

{User Configuration|Administrative Templates|Desktop|Active Desktop|

Enable Active Desktop}

HIJACK WARNING! “Wallpaper” = “C:\WINDOWS\desktop.html”

[disables the Display Properties|Desktop (tab) (except the "Customize

Desktop…" button); selects wallpaper and enables Active Desktop]

{User Configuration|Administrative Templates|Desktop|Active Desktop|

Active Desktop Wallpaper|Wallpaper Name:}

Active Desktop and Wallpaper:

Active Desktop enabled via Group Policy.

Wallpaper selected via Group Policy.

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\

“SCRNSAVE.EXE” = “C:\WINDOWS\System32\AVASTSS.scr” [“ALWIL Software”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 31

%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

Toolbars, Explorer Bars, Extensions:

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{2E608F70-C430-4BC5-96F6-608E02EBA5B2}”

-> {HKLM…CLSID} = “BitComet Toolbar”

\InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{2E608F70-C430-4BC5-96F6-608E02EBA5B2}” = “BitComet Toolbar”

-> {HKLM…CLSID} = “BitComet Toolbar”

\InProcServer32(Default) = “C:\Program Files\BitComet Toolbar\v2.0.0.4\BitComet_Toolbar.dll” [null data]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided)

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}”

-> {HKCU…CLSID} = “Java Plug-in”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”]

-> {HKLM…CLSID} = “Java Plug-in 1.5.0_06”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll” [“Sun Microsystems, Inc.”]

All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):

Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\System32\Ati2evxx.exe” [“ATI Technologies Inc.”]

ATK Keyboard Service, ATKKeyboardService, “C:\WINDOWS\ATKKBService.exe” [“ASUSTeK COMPUTER INC.”]

avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [null data]

avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]

avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”]

avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”]

EvtEng, EvtEng, “C:\Program Files\Intel\Wireless\Bin\EvtEng.exe” [“Intel Corporation”]

ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”]

HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]}

Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS]

OwnershipProtocol, OwnershipProtocol, “C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe” [“Intel Corporation”]

RegSrvc, RegSrvc, “C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe” [“Intel Corporation”]

Spectrum24 Event Monitor, S24EventMonitor, “C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe” ["Intel Corporation "]

Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”]

Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]}

Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\MsPMSNSv.dll” [MS]}

Usługi Simple TCP/IP, SimpTcp, “C:\WINDOWS\System32\tcpsvcs.exe” [MS]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

Print Monitors:

HKLM\System\CurrentControlSet\Control\Print\Monitors\

Toshiba Bluetooth Monitor\Driver = “tbtmon.dll” [“Toshiba America Business Solutions, Inc.”]

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer “No” at the first message box.

---------- (total run time: 24 seconds, including 5 seconds for message boxes)

#2

skasuj plik C:\WINDOWS\desktop.html

Otwórz notatnik i wklej:

Plik>>>zapisz jako>>zmień rozszerzenie z .txt na wszystkie pliki>>>zapisz pod nazwą FIX.REG i uruchom w trybie awaryjnym

Panel Sterowania>>>Właściwości Ekranu>>>dostosuj pulpi>>>sieci web>>>odhacz, podświetl i skasuj security

#3

dzięki chyba wszystko w porządku Pozdrawiam