Trojan generic i FF


(Masaj) #1

Witam.

Potrzebuje pomocy w uśnięciu pozostałości po wirusie trojan generic 32 (Msantivir- auto download z z zarażonej strony).

Usunąłem główne? składniki (w F8-- Skan NIS, Anti malware, RegCleaner- biblioteki dll, usunięte nowe pliki,rejestr wyczyszczony, usługi, etc).

Pozostał problem z FF - nie mogę otworzyć strony w nowej zakładce- blokuje się na stronie , która jest już otwarta i za nic nie otworze nast.

Nie można zablokować samoczynnie otwierających się w nowym oknie stron typu: "travian on-line games czy zarażonych

Znaczne spowolnienie / zawieszanie się kompa- (nie)działanie niektórych programów .

LOG z HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:52, on 2008-12-26

Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.20696)

Boot mode: Normal


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe

C:\Program Files\Java\jre6\bin\jusched.exe

D:\Program Files\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe

C:\WINDOWS\system32\tcpsvcs.exe

E:\Alcohol 120\StarWind\StarWindServiceAE.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\sstray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\explorer.exe

D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Symantec NCO BHO - {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL

O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H

O4 - HKLM\..\Run: [QuickTime Task] "E:\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')

O4 - Global Startup: SATARaid.lnk = ?

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab

O20 - AppInit_DLLs: pimlhf.dll

O23 - Service: Norton2009 Reset (.norton2009reset) - Unknown owner - C:\Program Files\Norton2009Reset.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)

O23 - Service: Norton Internet Security (norton internet security) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe

O23 - Service: Usługa SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)

O23 - Service: Usługa SNMP Trap (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)

O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Alcohol 120\StarWind\StarWindServiceAE.exe


--

End of file - 6195 bytes

LOG z Combofix:

ComboFix 08-12-26.01 - Administrator 2008-12-26 17:32:22.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.511.109 [GMT 1:00]

Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe

AV: Norton Internet Security *On-access scanning disabled* (Outdated)

FW: Norton Internet Security *disabled*

 * Utworzono nowy punkt przywracania

.

[i] ADS - svchost.exe: deleted 88 bytes in 2 streams. [/i]


((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))

.


c:\windows\g32.txt

c:\windows\gs32.txt

c:\windows\system32\grouppolicy\machine\scripts\scripts.ini


.

((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))

.


-------\Legacy_ASPIMGR



((((((((((((((((((((((((( Pliki utworzone od 2008-11-26 do 2008-12-26 )))))))))))))))))))))))))))))))

.


2008-12-26 17:31 . 2008-12-26 17:31	




Cobofix-kwarantanna:

[code]2004-08-18 17:00:00 AC------ 13 C:\Qoobox\Quarantine\C\WINDOWS\g32.txt.vir 2007-06-03 21:13:38 AC------ 6 C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicy\Machine\Scripts\scripts.ini.vir 2008-02-14 13:22:24 AC------ 106 C:\Qoobox\Quarantine\C\WINDOWS\gs32.txt.vir 2008-12-26 17:26:47 A------- 54 C:\Qoobox\Quarantine\catchme.log 2008-12-26 17:35:02 A------- 8,768 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg 2008-12-26 17:35:20 A------- 828 C:\Qoobox\Quarantine\Registry_backups\Legacy_ASPIMGR.reg.dat 2008-12-26 17:42:16 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{82B29D31-AC60-432D-8E0D-E09726072137}.reg.dat 2008-12-26 17:42:16 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{b8c52c11-9f95-447f-82a8-cc0a70b7e987}.reg.dat 2008-12-26 17:42:24 A------- 181 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ISUSPM.reg.dat 2008-12-26 17:42:36 A------- 146 C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat
LOG z Silent Runner- przy pobraniu na stronie Forum wystapilo takie cos: ---> http://www.wklej.org/id/31920/ LOG z Silent Runner-pobrany w .zip-ie

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]

"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe" -H" [null data]

"QuickTime Task" = ""E:\QTTask.exe" -atboottime" ["Apple Inc."]

"!AVG Anti-Spyware" = ""D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]

"nForce Tray Options" = "sstray.exe /r" ["NVIDIA Corporation"]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Adobe PDF Link Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{602adb0e-4aff-4217-8aa1-95dac4dfa408}\(Default) = "Symantec NCO BHO"

  -> {HKLM...CLSID} = "Symantec NCO BHO"

                   \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll" ["Symantec Corporation"]

{6d53ec84-6aae-4787-aeee-f4628f01010c}\(Default) = "Symantec Intrusion Prevention"

  -> {HKLM...CLSID} = "Symantec Intrusion Prevention"

                   \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL" ["Symantec Corporation"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Java(tm) Plug-In SSV Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]

{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

  -> {HKLM...CLSID} = "History Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "E:\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]

"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"

  -> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]

"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"

  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"

                   \InProcServer32\(Default) = "D:\Program Files\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<> "BootExecute" = "autocheck autochk *"|"pgdfgsvc C 1" [file not found]


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> ComPlusSetup\DLLName = "C:\WINDOWS\system32\catsrvut.dll" [MS]


HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"

  -> {HKLM...CLSID} = "DWFShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll" ["Autodesk, Inc."]

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "D:\Program Files\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

symantec.norton.antivirus.iecontextmenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"

  -> {HKLM...CLSID} = "IEContextMenu Class"

                   \InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\16.1.0.33\NavShExt.dll"" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]


HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"

  -> {HKLM...CLSID} = "CContextScan Object"

                   \InProcServer32\(Default) = "D:\Program Files\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]


HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

symantec.norton.antivirus.iecontextmenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"

  -> {HKLM...CLSID} = "IEContextMenu Class"

                   \InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\16.1.0.33\NavShExt.dll"" ["Symantec Corporation"]

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]


HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"

  -> {HKLM...CLSID} = "UnlockerShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]



Default executables:

--------------------


<> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}


"DisableRegistryTools" = (REG_DWORD) dword:0x00000000

{unrecognized setting}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Windows Portable Device AutoPlay Handlers

-----------------------------------------


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\


AlcoholAutoPlayV2.BurnDisc\

"Provider" = "Alcohol 120%"

"InvokeProgID" = "AlcoholAutoPlayV2"

"InvokeVerb" = "BurnDisc"

HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""E:\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]


AlcoholAutoPlayV2.ReadDisc\

"Provider" = "Alcohol 120%"

"InvokeProgID" = "AlcoholAutoPlayV2"

"InvokeVerb" = "ReadDisc"

HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""E:\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]


Picasa2ImportPicturesOnArrival\

"Provider" = "Picasa3"

"InvokeProgID" = "picasa2.autoplay"

"InvokeVerb" = "import"

HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "D:\Program Files\Google\Picasa3\Picasa3.exe "%1"" ["Google Inc."]



Startup items in "Administrator" & "All Users" startup folders:

---------------------------------------------------------------


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"SATARaid" -> shortcut to: "C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe" ["Silicon Image, Inc."]



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

"kfqgebye" -> launches: "C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\pmnlihHx.dll",ShellPath" [MS]

"RegClean Scheduled Scan" -> launches: "D:\Instalki\RegClean\RegClean.exe scheduled" [file not found]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000005\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]


Transport Service Providers


HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 09

%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\

"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" = "Norton Toolbar"

  -> {HKLM...CLSID} = "Norton Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll" ["Symantec Corporation"]


Explorer Bars


HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\


HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Norton Internet Security, norton internet security, ""C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1" ["Symantec Corporation"]

StarWind AE Service, StarWindServiceAE, "E:\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]

Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\system32\tcpsvcs.exe" [MS]



Print Monitors:

---------------


HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



---------- (launch time: 2008-12-26 18:54:55)

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 27 seconds.

---------- (total run time: 74 seconds)

Scan Sphosem Anti-Rootkit:

Area:	Windows registry

Description:	Hidden registry key 

Location:	\HKEY_USERS\S-1-5-21-57989841-1202660629-682003330-500

Removable:	No

Notes:	(no more detail available) 


Area:	Windows registry

Description:	Hidden registry key 

Location:	\HKEY_USERS\S-1-5-19

Removable:	No

Notes:	(no more detail available) 



Area:	Windows registry

Description:	Hidden registry key 

Location:	\HKEY_USERS\S-1-5-20

Removable:	No

Notes:	(no more detail available)

Przed chwila wywalilem: Packed Generic 203, Trojan Zlob , Backdoor Formador, Trojan Horse.ale to *&*^% nic nie dalo.

LOG z Trojan Remower: http://wklej.to/qbI/text

LOG z Malwarebytes AntyM : http://www.wklej.org/id/31920/

Sa jakies nawet teoretyczne szanse na posprzatanie w kompie,.

Wszystkie mozliwosci i sposoby do stosowania wiec jesli macie jakies pomysly to OK.