Witam.
Potrzebuje pomocy w uśnięciu pozostałości po wirusie trojan generic 32 (Msantivir- auto download z z zarażonej strony).
Usunąłem główne? składniki (w F8-- Skan NIS, Anti malware, RegCleaner- biblioteki dll, usunięte nowe pliki,rejestr wyczyszczony, usługi, etc).
Pozostał problem z FF - nie mogę otworzyć strony w nowej zakładce- blokuje się na stronie , która jest już otwarta i za nic nie otworze nast.
Nie można zablokować samoczynnie otwierających się w nowym oknie stron typu: "travian on-line games czy zarażonych
Znaczne spowolnienie / zawieszanie się kompa- (nie)działanie niektórych programów .
LOG z HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52, on 2008-12-26
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\tcpsvcs.exe
E:\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec NCO BHO - {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [QuickTime Task] "E:\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.com/srl_bin/sysreqlab3.cab
O20 - AppInit_DLLs: pimlhf.dll
O23 - Service: Norton2009 Reset (.norton2009reset) - Unknown owner - C:\Program Files\Norton2009Reset.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Microsoft Update Service Helper (msupdsvc) - Unknown owner - C:\WINDOWS\system32\msupdsvc32.exe (file missing)
O23 - Service: Norton Internet Security (norton internet security) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Usługa SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: Usługa SNMP Trap (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\Alcohol 120\StarWind\StarWindServiceAE.exe
--
End of file - 6195 bytes
LOG z Combofix:
ComboFix 08-12-26.01 - Administrator 2008-12-26 17:32:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1045.18.511.109 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Administrator\Pulpit\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Utworzono nowy punkt przywracania
.
[i] ADS - svchost.exe: deleted 88 bytes in 2 streams. [/i]
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\g32.txt
c:\windows\gs32.txt
c:\windows\system32\grouppolicy\machine\scripts\scripts.ini
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_ASPIMGR
((((((((((((((((((((((((( Pliki utworzone od 2008-11-26 do 2008-12-26 )))))))))))))))))))))))))))))))
.
2008-12-26 17:31 . 2008-12-26 17:31
Cobofix-kwarantanna:
[code]2004-08-18 17:00:00 AC------ 13 C:\Qoobox\Quarantine\C\WINDOWS\g32.txt.vir 2007-06-03 21:13:38 AC------ 6 C:\Qoobox\Quarantine\C\WINDOWS\system32\GroupPolicy\Machine\Scripts\scripts.ini.vir 2008-02-14 13:22:24 AC------ 106 C:\Qoobox\Quarantine\C\WINDOWS\gs32.txt.vir 2008-12-26 17:26:47 A------- 54 C:\Qoobox\Quarantine\catchme.log 2008-12-26 17:35:02 A------- 8,768 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg 2008-12-26 17:35:20 A------- 828 C:\Qoobox\Quarantine\Registry_backups\Legacy_ASPIMGR.reg.dat 2008-12-26 17:42:16 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{82B29D31-AC60-432D-8E0D-E09726072137}.reg.dat 2008-12-26 17:42:16 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{b8c52c11-9f95-447f-82a8-cc0a70b7e987}.reg.dat 2008-12-26 17:42:24 A------- 181 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-ISUSPM.reg.dat 2008-12-26 17:42:36 A------- 146 C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat
LOG z Silent Runner- przy pobraniu na stronie Forum wystapilo takie cos: —> http://www.wklej.org/id/31920/ LOG z Silent Runner-pobrany w .zip-ie
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre6\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe" -H" [null data]
"QuickTime Task" = ""E:\QTTask.exe" -atboottime" ["Apple Inc."]
"!AVG Anti-Spyware" = ""D:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["GRISOFT s.r.o."]
"nForce Tray Options" = "sstray.exe /r" ["NVIDIA Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]
{602adb0e-4aff-4217-8aa1-95dac4dfa408}\(Default) = "Symantec NCO BHO"
-> {HKLM...CLSID} = "Symantec NCO BHO"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll" ["Symantec Corporation"]
{6d53ec84-6aae-4787-aeee-f4628f01010c}\(Default) = "Symantec Intrusion Prevention"
-> {HKLM...CLSID} = "Symantec Intrusion Prevention"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\IPSBHO.DLL" ["Symantec Corporation"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\ssv.dll" ["Sun Microsystems, Inc."]
{DBC80044-A445-435b-BC74-9C25C1C588A9}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Java(tm) Plug-In 2 SSV Helper"
\InProcServer32\(Default) = "C:\Program Files\Java\jre6\bin\jp2ssv.dll" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "E:\ALCOHO~1\AxShlex.dll" ["Alcohol Soft Development Team"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"
-> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"
\InProcServer32\(Default) = "C:\WINDOWS\system32\upnpui.dll" [MS]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "D:\Program Files\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["GRISOFT s.r.o."]
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<> "BootExecute" = "autocheck autochk *"|"pgdfgsvc C 1" [file not found]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> ComPlusSetup\DLLName = "C:\WINDOWS\system32\catsrvut.dll" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Autodesk.DWF.ContextMenu\(Default) = "{6C18531F-CA85-45F7-8278-FF33CF0A5964}"
-> {HKLM...CLSID} = "DWFShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Autodesk shared\dwf common\DWFShellExtension.dll" ["Autodesk, Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
symantec.norton.antivirus.iecontextmenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\16.1.0.33\NavShExt.dll"" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\AVG Anti-Spyware 7.5\context.dll" ["GRISOFT s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
symantec.norton.antivirus.iecontextmenu\(Default) = "{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = ""C:\Program Files\Norton Internet Security\Engine\16.1.0.33\NavShExt.dll"" ["Symantec Corporation"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\WinRAR\rarext.dll" ["Alexander Roshal"]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
Default executables:
--------------------
<> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
AlcoholAutoPlayV2.BurnDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""E:\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]
AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""E:\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]
Picasa2ImportPicturesOnArrival\
"Provider" = "Picasa3"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "D:\Program Files\Google\Picasa3\Picasa3.exe "%1"" ["Google Inc."]
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"SATARaid" -> shortcut to: "C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe" ["Silicon Image, Inc."]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"kfqgebye" -> launches: "C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\pmnlihHx.dll",ShellPath" [MS]
"RegClean Scheduled Scan" -> launches: "D:\Instalki\RegClean\RegClean.exe scheduled" [file not found]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 09
%SystemRoot%\system32\rsvpsp.dll [MS], 10 - 11
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}" = "Norton Toolbar"
-> {HKLM...CLSID} = "Norton Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\coIEPlg.dll" ["Symantec Corporation"]
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "D:\Program Files\AVG Anti-Spyware 7.5\guard.exe" ["GRISOFT s.r.o."]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Norton Internet Security, norton internet security, ""C:\Program Files\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "C:\Program Files\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1" ["Symantec Corporation"]
StarWind AE Service, StarWindServiceAE, "E:\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\system32\tcpsvcs.exe" [MS]
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
hpzlnt09\Driver = "hpzlnt09.dll" ["HP"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
---------- (launch time: 2008-12-26 18:54:55)
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 27 seconds.
---------- (total run time: 74 seconds)
Scan Sphosem Anti-Rootkit:
Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-21-57989841-1202660629-682003330-500
Removable: No
Notes: (no more detail available)
Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-19
Removable: No
Notes: (no more detail available)
Area: Windows registry
Description: Hidden registry key
Location: \HKEY_USERS\S-1-5-20
Removable: No
Notes: (no more detail available)
Przed chwila wywalilem: Packed Generic 203, Trojan Zlob , Backdoor Formador, Trojan Horse.ale to *&*^% nic nie dalo.
LOG z Trojan Remower: http://wklej.to/qbI/text
LOG z Malwarebytes AntyM : http://www.wklej.org/id/31920/
Sa jakies nawet teoretyczne szanse na posprzatanie w kompie,.
Wszystkie mozliwosci i sposoby do stosowania wiec jesli macie jakies pomysly to OK.