gramik
(Mgracz)
12 Maj 2007 21:00
#1
Od pewnego czasu mam problem z wirusem rozsyłającym zarażoną pocztę z mojego kompa. Jego aktywność objawia się alertami AVASTA o dużej ilości wysłanej poczty i pogróżkami ze strony adminów sieci ;/ Skanowanie awastem nie daje żadnych rezultatów. Kilka innych skanerów też nic nie wykrywa (online’owe i MKS, Panda itp.). Może logi coś wyjaśnią. Z góry dzięki.
Logfile of HijackThis v1.99.1 Scan saved at 22:57:42, on 2007-05-12 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe C:\Program Files\DCPFLICS\DCPFLICS.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\oodag.exe C:\Program Files\ProShowGold\ScsiAccess.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Motherboard Monitor 5\MBM5.EXE C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\gapa.exe C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\wspolne\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [MBM 5] “C:\Program Files\Motherboard Monitor 5\MBM5.EXE” O4 - HKLM…\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM…\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Logitech SetPoint.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Skrót do gapa.exe.lnk = C:\Program Files\gapa.exe O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar … vSniff.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar … /cabsa.cab O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: DCPFLICS - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\ProShowGold\ScsiAccess.exe
Gutek
(Gutek)
12 Maj 2007 21:17
#2
gramik
(Mgracz)
12 Maj 2007 21:49
#3
Oto logi z ComboFix i Silent Runners:
“wspolne” - 2007-05-12 23:34:18 Dodatek Service Pack 2 ComboFix 07-05.09.V - Running from: “C:\Documents and Settings\wspolne\Pulpit” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\DOCUME~1\wspolne\DANEAP~1\Install.dat C:\WINDOWS\system32\svcp.csv C:\WINDOWS\system32\winsub.xml C:\WINDOWS\system32\zlbw.dll ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) -------\LEGACY_ICF -------\ICF ((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-12 )))))))))))))))))))))))))))))))))) 2007-05-11 19:29 2007-05-11 18:32 2007-05-11 18:32 2007-05-11 18:05 2007-05-11 18:05 2007-04-23 21:22 2007-04-23 21:21 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-05-12 21:02:00 -------- d-----w C:\Program Files\Steam 2007-05-11 16:43:29 74,450 ----a-w C:\WINDOWS\system32\perfc015.dat 2007-05-11 16:43:29 448,348 ----a-w C:\WINDOWS\system32\perfh015.dat 2007-05-11 16:24:40 -------- d-----w C:\Program Files\7-Zip 2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe 2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys 2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys 2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys 2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys 2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys 2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr 2007-04-19 15:00:16 -------- d-----w C:\Program Files\GetRight 2007-04-10 19:55:45 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys 2007-04-10 19:55:45 -------- d-----w C:\Program Files\DAEMON Tools 2007-04-10 19:35:55 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd1133.sys 2007-04-10 19:35:55 642,560 ----a-w C:\WINDOWS\system32\drivers\sptd.sys 2007-04-08 21:24:25 -------- d-----w C:\DOCUME~1\wspolne\DANEAP~1\Command & Conquer 3 Tiberium Wars 2007-04-08 21:16:43 -------- d–h--r C:\DOCUME~1\wspolne\DANEAP~1\SecuROM 2007-04-08 21:03:48 -------- d-----w C:\Program Files\Electronic Arts 2007-04-08 11:11:33 -------- d–h--w C:\Program Files\InstallShield Installation Information 2007-03-30 20:54:35 -------- d-----w C:\Program Files\QuickTime 2007-03-30 09:59:25 -------- d-----w C:\DOCUME~1\wspolne\DANEAP~1\InterVideo 2007-03-30 09:49:22 -------- d-----w C:\Program Files\InterVideo 2007-03-27 13:15:23 -------- d-----w C:\Program Files\DC++ 2007-03-26 21:00:40 -------- d-----w C:\DOCUME~1\wspolne\DANEAP~1\Ahead 2007-03-26 20:58:57 -------- d-----w C:\Program Files\Common Files\Ahead 2007-03-26 20:58:20 -------- d-----w C:\Program Files\Nero 2007-03-26 20:27:28 -------- d-----w C:\Program Files\Ahead 2007-03-26 10:50:02 -------- d-----w C:\Program Files\PhotoZoom Pro 2 2007-03-22 22:34:45 -------- d-----w C:\DOCUME~1\wspolne\DANEAP~1\Apple Computer 2007-03-22 22:23:30 -------- d-----w C:\Program Files\XericDesign 2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll 2007-03-12 10:49:50 -------- d-----w C:\Program Files\ProShowGold 2007-03-12 10:43:25 -------- d-----w C:\Program Files\Photodex Presenter 2007-03-12 10:43:25 -------- d-----w C:\DOCUME~1\wspolne\DANEAP~1\Netscape 2007-03-12 10:42:08 -------- d-----w C:\DOCUME~1\wspolne\DANEAP~1\Photodex 2007-03-12 09:01:01 -------- d-----w C:\Program Files\Winamp 2007-03-08 15:38:47 579,072 ----a-w C:\WINDOWS\system32\user32.dll 2007-03-08 15:38:47 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll 2007-03-08 15:38:47 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll 2007-03-08 15:37:33 1,843,840 ----a-w C:\WINDOWS\system32\win32k.sys 2007-02-21 21:11:03 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat 2007-02-15 12:45:36 707,344 ----a-w C:\WINDOWS\system32\oodag.exe 2007-02-15 12:34:30 217,360 ----a-w C:\WINDOWS\system32\oodbs.exe 2007-02-15 12:16:20 11,536 ----a-w C:\WINDOWS\system32\oodbsrs.dll 2007-02-15 12:16:10 17,168 ----a-w C:\WINDOWS\system32\oodagrs.dll 2007-02-15 12:15:58 17,168 ----a-w C:\WINDOWS\system32\oodagmg.dll 2007-02-15 08:44:32 16,656 ----a-w C:\WINDOWS\system32\ootmapi.dll 2007-02-10 16:34:50 1,168 ----a-w C:\WINDOWS\mozver.dat 2007-02-10 09:52:32 0 ----a-w C:\WINDOWS\nsreg.dat 2007-02-07 13:08:41 16,368 ----a-w C:\DOCUME~1\wspolne\DANEAP~1\GDIPFONTCACHEV1.DAT 2007-02-05 20:19:48 185,856 ----a-w C:\WINDOWS\system32\upnphost.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects] “{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}”=“C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “SoundMan”=“SOUNDMAN.EXE” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” “MBM 5”="“C:\Program Files\Motherboard Monitor 5\MBM5.EXE”" “Logitech Hardware Abstraction Layer”=“KHALMNPR.EXE” “Kernel and Hardware Abstraction Layer”=“KHALMNPR.EXE” “NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” “QuickTime Task”="“C:\Program Files\QuickTime\qttask.exe” -atboottime" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa Authentication Packages msv1_0\0\0 Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0 Notification Packages scecli\0\0 HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WdfLoadGroup [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter HTTPFilter\0\0 LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService DnsCache\0\0 DcomLaunch DcomLaunch\0TermService\0\0 rpcss RpcSs\0\0 imgsvc StiSvc\0\0 termsvcs TermService\0\0 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost ******************************************************************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2007-05-12 23:37:29 Windows 5.1.2600 Dodatek Service Pack 2 NTFS scanning hidden processes … scanning hidden services … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 ******************************************************************** Completion time: 2007-05-12 23:38:06 - machine was rebooted C:\ComboFix-quarantined-files.txt … 2007-05-12 23:38
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “ctfmon.exe” = “C:\WINDOWS\system32\ctfmon.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “avast!” = “C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [“ALWIL Software”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS] “MBM 5” = ““C:\Program Files\Motherboard Monitor 5\MBM5.EXE”” [“Alex van Kaam”] “Logitech Hardware Abstraction Layer” = “KHALMNPR.EXE” [“Logitech Inc.”] “Kernel and Hardware Abstraction Layer” = “KHALMNPR.EXE” [“Logitech Inc.”] “NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”] “QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{472083B0-C522-11CF-8763-00608CC02F24}” = “avast” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{19F500E0-9964-11cf-B63D-08002B317C03}” = “Desktop Icon Layout” -> {HKLM…CLSID} = “Desktop Icon Layout” \InProcServer32(Default) = “Layout.dll” [“Microsoft”] “{6DEA92E9-8682-4b6a-97DE-354772FE5727}” = “Autodesk DWF Preview” -> {HKLM…CLSID} = “ACDWFTHMBPRXY” \InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\AcDwfThmbPrxy16.dll” [“Autodesk”] “{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player” -> {HKLM…CLSID} = “RealOne Player Context Menu Class” \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”] “{B9B9F083-2B04-452A-8691-83694AC1037B}” = “Logitech Setpoint Extension” -> {HKLM…CLSID} = “LogiExt Class” \InProcServer32(Default) = “C:\Program Files\Logitech\SetPoint\mcplext.dll” [“Logitech Inc.”] “{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}” = “Logitech Setpoint Extension” -> {HKLM…CLSID} = “KbLogiExt Class” \InProcServer32(Default) = “C:\Program Files\Logitech\SetPoint\kbcplext.dll” [“Logitech Inc.”] HKLM\System\CurrentControlSet\Control\Session Manager\ <> “BootExecute” = “autocheck autochk *”|“oodbs” [“O&O Software GmbH”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}” -> {HKLM…CLSID} = “avast” \InProcServer32(Default) = “C:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”] IconLayout(Default) = “{19F500E0-9964-11cf-B63D-08002B317C03}” -> {HKLM…CLSID} = “Desktop Icon Layout” \InProcServer32(Default) = “Layout.dll” [“Microsoft”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Default executables: -------------------- HKLM\Software\Classes.scr(Default) = “*g” (unwritable string) HKLM\Software\Classes*g\shell\open\command (unwritable string)\ = (key not found) HKLM\Software\Classes*g (unwritable string)\ = (key not found) Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Startup items in “wspolne” & “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\wspolne\Menu Start\Programy\Autostart “Adobe Gamma” -> shortcut to: “C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe” [“Adobe Systems, Inc.”] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Logitech SetPoint” -> shortcut to: “C:\Program Files\Logitech\SetPoint\SetPoint.exe” [“Logitech Inc.”] “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] “Skrót do gapa.exe” -> shortcut to: “C:\Program Files\gapa.exe” [“Tomasz Porosiński”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\NetLimiter\nl_lsp.dll [null data], 01 - 05, 17 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_05” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Autodesk Licensing Service, Autodesk Licensing Service, ““C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe”” [“Autodesk”] avast! Antivirus, avast! Antivirus, ““C:\Program Files\Alwil Software\Avast4\ashServ.exe”” [“ALWIL Software”] avast! iAVS4 Control Service, aswUpdSv, ““C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [“ALWIL Software”] avast! Mail Scanner, avast! Mail Scanner, ““C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe” /service” [“ALWIL Software”] avast! Web Scanner, avast! Web Scanner, ““C:\Program Files\Alwil Software\Avast4\ashWebSv.exe” /service” [“ALWIL Software”] DCPFLICS, DCPFLICS, “C:\Program Files\DCPFLICS\DCPFLICS.exe” [null data] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”] O&O Defrag, O&O Defrag, “C:\WINDOWS\system32\oodag.exe” [“O&O Software GmbH”] ScsiAccess, ScsiAccess, “C:\Program Files\ProShowGold\ScsiAccess.exe” [null data] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 59 seconds. ---------- (total run time: 114 seconds)
Gutek
(Gutek)
12 Maj 2007 21:58
#4
Jest Ok, ale wklej do notatnika:
Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT.scr] @=“scrfile” [HKEY_CLASSES_ROOT.scr\OpenWithList] [HKEY_CLASSES_ROOT.scr\OpenWithProgIds] [HKEY_CLASSES_ROOT\scrfile] @=“Screen Saver” [HKEY_CLASSES_ROOT\scrfile\shell] [HKEY_CLASSES_ROOT\scrfile\shell\config] @=“C&onfigure” [HKEY_CLASSES_ROOT\scrfile\shell\config\command] @=""%1"" [HKEY_CLASSES_ROOT\scrfile\shell\install] @="&Install" [HKEY_CLASSES_ROOT\scrfile\shell\install\command] @=“rundll32.exe desk.cpl,InstallScreenSaver %l” [HKEY_CLASSES_ROOT\scrfile\shell\open] @=“T&est” [HKEY_CLASSES_ROOT\scrfile\shell\open\command] @=""%1" /S" [HKEY_CLASSES_ROOT\scrfile\shellex] [HKEY_CLASSES_ROOT\scrfile\shellex\ContextMenuHandlers] [HKEY_CLASSES_ROOT\scrfile\shellex\DropHandler] @="{86C86720-42A0-1069-A2E8-08002B30309D}"
Plik >>> Zapisz jako >>> Ustaw rozszerzenie z TXT na Wszystkie pliki >>> zapisz pod nazwą FIX.REG >>> kliknij podwójnie zrobiony plik i potwierdź >>> reset kompa
gramik
(Mgracz)
12 Maj 2007 22:22
#5
Dzięki za sprawdzenie logów.
Zrobiłem jak napisałeś. Komp startuje się znacznie szybciej, wiec zawsze to jakieś pocieszenie. Na razie wirus nie daje o sobie znać, ale moi kochani admini zablokowali mi port 25, więc pewnie dla tego jest spokój. Ehh, póki co poczty sobie nie powysyłam
Jak masz jeszcze jakis pomysł co mógłbym zrobić to wal śmiało
Jeszcze raz THX.