22.07.2008, 16:09
Witam, to mój pierwszy post na tym forum. Mam nadzieję że wszystko ok robię pisząc temat 
Jak już wyjaśnił temat, mój komputer jest zainfekowany czymś co Avira AntiVir (darmowa wersja, zaktualizowana) wykrywa jako TR/Crypt.XPACK.Gen . Program nie jest w stanie wrzucić tego czegoś do kwarantanny, ani usunąć, a trojan znajduje się w w pliku C:WINDOWSsystem32ntbios.dll . Próbowałem go usunąć zarówno w trybie zwykłym, jak i awaryjnym - nic to nie dało, wyskakuje okienko o "odmowie dostępu". Avira szaleje gdy tylko widzi folder system32.
Log z programu HijackThis :
Log z programu Silent Runners :
Próbowalem też usunąć ten plik za pomocą ComboFix, przeciągałem ikonkę z plikiem tekstowym o treści :
ComboFix nie rozpoznaje tego pliku.
ps : zaraz wrzucę log combofixa
edit : w załączniku dodałem raport
Jak już wyjaśnił temat, mój komputer jest zainfekowany czymś co Avira AntiVir (darmowa wersja, zaktualizowana) wykrywa jako TR/Crypt.XPACK.Gen . Program nie jest w stanie wrzucić tego czegoś do kwarantanny, ani usunąć, a trojan znajduje się w w pliku C:WINDOWSsystem32ntbios.dll . Próbowałem go usunąć zarówno w trybie zwykłym, jak i awaryjnym - nic to nie dało, wyskakuje okienko o "odmowie dostępu". Avira szaleje gdy tylko widzi folder system32.
Log z programu HijackThis :
Kod:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:36:39, on 2008-07-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesLavasoftAd-Awareaawservice.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesAviraAntiVir PersonalEdition Classicsched.exe
C:Program FilesAviraAntiVir PersonalEdition Classicavguard.exe
C:Program FilesCOMODOFirewallcmdagent.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSsystem32RUNDLL32.EXE
C:Program FilesAviraAntiVir PersonalEdition Classicavgnt.exe
C:Program FilesScreenshotCaptorScreenshotCaptor.exe
C:WINDOWSsystem32ctfmon.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesWapSterWapSter AQQAQQ.exe
C:WINDOWSexplorer.exe
C:Program FilesCOMODOFirewallcfp.exe
C:Program FilesMozilla Firefoxfirefox.exe
C:Documents and SettingsDexPulpitHijackThis.exe
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.comodo.com/search/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCUSoftwareMicrosoftInternet ExplorerToolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:Program FilesAskSBarSrchAstt1.binA2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:Program FilesAskSBarSrchAstt1.binA2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:Program FilesFlashGetjccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_07binssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:Program FilesAskSBarbar1.binASKSBAR.DLL
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:Program FilesFlashGetgetflash.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:Program FilesAskSBarbar1.binASKSBAR.DLL
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [COMODO Firewall Pro] "C:Program FilesCOMODOFirewallcfp.exe" -h
O4 - HKLM..Run: [avgnt] "C:Program FilesAviraAntiVir PersonalEdition Classicavgnt.exe" /min
O4 - HKCU..Run: [Screenshot Captor] "C:Program FilesScreenshotCaptorScreenshotCaptor.exe" /autorun
O4 - HKCU..Run: [CTFMON.EXE] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [AQQ] C:PROGRA~1WapSterWAPSTE~1AQQ.exe
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ''USŁUGA LOKALNA'')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ''USŁUGA SIECIOWA'')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ''SYSTEM'')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSsystem32CTFMON.EXE (User ''Default user'')
O8 - Extra context menu item: &Ściągnij przy pomocy FlashGet''a - C:Program FilesFlashGetjc_link.htm
O8 - Extra context menu item: &Ściągnij wszystko przy pomocy FlashGet''a - C:Program FilesFlashGetjc_all.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:PROGRA~1MICROS~2OFFICE11EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra ''Tools'' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_07binssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:Program FilesFlashGetFlashGet.exe
O9 - Extra ''Tools'' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:Program FilesFlashGetFlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra ''Tools'' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:Program FilesLavasoftAd-Awareaawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:Program FilesAviraAntiVir PersonalEdition Classicsched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:Program FilesAviraAntiVir PersonalEdition Classicavguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:Program FilesCOMODOFirewallcmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:Program FilesGoogleCommonGoogle UpdaterGoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
--
End of file - 6044 bytesLog z programu Silent Runners :
Kod:
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"Screenshot Captor" = ""C:Program FilesScreenshotCaptorScreenshotCaptor.exe" /autorun" ["DonationCoder"]
"CTFMON.EXE" = "C:WINDOWSsystem32ctfmon.exe" [MS]
"AQQ" = "C:PROGRA~1WapSterWAPSTE~1AQQ.exe" [empty string]
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun {++}
"NvMediaCenter" = "RUNDLL32.EXE C:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit" [MS]
"NvCplDaemon" = "RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup" [MS]
"COMODO Firewall Pro" = ""C:Program FilesCOMODOFirewallcfp.exe" -h" ["COMODO"]
"avgnt" = ""C:Program FilesAviraAntiVir PersonalEdition Classicavgnt.exe" /min" ["Avira GmbH"]
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects
{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}(Default) = (no title provided)
-> {HKLM...CLSID} = "Ask Search Assistant BHO"
InProcServer32(Default) = "C:Program FilesAskSBarSrchAstt1.binA2SRCHAS.DLL" ["Ask.com"]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
InProcServer32(Default) = "C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = "flashget urlcatch"
-> {HKLM...CLSID} = "FGCatchUrl"
InProcServer32(Default) = "C:Program FilesFlashGetjccatch.dll" ["www.flashget.com"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
InProcServer32(Default) = "C:Program FilesJavajre1.6.0_07binssv.dll" ["Sun Microsystems, Inc."]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}(Default) = (no title provided)
-> {HKLM...CLSID} = "Ask Toolbar BHO"
InProcServer32(Default) = "C:Program FilesAskSBarbar1.binASKSBAR.DLL" ["Ask.com"]
{F156768E-81EF-470C-9057-481BA8380DBA}(Default) = (no title provided)
-> {HKLM...CLSID} = "FlashGet GetFlash Class"
InProcServer32(Default) = "C:Program FilesFlashGetgetflash.dll" ["www.flashget.com"]
HKLMSOFTWAREMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSsystem32hticons.dll" ["Hilgraeve, Inc."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
InProcServer32(Default) = "C:Program FilesAviraAntiVir PersonalEdition Classicshlext.dll" ["Avira GmbH"]
"{10677009-C23C-4FC2-A62C-29323A2201F0}" = "AQQ File Transfer Shell Extension"
-> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
InProcServer32(Default) = "C:PROGRA~1WapSterWAPSTE~1SystemAQQSHE~1.DLL" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesMicrosoft OfficeOFFICE11msohev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {HKLM...CLSID} = "NVIDIA CPL Extension"
InProcServer32(Default) = "C:WINDOWSsystem32nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
InProcServer32(Default) = "C:WINDOWSsystem32nvshell.dll" ["NVIDIA Corporation"]
HKLMSOFTWAREMicrosoftWindowsCurrentVersionShellServiceObjectDelayLoad
"IconPackager Repair" = "{1799460C-0BC8-4865-B9DF-4A36CD703FF0}"
-> {HKLM...CLSID} = "IPShellInstantiator Class"
InProcServer32(Default) = "C:Program FilesStardockObject DesktopIconPackageriprepair.dll" ["Stardock.net, Inc"]
HKLMSYSTEMCurrentControlSetControlSession Manager
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]
HKLMSOFTWAREClassesPROTOCOLSFilter
<<!>> text/xmlCLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesCommon FilesMicrosoft SharedOFFICE11MSOXMLMF.DLL" [MS]
HKLMSOFTWAREClassesFoldershellexColumnHandlers
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
InProcServer32(Default) = "C:Program FilesCommon FilesAdobeAcrobatActiveXPDFShell.dll" ["Adobe Systems, Inc."]
HKLMSOFTWAREClasses*shellexContextMenuHandlers
AQQFileTransfer(Default) = "{10677009-C23C-4FC2-A62C-29323A2201F0}"
-> {HKLM...CLSID} = "AQQ File Transfer Shell Extension"
InProcServer32(Default) = "C:PROGRA~1WapSterWAPSTE~1SystemAQQSHE~1.DLL" [null data]
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
InProcServer32(Default) = "C:Program FilesAviraAntiVir PersonalEdition Classicshlext.dll" ["Avira GmbH"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
HKLMSOFTWAREClassesDirectoryshellexContextMenuHandlers
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
HKLMSOFTWAREClassesFoldershellexContextMenuHandlers
Shell Extension for Malware scanning(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
InProcServer32(Default) = "C:Program FilesAviraAntiVir PersonalEdition Classicshlext.dll" ["Avira GmbH"]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "C:Program FilesWinRARrarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesExplorer
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"disableregistrytools" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
HKCUSoftwarePoliciesMicrosoftWindowsSystem
"DisableCMD" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|System|
Disable the command prompt}
HKLMSOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:WINDOWSsystem32configsystemprofileUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCUControl PanelDesktop
"Wallpaper" = "C:Documents and SettingsDexUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCUControl PanelDesktop
"SCRNSAVE.EXE" = "C:WINDOWSsystem32logon.scr" [MS]
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorerAutoplayHandlersHandlers
ASHAshampoo_Burning_Studio_6_FREEBURNONARRIVAL
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-burn"
HKLMSOFTWAREClassesAshampoo.BurningStudio6FREEshellautoplay-burnCommand(Default) = ""C:Program FilesAshampooAshampoo Burning Studio 6burningstudio.exe" -autoplay -selectdrive "%l"" ["ashampoo Technology GmbH & Co. KG"]
ASHAshampoo_Burning_Studio_6_FREECOPYONARRIVAL
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-copy"
HKLMSOFTWAREClassesAshampoo.BurningStudio6FREEshellautoplay-copyCommand(Default) = "C:Program FilesAshampooAshampoo Burning Studio 6burningstudio.exe" -autoplay -selectdrive "%l" -copy" [file not found]
ASHAshampoo_Burning_Studio_6_FREERIPONARRIVAL
"Provider" = "Ashampoo Burning Studio 6 FREE"
"InvokeProgID" = "Ashampoo.BurningStudio6FREE"
"InvokeVerb" = "autoplay-rip"
HKLMSOFTWAREClassesAshampoo.BurningStudio6FREEshellautoplay-ripCommand(Default) = ""C:Program FilesAshampooAshampoo Burning Studio 6burningstudio.exe" -autoplay -selectdrive "%l" -rip" ["ashampoo Technology GmbH & Co. KG"]
Picasa2ImportPicturesOnArrival
"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLMSOFTWAREClassespicasa2.autoplayshellimportcommand(Default) = "C:Program FilesPicasa2Picasa2.exe "%1"" ["Google Inc."]
WinampMTPHandler
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "C:Program FilesWinampwinamp.exe"
HKLMSOFTWAREClassesShell.HWEventHandlerShellExecuteCLSID(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
LocalServer32(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
WinampPlayMediaOnArrival
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLMSOFTWAREClassesWinamp.FileshellPlaycommand(Default) = ""C:Program FilesWinampwinamp.exe" "%1"" ["Nullsoft"]
HKLMSOFTWAREClassesWinamp.FileshellPlayDropTargetCLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
LocalServer32(Default) = ""C:Program FilesWinampwinamp.exe"" ["Nullsoft"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
Transport Service Providers
HKLMSYSTEMCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%system32mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%system32rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCUSoftwareMicrosoftInternet ExplorerToolbarWebBrowser
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"
-> {HKLM...CLSID} = "Ask Toolbar"
InProcServer32(Default) = "C:Program FilesAskSBarbar1.binASKSBAR.DLL" ["Ask.com"]
HKLMSOFTWAREMicrosoftInternet ExplorerToolbar
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
-> {HKLM...CLSID} = "Ask Toolbar"
InProcServer32(Default) = "C:Program FilesAskSBarbar1.binASKSBAR.DLL" ["Ask.com"]
Explorer Bars
HKLMSOFTWAREMicrosoftInternet ExplorerExplorer Bars
HKLMSOFTWAREClassesCLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = "&Badanie"
Implemented Categories{00021493-0000-0000-C000-000000000046} [vertical bar]
InProcServer32(Default) = "C:PROGRA~1MICROS~2OFFICE11REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLMSOFTWAREMicrosoftInternet ExplorerExtensions
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
InProcServer32(Default) = "C:Program FilesJavajre1.6.0_07binssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
InProcServer32(Default) = "C:Program FilesJavajre1.6.0_07binnpjpi160_07.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}
"ButtonText" = "Badanie"
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:Program FilesFlashGetFlashGet.exe" ["FlashGet.com"]
{FB5F1910-F110-11D2-BB9E-00C04F795683}
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:Program FilesMessengermsmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKCUSoftwareMicrosoftInternet ExplorerURLSearchHooks
<<H>> "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
InProcServer32(Default) = "C:Program FilesAskSBarSrchAstt1.binA2SRCHAS.DLL" ["Ask.com"]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Avira AntiVir Personal – Free Antivirus Guard, AntiVirService, ""C:Program FilesAviraAntiVir PersonalEdition Classicavguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal – Free Antivirus Scheduler, AntiVirScheduler, ""C:Program FilesAviraAntiVir PersonalEdition Classicsched.exe"" ["Avira GmbH"]
COMODO Firewall Pro Helper Service, cmdAgent, ""C:Program FilesCOMODOFirewallcmdagent.exe"" ["COMODO"]
Lavasoft Ad-Aware Service, aawservice, ""C:Program FilesLavasoftAd-Awareaawservice.exe"" ["Lavasoft"]
NVIDIA Display Driver Service, NVSvc, "C:WINDOWSsystem32nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:WINDOWSsystem32wdfmgr.exe" [MS]
Print Monitors:
---------------
HKLMSYSTEMCurrentControlSetControlPrintMonitors
hpzsnt09Driver = "hpzsnt09.dll" ["HP"]
Microsoft Document Imaging Writer MonitorDriver = "mdimon.dll" [MS]
---------- (launch time: 2008-07-22 16:33:32)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 210 seconds.,
---------- (total run time: 373 seconds)Próbowalem też usunąć ten plik za pomocą ComboFix, przeciągałem ikonkę z plikiem tekstowym o treści :
Kod:
File ::
C:WINDOWSsystem32ntbios.dllComboFix nie rozpoznaje tego pliku.
ps : zaraz wrzucę log combofixa
edit : w załączniku dodałem raport