
I have a strange problem: when I plug in a portable drive, a "My Documents" window opens, and when I right-click the drive icon, instead of "Open" I get some question marks.
I ran scans with SDFix, HijackThis and ComboFix. On a friend's advice I also used mbr to check whether something is sitting in the master boot record - nothing is.
Could someone take a look? Thanks in advance. One more thing: the computer belongs to a friend who has no network connection. I suspect pen drives or the external disk.
SDFix
SDFix: Version 1.206
Run by AMD on 08-07-20 at 15:20
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Checking Services:
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files:
No Trojan Files Found
Removing Temp Files
ADS Check:
Final Check:
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 15:23:41
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000040
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Twain]
"y\1r?ó?d?B\1o? ?d?o?m?y?[\1l?n?e?"="C:\SUPERXP\Twain_32\CNQ8400\CISDS.ds"
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Gigabyte\\BIOS\\gwf32.exe"="C:\\Program Files\\Gigabyte\\BIOS\\gwf32.exe:*:Enabled:gwflash"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
Files with Hidden Attributes:
Sun 7 May 2006 56 ..SHR --- "C:\SUPERXP\system32\E3EE169A5F.sys"
Sun 7 May 2006 1,682 A.SH. --- "C:\SUPERXP\system32\KGyGaAvL.sys"
Sat 18 Mar 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 28 May 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv12.bak"
Sat 18 Mar 2006 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv17.bak"
Finished!
Combofix
ComboFix 08-07-18.5 - AMD 2008-07-20 16:12:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.178 [GMT 2:00]
Running from: C:\Naprawa\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
G:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.
2008-07-20 16:08 . 2008-07-20 16:08 <DIR> d-------- C:\Program Files\Odkurzacz
2008-07-20 15:30 . 2008-07-20 15:30 <DIR> d-------- C:\Documents and Settings\AMD\Dane aplikacji\Grisoft
2008-07-20 15:30 . 2008-07-20 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Grisoft
2008-07-20 15:30 . 2007-05-30 14:10 10,872 --a------ C:\SUPERXP\system32\drivers\AvgAsCln.sys
2008-07-20 15:29 . 2008-07-20 15:29 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Installations
2008-07-20 15:18 . 2008-07-20 15:18 <DIR> d-------- C:\SUPERXP\ERUNT
2008-07-20 15:16 . 2008-07-20 15:24 <DIR> d-------- C:\SDFix
2008-07-20 15:15 . 2008-07-20 15:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-20 14:50 . 2008-07-20 16:11 <DIR> d-------- C:\Naprawa
2008-06-29 13:24 . 2008-06-29 13:24 <DIR> d-------- C:\Nowy folder(3)
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 07:49 --------- d-----w C:\Documents and Settings\AMD\Dane aplikacji\foobar2000
2008-07-15 16:51 --------- d-----w C:\Documents and Settings\AMD\Dane aplikacji\Canon
2008-07-13 18:41 --------- d-----w C:\Documents and Settings\AMD\Dane aplikacji\NeroDCTemplates
2008-06-29 15:57 --------- d-----w C:\Program Files\Było Sobie Życie
2008-05-31 20:11 --------- d-----w C:\Program Files\illiminable
2004-10-01 14:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
2006-05-07 16:07 56 --sh--r C:\SUPERXP\system32\E3EE169A5F.sys
2006-05-07 16:07 1,682 --sha-w C:\SUPERXP\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2008-07-20_15.13.53.96 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-17 10:57:07 163,328 ----a-w C:\SUPERXP\ERUNT\SDFIX\ERDNT.EXE
+ 2008-07-20 13:18:39 12,812,288 ----a-w C:\SUPERXP\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-07-20 13:18:39 8,192 ----a-w C:\SUPERXP\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-07-17 10:57:07 163,328 ----a-w C:\SUPERXP\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-07-20 13:18:38 12,812,288 ----a-w C:\SUPERXP\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-07-20 13:18:38 8,192 ----a-w C:\SUPERXP\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-07-20 13:29:43 16,384 ----atw C:\SUPERXP\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:55 1667584]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 19:25 1961984]
"Odkurzacz-MCD"="C:\Program Files\Odkurzacz\odk_mcd.exe" [2008-03-03 14:44 266240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2005-09-22 01:55 57344]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-08 16:25 1397760]
"NeroFilterCheck"="C:\SUPERXP\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"IMJPMIG8.1"="C:\SUPERXP\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\SUPERXP\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\SUPERXP\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-07-19 16:38 78008]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 11:25 6731312]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 11:09 77824 C:\SUPERXP\SOUNDMAN.EXE]
C:\Documents and Settings\AMD\Menu Start\Programy\Autostart\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-11 21:41:39 113664]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
ATI CATALYST - pasek zadań.lnk - C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe [2005-09-22 01:55:04 57344]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Gigabyte\\BIOS\\gwf32.exe"=
R1 aswSP;avast! Self Protection;C:\SUPERXP\system32\drivers\aswSP.sys [2008-07-19 16:35]
R1 oreans32;oreans32;C:\SUPERXP\system32\drivers\oreans32.sys [2006-12-08 16:29]
R2 aswFsBlk;aswFsBlk;C:\SUPERXP\system32\DRIVERS\aswFsBlk.sys [2008-07-19 16:37]
S2 WinMgct;Windows Management Controllor;C:\SUPERXP\system32\WinMgCt.exe []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1928feb5-bc24-11da-b61b-001485b327e7}]
\Shell\Auto\command - UFO.exe
\Shell\AutoRun\command - C:\SUPERXP\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL UFO.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a513a1f-28b0-11dc-bccd-001485b327e7}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4cd5474b-b6a9-11da-b60e-001485b327e7}]
\Shell\AutoRun\command - G:\EXPLORER.EXE
\Shell\explore\Command - G:\EXPLORER.EXE
\Shell\open\Command - G:\EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d4d57e1-21b7-11dd-8069-001485b327e7}]
\Shell\AutoRun\command - C:\SUPERXP\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(&0)\command - Recycled\ctfmon.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d4d57e2-21b7-11dd-8069-001485b327e7}]
\Shell\AutoRun\command - G:\USBNB.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6de399b8-9606-11dc-be40-001485b327e7}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{91cdf938-6391-11dc-bd7d-001485b327e7}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a49f4b26-b188-11dc-bebd-001485b327e7}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e32b677e-c076-11dc-beec-001485b327e7}]
\Shell\AutoRun\command - F:\EXPLORER.EXE
\Shell\explore\Command - F:\EXPLORER.EXE
\Shell\open\Command - F:\EXPLORER.EXE
*Newly Created Service* - AVG_ANTI-SPYWARE_DRIVER
*Newly Created Service* - AVG_ANTI-SPYWARE_GUARD
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 16:13:59
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-20 16:15:10
ComboFix-quarantined-files.txt 2008-07-20 14:15:03
ComboFix2.txt 2008-07-20 13:14:38
Pre-Run: 23,357,661,184 bajtów wolnych
Post-Run: 23,348,854,784 bajtów wolnych
127
HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11, on 08-07-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\SUPERXP\System32\smss.exe
C:\SUPERXP\system32\winlogon.exe
C:\SUPERXP\system32\services.exe
C:\SUPERXP\system32\lsass.exe
C:\SUPERXP\system32\Ati2evxx.exe
C:\SUPERXP\system32\svchost.exe
C:\SUPERXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\SUPERXP\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\SUPERXP\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\SUPERXP\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\SUPERXP\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\SUPERXP\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\SUPERXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\SUPERXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\SUPERXP\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\SUPERXP\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Odkurzacz-MCD] C:\Program Files\Odkurzacz\odk_mcd.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST – pasek zadań.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=www.google.pl
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1CB6278-D68F-4119-AEAA-0D26FF01E3A1}: NameServer = 194.204.152.34,194.204.159.1
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\SUPERXP\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\SUPERXP\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Windows Management Controllor (WinMgct) - Unknown owner - C:\SUPERXP\system32\WinMgCt.exe (file missing)
--
End of file - 5780 bytes