Mam problem z komputerem, sporo plików przenoszę z pracy na swojego laptopa na penie. Dostałem teraz informację, że współpracownikom po podłączeniu przenośnych dysków pojawia się informacja o blokowaniu "copy.exe". Zapuściłem u siebie Combofixa i znalazło mi jeden plik, log daje poniżej. Dodatkowo nie mogę zmienić ustawień na pokazywanie ukrytych plików oraz przy próbie dostania się na dysk nie wie czym otworzyć - dostać się mogę dopiero przez "eksploruj" (teraz sprawdziłem, Combofix chyba ten problem usunął). Bardzo proszę o pomoc i przejrzenie logów:
ComboFix:
- Kod: Zaznacz wszystko
ComboFix 09-02-12.03 - Służbowy 2009-02-13 20:25:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.1015.590 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Służbowy\Pulpit\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090212-0] *On-access scanning disabled* (Updated)
* Utworzono nowy punkt przywracania
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Autorun.inf
.
((((((((((((((((((((((((( Pliki utworzone od 2009-01-13 do 2009-02-13 )))))))))))))))))))))))))))))))
.
2009-02-13 19:37 . 2009-02-13 19:37 <DIR> d-------- c:\program files\Trend Micro
2009-02-13 19:30 . 2009-02-13 19:30 <DIR> d-------- C:\!KillBox
2009-02-06 00:40 . 2009-02-06 00:40 <DIR> d-------- c:\documents and settings\Służbowy\Dane aplikacji\Black Sea Studios
2009-01-27 13:36 . 2004-08-03 23:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-01-27 13:36 . 2004-08-03 23:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-01-18 20:03 . 2009-01-18 20:02 410,984 --a------ c:\windows\system32\deploytk.dll
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-11 23:02 --------- d-----w c:\documents and settings\All Users\Dane aplikacji\Microsoft Help
2009-02-07 11:05 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll
2009-01-18 19:02 --------- d-----w c:\program files\Java
2008-12-27 20:04 --------- d-----w c:\program files\directx
2008-12-21 11:49 --------- d-----w c:\program files\World of Warcraft
2008-12-20 23:03 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-16 21:00 --------- d-----w c:\program files\VDMSound
2008-12-02 21:16 697,025 ----a-w c:\windows\system32\unins000.exe
2008-12-02 20:49 921,600 ----a-w c:\windows\system32\vorbisenc.dll
2008-12-02 20:49 9,216 ----a-w c:\windows\system32\cpuinf32.dll
2008-12-02 20:49 892,928 ----a-w c:\windows\system32\iconv.dll
2008-12-02 20:49 45,056 ----a-w c:\windows\system32\ogg.dll
2008-12-02 20:49 245,760 ----a-w c:\windows\system32\mplvpx.dll
2008-12-02 20:49 237,568 ----a-w c:\windows\system32\OggDS.dll
2008-12-02 20:49 188,416 ----a-w c:\windows\system32\vorbis.dll
2008-12-02 20:49 1,415,680 ----a-w c:\windows\system32\WMV9VCM.dll
2008-05-28 12:22 32,768 --sha-w c:\windows\system32\config\systemprofile\Ustawienia lokalne\Historia\History.IE5\MSHist012008052820080529\index.dat
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2006-03-02 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-07 827392]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-05-11 472632]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-10-03 178712]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2005-12-20 1187840]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-09 806912]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-10-09 697976]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-02-26 177456]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 137752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-18 136600]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]
c:\documents and settings\All Users\Menu Start\Programy\Autostart\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
GlobeTrotter Connect.lnk - c:\program files\ERA\GlobeTrotter Connect\GlobeTrotter Connect.exe [2008-01-10 782336]
Watch.lnk - c:\windows\twain_32\S6U12BX\WATCH.exe [2008-11-24 356352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\All Users\\Dane aplikacji\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\Polish\\setup.exe"=
"c:\\Program Files\\Java\\jre1.6.0_06\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Służbowy\\Pulpit\\Prywatne\\UT\\Unreal Tournament\\System\\UnrealTournament.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\Program Files\\Gadu-Gadu\\gg.exe"=
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-10-16 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-10-16 20560]
R2 GtDetectSc;GtDetectSc;c:\program files\ERA\GlobeTrotter Connect\GtDetectSc.exe [2007-11-05 204915]
R2 NwSapAgent;Agent SAP;c:\windows\system32\svchost.exe -k netsvcs [2006-03-02 14336]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-10 193840]
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\drivers\Gt51Ip.sys [2007-07-09 95744]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\drivers\gt72ubus.sys [2007-06-26 51968]
S3 GTPTSER;GT PT SER;c:\windows\system32\drivers\gtptser.sys [2007-03-30 8064]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{88851a75-ca96-11dd-84f8-00210004e54e}]
\Shell\AutoRun\command - f:\pd\PrvDisk.exe /voyager /minimize /path:image.dpd /symbol:Z /RD
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8a30c6fc-2ce9-11dd-8426-00210004e54e}]
\Shell\AutoRun\command - E:\setup.exe AUTORUN=1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6aae4a6-087e-11dd-8423-806d6172696f}]
\Shell\AutoRun\command - 1utbfd.bat
\Shell\open\Command - 1utbfd.bat
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
HKCU-Run-EdHTML - c:\program files\Binboy\EdHTMLv5.0\EdHTML.exe
HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe
HKLM-Run-Gtwatch - c:\windows\gtwatch.exe
.
------- Skan uzupełniający -------
.
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Służbowy\Dane aplikacji\Mozilla\Firefox\Profiles\xydqkc92.default\
FF - component: c:\documents and settings\Służbowy\Dane aplikacji\Mozilla\Firefox\Profiles\xydqkc92.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-13 20:26:33
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
skanowanie ukrytych procesów ...
skanowanie ukrytych wpisów autostartu ...
skanowanie ukrytych plików ...
skanowanie pomyślnie ukończone
ukryte pliki: 0
**************************************************************************
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
- - - - - - - > 'winlogon.exe'(856)
c:\windows\system32\igfxdev.dll
.
Czas ukończenia: 2009-02-13 20:27:57
ComboFix-quarantined-files.txt 2009-02-13 19:27:30
Przed: 5 036 658 688 bajtów wolnych
Po: 7,326,195,712 bajtów wolnych
WindowsXP-KB310994-SP2-Home-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
139 --- E O F --- 2009-02-11 23:03:50
HiJack:
- Kod: Zaznacz wszystko
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:42, on 2009-02-13
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\ERA\GlobeTrotter Connect\GlobeTrotter Connect.exe
C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
C:\Program Files\ERA\GlobeTrotter Connect\GtDetectSc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: GlobeTrotter Connect.lnk = C:\Program Files\ERA\GlobeTrotter Connect\GlobeTrotter Connect.exe
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\S6U12BX\WATCH.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GtDetectSc - Option - C:\Program Files\ERA\GlobeTrotter Connect\GtDetectSc.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
--
End of file - 6942 bytes
Wielkie dzięki.
