When I plug a USB flash drive into the computer, the files autostart.ini and WSC.exe
appear on it; in addition, a wsc.exe process is active in the system the whole time,
and it likes to connect to the internet and open lots of ports.
Logic suggests this is yet another incarnation of some clever worm, except that
no antivirus program (I have McAfee), nor Windows Defender, nor any online
scanner says it is a virus. Do you know what to do about it?
The operating system is Windows 7.
Regards,
k.a.
Combofix
--
M. [Windows Desktop Experience MVP]
/when replying privately, change px to pl/
https://mvp.support.microsoft.com/profile/Michal.Kawecki
ComboFix 10-02-27.04 - karolaug 2010-02-28 14:00:28.1.2 - x86
Microsoft Windows 7 Starter 6.1.7600.0.1250.48.1033.18.1014.281 [GMT 1:00]
Uruchomiony z: c:\users\karolaug\Downloads\ComboFix.exe
* Rezydentny antywirus jest aktywny
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-180062270-2823823758-3174352558-500
c:\$recycle.bin\S-1-5-21-3466144863-901731986-1422160646-500
c:\program files\temp
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
c:\users\karolaug\AppData\Roaming\Microsoft\WSC.exe
.
((((((((((((((((((((((((( Pliki utworzone od 2010-01-28 do 2010-02-28 )))))))))))))))))))))))))))))))
.
2010-02-28 13:29 . 2010-02-28 13:32 -------- d-----w- c:\users\karolaug\AppData\Local\temp
2010-02-28 13:29 . 2010-02-28 13:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-02-28 12:53 . 2010-02-28 12:55 -------- d-----w- C:\32788R22FWJFW
2010-02-27 17:33 . 2009-12-13 09:30 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-02-27 17:33 . 2009-12-13 09:30 465408 ----a-w- c:\windows\system32\psisdecd.dll
2010-02-27 17:33 . 2010-02-02 07:45 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-27 16:30 . 2010-02-27 16:31 -------- d-----w- c:\program files\Gadu-Gadu 10
2010-02-25 01:58 . 2010-02-24 08:16 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 12:15 . 2010-02-24 12:15 -------- d-----w- c:\users\karolaug\AppData\Roaming\ipla
2010-02-24 12:15 . 2010-02-24 12:15 -------- d-----w- c:\programdata\ipla
2010-02-24 12:14 . 2010-02-24 12:14 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-02-24 12:14 . 2010-02-24 12:14 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-02-24 12:13 . 2010-02-24 12:13 -------- d-----w- c:\programdata\Gadu-Gadu 10
2010-02-24 12:12 . 2010-02-24 12:12 -------- d-----w- c:\users\karolaug\AppData\Roaming\Gadu-Gadu 10
2010-02-22 19:54 . 2010-02-22 19:58 -------- d-----w- c:\users\karolaug\AppData\Roaming\DeepBurner
2010-02-21 14:32 . 2010-02-21 14:32 -------- d-----w- c:\users\karolaug\AppData\Local\Microsoft Help
2010-02-15 20:00 . 2010-01-18 23:29 365568 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-15 20:00 . 2010-01-18 23:29 369152 ----a-w- c:\windows\system32\secproc.dll
2010-02-15 20:00 . 2010-01-18 23:28 324608 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-15 20:00 . 2010-01-18 23:28 320512 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-15 20:00 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-15 20:00 . 2010-01-18 23:29 85504 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-15 20:00 . 2010-01-18 23:28 277504 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-15 20:00 . 2010-01-18 23:28 280064 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-08 17:45 . 2010-02-14 01:22 -------- d-----w- c:\users\karolaug\AppData\Local\Apple Computer
2010-02-08 17:45 . 2010-02-08 18:01 -------- d-----w- c:\users\karolaug\AppData\Roaming\Apple Computer
2010-02-08 17:44 . 2009-05-18 13:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-02-08 17:44 . 2008-04-17 12:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-02-08 17:42 . 2010-02-08 17:42 -------- d-----w- c:\program files\iPod
2010-02-08 17:42 . 2010-02-08 17:44 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-08 17:42 . 2010-02-08 17:44 -------- d-----w- c:\program files\iTunes
2010-02-08 13:49 . 2010-02-08 13:49 -------- d-----w- c:\program files\Bonjour
2010-02-08 13:46 . 2010-02-08 13:48 -------- d-----w- c:\program files\QuickTime
2010-02-08 13:46 . 2010-02-08 17:42 -------- d-----w- c:\programdata\Apple Computer
2010-02-08 13:46 . 2010-02-08 13:46 -------- d-----w- c:\users\karolaug\AppData\Local\Apple
2010-02-08 13:46 . 2010-02-08 13:46 -------- d-----w- c:\program files\Apple Software Update
2010-02-08 13:44 . 2010-02-08 13:44 -------- d-----w- c:\programdata\Apple
2010-02-08 13:44 . 2010-02-08 17:42 -------- d-----w- c:\program files\Common Files\Apple
2010-02-06 19:16 . 2009-12-19 09:02 977920 ----a-w- c:\windows\system32\wininet.dll
2010-02-06 19:16 . 2009-10-31 05:45 2614272 ----a-w- c:\windows\explorer.exe
2010-02-06 19:16 . 2009-10-28 06:17 285696 ----a-w- c:\windows\system32\winlogon.exe
2010-02-06 17:59 . 2008-09-26 17:04 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2010-02-06 17:59 . 2008-09-26 17:04 113152 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2010-02-06 17:59 . 2008-09-26 17:04 101760 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2010-02-06 17:59 . 2008-09-26 17:03 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2010-02-06 17:57 . 2010-02-06 18:02 -------- d-----w- c:\program files\PLAY ONLINE
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-28 13:17 . 2009-11-18 12:59 -------- d-----w- c:\users\karolaug\AppData\Roaming\Skype
2010-02-28 02:15 . 2009-11-19 10:41 -------- d-----w- c:\users\karolaug\AppData\Roaming\uTorrent
2010-02-24 12:12 . 2009-11-18 16:21 -------- d-----w- c:\program files\Nowe Gadu-Gadu
2010-02-24 07:11 . 2009-11-19 10:42 -------- d-----w- c:\program files\uTorrent
2010-02-19 09:10 . 2009-09-22 19:17 -------- d-----w- c:\program files\McAfee
2010-02-18 17:23 . 2009-09-22 19:32 -------- d-----w- c:\programdata\Microsoft Help
2010-02-15 19:51 . 2009-09-22 19:15 -------- d-----w- c:\program files\Sony
2010-02-15 19:50 . 2009-09-01 16:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-14 19:54 . 2009-11-19 10:50 -------- d-----w- c:\users\karolaug\AppData\Roaming\BESTplayer
2010-01-22 18:51 . 2010-01-22 18:51 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-21 21:45 . 2009-11-26 23:53 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-21 00:24 . 2010-01-21 00:24 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-20 12:05 . 2010-01-20 12:05 42088 ----a-w- c:\users\karolaug\AppData\Roaming\Gadu-Gadu 10\_userdata\ggbho.2.dll
2010-01-15 01:46 . 2009-09-22 19:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-08 03:18 . 2010-02-15 20:01 221184 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-01-08 03:17 . 2010-02-15 20:01 123392 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-12-19 09:02 . 2010-02-15 20:01 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2009-12-19 09:02 . 2010-02-15 20:01 1328640 ----a-w- c:\windows\system32\quartz.dll
2009-12-19 09:02 . 2010-02-15 20:01 22016 ----a-w- c:\windows\system32\msyuv.dll
2009-12-19 09:02 . 2010-02-15 20:01 31744 ----a-w- c:\windows\system32\msvidc32.dll
2009-12-19 09:02 . 2010-02-15 20:01 13312 ----a-w- c:\windows\system32\msrle32.dll
2009-12-19 09:02 . 2010-02-15 20:01 84480 ----a-w- c:\windows\system32\mciavi32.dll
2009-12-19 09:02 . 2010-02-15 20:01 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2009-12-19 09:02 . 2010-02-15 20:01 91648 ----a-w- c:\windows\system32\avifil32.dll
2009-12-08 11:40 . 2010-02-15 20:01 3955288 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 11:40 . 2010-02-15 20:01 3899464 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-12-08 11:32 . 2010-02-15 20:01 292864 ----a-w- c:\windows\system32\apphelp.dll
2009-12-08 08:05 . 2010-02-15 20:01 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-08 08:05 . 2010-02-15 20:01 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25626408]
"Google Update"="c:\users\karolaug\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-01-06 135664]
"Gadu-Gadu 10"="c:\program files\Gadu-Gadu 10\gg.exe" [2010-01-20 12067432]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-07-31 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-07-31 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-07-31 150552]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-07-02 7514656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-08-03 1545512]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2009-05-26 317288]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"MarketingTools"="c:\program files\Sony\Marketing Tools\MarketingTools.exe" [2009-09-22 26624]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"NortonOnlineBackup"="c:\program files\Symantec\Norton Online Backup\NOBuClient.exe" [2009-05-19 736600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2009-07-01 18:49 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\System32\drivers\vwififlt.sys [2009-07-14 48128]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [2007-04-18 11032]
R3 ArcSoftKsUFilter;ArcSoft Magic-I Visual Effect;c:\windows\System32\drivers\ArcSoftKsUFilter.sys [2009-09-22 17408]
R3 L1C;NDIS Miniport Driver for Atheros AR813x/AR815x PCI-E Ethernet Controller;c:\windows\System32\drivers\L1C62x86.sys [2009-11-13 58368]
R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [2009-09-01 9344]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2009-09-01 29472]
S3 fssfltr;fssfltr;c:\windows\System32\drivers\fssfltr.sys [2009-09-22 55264]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-09 533344]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc
.
Zawartość folderu 'Zaplanowane zadania'
2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3417356103-620111890-538560738-1000Core.job
- c:\users\karolaug\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-06 21:42]
2010-02-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3417356103-620111890-538560738-1000UA.job
- c:\users\karolaug\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-06 21:42]
2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-18 11:22]
2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-18 11:22]
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
TCP: {6FA357FA-8B1A-4B31-AAE3-30244EEFCD8F} = 195.114.161.61,195.114.161.130
.
- - - - USUNIĘTO PUSTE WPISY - - - -
HKCU-Run-WindowsSoundClient - c:\users\karolaug\AppData\Roaming\Microsoft\WSC.exe
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Czas ukończenia: 2010-02-28 14:41:15
ComboFix-quarantined-files.txt 2010-02-28 13:41
Przed: 52 143 955 968 bytes free
Po: 52 149 825 536 bytes free
- - End Of File - - 61CFE4C2BF721733980F5876737B0360
"Michal Kawecki" <kkw...@o2.px> wrote in message
news:qgwtoocm2sq0$.dlg@kwinto.prv...
> It seems to have worked.
>
> ComboFix 10-02-27.04 - karolaug 2010-02-28 14:00:28.1.2 - x86
> Microsoft Windows 7 Starter 6.1.7600.0.1250.48.1033.18.1014.281 [GMT 1:00]
> Uruchomiony z: c:\users\karolaug\Downloads\ComboFix.exe
> * Rezydentny antywirus jest aktywny
>
> .
>
> ((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
> .
>
> c:\$recycle.bin\S-1-5-21-180062270-2823823758-3174352558-500
> c:\$recycle.bin\S-1-5-21-3466144863-901731986-1422160646-500
> c:\program files\temp
> c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
> c:\users\karolaug\AppData\Roaming\Microsoft\WSC.exe
Absolutely. There should be no executable files at all in the folder
\users\...\AppData\Roaming\Microsoft\. The Bluetooth.lnk shortcut may have been
what launched the virus; it is strange that no antivirus detected it.
And now, quickly: install IE8, and update the system, Java, QuickTime and
Adobe Acrobat Reader. Though a far better idea would be to install the solid
and free Foxit PDF Reader instead of that perpetually leaky old nag. Finally,
install the free but very good Microsoft Security Essentials antivirus from
http://www.softpedia.com/get/Antivirus/Microsoft-Security-Essentials.shtml,
bearing in mind that only one antivirus should be active in the system
at a time.
If it is working for you now, then throw out at least half of the autostart
entries; why on earth does all of that have to launch at startup.
And do the rest as Michał wrote to you.
--
Piotr Palusiński [Microsoft MVP - Windows Desktop Experience]
https://mvp.support.microsoft.com/profile/Piotr.Palusinski
news://msnews.microsoft.com/microsoft.public.pl.windows
Never argue with a fool, because people might not notice the difference.
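The thread gives four concrete places to look for this kind of USB worm: files dropped on the removable drive (autostart.ini, WSC.exe), a Run entry pointing into the user profile (HKCU\...\Run\WindowsSoundClient), executables sitting directly in %APPDATA%\Microsoft, and a wsc.exe process holding many sockets. The following triage script is an added example written for this page; it is not ComboFix output and not code from either MVP. It assumes Windows 7 with an elevated PowerShell 2.0 or later session; the file names, registry location and process name come from the thread, while the match patterns and function names are the editor's own choices.

```powershell
# Added triage script for the symptoms described in this thread (not from the
# thread itself). Assumptions: Windows 7, elevated PowerShell 2.0+. Names
# WSC.exe / autostart.ini / %APPDATA%\Microsoft come from the thread; the
# patterns below are the editor's.

# 1. Autorun-style droppers at the root of removable drives (DriveType 2).
function Get-RemovableDriveDroppers {
    Get-WmiObject Win32_LogicalDisk -Filter "DriveType=2" | ForEach-Object {
        $root = $_.DeviceID + '\'
        Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.Name -match '^(autorun\.inf|autostart\.ini)$|\.(exe|scr|com|pif|vbs|lnk)$' } |
            Select-Object @{n='Drive'; e={ $root }}, Name, Length, LastWriteTime,
                          @{n='Hidden'; e={ ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 }}
    }
}

# 2. Run values whose command lives in a user-writable location instead of
#    Program Files / System32. Legitimate per-user updaters (GoogleUpdate in the
#    log above) will show up too; the list is for review, not auto-deletion.
function Get-UserProfileRunEntries {
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -eq $null) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $cmd = [string]$p.Value
            if ($cmd -match '(?i)\\AppData\\|\\Temp\\|\\ProgramData\\[^\\]+\.exe') {
                New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

# 3. Executables directly in %APPDATA%\Microsoft, where the reply says none
#    belong (the worm's WSC.exe was dropped exactly there).
function Get-ExecutablesInRoamingMicrosoft {
    $dir = Join-Path $env:APPDATA 'Microsoft'
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|scr|com|pif)$' } |
        Select-Object FullName, Length, LastWriteTime
}

# 4. Running instances of the suspect process and the sockets they own.
#    netstat -ano is used because Get-NetTCPConnection does not exist on Windows 7.
function Get-ProcessSockets {
    param([string]$ProcessName = 'wsc')
    $netstat = netstat -ano
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        $procId = $proc.Id
        # netstat lines end with the owning PID; anchor on it so 748 does not match 1748
        $lines = $netstat | Where-Object { $_ -match "\s$procId\s*$" } | ForEach-Object { $_.Trim() }
        New-Object PSObject -Property @{
            Pid         = $procId
            Path        = $proc.Path
            SocketCount = @($lines).Count
            Sockets     = $lines
        }
    }
}

Write-Host '== Removable drives: autorun / dropped files =='
Get-RemovableDriveDroppers | Format-Table -AutoSize
Write-Host '== Run entries launching from user-writable locations (review manually) =='
Get-UserProfileRunEntries | Format-Table Key, Name, Command -AutoSize
Write-Host '== Executables directly in %APPDATA%\Microsoft =='
Get-ExecutablesInRoamingMicrosoft | Format-Table -AutoSize
Write-Host '== wsc.exe processes and their sockets =='
Get-ProcessSockets -ProcessName 'wsc' | ForEach-Object {
    "PID {0} {1}: {2} socket(s)" -f $_.Pid, $_.Path, $_.SocketCount
    $_.Sockets
}
```

Run it before and after cleanup: the first pass should show the dropper files, the HKCU Run value and the process with its sockets; the second pass should show all four sections empty apart from known updaters. Keep the output of the first pass alongside the ComboFix log, since it records the path and PID that the antivirus products in the thread failed to flag.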