Brave Sentry virus


(Kriss91) #1

I've already seen something about this virus somewhere on this forum. Well, I caught it the standard way, through GG. Task Manager has been blocked for me (supposedly by the administrator). All system tools have been blocked!! Even in normal Windows mode I can't save a HijackThis log. I'll try safe mode in a moment. HELP!!

Post merged: 11.07.2006 (Tue) 11:38

Log from safe mode

Logfile of HijackThis v1.99.1

Scan saved at 11:31:57, on 2006-07-11

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\devldr32.exe

C:\Documents and Settings\sapkiewicz.PRIVATE-H633W4P\Pulpit\PROGRAMY\INNE\hijackthis\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe

O4 - HKLM\..\Run: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe

O4 - HKLM\..\RunServices: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - HKCU\..\Run: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Dokumenty\Settings\artm_new.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

Help!! This cr*p is about to eat my system. On top of that, a text has appeared on the wallpaper: Your computer is in Danger! blah, blah, blah etc. Edit: I scanned the disk with Avast and here is the log:

Logfile of HijackThis v1.99.1

Scan saved at 13:00:34, on 2006-07-11

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\UAService7.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

C:\WINDOWS\System32\testtestt.exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\System32\taskdir.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Neostrada TP\NeostradaTP.exe

C:\Program Files\Neostrada TP\ComComp.exe

C:\Program Files\Neostrada TP\Watch.exe

C:\Documents and Settings\sapkiewicz.PRIVATE-H633W4P\Pulpit\PROGRAMY\INNE\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe

O4 - HKLM\..\Run: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe

O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe

O4 - HKLM\..\RunServices: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe

O4 - HKCU\..\Run: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{0F76ACAD-5FAC-4F9D-89FD-3DDC98271C22}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Dokumenty\Settings\artm_new.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

Task Manager is still (supposedly) blocked by the administrator, though. I can't launch WordPad. I can't launch e.g. services.msc. And the wallpaper still shows the text: Your computer is in danger!! HELP!!!


(system) #2

First of all, get rid of this

Do it like this

Download GMER http://www.gmer.net/ , go to the Processes tab and choose the "kill all" function. Then, in the Processes tab, choose the "file" option, go to c:\windows\system32 and look for _zskwrkni05phkgiuwki^hcgyit.exe; there may also be _zskwrkni05phkgiuwki^hcgyit.dll. On the right there is a "delete" option, use it.

Restart the computer, go back into GMER, Rootkit tab, and "scan"; when GMER finishes, "copy" => and paste the log into a post (Ctrl+V)

The rest of the junk.

1. In safe mode use the SmitFraudFix tool http://siri.urz.free.fr/Fix/SmitfraudFix_En.php and use option no. 2 (clean) (more about this in the pinned topic) and paste the removal result on the forum; it will be on the disk at c:\raport.txt

2.

remove it like this

- type in Run

and OK

Then use KillBox http://www.downloads.subratam.org/KillBox.zip. Tick the Delete on reboot option, then in the Full Path of File to Delete field paste the path

C:\Documents and Settings\All Users.WINDOWS\Dokumenty\Settings\artm_new.dll, press the red X and restart the computer

The rest in the log is to be removed, including the entries, files and folders.

After everything, post the GMER log, the SmitFraudFix removal report, Silent Runners (info in the pinned topics) and HijackThis
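An added example, not part of this thread and not code from GMER, SmitFraudFix or HijackThis: a Python triage of the HijackThis O4/O20 lines posted above, applying the same signals the reply relies on (a random-looking name, one binary registered under several autostart keys, a label that imitates a Windows component, a Winlogon Notify DLL loaded from outside System32). The sample lines are copied from the logs in this thread; the vowel-ratio threshold, the word list and the assumption that %SystemRoot% is C:\WINDOWS are my own.

```python
"""Triage of the O4/O20 autostart entries in a HijackThis log.

Heuristics used (none is proof of infection on its own):
  * random-looking label or file name (odd characters or very few vowels),
  * one binary registered under several autostart keys at once,
  * a label that borrows Windows-sounding words,
  * a Winlogon Notify DLL loaded from outside %SystemRoot%\\System32.
"""
import re
from collections import defaultdict

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Words that rogue autostart entries commonly borrow to blend in (assumed list).
WINDOWS_LIKE = {"system", "systemtools", "windows", "update", "loader", "microsoft"}

# Constructed excerpt: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\Run: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunServices: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - HKCU\..\Run: [ÿ_zsktiygch^ikwuigkhp50inkrwksz_] c:\windows\system32\_zskwrkni05phkgiuwki^hcgyit.exe
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users.WINDOWS\Dokumenty\Settings\artm_new.dll
"""


def executable_path(command: str) -> str:
    """Lower-cased path of the program an O4 command actually runs."""
    command = command.strip()
    if command.upper().startswith("RUNDLL32.EXE "):
        # RUNDLL32 is only the host process; the DLL named after it is the payload.
        command = command.split(" ", 1)[1].split(",", 1)[0]
    elif command.startswith('"'):
        command = command[1:].split('"', 1)[0]
    else:
        # Unquoted command: the path ends at the extension, the rest are arguments.
        m = re.match(r"(.+?\.(?:exe|dll|com|bat))(?:\s|$)", command, re.IGNORECASE)
        if m:
            command = m.group(1)
    return command.lower()


def stem(path: str) -> str:
    """File name without directory and extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(name: str) -> bool:
    """Odd characters, or 12+ letters with fewer than a quarter of them vowels."""
    if re.search(r"[^\w .!-]", name):
        return True
    letters = re.findall(r"[A-Za-z]", name)
    if len(letters) < 12:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.25


def _add(reasons, path, reason):
    if reason not in reasons[path]:
        reasons[path].append(reason)


def triage(log_text: str) -> dict:
    """Map each path that merits a closer look to the list of reasons."""
    reasons = defaultdict(list)
    keys_per_binary = defaultdict(set)

    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, label, command = m.groups()
            path = executable_path(command)
            keys_per_binary[path].add(f"{hive}\\{key}")
            if looks_random(label) or looks_random(stem(path)):
                _add(reasons, path, "random-looking name")
            if set(re.findall(r"[a-z]+", label.lower())) & WINDOWS_LIKE:
                _add(reasons, path, f"Windows-like label [{label}]")
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group(2).strip().lower()
            # Genuine notification packages live in System32 (assumes %SystemRoot% = C:\WINDOWS).
            if "\\windows\\system32\\" not in path:
                _add(reasons, path, "Winlogon Notify DLL outside System32")

    # The same binary under Run, RunServices and HKCU Run is a persistence pattern worth a look.
    for path, keys in keys_per_binary.items():
        if len(keys) >= 2:
            _add(reasons, path, f"registered under {len(keys)} autostart keys")
    return dict(reasons)


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```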


(Kriss91) #3

Some steps couldn't be done, e.g. killing all processes in GMER. I also didn't make a detailed log in that program, because it takes about an hour before that list gets created. At the beginning, when the list was finally created after a long time, I killed all the processes, the program froze and I had to reset the computer. And the list got wiped. I only have something superficial. But it seems to me the virus is gone. I can use Task Manager etc. again. That stupid text on the wallpaper is gone too.

LOGS:

GMER 1.0.10.10122 - http://www.gmer.net

Rootkit 2006-07-11 15:29:54

Windows 5.1.2600 



---- System - GMER 1.0.10 ----


SSDT d347bus.sys ZwEnumerateKey

SSDT d347bus.sys ZwEnumerateValueKey


---- Devices - GMER 1.0.10 ----


Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 81B9BEB0


---- Modules - GMER 1.0.10 ----


Module _________ F987D000


---- EOF - GMER 1.0.10 ----

SmitFraudFix v2.69


Scan done at 15:02:37,24, 2006-07-11

Run from C:\Documents and Settings\sapkiewicz.PRIVATE-H633W4P\Pulpit\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT

Fix ran in safe mode


»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


C:\WINDOWS\desktop.html Deleted

C:\WINDOWS\system32\dlh9jkdq?.exe Deleted

C:\WINDOWS\system32\helper.exe Deleted

C:\WINDOWS\system32\kernels8.exe Deleted

C:\WINDOWS\system32\taskdir.exe Deleted

C:\WINDOWS\system32\taskdir~.exe Deleted

C:\WINDOWS\system32\TheMatrixHasYou.exe Deleted

C:\WINDOWS\system32\vxgame?.exe Deleted

C:\WINDOWS\system32\vxgamet?.exe Deleted

C:\WINDOWS\system32\zlbw.dll Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End



Logfile of HijackThis v1.99.1
Scan saved at 15:36:28, on 2006-07-11
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\sapkiewicz.PRIVATE-H633W4P\Pulpit\PROGRAMY\INNE\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ściągnij przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Ściągnij wszystko przy pomocy FlashGet'a - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\System32\UAService7.exe

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"PinnacleDriverCheck" = "C:\WINDOWS\System32\PSDrvCheck.exe" [empty string]

"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]

"UpdReg" = "C:\WINDOWS\Updreg.exe" ["Creative Technology Ltd."]

"AHQInit" = "C:\Program Files\Creative\SBLive\Program\AHQInit.exe" ["Creative Technology Ltd"]

"NWEReboot" = (empty string)

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" ["InstallShield Software Corporation"]

"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]

"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]

"WooCnxMon" = "C:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]

"WOOWATCH" = "C:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]

"WOOTASKBARICON" = "C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{A5366673-E8CA-11D3-9CD9-0090271D075B}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "IeCatch2 Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\FlashGet\jccatch.dll" ["Amaze Soft"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{F5D92341-0A64-11D0-9956-0000E8096023}" = "CD Copy Shell Extension"

  -> {HKLM...CLSID} = "CD Copy Shell Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]

"{F5D92342-0A64-11D0-9956-0000E8096023}" = "CD Wizard Shell Extension"

  -> {HKLM...CLSID} = "CD Wizard Shell Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Shellext\CDWshext.dll" ["Pinnacle Systems, Inc."]

"{F5D92344-0A64-11D0-9956-0000E8096023}" = "InstantWrite Shellextension"

  -> {HKLM...CLSID} = "InstantWrite Shellextension"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ShellExt\iwshex.dll" ["VOB Computersysteme GmbH"]

"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"

  -> {HKLM...CLSID} = "DesktopContext Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]

"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"

  -> {HKLM...CLSID} = "Desktop Explorer"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"

  -> {HKLM...CLSID} = "nView Desktop Context Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]

"{A5110426-177D-4e08-AB3F-785F10B4439C}" = "My Phones"

  -> {HKLM...CLSID} = "My Phones"

                   \InProcServer32\(Default) = "C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll" ["Teleca Software Solutions AB"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"

  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"

  -> {HKLM...CLSID} = "KodakShellExtension"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Kodak\ifscore\KodakShX.dll" ["Eastman Kodak Company"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]

"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"

  -> {HKLM...CLSID} = "ShellLink for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]

"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"

  -> {HKLM...CLSID} = "Shell Icon Handler for Application References"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\dfshim.dll" [MS]

"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"

  -> {HKLM...CLSID} = "NVIDIA CPL Extension"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

Hex Editor 3\(Default) = "{B95713CD-06FF-4D35-A9DA-4DBDFE5FD7F4}"

  -> {HKLM...CLSID} = "ShellExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\HHD Software\Hex Editor 3.x\heshell.dll" ["HHD Software"]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

PowerArchiver\(Default) = "{d03d3e68-0c44-3d45-b15f-bcfd8a8b4c7e}"

  -> {HKLM...CLSID} = "PowerArchiver Shell Extensions"

                   \InProcServer32\(Default) = "C:\Program Files\PowerArchiver\PASHLEXT.DLL" ["ConeXware, Inc."]



Active Desktop and Wallpaper:

-----------------------------


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState



Startup items in "sapkiewicz" & "All Users" startup folders:

------------------------------------------------------------


C:\Documents and Settings\sapkiewicz.PRIVATE-H633W4P\Menu Start\Programy\Autostart

"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]


C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart

"DSLMON" -> shortcut to: "C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]



Enabled Scheduled Tasks:

------------------------


"FRU Task #Hewlett-Packard#hp psc 1200 series#1122061452" -> launches: "C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe -I "#Hewlett-Packard#hp psc 1200 series#1122061452"" [empty string]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\

"ButtonText" = "FlashGet"

"MenuText" = "&FlashGet"

"Exec" = "C:\PROGRA~1\FlashGet\flashget.exe" ["Amaze Soft"]



Miscellaneous IE Hijack Points

------------------------------


C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")


Added lines (compared with English-language version):

[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome


Missing lines (compared with English-language version):

[Strings]: 1 line


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]

SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\System32\UAService7.exe" ["Sony DADC Austria AG."]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt07\Driver = "hpzsnt07.dll" ["HP"]

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

  use the -supp parameter or answer "No" at the first message box.

---------- (total run time: 699 seconds, including 4 seconds for message boxes)

(Gblade) #4

The logs are clean.

Did you have processes and libraries checked during the scan? If not, make a log, but check only processes and libraries.


(Kriss91) #5
GMER 1.0.10.10122 - http://www.gmer.net

Rootkit 2006-07-11 16:25:27

Windows 5.1.2600 



---- Processes - GMER 1.0.10 ----


Process Sytem Idle 0

Process System 4

Process C:\WINDOWS\System32\smss.exe 224

Library C:\WINDOWS\System32\smss.exe 0x48580000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000


Process C:\WINDOWS\system32\csrss.exe 276

Library C:\WINDOWS\system32\csrss.exe 0x4A680000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\CSRSRV.dll 0x75B10000

Library C:\WINDOWS\system32\basesrv.dll 0x75B20000

Library C:\WINDOWS\system32\winsrv.dll 0x75B30000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\KERNEL32.dll 0x77E60000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\System32\sxs.dll 0x75E60000


Process C:\WINDOWS\SYSTEM32\winlogon.exe 300

Library C:\WINDOWS\SYSTEM32\winlogon.exe 0x01000000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\system32\AUTHZ.dll 0x76CB0000

Library C:\WINDOWS\system32\msvcrt.dll 0x77C00000

Library C:\WINDOWS\system32\CRYPT32.dll 0x76290000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\MSASN1.dll 0x76270000

Library C:\WINDOWS\system32\NDdeApi.dll 0x75910000

Library C:\WINDOWS\system32\PROFMAP.dll 0x75900000

Library C:\WINDOWS\system32\NETAPI32.dll 0x71BD0000

Library C:\WINDOWS\system32\USERENV.dll 0x75A40000

Library C:\WINDOWS\system32\PSAPI.DLL 0x76BE0000

Library C:\WINDOWS\system32\REGAPI.dll 0x76BA0000

Library C:\WINDOWS\system32\Secur32.dll 0x76F80000

Library C:\WINDOWS\system32\SETUPAPI.dll 0x76650000

Library C:\WINDOWS\system32\sfc_os.dll 0x76C50000

Library C:\WINDOWS\system32\WINTRUST.dll 0x76C20000

Library C:\WINDOWS\system32\ole32.dll 0x771A0000

Library C:\WINDOWS\system32\IMAGEHLP.dll 0x76C80000

Library C:\WINDOWS\system32\VERSION.dll 0x77BF0000

Library C:\WINDOWS\system32\WINSTA.dll 0x76330000

Library C:\WINDOWS\system32\WS2_32.dll 0x71A50000

Library C:\WINDOWS\system32\WS2HELP.dll 0x71A40000

Library C:\WINDOWS\SYSTEM32\MSGINA.dll 0x75940000

Library C:\WINDOWS\system32\SHELL32.dll 0x773C0000

Library C:\WINDOWS\system32\SHLWAPI.dll 0x772C0000

Library C:\WINDOWS\system32\COMCTL32.dll 0x77330000

Library C:\WINDOWS\SYSTEM32\ODBC32.dll 0x1F7B0000

Library C:\WINDOWS\system32\comdlg32.dll 0x76380000

Library C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x71950000

Library C:\WINDOWS\SYSTEM32\odbcint.dll 0x1F850000

Library C:\WINDOWS\SYSTEM32\SHSVCS.dll 0x76BB0000

Library C:\WINDOWS\system32\sfc.dll 0x76B90000

Library C:\WINDOWS\SYSTEM32\WINMM.dll 0x76B20000

Library C:\WINDOWS\SYSTEM32\cscdll.dll 0x765D0000

Library C:\WINDOWS\SYSTEM32\WlNotify.dll 0x75920000

Library C:\WINDOWS\SYSTEM32\WinSCard.dll 0x72380000

Library C:\WINDOWS\SYSTEM32\WTSAPI32.dll 0x76F40000

Library C:\WINDOWS\SYSTEM32\WINSPOOL.DRV 0x72F90000

Library C:\WINDOWS\system32\MPR.dll 0x71AC0000

Library C:\WINDOWS\System32\rsaenh.dll 0x0FFD0000

Library C:\WINDOWS\SYSTEM32\UxTheme.dll 0x5B1D0000

Library C:\WINDOWS\SYSTEM32\SAMLIB.dll 0x71BA0000

Library C:\WINDOWS\SYSTEM32\cscui.dll 0x765F0000

Library C:\WINDOWS\SYSTEM32\NTMARTA.DLL 0x76CD0000

Library C:\WINDOWS\system32\WLDAP32.dll 0x76F50000

Library C:\WINDOWS\SYSTEM32\COMRes.dll 0x77040000

Library C:\WINDOWS\system32\OLEAUT32.dll 0x77110000

Library C:\WINDOWS\SYSTEM32\CLBCATQ.DLL 0x76FC0000


Process C:\WINDOWS\system32\services.exe 348

Library C:\WINDOWS\system32\services.exe 0x01000000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\msvcrt.dll 0x77C00000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\USERENV.dll 0x75A40000

Library C:\WINDOWS\system32\SCESRV.dll 0x758A0000

Library C:\WINDOWS\system32\AUTHZ.dll 0x76CB0000

Library C:\WINDOWS\system32\umpnpmgr.dll 0x75880000

Library C:\WINDOWS\system32\WINSTA.dll 0x76330000

Library C:\WINDOWS\system32\NCObjAPI.DLL 0x5FC00000

Library C:\WINDOWS\system32\secur32.dll 0x76F80000

Library C:\WINDOWS\system32\eventlog.dll 0x75860000

Library C:\WINDOWS\system32\WS2_32.dll 0x71A50000

Library C:\WINDOWS\system32\WS2HELP.dll 0x71A40000

Library C:\WINDOWS\system32\PSAPI.DLL 0x76BE0000

Library C:\WINDOWS\system32\wtsapi32.dll 0x76F40000


Process C:\WINDOWS\system32\lsass.exe 360

Library C:\WINDOWS\system32\lsass.exe 0x01000000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\system32\LSASRV.dll 0x744D0000

Library C:\WINDOWS\system32\msvcrt.dll 0x77C00000

Library C:\WINDOWS\system32\Secur32.dll 0x76F80000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\SAMSRV.dll 0x743F0000

Library C:\WINDOWS\system32\cryptdll.dll 0x76770000

Library C:\WINDOWS\system32\DNSAPI.dll 0x76F10000

Library C:\WINDOWS\system32\WS2_32.dll 0x71A50000

Library C:\WINDOWS\system32\WS2HELP.dll 0x71A40000

Library C:\WINDOWS\system32\MSASN1.dll 0x76270000

Library C:\WINDOWS\system32\NETAPI32.dll 0x71BD0000

Library C:\WINDOWS\system32\SAMLIB.dll 0x71BA0000

Library C:\WINDOWS\system32\MPR.dll 0x71AC0000

Library C:\WINDOWS\system32\NTDSAPI.dll 0x76780000

Library C:\WINDOWS\system32\WLDAP32.dll 0x76F50000

Library C:\WINDOWS\system32\msprivs.dll 0x74350000

Library C:\WINDOWS\system32\kerberos.dll 0x71CA0000

Library C:\WINDOWS\system32\msv1_0.dll 0x76D00000

Library C:\WINDOWS\system32\netlogon.dll 0x74460000

Library C:\WINDOWS\system32\w32time.dll 0x767A0000

Library C:\WINDOWS\system32\MSVCP60.dll 0x76050000

Library C:\WINDOWS\system32\iphlpapi.dll 0x76D50000

Library C:\WINDOWS\system32\netman.dll 0x76DD0000

Library C:\WINDOWS\system32\MPRAPI.dll 0x76D30000

Library C:\WINDOWS\system32\ACTIVEDS.dll 0x76E30000

Library C:\WINDOWS\system32\adsldpc.dll 0x76E00000

Library C:\WINDOWS\system32\ATL.DLL 0x76B00000

Library C:\WINDOWS\system32\ole32.dll 0x771A0000

Library C:\WINDOWS\system32\OLEAUT32.dll 0x77110000

Library C:\WINDOWS\system32\rtutils.dll 0x76E70000

Library C:\WINDOWS\system32\SETUPAPI.dll 0x76650000

Library C:\WINDOWS\system32\RASAPI32.dll 0x76ED0000

Library C:\WINDOWS\system32\rasman.dll 0x76E80000

Library C:\WINDOWS\system32\TAPI32.dll 0x76EA0000

Library C:\WINDOWS\system32\SHLWAPI.dll 0x772C0000

Library C:\WINDOWS\system32\WINMM.dll 0x76B20000

Library C:\WINDOWS\system32\SHELL32.dll 0x773C0000

Library C:\WINDOWS\system32\WZCSvc.DLL 0x76D90000

Library C:\WINDOWS\system32\WMI.dll 0x76D20000

Library C:\WINDOWS\system32\DHCPCSVC.DLL 0x76D70000

Library C:\WINDOWS\system32\CRYPT32.dll 0x76290000

Library C:\WINDOWS\system32\WTSAPI32.dll 0x76F40000

Library C:\WINDOWS\system32\WINSTA.dll 0x76330000

Library C:\WINDOWS\system32\USERENV.dll 0x75A40000

Library C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x71950000

Library C:\WINDOWS\system32\comctl32.dll 0x77330000

Library C:\WINDOWS\system32\schannel.dll 0x767D0000

Library C:\WINDOWS\system32\wdigest.dll 0x74320000

Library C:\WINDOWS\System32\rsaenh.dll 0x0FFD0000

Library C:\WINDOWS\system32\scecli.dll 0x743B0000


Process C:\WINDOWS\system32\svchost.exe 532

Library C:\WINDOWS\system32\svchost.exe 0x01000000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library c:\windows\system32\rpcss.dll 0x75810000

Library C:\WINDOWS\system32\msvcrt.dll 0x77C00000

Library c:\windows\system32\WS2_32.dll 0x71A50000

Library c:\windows\system32\WS2HELP.dll 0x71A40000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library c:\windows\system32\Secur32.dll 0x76F80000

Library C:\WINDOWS\system32\userenv.dll 0x75A40000

Library C:\WINDOWS\system32\CLBCATQ.DLL 0x76FC0000

Library C:\WINDOWS\system32\ole32.dll 0x771A0000

Library C:\WINDOWS\system32\OLEAUT32.dll 0x77110000

Library C:\WINDOWS\system32\COMRes.dll 0x77040000

Library C:\WINDOWS\system32\VERSION.dll 0x77BF0000


Process C:\WINDOWS\system32\svchost.exe 556

Library C:\WINDOWS\system32\svchost.exe 0x01000000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\system32\ole32.dll 0x771A0000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library c:\windows\system32\cryptsvc.dll 0x74F50000

Library C:\WINDOWS\system32\msvcrt.dll 0x77C00000

Library c:\windows\system32\WINTRUST.dll 0x76C20000

Library C:\WINDOWS\system32\CRYPT32.dll 0x76290000

Library C:\WINDOWS\system32\MSASN1.dll 0x76270000

Library C:\WINDOWS\system32\IMAGEHLP.dll 0x76C80000

Library c:\windows\system32\certcli.dll 0x75300000

Library c:\windows\system32\ATL.DLL 0x76B00000

Library C:\WINDOWS\system32\WLDAP32.dll 0x76F50000

Library C:\WINDOWS\system32\OLEAUT32.dll 0x77110000

Library c:\windows\system32\Secur32.dll 0x76F80000

Library c:\windows\system32\NETAPI32.dll 0x71BD0000

Library c:\windows\system32\CRYPTUI.dll 0x75480000

Library C:\WINDOWS\system32\WININET.dll 0x761D0000

Library C:\WINDOWS\system32\SHLWAPI.dll 0x772C0000

Library c:\windows\system32\ESENT.dll 0x69C20000

Library C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x71950000

Library c:\windows\system32\wbem\wmisvc.dll 0x598E0000

Library c:\windows\system32\wbem\wbemcomn.dll 0x75240000

Library C:\WINDOWS\SYSTEM32\VSSAPI.DLL 0x75390000

Library c:\windows\pchealth\helpctr\binaries\pchsvc.dll 0x74EF0000

Library C:\WINDOWS\SYSTEM32\WINSTA.dll 0x76330000

Library c:\windows\system32\dmserver.dll 0x74F40000

Library c:\windows\system32\SETUPAPI.dll 0x76650000

Library C:\WINDOWS\system32\CLBCATQ.DLL 0x76FC0000

Library C:\WINDOWS\system32\COMRes.dll 0x77040000

Library C:\WINDOWS\system32\VERSION.dll 0x77BF0000

Library C:\WINDOWS\System32\es.dll 0x76B50000

Library C:\WINDOWS\System32\WS2_32.dll 0x71A50000

Library C:\WINDOWS\System32\WS2HELP.dll 0x71A40000

Library C:\WINDOWS\system32\wtsapi32.dll 0x76F40000


Process C:\WINDOWS\Explorer.EXE 780

Library C:\WINDOWS\Explorer.EXE 0x01000000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\msvcrt.dll 0x77C00000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\SHLWAPI.dll 0x772C0000

Library C:\WINDOWS\system32\SHELL32.dll 0x773C0000

Library C:\WINDOWS\system32\ole32.dll 0x771A0000

Library C:\WINDOWS\system32\OLEAUT32.dll 0x77110000

Library C:\WINDOWS\System32\BROWSEUI.dll 0x75F50000

Library C:\WINDOWS\System32\SHDOCVW.dll 0x769A0000

Library C:\WINDOWS\System32\UxTheme.dll 0x5B1D0000

Library C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x71950000

Library C:\WINDOWS\system32\comctl32.dll 0x77330000

Library C:\WINDOWS\system32\appHelp.dll 0x75F10000

Library C:\WINDOWS\System32\CLBCATQ.DLL 0x76FC0000

Library C:\WINDOWS\System32\COMRes.dll 0x77040000

Library C:\WINDOWS\system32\VERSION.dll 0x77BF0000

Library C:\WINDOWS\System32\cscui.dll 0x765F0000

Library C:\WINDOWS\System32\CSCDLL.dll 0x765D0000

Library C:\WINDOWS\System32\themeui.dll 0x5BA90000

Library C:\WINDOWS\System32\Secur32.dll 0x76F80000

Library C:\WINDOWS\System32\MSIMG32.dll 0x76350000

Library C:\WINDOWS\system32\USERENV.dll 0x75A40000

Library C:\WINDOWS\System32\msutb.dll 0x600A0000

Library C:\WINDOWS\System32\MSCTF.dll 0x746D0000

Library C:\WINDOWS\System32\netapi32.dll 0x71BD0000

Library C:\WINDOWS\System32\LINKINFO.dll 0x76960000

Library C:\WINDOWS\System32\ntshrui.dll 0x76970000

Library C:\WINDOWS\System32\ATL.DLL 0x76B00000

Library C:\WINDOWS\System32\SETUPAPI.dll 0x76650000

Library C:\WINDOWS\system32\NETSHELL.dll 0x75CC0000

Library C:\WINDOWS\system32\credui.dll 0x76BF0000

Library C:\WINDOWS\system32\WS2_32.dll 0x71A50000

Library C:\WINDOWS\system32\WS2HELP.dll 0x71A40000

Library C:\WINDOWS\system32\iphlpapi.dll 0x76D50000

Library C:\WINDOWS\system32\netman.dll 0x76DD0000

Library C:\WINDOWS\system32\MPRAPI.dll 0x76D30000

Library C:\WINDOWS\system32\ACTIVEDS.dll 0x76E30000

Library C:\WINDOWS\system32\adsldpc.dll 0x76E00000

Library C:\WINDOWS\system32\WLDAP32.dll 0x76F50000

Library C:\WINDOWS\system32\rtutils.dll 0x76E70000

Library C:\WINDOWS\system32\SAMLIB.dll 0x71BA0000

Library C:\WINDOWS\system32\RASAPI32.dll 0x76ED0000

Library C:\WINDOWS\system32\rasman.dll 0x76E80000

Library C:\WINDOWS\system32\TAPI32.dll 0x76EA0000

Library C:\WINDOWS\system32\WINMM.dll 0x76B20000

Library C:\WINDOWS\system32\WZCSvc.DLL 0x76D90000

Library C:\WINDOWS\system32\WMI.dll 0x76D20000

Library C:\WINDOWS\system32\DHCPCSVC.DLL 0x76D70000

Library C:\WINDOWS\system32\DNSAPI.dll 0x76F10000

Library C:\WINDOWS\system32\CRYPT32.dll 0x76290000

Library C:\WINDOWS\system32\MSASN1.dll 0x76270000

Library C:\WINDOWS\system32\WTSAPI32.dll 0x76F40000

Library C:\WINDOWS\system32\WINSTA.dll 0x76330000

Library C:\WINDOWS\System32\msi.dll 0x01260000

Library C:\WINDOWS\System32\browselc.dll 0x723E0000

Library C:\WINDOWS\system32\urlmon.dll 0x760C0000

Library C:\Program Files\Microsoft Office\OFFICE11\msohev.dll 0x325C0000

Library C:\WINDOWS\system32\WININET.dll 0x761D0000

Library C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll 0x10000000


Process C:\WINDOWS\System32\devldr32.exe 856

Library C:\WINDOWS\System32\devldr32.exe 0x01000000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\SHELL32.dll 0x773C0000

Library C:\WINDOWS\system32\msvcrt.dll 0x77C00000

Library C:\WINDOWS\system32\SHLWAPI.dll 0x772C0000

Library C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x71950000

Library C:\WINDOWS\system32\comctl32.dll 0x77330000

Library C:\WINDOWS\System32\Secur32.dll 0x76F80000


Process C:\Documents and Settings\sapkiewicz.PRIVATE-H633W4P\Pulpit\PROGRAMY\INNE\gmer110\gmer.exe 880

Library C:\Documents and Settings\sapkiewicz.PRIVATE-H633W4P\Pulpit\PROGRAMY\INNE\gmer110\gmer.exe 0x00400000

Library C:\WINDOWS\System32\ntdll.dll 0x77F50000

Library C:\WINDOWS\system32\kernel32.dll 0x77E60000

Library C:\WINDOWS\system32\USER32.dll 0x77D30000

Library C:\WINDOWS\system32\GDI32.dll 0x77C60000

Library C:\WINDOWS\system32\ADVAPI32.dll 0x77DC0000

Library C:\WINDOWS\system32\RPCRT4.dll 0x77CB0000

Library C:\WINDOWS\system32\COMCTL32.dll 0x77330000

Library C:\WINDOWS\System32\OLEPRO32.DLL 0x5F260000

Library C:\WINDOWS\system32\ole32.dll 0x771A0000

Library C:\WINDOWS\system32\MSVCRT.dll 0x77C00000

Library C:\WINDOWS\system32\OLEAUT32.dll 0x77110000

Library C:\WINDOWS\gmer.dll 0x07200000

Library C:\WINDOWS\system32\SHLWAPI.dll 0x772C0000

Library C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll 0x71950000

Library C:\WINDOWS\system32\USERENV.dll 0x75A40000


---- EOF - GMER 1.0.10 ----

The earlier log was so short because I made it in normal Windows mode :roll:


(Gblade) #6

Well, it's OK.


(Maniek070) #7

I have a problem with a trojan virus. I caught it through GG, but I don't think it settled in for good, because I caught on in time. The only problem I have is with Internet Explorer: images and graphics don't display, only ads and text, except that if I want to see an image I right-click and choose "Show picture" and then it appears. Who can help me solve this? My Kaspersky antivirus doesn't detect any viruses????