GMER wskazuje na zmiany systemu mogące świadczyć o obecności

Dla specjalistów Bezpieczeństwo
#1

Dobry Wieczór!

Mój problem jest taki:

1.ostatnio komputer łapał jakieś dziwne zawieszenia: zeskanowałem pełnym skanem F-Secure2006 który znalazł jakieś 3 wirusy ale niestety nie zapisałem raportu…poprostu byłem zadowolony że je usunął, Spyboot i Ad-Aware nic nie znalazły…Sophos Anti-Rootkit też nie

  1. na pocztę przychodzi mi ostatnio sporo dziwnych “listów” choć mam filtr antyspamowy(poczta na onet.pl)

  2. zapora Jetico bardzo często ostatnio blokuje całą masę jakiś pakietów które do mnie się “dobijają”: tak było np. przed wczoraj

Z uwagi na powyższe zeskanowałem system także GMEREM który wskazał na kilka modyfikacji systemu wskazujących na obecność Rootkita.Skan GMEREM w zakładce rootkit robiłem na full z opcją pokaż wszystko.

Mam tylko mały problem: gdy wklejam loga i obejmuję go tagiem to nie mogę wysłać postu bo wyskakuje mi jakiś błąd po dłuższej chwili.Nie wiem…może osoby chcące mi pomóc podadzą e-mail to im wyślę log do oceny. Nie wiem dlaczego zakładając tego posta nie mogę dołączyć logów( także z Hijacka i Silenta). Mam nadzieję że moderator okaże wyrozumiałość i nie wykasuje mojego posta tak z urzędu tylko jakoś mną pokieruje bo robię wszystko zgodnie z regulaminem

Pozdrawiam i proszę o pomoc i radę.

#2

Daj log z HJT i Silenta

#3

Logfile of HijackThis v1.99.1

Scan saved at 20:14:06, on 2006-11-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE

C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\PROGRA~1\FDF\FAST2.EXE

C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\FSGK32.EXE

C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fssm32.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE

C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

C:\Program Files\F-Secure Internet Security\Common\FCH32.EXE

C:\Program Files\F-Secure Internet Security\Common\FAMEH32.EXE

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsqh.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsrw.exe

C:\Program Files\F-Secure Internet Security\Anti-Virus\fsav32.exe

C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

C:\PROGRA~1\F-SECU~1\ANTI-S~1\fsaw.exe

C:\Program Files\F-Secure Internet Security\FSGUI\fsguidll.exe

C:\Documents and Settings\Czarek\Moje dokumenty\Szczepionki\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM…\Run: [nwiz] nwiz.exe /install

O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM…\Run: [F-Secure Manager] “C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE” /splash

O4 - HKLM…\Run: [F-Secure TNB] “C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe” /CHECKALL /WAITFORSW

O4 - HKLM…\Run: [F-Secure Startup Wizard] “C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE” /reboot

O4 - HKLM…\Run: [JeticoPFStartup] “C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe”

O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”

O4 - HKCU…\Run: [FAST Defrag] C:\PROGRA~1\FDF\FAST2.EXE -tray

O4 - Global Startup: F-Secure Anti-Virus 2006.lnk = C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Zablokuj to okienko - C:\Program Files\F-Secure Internet Security\Anti-Spyware\blockpopups.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka … nicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc … oscan8.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 4354443906

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab

O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab

O23 - Service: F-Secure Anti-Virus 2006 (BackWeb Plug-in - 4476822) - F-Secure Internet Security 2005 - C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE

O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe

O23 - Service: fsbwsys - F-Secure Corp. - C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe

O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe

O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Złączono Posta : 01.12.2006 (Pią) 22:35

“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“FAST Defrag” = “C:\PROGRA~1\FDF\FAST2.EXE -tray” [“AMS”]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”]

“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]

“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]

“NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS]

“F-Secure Manager” = ““C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE” /splash” [“F-Secure Corporation”]

“F-Secure TNB” = ““C:\Program Files\F-Secure Internet Security\TNB\TNBUtil.exe” /CHECKALL /WAITFORSW” [“F-Secure Corporation”]

“F-Secure Startup Wizard” = ““C:\Program Files\F-Secure Internet Security\FSGUI\FSSW.EXE” /reboot” [“F-Secure Corporation”]

“JeticoPFStartup” = ““C:\Program Files\Jetico\Jetico Personal Firewall\fwsrv.exe”” [“Jetico, Inc.”]

“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”” [“Sun Microsystems, Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)

-> {HKLM…CLSID} = “AcroIEHlprObj Class”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

-> {HKLM…CLSID} = “DesktopContext Class”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

-> {HKLM…CLSID} = “NVIDIA CPL Extension”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

-> {HKLM…CLSID} = “Desktop Explorer”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

-> {HKLM…CLSID} = “nView Desktop Context Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band”

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

“{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices”

-> {HKLM…CLSID} = “Portable Media Devices”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”

-> {HKLM…CLSID} = “Portable Media Devices Menu”

\InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS]

“{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension”

-> {HKLM…CLSID} = “7-Zip Shell Extension”

\InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]

HKLM\System\CurrentControlSet\Control\Session Manager\

INFECTION WARNING! “BootExecute” = “autocheck autochk *” [file not found], [MS], [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

7-ZIP(Default) = “{23170F69-40C1-278A-1000-000100020000}”

-> {HKLM…CLSID} = “7-Zip Shell Extension”

\InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

7-ZIP(Default) = “{23170F69-40C1-278A-1000-000100020000}”

-> {HKLM…CLSID} = “7-Zip Shell Extension”

\InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]

Active Desktop and Wallpaper:

Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\Czarek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:

HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\NIKEFO~1.SCR” (Nikefootball_Ronaldinho.scr) [“ScreenTime Media”]

Startup items in “Czarek” & “All Users” startup folders:

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

“F-Secure Anti-Virus 2006” -> shortcut to: “C:\Program Files\F-Secure Internet Security\backweb\4476822\Program\fspex.exe -startup” [“F-Secure Internet Security 2005”]

Winsock2 Service Provider DLLs:

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

“MenuText” = “Sun Java Console”

“CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}”

-> {HKCU…CLSID} = “Java Plug-in 1.5.0_09”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]

-> {HKLM…CLSID} = “Java Plug-in 1.5.0_09”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”]

{85D1F590-48F4-11D9-9669-0800200C9A66}\

“MenuText” = “Uninstall BitDefender Online Scanner v8”

“Exec” = “%windir%\bdoscandel.exe” [null data]

Running Services (Display Name, Service Name, Path {Service DLL}):

F-Secure Anti-Virus 2006, BackWeb Plug-in - 4476822, “C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE” [“F-Secure Internet Security 2005”]

F-Secure Anti-Virus Firewall Daemon, FSDFWD, ““C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe”” [“F-Secure Corporation”]

F-Secure Management Agent, FSMA, ““C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE”” [“F-Secure Corporation”]

fsbwsys, fsbwsys, ““C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe”” [“F-Secure Corp.”]

FSGKHS, F-Secure Gatekeeper Handler Starter, ““C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe”” [“F-Secure Corporation”]

NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]

Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • To search all directories of local fixed drives for DESKTOP.INI

DLL launch points and all Registry CLSIDs for dormant Explorer Bars,

use the -supp parameter or answer “No” at the first message box.

---------- (total run time: 31 seconds, including 15 seconds for message boxes)

#4

Proszę otworzyć Notatnik i wkleić w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG i uruchom go w trybie awaryjnym.

Log z Gmer’a wklej do notatnika i zapisz, a następnie umieść w jakimś serwisie hostingoym:

http://forum.dobreprogramy.pl/viewtopic.php?t=96929

Dodatkowo możesz podrzucić jeszcze log z Gmer’a wykonanych na ustawieniu zaznaczone tylko usługi + pokazuj wszystko.

#5

Ok…loga z MERA umieściłem na www./megaupload.com/pl/(mam nadzieję że zrobiłem to dobrze…za fixa zaraz się wezmę tylko zrobię ten skan GMEREM o jakim tu piszesz…może choć ten tu wejdzie…moment

Złączono Posta : 01.12.2006 (Pią) 22:56

Log z GMERA

GMER 1.0.10.10122 - http://www.gmer.net

Rootkit 2006-12-01 22:57:15

Windows 5.1.2600 Dodatek Service Pack 2

---- Services - GMER 1.0.10 ----

Service [DISABLED] Abiosdsk

Service [DISABLED] abp480n5

Service C:\WINDOWS\system32\DRIVERS\ACPI.sys [bOOT] ACPI

Service [DISABLED] ACPIEC

Service [DISABLED] adpu160m

Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec

Service C:\WINDOWS\System32\drivers\afd.sys [sYSTEM] AFD

Service [DISABLED] Aha154x

Service [DISABLED] aic78u2

Service [DISABLED] aic78xx

Service C:\WINDOWS\system32\drivers\ALCXSENS.SYS [MANUAL] ALCXSENS

Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM

Service C:\WINDOWS\system32\svchost.exe [DISABLED] Alerter

Service C:\WINDOWS\System32\alg.exe [DISABLED] ALG

Service [DISABLED] AliIde

Service [DISABLED] amsint

Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt

Service [DISABLED] asc

Service [DISABLED] asc3350p

Service [DISABLED] asc3550

Service C:\WINDOWS\system32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac

Service C:\WINDOWS\system32\DRIVERS\atapi.sys [bOOT] atapi

Service [DISABLED] Atdisk

Service C:\WINDOWS\system32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv

Service C:\WINDOWS\system32\DRIVERS\audstub.sys [MANUAL] audstub

Service C:\PROGRA~1\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE [AUTO] BackWeb Plug-in - 4476822

Service [sYSTEM] bcftdi

Service [sYSTEM] bc_filter

Service [sYSTEM] bc_ip_f

Service [sYSTEM] bc_ngn

Service [sYSTEM] bc_pat_f

Service [sYSTEM] bc_prt_f

Service [sYSTEM] bc_tdi_f

Service [sYSTEM] Beep

Service C:\WINDOWS\system32\svchost.exe [MANUAL] BITS

Service C:\WINDOWS\system32\svchost.exe [AUTO] Browser

Service [DISABLED] cbidf2k

Service [DISABLED] cd20xrnt

Service [sYSTEM] Cdaudio

Service [DISABLED] Cdfs

Service C:\WINDOWS\system32\DRIVERS\cdrom.sys [sYSTEM] Cdrom

Service [sYSTEM] Changer

Service C:\WINDOWS\system32\cisvc.exe [DISABLED] CiSvc

Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv

Service [DISABLED] CmdIde

Service C:\WINDOWS\system32\dllhost.exe [MANUAL] COMSysApp

Service [DISABLED] Cpqarray

Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc

Service [DISABLED] dac2w2k

Service [DISABLED] dac960nt

Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch

Service C:\WINDOWS\system32\svchost.exe [AUTO] Dhcp

Service C:\WINDOWS\system32\DRIVERS\disk.sys [bOOT] Disk

Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin

Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot

Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio

Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload

Service C:\WINDOWS\System32\svchost.exe [MANUAL] dmserver

Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic

Service C:\WINDOWS\system32\svchost.exe [AUTO] Dnscache

Service [DISABLED] dpti2o

Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud

Service System32\Drivers\dtscsi.sys [MANUAL] dtscsi

Service C:\WINDOWS\System32\svchost.exe [DISABLED] ERSvc

Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog

Service C:\WINDOWS\system32\svchost.exe [MANUAL] EventSystem

Service C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSfilter.sys [AUTO] F-Secure Filter

Service C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSgk.sys [AUTO] F-Secure Gatekeeper

Service C:\Program Files\F-Secure Internet Security\Anti-Virus\fsgk32st.exe [AUTO] F-Secure Gatekeeper Handler Starter

Service C:\Program Files\F-Secure Internet Security\Anti-Virus\Win2K\FSrec.sys [AUTO] F-Secure Recognizer

Service [DISABLED] Fastfat

Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility

Service C:\WINDOWS\system32\DRIVERS\fdc.sys [MANUAL] Fdc

Service [sYSTEM] Fips

Service C:\WINDOWS\system32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk

Service C:\WINDOWS\system32\DRIVERS\fltMgr.sys [bOOT] FltMgr

Service C:\Program Files\F-Secure Internet Security\backweb\4476822\program\fsbwsys.exe [AUTO] fsbwsys

Service C:\Program Files\F-Secure Internet Security\FWES\Program\fsdfwd.exe [MANUAL] FSDFWD

Service C:\WINDOWS\System32\drivers\fsdfw.sys [bOOT] FSFW

Service C:\Program Files\F-Secure Internet Security\Common\FSMA32.EXE [AUTO] FSMA

Service [sYSTEM] Fs_Rec

Service C:\WINDOWS\system32\DRIVERS\ftdisk.sys [bOOT] Ftdisk

Service C:\WINDOWS\system32\DRIVERS\gameenum.sys [MANUAL] gameenum

Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] Gmer

Service C:\WINDOWS\system32\DRIVERS\msgpc.sys [MANUAL] Gpc

Service C:\WINDOWS\system32\DRIVERS\hamachi.sys [MANUAL] hamachi

Service C:\WINDOWS\System32\svchost.exe [MANUAL] helpsvc

Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ

Service [DISABLED] hpn

Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP

Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter

Service [sYSTEM] i2omgmt

Service [DISABLED] i2omp

Service C:\WINDOWS\system32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt

Service C:\WINDOWS\system32\DRIVERS\imapi.sys [sYSTEM] Imapi

Service C:\WINDOWS\system32\imapi.exe [MANUAL] ImapiService

Service [DISABLED] ini910u

Service [DISABLED] IntelIde

Service C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw

Service C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver

Service C:\WINDOWS\system32\DRIVERS\ipinip.sys [MANUAL] IpInIp

Service C:\WINDOWS\system32\DRIVERS\ipnat.sys [MANUAL] IpNat

Service C:\WINDOWS\system32\DRIVERS\ipsec.sys [sYSTEM] IPSec

Service C:\WINDOWS\system32\DRIVERS\irenum.sys [MANUAL] IRENUM

Service C:\WINDOWS\system32\DRIVERS\isapnp.sys [bOOT] isapnp

Service C:\WINDOWS\system32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass

Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer

Service [bOOT] KSecDD

Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanserver

Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanworkstation

Service [sYSTEM] lbrtfdc

Service C:\WINDOWS\system32\svchost.exe [AUTO] LmHosts

Service C:\WINDOWS\system32\AB.tmp [MANUAL] MEMSWEEP2

Service C:\WINDOWS\system32\svchost.exe [DISABLED] Messenger

Service [sYSTEM] mnmdd

Service C:\WINDOWS\system32\mnmsrvc.exe [DISABLED] mnmsrvc

Service [MANUAL] Modem

Service C:\WINDOWS\system32\DRIVERS\mouclass.sys [sYSTEM] Mouclass

Service [bOOT] MountMgr

Service [DISABLED] mraid35x

Service C:\WINDOWS\system32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV

Service C:\WINDOWS\system32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb

Service C:\WINDOWS\system32\msdtc.exe [MANUAL] MSDTC

Service [sYSTEM] Msfs

Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer

Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV

Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK

Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM

Service C:\WINDOWS\system32\DRIVERS\mssmbios.sys [MANUAL] mssmbios

Service C:\WINDOWS\system32\drivers\msmpu401.sys [MANUAL] ms_mpu401

Service [bOOT] Mup

Service [bOOT] NDIS

Service C:\WINDOWS\system32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi

Service C:\WINDOWS\system32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio

Service C:\WINDOWS\system32\DRIVERS\ndiswan.sys [MANUAL] NdisWan

Service [MANUAL] NDProxy

Service C:\WINDOWS\system32\DRIVERS\netbios.sys [sYSTEM] NetBIOS

Service C:\WINDOWS\system32\DRIVERS\netbt.sys [MANUAL] NetBT

Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE

Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm

Service C:\WINDOWS\system32\lsass.exe [MANUAL] Netlogon

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman

Service C:\WINDOWS\system32\svchost.exe [MANUAL] Nla

Service [sYSTEM] Npfs

Service [DISABLED] Ntfs

Service C:\WINDOWS\system32\lsass.exe [MANUAL] NtLmSsp

Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc

Service [sYSTEM] Null

Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [MANUAL] nv

Service C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [MANUAL] NVENETFD

Service C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [MANUAL] nvnetbus

Service C:\WINDOWS\system32\nvsvc32.exe [AUTO] NVSvc

Service C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt

Service C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd

Service C:\WINDOWS\system32\DRIVERS\parport.sys [MANUAL] Parport

Service [bOOT] PartMgr

Service [AUTO] ParVdm

Service C:\WINDOWS\system32\DRIVERS\pci.sys [bOOT] PCI

Service [sYSTEM] PCIDump

Service C:\WINDOWS\system32\DRIVERS\pciide.sys [bOOT] PCIIde

Service [DISABLED] Pcmcia

Service [MANUAL] PDCOMP

Service [MANUAL] PDFRAME

Service [MANUAL] PDRELI

Service [MANUAL] PDRFRAME

Service [DISABLED] perc2

Service [DISABLED] perc2hib

Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay

Service C:\WINDOWS\system32\lsass.exe [AUTO] PolicyAgent

Service C:\WINDOWS\system32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport

Service C:\WINDOWS\system32\DRIVERS\processr.sys [sYSTEM] Processor

Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage

Service C:\WINDOWS\system32\DRIVERS\psched.sys [MANUAL] PSched

Service C:\WINDOWS\system32\DRIVERS\ptilink.sys [MANUAL] Ptilink

Service [DISABLED] ql1080

Service [DISABLED] Ql10wnt

Service [DISABLED] ql12160

Service [DISABLED] ql1240

Service [DISABLED] ql1280

Service C:\WINDOWS\system32\DRIVERS\rasacd.sys [sYSTEM] RasAcd

Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasAuto

Service C:\WINDOWS\system32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp

Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasMan

Service C:\WINDOWS\system32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe

Service C:\WINDOWS\system32\DRIVERS\raspti.sys [MANUAL] Raspti

Service C:\WINDOWS\system32\DRIVERS\rdbss.sys [sYSTEM] Rdbss

Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD

Service C:\WINDOWS\system32\DRIVERS\rdpdr.sys [MANUAL] rdpdr

Service [MANUAL] RDPWD

Service C:\WINDOWS\system32\sessmgr.exe [DISABLED] RDSessMgr

Service C:\WINDOWS\system32\DRIVERS\redbook.sys [sYSTEM] redbook

Service C:\WINDOWS\system32\svchost.exe [DISABLED] RemoteAccess

Service C:\WINDOWS\system32\svchost.exe [DISABLED] RemoteRegistry

Service C:\WINDOWS\system32\locator.exe [MANUAL] RpcLocator

Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs

Service C:\WINDOWS\system32\rsvp.exe [DISABLED] RSVP

Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs

Service C:\WINDOWS\System32\SCardSvr.exe [DISABLED] SCardSvr

Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule

Service C:\WINDOWS\system32\DRIVERS\secdrv.sys [AUTO] Secdrv

Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon

Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS

Service C:\WINDOWS\system32\DRIVERS\serenum.sys [MANUAL] serenum

Service C:\WINDOWS\system32\DRIVERS\serial.sys [sYSTEM] Serial

Service [sYSTEM] Sfloppy

Service C:\WINDOWS\system32\svchost.exe [DISABLED] SharedAccess

Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection

Service [DISABLED] Simbad

Service [DISABLED] Sparrow

Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter

Service C:\WINDOWS\system32\spoolsv.exe [MANUAL] Spooler

Service C:\WINDOWS\System32\Drivers\sptd.sys [bOOT] sptd

Service C:\WINDOWS\system32\DRIVERS\sr.sys [bOOT] sr

Service C:\WINDOWS\system32\svchost.exe [AUTO] srservice

Service C:\WINDOWS\system32\DRIVERS\srv.sys [MANUAL] Srv

Service C:\WINDOWS\system32\svchost.exe [DISABLED] SSDPSRV

Service C:\WINDOWS\system32\svchost.exe [MANUAL] stisvc

Service C:\WINDOWS\system32\DRIVERS\swenum.sys [MANUAL] swenum

Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi

Service C:\WINDOWS\system32\dllhost.exe [MANUAL] SwPrv

Service [DISABLED] symc810

Service [DISABLED] symc8xx

Service [DISABLED] sym_hi

Service [DISABLED] sym_u3

Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio

Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv

Service C:\WINDOWS\system32\DRIVERS\tcpip.sys [sYSTEM] Tcpip

Service [MANUAL] TDPIPE

Service [MANUAL] TDTCP

Service C:\WINDOWS\system32\DRIVERS\termdd.sys [sYSTEM] TermDD

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService

Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes

Service C:\WINDOWS\system32\tlntsvr.exe [DISABLED] TlntSvr

Service C:\WINDOWS\system32\drivers\tmcomm.sys [AUTO] tmcomm

Service [DISABLED] TosIde

Service C:\WINDOWS\system32\svchost.exe [MANUAL] TrkWks

Service [DISABLED] Udfs

Service [DISABLED] ultra

Service C:\WINDOWS\system32\wdfmgr.exe [AUTO] UMWdf

Service C:\WINDOWS\system32\DRIVERS\update.sys [MANUAL] Update

Service C:\WINDOWS\system32\svchost.exe [DISABLED] upnphost

Service C:\WINDOWS\System32\ups.exe [DISABLED] UPS

Service C:\WINDOWS\system32\DRIVERS\usbehci.sys [MANUAL] usbehci

Service C:\WINDOWS\system32\DRIVERS\usbhub.sys [MANUAL] usbhub

Service C:\WINDOWS\system32\DRIVERS\usbohci.sys [MANUAL] usbohci

Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR

Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave

Service [DISABLED] ViaIde

Service [bOOT] VolSnap

Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS

Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time

Service C:\WINDOWS\system32\DRIVERS\wanarp.sys [MANUAL] Wanarp

Service [MANUAL] WDICA

Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud

Service C:\WINDOWS\system32\svchost.exe [AUTO] WebClient

Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt

Service [MANUAL] Winsock

Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi

Service C:\WINDOWS\system32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv

Service [sYSTEM] WS2IFSL

Service C:\WINDOWS\System32\svchost.exe [AUTO] wscsvc

Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv

Service C:\WINDOWS\System32\svchost.exe [DISABLED] WZCSVC

Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov

Service [MANUAL] apsawjwg

---- EOF - GMER 1.0.10 ----

Zrobiłem to co mi napisałeś…sytuacja się uspokoiła…niby wszystko jest Ok.Ponowne skanowanie GMEREM nic już nie wykazuje a i Twój brak wypowiedzi na podane logi uznaję za potwierdzenie że wszystko jest teraz w porządku…ale…Drążąc temat ściągnąłem sobie narzędzie RootkitRevealer, zrobiłem skan i znalazł mi jakiś podejrzany klucz.W związku z tym jest moje pytanie czy to coś szkodliwego oraz czy mam to usunąć a jeśli tak to czym i czy w trybie awaryjnym z wyłączonym przywracaniem.Oto log:

HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg 2006-11-19 17:28 0 bytes Access is denied.