Infection: win32: Agent-DAW, please check my log


(Damno) #1

Hi,

Avast detected a trojan on my machine in: C:\Documents and Settings\Damian\directpush.sys

here is the log:

Logfile of HijackThis v1.99.1

Scan saved at 21:38:42, on 2007-02-07

Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\ACS.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\System32\directxpushup.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\System32\irdvxc.exe

C:\WINDOWS\System32\SCardSvr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Last.fm\LastFM.exe

C:\Program Files\WinRAR\WinRAR.exe

C:\DOCUME~1\Damian\USTAWI~1\Temp\Rar$EX00.766\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gadu-gadu.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL (file missing)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [msvcc25] svcchost.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Microsoft Directx push] directxpushup.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\RunServices: [msvcc25] svcchost.exe

O4 - HKLM\..\RunServices: [Microsoft Directx push] directxpushup.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [Microsoft Directx push] directxpushup.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [SparVoip] "C:\Program Files\SparVoip\SparVoip.exe" -nosplash -minimized

O4 - HKCU\..\RunServices: [Microsoft Directx push] directxpushup.exe

O4 - Startup: Registration SETTLERS - Dziedzictwo Królów.LNK = ?

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O17 - HKLM\System\CCS\Services\Tcpip\..\{21126233-B1B8-45B8-89C3-EE8285689A27}: NameServer = 85.255.114.4,85.255.112.137

O17 - HKLM\System\CCS\Services\Tcpip\..\{753B1B9B-4D04-4CDE-B6CF-76E33058B3DB}: NameServer = 85.255.114.4,85.255.112.137

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137

O17 - HKLM\System\CS1\Services\Tcpip\..\{21126233-B1B8-45B8-89C3-EE8285689A27}: NameServer = 85.255.114.4,85.255.112.137

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137

O17 - HKLM\System\CS2\Services\Tcpip\..\{21126233-B1B8-45B8-89C3-EE8285689A27}: NameServer = 85.255.114.4,85.255.112.137

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.4 85.255.112.137

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Windows Management Service - Unknown owner - C:\WINDOWS\System32\.exe

Thanks in advance, Damian


(adam9870) #2

Don't keep HijackThis in TEMP or any other temporary directory. Put it on the desktop, for example.

Start => Run => type cmd and click OK => in the console that opens, type:

The marked files you delete manually from disk while in Safe Mode, and the entries in HijackThis.

If you no longer have the Neostrada access application, additionally remove:

Use the FixWareOut tool.

When done, please post the full set of logs:


(Damno) #3

thanks for the quick response :smiley:

could you help me and write how to find and delete the indicated files in Safe Mode?

thanks

Damian


(adam9870) #4

Since you're a beginner, we'll delete these files in a slightly different, faster way.

Download the KillBox program, check Delete on reboot, and in the "full path of file" field paste the paths:

C:\WINDOWS\System32\svcchost.exe

C:\WINDOWS\System32\directxpushup.exe

C:\WINDOWS\System32\irdvxc.exe

C:\WINDOWS\System32.exe

after pasting each path separately, click the red X, but only after pasting the last one agree to the restart.


(Damno) #5

thanks, sorry I didn't say right away that I'm a beginner

I did as you wrote and deleted the files using KillBox

I deleted 2 entries in HijackThis -

O4 - HKLM..\Run: [msvcc25] svcchost.exe

O4 - HKLM..\Run: [Microsoft Directx push] directxpushup.exe

the other 2 I couldn't find

here are the logs:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu Sp. z o.o."]

"Microsoft Directx push" = "directxpushup.exe" [file not found]

"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

"SparVoip" = ""C:\Program Files\SparVoip\SparVoip.exe" -nosplash -minimized" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [null data]

"TPSMain" = "TPSMain.exe" ["TOSHIBA Corporation"]

"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]

"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]

"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

"NapsterShell" = "C:\Program Files\Napster\napster.exe /systray" [file not found]

"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]

"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]

"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Active Setup\Installed Components\

{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)

                                       \StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Documents and Settings\Damian\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Damian\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]



Autostart via AUTORUN.INF on local fixed drives:

------------------------------------------------


D:\

<> D:\AUTORUN.INF -> "OPEN=setupSNK.exe" [file not found]



Startup items in "Damian" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\Damian\Menu Start\Programy\Autostart

"Registration SETTLERS - Dziedzictwo Królów" -> shortcut to: "C:\Program Files\Ubisoft\Blue Byte\SETTLERS - Dziedzictwo Królów\Support\Register\RegistrationReminder.exe -d 802855 -l english -r 7 -g SETTLERS - Dziedzictwo Królów -c us -i 2057" [file not found]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"

  -> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"



Miscellaneous IE Hijack Points

------------------------------


HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\

<> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)

  -> {HKLM...CLSID} = "Search Class"

                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [file not found]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Atheros Configuration Service, ACS, "C:\WINDOWS\System32\ACS.exe" [null data]

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]

avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]

avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]

avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]

avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]



----------

<>: Suspicious data at a malware launch point.

<>: Suspicious data at a browser hijack point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 1208 seconds, including 18 seconds for message boxes)

COMBOFIX:

"Damian" - 07-02-07 23:58:07 Dodatek Service Pack. 1

ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Damian\Pulpit"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



C:\WINDOWS\system32\recsl.exe

C:\INSTALL.LOG



((((((((((((((((((((((((((((((( Files Created from 2007-01-07 to 2007-02-07 ))))))))))))))))))))))))))))))))))



2007-02-07 23:23	




GMER:

GMER 1.0.12.12027 - http://www.gmer.net

Rootkit scan 2007-02-08 00:15:46

Windows 5.1.2600 Dodatek Service Pack. 1


---- Kernel code sections - GMER 1.0.12 ----

.text  ntoskrnl.exe!KeInitializeInterrupt + B67  804DA23C 1 Byte [06]

.text  ntdll.dll!NtClose  77F758AA 5 Bytes  JMP 7203407A

.text  ntdll.dll!NtCreateProcess  77F759F4 5 Bytes  JMP 72034205

.text  ntdll.dll!NtCreateProcessEx  77F75A03 5 Bytes  JMP 720340E9

.text  ntdll.dll!NtCreateSection  77F75A21 5 Bytes  JMP 72034098


---- User code sections - GMER 1.0.12 ----

.text  C:\WINDOWS\explorer.exe[1336] ntdll.dll!NtResumeThread  77F76341 5 Bytes  JMP 01E17040


---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12027 - http://www.gmer.net

Rootkit scan 2007-02-08 00:17:20

Windows 5.1.2600 Dodatek Service Pack. 1



---- Services - GMER 1.0.12 ----


Service [SYSTEM] Aavmker4

Service [DISABLED] Abiosdsk

Service [DISABLED] abp480n5

Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [BOOT] ACPI

Service C:\WINDOWS\System32\DRIVERS\ACPIEC.sys [BOOT] ACPIEC

Service C:\WINDOWS\System32\ACS.exe [AUTO] ACS

Service [DISABLED] adpu160m

Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec

Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD

Service [DISABLED] Aha154x

Service [DISABLED] aic78u2

Service [DISABLED] aic78xx

Service C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [MANUAL] alcan5wn

Service C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [MANUAL] alcaudsl

Service C:\WINDOWS\system32\drivers\ALCXSENS.SYS [MANUAL] ALCXSENS

Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM

Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG

Service [DISABLED] AliIde

Service [DISABLED] amsint

Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt

Service C:\WINDOWS\System32\DRIVERS\ar5211.sys [MANUAL] AR5211

Service [DISABLED] asc

Service [DISABLED] asc3350p

Service [DISABLED] asc3550

Service [AUTO] Aspi32

Service [AUTO] aswMon2

Service [MANUAL] aswRdr

Service [SYSTEM] aswTdi

Service C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [AUTO] aswUpdSv

Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac

Service C:\WINDOWS\System32\DRIVERS\atapi.sys [BOOT] atapi

Service [DISABLED] Atdisk

Service C:\WINDOWS\System32\Ati2evxx.exe [AUTO] Ati HotKey Poller

Service C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag

Service C:\WINDOWS\System32\DRIVERS\atiide.sys [BOOT] atiide

Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv

Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub

Service C:\Program Files\Alwil Software\Avast4\ashServ.exe [AUTO] avast! Antivirus

Service C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [MANUAL] avast! Mail Scanner

Service C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [MANUAL] avast! Web Scanner

Service BattC

Service [SYSTEM] Beep

Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS

Service C:\WINDOWS\System32\DRIVERS\atisgkaf.sys [BOOT] caboagp

Service [DISABLED] cbidf2k

Service [DISABLED] cd20xrnt

Service [SYSTEM] Cdaudio

Service [DISABLED] Cdfs

Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [SYSTEM] Cdrom

Service [SYSTEM] Changer

Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc

Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv

Service C:\WINDOWS\System32\DRIVERS\CmBatt.sys [MANUAL] CmBatt

Service [DISABLED] CmdIde

Service C:\WINDOWS\System32\DRIVERS\compbatt.sys [BOOT] Compbatt

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp

Service ContentFilter

Service ContentIndex

Service [DISABLED] Cpqarray

Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc

Service [DISABLED] dac2w2k

Service [DISABLED] dac960nt

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp

Service C:\WINDOWS\System32\DRIVERS\disk.sys [BOOT] Disk

Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin

Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot

Service C:\WINDOWS\System32\drivers\dmio.sys [BOOT] dmio

Service C:\WINDOWS\System32\drivers\dmload.sys [BOOT] dmload

Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver

Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache

Service [DISABLED] dpti2o

Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc

Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem

Service [DISABLED] Fastfat

Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility

Service [SYSTEM] Fdc

Service [SYSTEM] Fips

Service [SYSTEM] Flpydisk

Service [SYSTEM] Fs_Rec

Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [BOOT] Ftdisk

Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer

Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc

Service C:\WINDOWS\System32\svchost.exe [AUTO] HidServ

Service C:\WINDOWS\System32\DRIVERS\hidusb.sys [MANUAL] hidusb

Service [DISABLED] hpn

Service [SYSTEM] i2omgmt

Service [DISABLED] i2omp

Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [SYSTEM] i8042prt

Service C:\WINDOWS\System32\DRIVERS\imapi.sys [SYSTEM] Imapi

Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService

Service inetaccs

Service [DISABLED] ini910u

Service Inport

Service [DISABLED] IntelIde

Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver

Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp

Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat

Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [SYSTEM] IPSec

Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM

Service ISAPISearch

Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [BOOT] isapnp

Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [SYSTEM] Kbdclass

Service C:\WINDOWS\System32\DRIVERS\kbdhid.sys [SYSTEM] kbdhid

Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer

Service [BOOT] KSecDD

Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver

Service [SYSTEM] lbrtfdc

Service ldap

Service LicenseService

Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts

Service C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [AUTO] MDC8021X

Service [SYSTEM] mnmdd

Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc

Service [MANUAL] Modem

Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [SYSTEM] Mouclass

Service C:\WINDOWS\System32\DRIVERS\mouhid.sys [MANUAL] mouhid

Service [BOOT] MountMgr

Service [DISABLED] mraid35x

Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV

Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC

Service [SYSTEM] Msfs

Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer

Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV

Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK

Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM

Service [BOOT] Mup

Service [BOOT] NDIS

Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi

Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio

Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan

Service [MANUAL] NDProxy

Service C:\WINDOWS\System32\DRIVERS\netbt.sys [AUTO] NetBT

Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE

Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla

Service C:\WINDOWS\system32\drivers\npf.sys [MANUAL] NPF

Service [SYSTEM] Npfs

Service [DISABLED] Ntfs

Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc

Service [SYSTEM] Null

Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt

Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd

Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [MANUAL] ose

Service Outlook

Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport

Service [BOOT] PartMgr

Service [AUTO] ParVdm

Service C:\WINDOWS\System32\DRIVERS\pci.sys [BOOT] PCI

Service [SYSTEM] PCIDump

Service C:\WINDOWS\System32\DRIVERS\pciide.sys [BOOT] PCIIde

Service C:\WINDOWS\System32\DRIVERS\pcmcia.sys [BOOT] Pcmcia

Service [MANUAL] PDCOMP

Service [MANUAL] PDFRAME

Service [MANUAL] PDRELI

Service [MANUAL] PDRFRAME

Service [DISABLED] perc2

Service [DISABLED] perc2hib

Service PerfDisk

Service PerfNet

Service PerfOS

Service PerfProc

Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay

Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent

Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport

Service C:\WINDOWS\System32\DRIVERS\processr.sys [SYSTEM] Processor

Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage

Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched

Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink

Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [BOOT] PxHelp20

Service [DISABLED] ql1080

Service [DISABLED] Ql10wnt

Service [DISABLED] ql12160

Service [DISABLED] ql1240

Service [DISABLED] ql1280

Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [SYSTEM] RasAcd

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto

Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan

Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe

Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti

Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [SYSTEM] RDPCDD

Service RDPDD

Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr

Service RDPNP

Service [MANUAL] RDPWD

Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr

Service C:\WINDOWS\System32\DRIVERS\redbook.sys [SYSTEM] redbook

Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess

Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry

Service C:\Program Files\WinPcap\rpcapd.exe [MANUAL] rpcapd

Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs

Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP

Service C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139

Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs

Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv

Service C:\WINDOWS\System32\SCardSvr.exe [AUTO] SCardSvr

Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule

Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [AUTO] Secdrv

Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon

Service System32\DRIVERS\semwl5.sys [MANUAL] SEM43XX

Service System32\DRIVERS\GCXX.sys [MANUAL] SEMWModem

Service System32\DRIVERS\GCXXNet.sys [MANUAL] SEMWWNIC

Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS

Service [AUTO] Serial

Service [SYSTEM] Sfloppy

Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess

Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection

Service [DISABLED] Simbad

Service C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [MANUAL] SONYPVU1

Service System32\DRIVERS\GCXXSC.sys [MANUAL] Sony_EricssonWWSC

Service [DISABLED] Sparrow

Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter

Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler

Service C:\WINDOWS\System32\DRIVERS\sr.sys [BOOT] sr

Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice

Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv

Service C:\WINDOWS\System32\svchost.exe [AUTO] SSDPSRV

Service C:\WINDOWS\System32\STEC3.sys [AUTO] STEC3

Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc

Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum

Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv

Service [DISABLED] symc810

Service [DISABLED] symc8xx

Service [DISABLED] sym_hi

Service [DISABLED] sym_u3

Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio

Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv

Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [SYSTEM] Tcpip

Service [MANUAL] TDPIPE

Service [MANUAL] TDTCP

Service C:\WINDOWS\System32\DRIVERS\termdd.sys [SYSTEM] TermDD

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService

Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes

Service C:\WINDOWS\System32\tlntsvr.exe [DISABLED] TlntSvr

Service [DISABLED] TosIde

Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks

Service TSDDD

Service [DISABLED] Udfs

Service [DISABLED] ultra

Service C:\WINDOWS\System32\wdfmgr.exe [AUTO] UMWdf

Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update

Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr

Service C:\WINDOWS\System32\svchost.exe [AUTO] upnphost

Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS

Service C:\WINDOWS\System32\DRIVERS\usbccgp.sys [MANUAL] usbccgp

Service C:\WINDOWS\System32\DRIVERS\usbehci.sys [MANUAL] usbehci

Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub

Service C:\WINDOWS\System32\DRIVERS\usbohci.sys [MANUAL] usbohci

Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan

Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR

Service C:\WINDOWS\System32\drivers\vga.sys [SYSTEM] VgaSave

Service [DISABLED] ViaIde

Service [BOOT] VolSnap

Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS

Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time

Service W3SVC

Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp

Service [MANUAL] WDICA

Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient

Service C:\WINDOWS\System32\dmnxo.exe [AUTO] Windows Management Service

Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt

Service [MANUAL] Winsock

Service WinSock2

Service WinTrust

Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi

Service WmiApRpl

Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv

Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv

Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC

Service {21126233-B1B8-45B8-89C3-EE8285689A27}

Service {753B1B9B-4D04-4CDE-B6CF-76E33058B3DB}


---- EOF - GMER 1.0.12 ----

Merged post: 08.02.2007 (Thu) 0:27

Also the Fixwareout log:

Fixwareout

Last edited 1/30/2007

Post this report in the forums please 

...

Prerun check

»»»»» HKLM run and Winlogon System values


»»»»» System restarted

Reg Entries that were deleted 

...

Random Runs removed from HKLM 

...


»»»»» Misc files. 


»»»»» Checking for older varients.


»»»»» Postrun check 

»»»»» HKLM run 

»»»»» Winlogon System value

"system"=""

»»»»» 


PLEASE NOTE, There CAN be LEGITIMATE FILES LISTED IN THIS SECTION.


This WILL/CAN also list Legit Files, Submit them at Virustotal

Search five digit cs, dm kd and jb files.

C:\WINDOWS\System32\dmnxo.exe

»»»»»  

»»»»» Current runs 


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"

"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

"TPSMain"="TPSMain.exe"

"ATIModeChange"="Ati2mdxx.exe"

"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"NapsterShell"="C:\\Program Files\\Napster\\napster.exe /systray"

"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"

"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]

"Installed"="1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]

"Installed"="1"


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"

"Microsoft Directx push"="directxpushup.exe"

"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

"SparVoip"="\"C:\\Program Files\\SparVoip\\SparVoip.exe\" -nosplash -minimized"


Hosts file was reset, If you use a custom hosts file please replace it

(adam9870) #6

Now you will be doing the steps in GMER, so launch it, wait a moment, and click the >>> tab to open the remaining tabs.

  1. In the Services tab, find the services msdirectxpushup and Windows Management Service (if present) and delete them with a right-click

  2. In the CMD tab, with the CMD.EXE sub-option selected, paste:

  3. In the CMD tab, with the REGEDIT.EXE sub-option selected, paste:

  4. In the Processes tab choose Kill all. Now wait patiently until the desktop etc. disappears; only the GMER window will remain

  5. Go to the CMD tab and click Run, first with the CMD.EXE option selected, then with REGEDIT.EXE

Now reboot and post a new log from ComboFix and from GMER, made with Services + Show all selected.


(Damno) #7

I did as you told me.

Here are the logs:

"Damian" - 07-02-08 21:32:15 Dodatek Service Pack. 1

ComboFix 07-02-07 - Running from: "C:\Documents and Settings\Damian\Pulpit"


((((((((((((((((((((((((((((((( Files Created from 2007-01-08 to 2007-02-08 ))))))))))))))))))))))))))))))))))



2007-02-08 20:20	777	--a------	C:\WINDOWS\gmer.reg

2007-02-08 12:14

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-08 21:38:35
Windows 5.1.2600 Dodatek Service Pack. 1

---- Services - GMER 1.0.12 ----

Service [SYSTEM] Aavmker4
Service [DISABLED] Abiosdsk
Service [DISABLED] abp480n5
Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [BOOT] ACPI
Service C:\WINDOWS\System32\DRIVERS\ACPIEC.sys [BOOT] ACPIEC
Service C:\WINDOWS\System32\ACS.exe [AUTO] ACS
Service [DISABLED] adpu160m
Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec
Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD
Service [DISABLED] Aha154x
Service [DISABLED] aic78u2
Service [DISABLED] aic78xx
Service C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [MANUAL] alcan5wn
Service C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [MANUAL] alcaudsl
Service C:\WINDOWS\system32\drivers\ALCXSENS.SYS [MANUAL] ALCXSENS
Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM
Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG
Service [DISABLED] AliIde
Service [DISABLED] amsint
Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt
Service C:\WINDOWS\System32\DRIVERS\ar5211.sys [MANUAL] AR5211
Service [DISABLED] asc
Service [DISABLED] asc3350p
Service [DISABLED] asc3550
Service [AUTO] Aspi32
Service [AUTO] aswMon2
Service [MANUAL] aswRdr
Service [SYSTEM] aswTdi
Service C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [AUTO] aswUpdSv
Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac
Service C:\WINDOWS\System32\DRIVERS\atapi.sys [BOOT] atapi
Service [DISABLED] Atdisk
Service C:\WINDOWS\System32\Ati2evxx.exe [AUTO] Ati HotKey Poller
Service C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag
Service C:\WINDOWS\System32\DRIVERS\atiide.sys [BOOT] atiide
Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc
Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv
Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub
Service C:\Program Files\Alwil Software\Avast4\ashServ.exe [AUTO] avast! Antivirus
Service C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [MANUAL] avast! Mail Scanner
Service C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [MANUAL] avast! Web Scanner
Service BattC
Service [SYSTEM] Beep
Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS
Service C:\WINDOWS\System32\DRIVERS\atisgkaf.sys [BOOT] caboagp
Service [DISABLED] cbidf2k
Service [DISABLED] cd20xrnt
Service [SYSTEM] Cdaudio
Service [DISABLED] Cdfs
Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [SYSTEM] Cdrom
Service [SYSTEM] Changer
Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc
Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv
Service C:\WINDOWS\System32\DRIVERS\CmBatt.sys [MANUAL] CmBatt
Service [DISABLED] CmdIde
Service C:\WINDOWS\System32\DRIVERS\compbatt.sys [BOOT] Compbatt
Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp
Service ContentFilter
Service ContentIndex
Service [DISABLED] Cpqarray
Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc
Service [DISABLED] dac2w2k
Service [DISABLED] dac960nt
Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp
Service C:\WINDOWS\System32\DRIVERS\disk.sys [BOOT] Disk
Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin
Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot
Service C:\WINDOWS\System32\drivers\dmio.sys [BOOT] dmio
Service C:\WINDOWS\System32\drivers\dmload.sys [BOOT] dmload
Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver
Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic
Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache
Service [DISABLED] dpti2o
Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud
Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc
Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog
Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem
Service [DISABLED] Fastfat
Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility
Service [SYSTEM] Fdc
Service [SYSTEM] Fips
Service [SYSTEM] Flpydisk
Service [SYSTEM] Fs_Rec
Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [BOOT] Ftdisk
Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer
Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc
Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc
Service C:\WINDOWS\System32\svchost.exe [AUTO] HidServ
Service C:\WINDOWS\System32\DRIVERS\hidusb.sys [MANUAL] hidusb
Service [DISABLED] hpn
Service [SYSTEM] i2omgmt
Service [DISABLED] i2omp
Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [SYSTEM] i8042prt
Service C:\WINDOWS\System32\DRIVERS\imapi.sys [SYSTEM] Imapi
Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService
Service inetaccs
Service [DISABLED] ini910u
Service Inport
Service [DISABLED] IntelIde
Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver
Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp
Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat
Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [SYSTEM] IPSec
Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM
Service ISAPISearch
Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [BOOT] isapnp
Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [SYSTEM] Kbdclass
Service C:\WINDOWS\System32\DRIVERS\kbdhid.sys [SYSTEM] kbdhid
Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer
Service [BOOT] KSecDD
Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver
Service [SYSTEM] lbrtfdc
Service ldap
Service LicenseService
Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts
Service C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [AUTO] MDC8021X
Service [SYSTEM] mnmdd
Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc
Service [MANUAL] Modem
Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [SYSTEM] Mouclass
Service C:\WINDOWS\System32\DRIVERS\mouhid.sys [MANUAL] mouhid
Service [BOOT] MountMgr
Service [DISABLED] mraid35x
Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV
Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC
Service [SYSTEM] Msfs
Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer
Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV
Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK
Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM
Service [BOOT] Mup
Service [BOOT] NDIS
Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi
Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio
Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan
Service [MANUAL] NDProxy
Service C:\WINDOWS\System32\DRIVERS\netbt.sys [AUTO] NetBT
Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE
Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla
Service C:\WINDOWS\system32\drivers\npf.sys [MANUAL] NPF
Service [SYSTEM] Npfs
Service [DISABLED] Ntfs
Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc
Service [SYSTEM] Null
Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt
Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd
Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [MANUAL] ose
Service Outlook
Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport
Service [BOOT] PartMgr
Service [AUTO] ParVdm
Service C:\WINDOWS\System32\DRIVERS\pci.sys [BOOT] PCI
Service [SYSTEM] PCIDump
Service C:\WINDOWS\System32\DRIVERS\pciide.sys [BOOT] PCIIde
Service C:\WINDOWS\System32\DRIVERS\pcmcia.sys [BOOT] Pcmcia
Service [MANUAL] PDCOMP
Service [MANUAL] PDFRAME
Service [MANUAL] PDRELI
Service [MANUAL] PDRFRAME
Service [DISABLED] perc2
Service [DISABLED] perc2hib
Service PerfDisk
Service PerfNet
Service PerfOS
Service PerfProc
Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay
Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent
Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport
Service C:\WINDOWS\System32\DRIVERS\processr.sys [SYSTEM] Processor
Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage
Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched
Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink
Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [BOOT] PxHelp20
Service [DISABLED] ql1080
Service [DISABLED] Ql10wnt
Service [DISABLED] ql12160
Service [DISABLED] ql1240
Service [DISABLED] ql1280
Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [SYSTEM] RasAcd
Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto
Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp
Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan
Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe
Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti
Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [SYSTEM] RDPCDD
Service RDPDD
Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr
Service RDPNP
Service [MANUAL] RDPWD
Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr
Service C:\WINDOWS\System32\DRIVERS\redbook.sys [SYSTEM] redbook
Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess
Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry
Service C:\Program Files\WinPcap\rpcapd.exe [MANUAL] rpcapd
Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs
Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP
Service C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139
Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs
Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv
Service C:\WINDOWS\System32\SCardSvr.exe [AUTO] SCardSvr
Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule
Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [AUTO] Secdrv
Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon
Service System32\DRIVERS\semwl5.sys [MANUAL] SEM43XX
Service System32\DRIVERS\GCXX.sys [MANUAL] SEMWModem
Service System32\DRIVERS\GCXXNet.sys [MANUAL] SEMWWNIC
Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS
Service [AUTO] Serial
Service [SYSTEM] Sfloppy
Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess
Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection
Service [DISABLED] Simbad
Service C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [MANUAL] SONYPVU1
Service System32\DRIVERS\GCXXSC.sys [MANUAL] Sony_EricssonWWSC
Service [DISABLED] Sparrow
Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter
Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler
Service C:\WINDOWS\System32\DRIVERS\sr.sys [BOOT] sr
Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice
Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv
Service C:\WINDOWS\System32\svchost.exe [AUTO] SSDPSRV
Service C:\WINDOWS\System32\STEC3.sys [AUTO] STEC3
Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc
Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum
Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi
Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv
Service [DISABLED] symc810
Service [DISABLED] symc8xx
Service [DISABLED] sym_hi
Service [DISABLED] sym_u3
Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio
Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog
Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv
Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [SYSTEM] Tcpip
Service [MANUAL] TDPIPE
Service [MANUAL] TDTCP
Service C:\WINDOWS\System32\DRIVERS\termdd.sys [SYSTEM] TermDD
Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService
Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes
Service C:\WINDOWS\System32\tlntsvr.exe [DISABLED] TlntSvr
Service [DISABLED] TosIde
Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks
Service TSDDD
Service [DISABLED] Udfs
Service [DISABLED] ultra
Service C:\WINDOWS\System32\wdfmgr.exe [AUTO] UMWdf
Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update
Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr
Service C:\WINDOWS\System32\svchost.exe [AUTO] upnphost
Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS
Service C:\WINDOWS\System32\DRIVERS\usbccgp.sys [MANUAL] usbccgp
Service C:\WINDOWS\System32\DRIVERS\usbehci.sys [MANUAL] usbehci
Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub
Service C:\WINDOWS\System32\DRIVERS\usbohci.sys [MANUAL] usbohci
Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan
Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR
Service C:\WINDOWS\System32\drivers\vga.sys [SYSTEM] VgaSave
Service [DISABLED] ViaIde
Service [BOOT] VolSnap
Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS
Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time
Service W3SVC
Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp
Service [MANUAL] WDICA
Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud
Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient
Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt
Service [MANUAL] Winsock
Service WinSock2
Service WinTrust
Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN
Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi
Service WmiApRpl
Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv
Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv
Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC
Service {21126233-B1B8-45B8-89C3-EE8285689A27}
Service {753B1B9B-4D04-4CDE-B6CF-76E33058B3DB}

---- EOF - GMER 1.0.12 ----


(adam9870) #8

Check whether the file C:\windows\system32\directxpushup.exe is still on your disk, and if it is, delete it.

Start => Run => type regedit and click OK => go to the key:

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run

and right-click and delete the value Microsoft Directx push found there.

Once that is done you can post a new log from ComboFix.


(Damno) #9

Log from ComboFix:


(adam9870) #10

The log is fine.

Cosmetics:

If you don't use advanced text services, disable them: Control Panel => Regional and Language Options => Languages => Details => Advanced => check Turn off advanced text services.

Control Panel => Java => Update => uncheck the option Check for updates automatically.

Start => Run => msconfig => Startup tab => you can uncheck the items above.

If you don't use Messenger, remove it: Start => Run => type:

RunDll32 advpack.dll,LaunchINFSection %windir%\INF\msmsgs.inf,BLC.Remove


(Damno) #11

Many thanks for the professional help!! :mrgreen: