eagle-jd
(Eagle Jd)
31 January 2007 11:19
#1
For some time now, the programs that monitor my computer (Spybot, SpywareGuard, etc.) have been hiding themselves. I scanned the computer with everything I could: Avast found no viruses, and Spybot and Adaware found nothing either. I installed Spyware Terminator and it found one trojan. I also decided to scan for rootkits, and I think it found something. There are registry keys I can't delete, and files that don't exist. I'm pasting the logs from the programs: HijackThis, Silent Runners and RootkitHookAnalyzer. The last one finds something.
HijackThis v1.99.1
Logfile of HijackThis v1.99.1
Scan saved at 11:50:15, on 2007-01-31
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programy\Avast\ashDisp.exe
C:\Programy\SpywareGuard\sgmain.exe
C:\Programy\Spyware Terminator\SpywareTerminatorShield.exe
C:\Programy\Jetico Personal Firewall 1.0.1.61\fwsrv.exe
C:\Programy\Gadu-Gadu\gg.exe
C:\Programy\Spybot - Search & Destroy\TeaTimer.exe
C:\Programy\SpywareGuard\sgbhp.exe
C:\Programy\Kalendarz XP\Kalendarz.exe
C:\Programy\Avast\aswUpdSv.exe
C:\Programy\Avast\ashServ.exe
D:\Programy\Catia V5R16\intel_a\code\bin\CATSysDemon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe
D:\Programy\UG NX\License Servers\UGNXFLEXlm\lmgrd.exe
C:\Program Files\WinClamAVShield\sp_clam.exe
D:\Programy\UG NX\License Servers\UGNXFLEXlm\uglmd.exe
C:\Programy\Avast\ashMaiSv.exe
C:\Programy\Avast\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programy\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programy\Adobe Reader 7.0.5\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programy\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programy\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\Programy\Avast\ashDisp.exe
O4 - HKLM\..\Run: [spywareGuard] C:\Programy\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [spywareTerminator] "C:\Programy\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [JeticoPFStartup] "C:\Programy\Jetico Personal Firewall 1.0.1.61\fwsrv.exe"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Programy\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Programy\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Kalendarz XP.lnk = C:\Programy\Kalendarz XP\Kalendarz.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\Programy\MICROS~1\Office10\EXCEL.EXE/3000
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne … nicode.cab
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programy\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programy\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programy\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programy\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: Backbone Service (BBDemon) - Unknown owner - D:\Programy\Catia V5R16\intel_a\code\bin\CATSysDemon.exe" -service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unknown owner - C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe
O23 - Service: Unigraphics License Server (uglmd) - GLOBEtrotter Software Inc. - D:\Programy\UG NX\License Servers\UGNXFLEXlm\lmgrd.exe
Silent Runners
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Gadu-Gadu" = ""C:\Programy\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"SpybotSD TeaTimer" = "C:\Programy\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"avast!" = "C:\Programy\Avast\ashDisp.exe" [null data]
"SpywareGuard" = "C:\Programy\SpywareGuard\sgmain.exe" [null data]
"SpywareTerminator" = ""C:\Programy\Spyware Terminator\SpywareTerminatorShield.exe"" ["Crawler.com "]
"JeticoPFStartup" = ""C:\Programy\Jetico Personal Firewall 1.0.1.61\fwsrv.exe"" ["Jetico, Inc."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
                                        \StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Programy\Adobe Reader 7.0.5\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{4A368E80-174F-4872-96B5-0B27DDD11DB2}\(Default) = "SpywareGuard Download Protection"
  -> {HKLM...CLSID} = "SpywareGuardDLBLOCK.CBrowserHelper"
                   \InProcServer32\(Default) = "C:\Programy\SpywareGuard\dlprotect.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programy\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Programy\Microsoft Office XP\Office10\msohev.dll" [MS]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
  -> {HKCU...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programy\OpenOffice 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programy\OpenOffice 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programy\OpenOffice 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programy\OpenOffice 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
  -> {HKLM...CLSID} = "SpywareGuard.Handler"
                   \InProcServer32\(Default) = "C:\Programy\SpywareGuard\spywareguard.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
  -> {HKLM...CLSID} = "RealOne Player Context Menu Class"
                   \InProcServer32\(Default) = "C:\Programy\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Programy\QuickTime\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
                   \InProcServer32\(Default) = "C:\Programy\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com "]
<<!>> "{81559C35-8464-49F7-BB0E-07A383BEF910}" = (no title provided)
  -> {HKLM...CLSID} = "SpywareGuard.Handler"
                   \InProcServer32\(Default) = "C:\Programy\SpywareGuard\spywareguard.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"| [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Programy\OpenOffice 2.0.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Programy\Adobe Reader 7.0.5\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Programy\Avast\ashShell.dll" ["ALWIL Software"]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
                   \InProcServer32\(Default) = "C:\Programy\IZARC3~1.6\IZArcCM.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
  -> {HKLM...CLSID} = "IZArc Shell Context Menu"
                   \InProcServer32\(Default) = "C:\Programy\IZARC3~1.6\IZArcCM.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Programy\Avast\ashShell.dll" ["ALWIL Software"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSMConfigurePrograms" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSaveSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Desktop|
Don't save settings at exit}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoChangeKeyboardNavigationIndicators" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Enable Classic Shell / Turn on Classic Shell}

"NoSharedDocuments" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"ClassicShell" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoVisualStyleChoice" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoColorChoice" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoSizeChoice" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\JP\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "JP" & "All Users" startup folders:
----------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Kalendarz XP" -> shortcut to: "C:\Programy\Kalendarz XP\Kalendarz.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

avast! Antivirus, avast! Antivirus, ""C:\Programy\Avast\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Programy\Avast\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Programy\Avast\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Programy\Avast\ashWebSv.exe" /service" ["ALWIL Software"]
Backbone Service, BBDemon, ""D:\Programy\Catia V5R16\intel_a\code\bin\CATSysDemon.exe" -service" ["Dassault Systemes"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Unigraphics License Server (uglmd), Unigraphics License Server (uglmd), ""D:\Programy\UG NX\License Servers\UGNXFLEXlm\lmgrd.exe"" ["GLOBEtrotter Software Inc."]
Unigraphics Plot Server (ugiipqd), ugiipqd, "C:\WINDOWS\system32\spool\ugplot\ugiipqd.exe" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 209 seconds.
---------- (total run time: 246 seconds)
Merged posts: 31.01.2007 (Wed) 12:24
Thanks in advance for the help. I'll also attach the GMER report.
adam9870
(adam9870)
31 January 2007 11:28
#2
Cosmetic cleanup: remove with HJT.
Open Notepad and paste this into it:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
File >>> Save as >>> change the file type from TXT to All files >>> save it under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.
Where is the rootkit being detected? A screenshot would be best.
http://forum.dobreprogramy.pl/viewtopic.php?t=46412
To be sure, could you show two GMER logs made with these settings:
Rootkit tab >>> everything checked except Show all >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into a post
Rootkit tab >>> only Services and Show all checked >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into a post
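The FIX.REG in this post writes BootExecute as a raw hex(7) dump, which is hard to read by eye, and the Silent Runners log flagged that value with a trailing `|` (an extra empty element in the multi-string). The script below is an added example, not code from the thread: it parses a .reg export, decodes the REG_MULTI_SZ bytes back into strings, and reports whether the value is the stock Windows XP default `autocheck autochk *`. The copy of the fix embedded in it is constructed from the post above; the anomalous variants built with `make_reg` (a stray empty element, a placeholder extra program name) are assumptions for illustration.

```python
import re

# Constructed copy of the FIX.REG from the post above (identical bytes to the
# one posted); used here as the input we decode.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
'''

SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
# Stock Windows XP value: only the disk check runs before the rest of boot.
EXPECTED_BOOTEXECUTE = ["autocheck autochk *"]
REG_MULTI_SZ = 7


def parse_reg_values(text):
    """Map (key, value_name) -> (reg_type, raw_bytes) for hex-encoded values
    in a .reg export. regedit wraps long hex dumps with a trailing backslash,
    so continuation lines are joined back first. Values written as
    "name"="string" (REG_SZ) are skipped; only the binary forms are needed here."""
    joined = re.sub(r',\\\r?\n\s*', ',', text)
    values, key = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key is not None and line.startswith('"') and '"=' in line:
            name, _, data = line.partition('"=')
            m = re.match(r'hex(?:\((\d+)\))?:(.*)$', data)
            if m:
                reg_type = int(m.group(1)) if m.group(1) else 3  # bare "hex:" is REG_BINARY
                raw = bytes(int(b, 16) for b in m.group(2).split(',') if b)
                values[(key, name[1:])] = (reg_type, raw)
    return values


def decode_multi_sz(raw):
    """Turn REG_MULTI_SZ bytes (UTF-16LE, a NUL after every string and one more
    NUL closing the list) into a list of strings. Empty strings inside the list
    are kept on purpose: an extra empty element is the kind of anomaly that
    Silent Runners renders as a trailing '|' on BootExecute."""
    text = raw.decode('utf-16-le')
    if text in ('', '\0', '\0\0'):
        return []                      # encodings of an empty list
    if text.endswith('\0'):
        text = text[:-1]               # drop the list terminator
    parts = text.split('\0')           # "s1\0s2\0" -> ['s1', 's2', '']
    if parts[-1] == '':
        parts.pop()                    # piece after the last string's own NUL
    return parts


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz; used to build the constructed inputs below."""
    return ''.join(s + '\0' for s in strings).encode('utf-16-le') + b'\0\0'


def make_reg(strings):
    """Build a .reg text that sets BootExecute to a constructed list of strings."""
    hex7 = ','.join(f'{b:02x}' for b in encode_multi_sz(strings))
    return (f'Windows Registry Editor Version 5.00\n\n[{SESSION_MANAGER}]\n'
            f'"BootExecute"=hex(7):{hex7}\n')


def check_bootexecute(reg_text):
    """Decode BootExecute from a .reg text; return (strings, is_stock_default)."""
    reg_type, raw = parse_reg_values(reg_text)[(SESSION_MANAGER, 'BootExecute')]
    if reg_type != REG_MULTI_SZ:
        raise ValueError(f'BootExecute should be hex(7)/REG_MULTI_SZ, got type {reg_type}')
    decoded = decode_multi_sz(raw)
    return decoded, decoded == EXPECTED_BOOTEXECUTE


if __name__ == '__main__':
    print(check_bootexecute(FIX_REG))
    # Constructed anomalies: a stray empty element, and an extra program name.
    print(check_bootexecute(make_reg(['autocheck autochk *', ''])))
    print(check_bootexecute(make_reg(['autocheck autochk *', 'example_extra.exe'])))
```

To use it on a real machine, export the Session Manager key from regedit (File > Export) before and after applying the fix and feed each file to `check_bootexecute`; the "before" export shows exactly which extra element the log was complaining about, and the "after" one should come back as the default.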
eagle-jd
(Eagle Jd)
31 January 2007 11:36
#3
GMER point 1
GMER point 2
Merged posts: 31.01.2007 (Wed) 12:41
Merged posts: 31.01.2007 (Wed) 13:59
Is everything alright?? Also, the Jetico firewall keeps reporting that the network settings have changed and the system has to be reloaded.
Gutek
(Gutek)
31 January 2007 13:10
#4
eagle-jd
(Eagle Jd)
31 January 2007 13:32
#5
Still the same. The log is as in the attached screenshot.
adam9870
(adam9870)
31 January 2007 13:36
#6
Show the new GMER logs.
adam9870
(adam9870)
31 January 2007 14:08
#8
Clean. Also paste the log made with the Services + Show all setting.
eagle-jd
(Eagle Jd)
31 January 2007 14:08
#9
Oh, and does anyone happen to know how to remove a registry entry with /0 at the end?? I mean one that normally won't delete.
Merged posts: 31.01.2007 (Wed) 15:10
Then how do you explain these entries from
http://img220.imageshack.us/my.php?image=pulpit1tx6.jpg
Merged posts: 31.01.2007 (Wed) 19:45
I reinstalled Jetico Personal Firewall on a second computer and the same file appeared as on mine, bcftdi.sys. GMER marks it as an SSDT rootkit. User adam9870 stated that it's nothing dangerous. Can someone tell me what this file is??
And one more thing. What does an entry like this modify??
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,\
  00,61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00
And thanks for the help. These last questions are just for my own information.