Wszystko niby cacy i działa, ale internet je bardzo zamulony, a jeszcze większym problem są dla mnie szalejące pingi we wszystkich grach.
Oto komplet logów z Silent Runers, Hijacks i dorzucam jeszcze log ze SmitfraundFix. Wg mnie na 99% mamy tu do czynienia z rootkitami
Logfile of HijackThis v1.99.1 Scan saved at 16:08:03, on 2007-04-12 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe C:\WINDOWS\System32\RUNDLL32.EXE D:\Programy\AntiVir PersonalEdition Classic\avgnt.exe D:\Programy\Winamp 5.33\winampa.exe D:\Programy\PowerISO\PWRISOVM.EXE D:\Programy\Comodo Firewall\Personal Firewall\CPF.exe C:\Program Files\Comodo\LaunchPad\CLPTray.exe D:\Programy\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\System32\ctfmon.exe D:\Programy\Tlen.pl\tlen.exe C:\WINDOWS\system32\RaConfig.exe D:\Programy\OpenOficce.org 2.1\program\soffice.exe D:\Programy\OpenOficce.org 2.1\program\soffice.BIN D:\Programy\hijackthis\HijackThis.exe
Silent:
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Komunikator” = “D:\Programy\Tlen.pl\tlen.exe” [“o2.pl Sp. z o.o.”] “ccleaner” = ““D:\Programy\CCleaner\ccleaner.exe” /AUTO” [“Piriform Ltd”] “NBJ” = ““D:\Programy\Nero Vision\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] “Odkurzacz-MCD” = “D:\Programy\Odkurzacz\odk_mcd.exe” [“Franmo Software”] “Gadu-Gadu” = ““D:\Programy\Gadu-Gadu\gg.exe” /tray” [“sms-express.com ”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “HPDJ Taskbar Utility” = “C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe” [“HP”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”] “avgnt” = ““D:\Programy\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “WinampAgent” = “D:\Programy\Winamp 5.33\winampa.exe” [null data] “PWRISOVM.EXE” = “D:\Programy\PowerISO\PWRISOVM.EXE” [“PowerISO Computing, Inc.”] “Comodo Personal Firewall” = “D:\Programy\Comodo Firewall\Personal Firewall\CPF.exe sysrestart” [“COMODO”] “Comodo Launch Pad Tray” = “C:\Program Files\Comodo\LaunchPad\CLPTray.exe” [“COMODO”] “!AVG Anti-Spyware” = ““D:\Programy\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“Anti-Malware Development a.s.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “Adobe PDF Reader Link Helper” \InProcServer32(Default) = “D:\Programy\Adobe Reader 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Programy\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] {CC59E0F9-7E43-44FA-9FAA-8377850BF205}(Default) = (no title provided) -> {HKLM…CLSID} = “FDMIECookiesBHO Class” \InProcServer32(Default) = “D:\Programy\Free Download Manager 2.1 PL (Full)\Free Download Manager\iefdmcks.dll” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS] “{0A082D00-EC93-11D0-B1E6-80580BC10627}” = “Corel Media Folder Root Menu Handler” -> {HKLM…CLSID} = “Corel Media Folder Root Menu Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}” = “Folder To Corel Media Folder Menu Handler” -> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{854AF161-1AE1-11D1-AB9B-00C0F00683EB}” = “Corel Media Folder” -> {HKLM…CLSID} = “Corel Media Folder” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{E856F161-1AE5-11d1-AB9B-00C0F00683EB}” = “Corel Media Folder” -> {HKLM…CLSID} = “Corel Media Folder” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{CDB89701-262F-11D1-AB9C-00C0F00683EB}” = “Corel Media Find Folder” -> {HKLM…CLSID} = “Corel Media Find Folder” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{F8152501-455F-11D1-B1E6-444553540000}” = “Corel Media Folder Copy Hook Handler” -> {HKLM…CLSID} = “Corel Media Folder Copy Hook Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “D:\Programy\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Programy\OpenOficce.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Programy\OpenOficce.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Programy\OpenOficce.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Programy\OpenOficce.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” = “PowerISO” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “D:\Programy\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “D:\Programy\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““D:\Programy\OpenOficce.org 2.1\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\Programy\Adobe Reader 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “D:\Programy\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “D:\Programy\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “D:\Programy\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “D:\Programy\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] FolderToCorelMediaFolder(Default) = “{0FBF99C1-4127-11D1-B1E6-C17E96D9180A}” -> {HKLM…CLSID} = “Folder To Corel Media Folder Menu Handler” \InProcServer32(Default) = “C:\Corel\Graphics8\programs\CMFFld80.dll” [empty string] PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “D:\Programy\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” -> {HKLM…CLSID} = “PowerISO” \InProcServer32(Default) = “D:\Programy\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”] Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” -> {HKLM…CLSID} = “Shell Extension for Malware scanning” \InProcServer32(Default) = “D:\Programy\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Documents and Settings\Dominik\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Dominik\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\system32\logon.scr” [MS] Startup items in “Oominik” & “All Users” startup folders: --------------------------------------------------------- C:\Documents and Settings\Oominik.MORON-CZF9TY5IA\Menu Start\Programy\Autostart “OpenOffice.org 2.1” -> shortcut to: “D:\Programy\OpenOficce.org 2.1\program\quickstart.exe” [null data] C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS] “RaConfig” -> shortcut to: “C:\WINDOWS\system32\RaConfig.exe” [“Ralink Technology, Corp.”] “Adobe Reader Speed Launch” -> shortcut to: “D:\Programy\Adobe Reader 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ AntiVir PersonalEdition Classic Guard, AntiVirService, “D:\Programy\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”] AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, “D:\Programy\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”] AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “D:\Programy\AVG Anti-Spyware 7.5\guard.exe” [“Anti-Malware Development a.s.”] Comodo Application Agent, CmdAgent, “D:\Programy\Comodo Firewall\Personal Firewall\cmdagent.exe” [“COMODO”] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] SecuROM User Access Service (V7), UserAccess7, “C:\WINDOWS\System32\UAService7.exe” [“Sony DADC Austria AG.”] StarWind iSCSI Service, StarWindService, “D:\Programy\Alcohol 120%\StarWind\StarWindService.exe” [“Rocket Division Software”] StyleXPService, StyleXPService, ““C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe”” [empty string] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt05\Driver = “hpzsnt05.dll” [“HP”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 354 seconds. ---------- (total run time: 2441 seconds)
Oraz na dokładkę najbardziej jak dla mnie niepokojący log ze Smita:
SmitFraudFix v2.166 Scan done at 18:31:23,57, 2007-04-12 Run from D:\Programy\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» Process C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe C:\WINDOWS\System32\RUNDLL32.EXE D:\Programy\AntiVir PersonalEdition Classic\avgnt.exe D:\Programy\Winamp 5.33\winampa.exe D:\Programy\PowerISO\PWRISOVM.EXE D:\Programy\Comodo Firewall\Personal Firewall\CPF.exe C:\Program Files\Comodo\LaunchPad\CLPTray.exe D:\Programy\AVG Anti-Spyware 7.5\avgas.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\system32\RaConfig.exe D:\Programy\OpenOficce.org 2.1\program\soffice.exe D:\Programy\OpenOficce.org 2.1\program\soffice.BIN D:\Programy\Winamp 5.33\winamp.exe D:\Programy\Mozilla Firefox 2.0\firefox.exe C:\WINDOWS\System32\cmd.exe »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dominik »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Dominik\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DOMINIK~1.MOR\ULUBIONE »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] “Source”=“About:Home” “SubscribedURL”=“About:Home” “FriendlyName”=“Moja bieľĄca strona gˆ˘wna” »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !Attention, following keys are not inevitably infected! SrchSTS.exe by S!Ri Search SharedTaskScheduler’s .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !Attention, following keys are not inevitably infected! »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !Attention, following keys are not inevitably infected! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 huy32 detected, use a Rootkit scanner pe386 detected, use a Rootkit scanner lzx32 detected, use a Rootkit scanner msguard detected, use a Rootkit scanner »»»»»»»»»»»»»»»»»»»»»»»» DNS Description: RT2400 Wireless LAN Card - Sterownik miniport Harmonogramu pakietów DNS Server Search Order: 192.168.18.1 DNS Server Search Order: 194.204.159.1 HKLM\SYSTEM\CCS\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 HKLM\SYSTEM\CS1\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,195.114.161.61 HKLM\SYSTEM\CS2\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 HKLM\SYSTEM\CS3\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End Oraz kolejny log ze Smita po małej operacji: SmitFraudFix v2.166 Scan done at 18:40:06,17, 2007-04-12 Run from D:\Programy\SmitfraudFix\SmitfraudFix OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT The filesystem type is Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» DNS Before Fix Description: RT2400 Wireless LAN Card - Sterownik miniport Harmonogramu pakietów DNS Server Search Order: 192.168.18.1 DNS Server Search Order: 194.204.159.1 HKLM\SYSTEM\CCS\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 HKLM\SYSTEM\CS1\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,195.114.161.61 HKLM\SYSTEM\CS2\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 HKLM\SYSTEM\CS3\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 »»»»»»»»»»»»»»»»»»»»»»»» DNS After Fix Description: RT2400 Wireless LAN Card - Sterownik miniport Harmonogramu pakietów DNS Server Search Order: 192.168.18.1 DNS Server Search Order: 194.204.159.1 HKLM\SYSTEM\CCS\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 HKLM\SYSTEM\CS1\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,195.114.161.61 HKLM\SYSTEM\CS2\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1 HKLM\SYSTEM\CS3\Services\Tcpip…{9759F774-A012-4E4C-A4B4-279406B4B4EA}: NameServer=192.168.18.1,194.204.159.1
adam9870
(adam9870)
12 Kwiecień 2007 18:59
#4
Na razie widzę w logach:
Po aq70mwz4.SYS powinna być jeszcze usługa, natomiast usługa ldiskl może być od programu Rootkit Revealer.
Ale póki co proszę:
zastosuj SmitFraudFix ale tym razem z opcji numer 2 w trybie awaryjnym
wklej raport z smitfraudfix
wklej log z combofix plus log z Gmer’a wykonany przy ustawieniu usługi + pokazuj wszystko.
Radziłbym zainstalować Service Pack 2
asterisk
(Asterisk)
12 Kwiecień 2007 19:13
#7
Zastosuj się do tego Tematu i zmień
tytuł tematu na konkretny - inaczej KOSZ
adam9870
(adam9870)
12 Kwiecień 2007 20:13
#9
Usuń te pliki ręcznie w trybie awaryjnym.
Start => uruchom => wpisz regedit i kliknij OK => przejdź do klucza:
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce
i skasuj z prawokliku znajdującą się tam wartość Del41
Po wykonaniu wklej nowy log z Combo plus dwa logi z Gmer’a. Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, to umieść je w jakimś serwisie hostingowym jako pliki *.txt, a tu tylko zlinkuj.
Gutek
(Gutek)
13 Kwiecień 2007 20:26
#10
Po wykonaniu wklej nowy log z Combo plus dwa logi z Gmer’a. Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, to umieść je w jakimś serwisie hostingowym jako pliki *.txt, a tu tylko zlinkuj.
Byłeś o coś proszony kombersista - takie długie logi rozwalają forum i nie są całe. Logi skasowałem, daj jeszcze raz ale tak jak o to ciebie prosił adam