Komputer włacza się i zaraz sam resetuje

Albatros78 · 25 Styczeń 2007 11:37

W trybie awaryjnym jest OK ale w Normalnym komputer zaraz się resetuje… Czy jeśli wrzucę logi z Hijack-a i SilentRuner-a z trubu awaryjnego to wystarczy żeby coś stwierdzić ?? Czy nie ??

boczi · 25 Styczeń 2007 11:48

Skończ zanim zaczniesz

Złączono Posty : 25 Styczeń 2007, 12:49:59

Wrzuć najpierw logi i zobaczymy.

Joan · 25 Styczeń 2007 11:56

To po 1. Ponad to:

Zdejmij reset na rzecz BSOD w Panelu sterowania > System > Zaawansowane > Uruchamianie i odzyskiwanie > odptaszyć Automatycznie uruchom ponownie. Jak system wyświetli BSODa, spiszesz z niego dane (kod błędu z nazwą pliku pod spodem) i wrzucisz je tutaj.

Przeczytaj to: KLIK i wklej zawartość pliku minidump

Albatros78 · 25 Styczeń 2007 12:06

Odznaczenie “ptaszka” nie pomogło mimo to komputer zamknął i uruchomił ponownie system… Logi z Hijacka i Silentrunnrera w trybie awaryjnym wyglądają tak:

Hijack:

Logfile of HijackThis v1.99.1 Scan saved at 13:03:37, on 2007-01-25 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\dworek admiral\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [sqlStart] SCM -ACTION 1 -SERVICE mssql$gastro -silent 1 O4 - HKLM…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/pl/domino_2_0_0_28.cab O17 - HKLM\System\CCS\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O17 - HKLM\System\CCS\Services\Tcpip…{8E9A8D75-D223-4736-874B-5F33C7DDAB51}: NameServer = 139.163.85.246 O17 - HKLM\System\CS1\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O17 - HKLM\System\CS2\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

Silentrunner:

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Agent” = “C:\WINDOWS\system32\alsys.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SQLStart” = “SCM -ACTION 1 -SERVICE mssql$gastro -silent 1” [file not found] “Agent” = “C:\WINDOWS\system32\alsys.exe” [null data] “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\dworek admiral\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [file not found] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- ASP.NET State Service, aspnet_state, “C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe” [MS] Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS] MSSQL$GASTRO, MSSQL$GASTRO, “C:\Program Files\Microsoft SQL Server\MSSQL$GASTRO\Binn\sqlservr.exe -sGASTRO” [MS] MSSQLServerADHelper, MSSQLServerADHelper, “C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe” [MS] SQLAgent$GASTRO, SQLAgent$GASTRO, “C:\Program Files\Microsoft SQL Server\MSSQL$GASTRO\Binn\sqlagent.EXE -i GASTRO” [MS] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Usługa numeru seryjnego multimediów przenośnych, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\system32\MsPMSNSv.dll” [MS]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Zarządzanie aplikacjami, AppMgmt, “C:\WINDOWS\system32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\appmgmts.dll” [file not found]} ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 36 seconds. ---------- (total run time: 76 seconds)

adam9870 · 25 Styczeń 2007 12:12

Usuń plik ręcznie będąc w trybie awaryjnym:

C:\WINDOWS\system32\alsys.exe

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Usuń HJT jeśli będą.

Zdebuduj błąd, opis:

http://forum.dobreprogramy.pl/viewtopic … 327#797327

Po wykonaniu wklej nowe logi.

Albatros78 · 25 Styczeń 2007 12:23

Po tej akcji system “powstał” w trybie normalnym już generuje logi:

Logfile of HijackThis v1.99.1 Scan saved at 13:22:54, on 2007-01-25 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\explorer.exe C:\Program Files\Microsoft SQL Server\MSSQL$GASTRO\Binn\sqlservr.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\WScript.exe C:\Documents and Settings\dworek admiral\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/pl/domino_2_0_0_28.cab O17 - HKLM\System\CCS\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O17 - HKLM\System\CCS\Services\Tcpip…{8E9A8D75-D223-4736-874B-5F33C7DDAB51}: NameServer = 139.163.85.246 O17 - HKLM\System\CS1\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O17 - HKLM\System\CS2\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “KernelFaultCheck” = “C:\WINDOWS\system32\dumprep 0 -k” HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ <> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5” -> {HKLM…CLSID} = “CShellExecuteHookImpl Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.2\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}” -> {HKLM…CLSID} = “CContextScan Object” \InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”] Group Policies {policy setting}: -------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\dworek admiral\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ MSSQL$GASTRO, MSSQL$GASTRO, “C:\Program Files\Microsoft SQL Server\MSSQL$GASTRO\Binn\sqlservr.exe -sGASTRO” [MS] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 41 seconds. ---------- (total run time: 75 seconds)

Minidump:

Microsoft ® Windows Debugger Version 6.6.0003.5 Copyright © Microsoft Corporation. All rights reserved. Loading Dump File [C] Mini Kernel Dump File: Only registers and stack trace are available Symbol search path is: *** Invalid *** **************************************************************************** * Symbol loading may be unreliable without a symbol search path. * * Use .symfix to have the debugger choose a symbol path. * * After setting your symbol path, use .reload to refresh symbol locations. * **************************************************************************** Executable search path is: ********************************************************************* * Symbols can not be loaded because symbol path is not initialized. * * * * The Symbol Path can be set by: * * using the _NT_SYMBOL_PATH environment variable. * * using the -y argument when starting the debugger. * * using .sympath and .sympath+ * ********************************************************************* Unable to load image ntoskrnl.exe, Win32 error 2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe Windows XP Kernel Version 2600 (Service Pack 2) UP Free x86 compatible Product: WinNt, suite: TerminalServer SingleUserTS Personal Kernel base = 0x804d7000 PsLoadedModuleList = 0x805531a0 Debug session time: Thu Jan 25 12:26:34.968 2007 (GMT+1) System Uptime: 0 days 0:00:32.554 ********************************************************************* * Symbols can not be loaded because symbol path is not initialized. * * * * The Symbol Path can be set by: * * using the _NT_SYMBOL_PATH environment variable. * * using the -y argument when starting the debugger. * * using .sympath and .sympath+ * ********************************************************************* Unable to load image ntoskrnl.exe, Win32 error 2 *** WARNING: Unable to verify timestamp for ntoskrnl.exe *** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe Loading Kernel Symbols … Loading User Symbols Loading unloaded module list … ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* Use !analyze -v to get detailed debugging information. BugCheck 100000CE, {f07fc576, 8, f07fc576, 0} ***** Kernel symbols are WRONG. Please fix symbols to do analysis. Probably caused by : wincom32.sys ( wincom32+576 ) Followup: MachineOwner ---------

Złączono Posty : 25.01.2007 (Czw) 13:46

Czy ten plik:

C:\WINDOWS\system32\alsys.exe

mógł powodować zamykanie się systemu czy mam szukać innej przyczyny ??

Grzesiek13 · 25 Styczeń 2007 12:54

Raczej tak Powinno być już w porządku

Albatros78 · 25 Styczeń 2007 13:04

No i nieststy nie pomogło po kolejnym resecie to samo. Poza tym przy próbie skanowania Skanerem On-line mks-u znalazł pliki których nie może usunąć a po usunięciu ich w trybie awaryjnym po resecie są znowu… Nie mam pojęcia co to za zwid MKS napisał coś takiego:

A nawet Mr. Google nic nie wie na temat tego vira.

Logi też nic za bardzo JUŻ nie wykazują co to za cholerstwo może być ??

Złączono Posty : 25.01.2007 (Czw) 14:08

O okazało się że ten wpis:

znów jest w rejestrze… i znów jest w katalogu…

HiJack wygląda teraz tak…

Logfile of HijackThis v1.99.1 Scan saved at 14:12:00, on 2007-01-25 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\dworek admiral\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza F2 - REG:system.ini: Shell=explorer.exe O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O4 - HKCU…\Run: [Agent] C:\WINDOWS\system32\alsys.exe O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {A7196C8E-35A5-4FF0-9E46-E28918B5CAF6} (GameDesire Domino) - http://67.15.101.3/g_bin/pl/domino_2_0_0_28.cab O17 - HKLM\System\CCS\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O17 - HKLM\System\CCS\Services\Tcpip…{8E9A8D75-D223-4736-874B-5F33C7DDAB51}: NameServer = 139.163.85.246 O17 - HKLM\System\CS1\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246 O17 - HKLM\System\CS2\Services\Tcpip…{332AA144-541E-4DC2-999C-F30983139B7D}: NameServer = 139.163.85.246

Złączono Posty : 25.01.2007 (Czw) 14:15

Po usunięciu pliku i wpisów komputer się uruchomił, a po kolejnym resecie znów było to samo -= znaczy automatyczne zamknięcie sie systemu a w Hijack-u i katalogu znów wredny plik alsys.exe…

Wczoraj niechcący usunąłem jeden wpis z Hijacka, ale nie usunąłem pliku do którego sie odwoływał - zrobiłem to w złej kolejności (poprostu) czy ten plik może generować zpowrotem plik alsys.exe ?? I jak go ewentualnie odnaleźć/unieszkodliwić - proszę o pomoc

adam9870 · 25 Styczeń 2007 13:34

Pozamykaj porty robakom. W tym celu użyj Windows Worms Doors Cleanera zmień znaczki z disable na enable (wszystkie znaczki maja być na zielono, jeżeli któryś z nich będzie na żółto to go zostaw). Po użyciu narzędzia wymagany jest restart.

W nowym logu widać:

Plik usuń ręcznie w trybie awaryjnym, a wpisy HJT.

W jakiej lokalizacji MKS znajduje tego szkodnika, o którym wspomniałeś?

W minidumpie nie podoba mi się ten plik:

Według firmy McAfee produkującej programy zabezpieczające na komputery PC jest to szkodnik o nazwie Downloader-BAI!M711 , który ma usługę. Dlatego proszę na wszelki wypadek pokazać dwa logi z Gmer’a przy takich ustawieniach:

Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta

Gutek · 25 Styczeń 2007 17:35

wklej logi czekamy, OT KOSZ

Albatros78 · 26 Styczeń 2007 10:40

Porty pozamykałem i WWDC mówi że pod względem portów komp jest bezpieczny. Jeśli chodzi o tego trojana (Trojan.Agent.aim) to generuje pliki w katalogu zalogowanego usera (c:\Documents and Settings\nazwa usera\plik.exe) nazwy plików są mocno losowe typu BBpCK58.exe, d70037c.exe itd.

Log z Gmer’a

Opcja pierwsza:

GMER 1.0.12.12011 - http://www.gmer.net Rootkit scan 2007-01-26 11:45:37 Windows 5.1.2600 Dodatek Service Pack 2 ---- System - GMER 1.0.12 ---- SSDT ??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateKey SSDT ??\C:\WINDOWS\system32\wincom32.sys ZwEnumerateValueKey SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess SSDT ??\C:\WINDOWS\system32\wincom32.sys ZwQueryDirectoryFile SSDT ??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess ---- Devices - GMER 1.0.12 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EF4866F8] wincom32.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EF4866F8] wincom32.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EF4866F8] wincom32.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EF4866F8] wincom32.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EF4866F8] wincom32.sys ---- Services - GMER 1.0.12 ---- Service C:\WINDOWS\system32\wincom32.sys (*** hidden *** ) [AUTO] wincom32 <-- ROOTKIT ! ---- Registry - GMER 1.0.12 ---- Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000\Control@ActiveService wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINCOM32@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@Start 2 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32\Enum@0 Root\LEGACY_WINCOM32\0000 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINCOM32@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@Start 2 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000\Control@ActiveService wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000@Service wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32\0000@DeviceDesc wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINCOM32@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@Start 2 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@DisplayName wincom32 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32\Enum@0 Root\LEGACY_WINCOM32\0000 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@ImagePath ??\C:\WINDOWS\system32\wincom32.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\wincom32@DisplayName wincom32 ---- Files - GMER 1.0.12 ---- ADS C:\Documents and Settings\dworek admiral\Pulpit\grafik-barmani.odt:SummaryInformation ADS C:\Documents and Settings\dworek admiral\Pulpit\grafik-barmani.odt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} File C:\WINDOWS\system32\wincom32.ini File C:\WINDOWS\system32\wincom32.sys – ROOTKIT ! ---- EOF - GMER 1.0.12 ---- 2 opcja: GMER 1.0.12.12011 - http://www.gmer.net Rootkit scan 2007-01-26 11:46:23 Windows 5.1.2600 Dodatek Service Pack 2 ---- Services - GMER 1.0.12 ---- Service .NET CLR Data Service .NET CLR Networking Service .NETFramework Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\system32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [DISABLED] Adobe LM Service Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [sYSTEM] AFD Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\system32\svchost.exe [AUTO] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service C:\WINDOWS\system32\DRIVERS\AmdK8.sys [sYSTEM] AmdK8 Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service C:\WINDOWS\system32\DRIVERS\arp1394.sys [MANUAL] Arp1394 Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service ASP.NET Service ASP.NET_1.1.4322 Service C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [MANUAL] aspnet_state Service C:\WINDOWS\system32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\system32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\system32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\system32\DRIVERS\audstub.sys [MANUAL] audstub Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [sYSTEM] AVG Anti-Spyware Driver Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [DISABLED] AVG Anti-Spyware Guard Service C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [sYSTEM] AvgAsCln Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\system32\svchost.exe [MANUAL] BITS Service C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe [DISABLED] Boonty Games Service C:\WINDOWS\system32\svchost.exe [AUTO] Browser Service C:\WINDOWS\System32\drivers\BrPar.sys [AUTO] BrPar Service [DISABLED] cbidf2k Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\system32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\system32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch Service c:\program files\softech bis\dfsetup\dfserwis.exe [DISABLED] DFSerwis Service C:\WINDOWS\system32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\system32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [DISABLED] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [DISABLED] dmload Service C:\WINDOWS\System32\svchost.exe [MANUAL] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\system32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\system32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\system32\DRIVERS\fdc.sys [MANUAL] Fdc Service [sYSTEM] Fips Service C:\WINDOWS\system32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service C:\WINDOWS\system32\DRIVERS\fltMgr.sys [bOOT] FltMgr Service [sYSTEM] Fs_Rec Service C:\WINDOWS\system32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\gdrv.sys [MANUAL] gdrv Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\system32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\WINDOWS\system32\drivers\HdAudio.sys [MANUAL] HdAudAddService Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [MANUAL] HDAudBus Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service C:\WINDOWS\system32\DRIVERS\hidusb.sys [MANUAL] HidUsb Service [DISABLED] hpn Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\system32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service C:\WINDOWS\system32\DRIVERS\imapi.sys [sYSTEM] Imapi Service C:\WINDOWS\system32\imapi.exe [MANUAL] ImapiService Service inetaccs Service [DISABLED] ini910u Service Inport Service system32\drivers\RtkHDAud.sys [MANUAL] IntcAzAudAddService Service [DISABLED] IntelIde Service C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw Service C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\system32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\system32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\system32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\system32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\system32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\system32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\WINDOWS\system32\svchost.exe [AUTO] LmHosts Service C:\WINDOWS\system32\svchost.exe [DISABLED] Messenger Service C:\WINDOWS\system32\DRIVERS\mf.sys [MANUAL] mf Service [sYSTEM] mnmdd Service C:\WINDOWS\system32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\system32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service C:\WINDOWS\system32\DRIVERS\mouhid.sys [MANUAL] mouhid Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\system32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\system32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\system32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service C:\WINDOWS\system32\DRIVERS\mssmbios.sys [MANUAL] mssmbios Service C:\Program [AUTO] MSSQL$GASTRO Service [AUTO] MSSQLSERVER Service C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [MANUAL] MSSQLServerADHelper Service [bOOT] Mup Service [bOOT] NDIS Service C:\WINDOWS\system32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\system32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\system32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\system32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\system32\DRIVERS\netbt.sys [MANUAL] NetBT Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm Service C:\WINDOWS\system32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\system32\DRIVERS\nic1394.sys [MANUAL] NIC1394 Service C:\WINDOWS\system32\svchost.exe [MANUAL] Nla Service system32\drivers\nmwcdc.sys [MANUAL] Nokia USB Generic Service system32\drivers\nmwcdcm.sys [MANUAL] Nokia USB Modem Service system32\drivers\nmwcd.sys [MANUAL] Nokia USB Phone Parent Service system32\drivers\nmwcdcj.sys [MANUAL] Nokia USB Port Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\system32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [sYSTEM] Null Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [MANUAL] nv Service C:\WINDOWS\system32\DRIVERS\nvata.sys [bOOT] nvata Service C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [MANUAL] NVENETFD Service C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [MANUAL] nvnetbus Service C:\WINDOWS\system32\nvsvc32.exe [DISABLED] NVSvc Service C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\system32\DRIVERS\ohci1394.sys [bOOT] ohci1394 Service C:\WINDOWS\system32\drivers\oreans32.sys [sYSTEM] oreans32 Service C:\WINDOWS\system32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [DISABLED] ParVdm Service C:\WINDOWS\system32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service C:\WINDOWS\system32\DRIVERS\pciide.sys [bOOT] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\system32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\system32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\system32\DRIVERS\processr.sys [sYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\system32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\system32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [bOOT] PxHelp20 Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\system32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\system32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\system32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\system32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\system32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\system32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteAccess Service C:\WINDOWS\system32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\system32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\system32\DRIVERS\secdrv.sys [AUTO] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\system32\DRIVERS\ser2pl.sys [MANUAL] Ser2pl Service C:\WINDOWS\system32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\system32\DRIVERS\serial.sys [sYSTEM] Serial Service C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [DISABLED] ServiceLayer Service [sYSTEM] Sfloppy Service C:\WINDOWS\system32\svchost.exe [DISABLED] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\Program [MANUAL] SQLAgent$GASTRO Service C:\WINDOWS\system32\DRIVERS\sr.sys [bOOT] sr Service C:\WINDOWS\system32\svchost.exe [AUTO] srservice Service C:\WINDOWS\system32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\system32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\system32\svchost.exe [AUTO] stisvc Service C:\WINDOWS\system32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\system32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\system32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\system32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\system32\wdfmgr.exe [AUTO] UMWdf Service C:\WINDOWS\system32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\system32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\system32\DRIVERS\usbehci.sys [MANUAL] usbehci Service C:\WINDOWS\system32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\system32\DRIVERS\usbohci.sys [MANUAL] usbohci Service C:\WINDOWS\system32\DRIVERS\usbprint.sys [MANUAL] usbprint Service C:\WINDOWS\system32\DRIVERS\usbscan.sys [MANUAL] usbscan Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [MANUAL] usbstor Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service [DISABLED] ViaIde Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\system32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [sYSTEM] wceusbsh Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\system32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\system32\wincom32.sys (*** hidden *** ) [AUTO] wincom32 – ROOTKIT ! Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN Service WmiApRpl Service C:\WINDOWS\system32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service [sYSTEM] WS2IFSL Service C:\WINDOWS\System32\svchost.exe [AUTO] wscsvc Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov Service {332AA144-541E-4DC2-999C-F30983139B7D} Service {8E9A8D75-D223-4736-874B-5F33C7DDAB51} ---- EOF - GMER 1.0.12 ----

adam9870 · 26 Styczeń 2007 10:56

No i jest rootkit.

W Gmerze w zakładce CMD z zaznaczoną opcją CMD.EXE proszę wkleić:

i kliknąć z prawej strony na Uruchom. Potem cierpliwie poczekać na zniknięcie pulpitu i zrestartowanie komputera.

Możesz przelecieć system http://www.kaspersky.pl/virusscanner.html lub http://www.ewido.net/en/.

Po wykonaniu nowe logi z Gmer’a + dodatkowo możesz z ComboFix.

Albatros78 · 26 Styczeń 2007 11:12

niestety przy próbie zrobienia tego wyskakuje Wystąpił błąd 0xc000034 i w trybie normalnym i awaryjnym… Jakiś pomysł jak to obejść ??

adam9870 · 26 Styczeń 2007 11:24

Hmm… kiedy pojawia Ci się ten komunikat? Cóż, spróbujemy ręcznie.

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

w zakładce Usługi skasuj z prawokliku usługę wincom32
w zakładce CMD z zaznaczoną opcją CMD.EXE wklej:

w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:

w zakładce Procesy wybierz Zabij wszystko. Teraz poczekaj cierpliwie aż zniknie pulpit etc.
przejdź do zakładki CMD i kliknij Uruchom dla opcji CMD.EXE i REGEDIT.EXE

Potem reset i nowe logi, o które prosiłem.

Albatros78 · 26 Styczeń 2007 12:07

Ręcznie się dało i nawet MKS skasował pliki - robię skan Kasperskym a wrzucam nowe logi z Gmer’a:

GMER 1.0.12.12011 - http://www.gmer.net Rootkit scan 2007-01-26 13:13:00 Windows 5.1.2600 Dodatek Service Pack 2 ---- Services - GMER 1.0.12 ---- Service .NET CLR Data Service .NET CLR Networking Service .NETFramework Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\system32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [DISABLED] Adobe LM Service Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [sYSTEM] AFD Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\system32\svchost.exe [AUTO] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service C:\WINDOWS\system32\DRIVERS\AmdK8.sys [sYSTEM] AmdK8 Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service C:\WINDOWS\system32\DRIVERS\arp1394.sys [MANUAL] Arp1394 Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service ASP.NET Service ASP.NET_1.1.4322 Service C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [MANUAL] aspnet_state Service C:\WINDOWS\system32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\system32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\system32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\system32\DRIVERS\audstub.sys [MANUAL] audstub Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys [sYSTEM] AVG Anti-Spyware Driver Service C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe [DISABLED] AVG Anti-Spyware Guard Service C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys [sYSTEM] AvgAsCln Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\system32\svchost.exe [MANUAL] BITS Service C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe [DISABLED] Boonty Games Service C:\WINDOWS\system32\svchost.exe [AUTO] Browser Service C:\WINDOWS\System32\drivers\BrPar.sys [AUTO] BrPar Service [DISABLED] cbidf2k Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\system32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\system32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch Service c:\program files\softech bis\dfsetup\dfserwis.exe [DISABLED] DFSerwis Service C:\WINDOWS\system32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\system32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [DISABLED] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [DISABLED] dmload Service C:\WINDOWS\System32\svchost.exe [MANUAL] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\system32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\system32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\system32\DRIVERS\fdc.sys [MANUAL] Fdc Service [sYSTEM] Fips Service C:\WINDOWS\system32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service C:\WINDOWS\system32\DRIVERS\fltMgr.sys [bOOT] FltMgr Service [sYSTEM] Fs_Rec Service C:\WINDOWS\system32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\gdrv.sys [MANUAL] gdrv Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\system32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\WINDOWS\system32\drivers\HdAudio.sys [MANUAL] HdAudAddService Service C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [MANUAL] HDAudBus Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service C:\WINDOWS\system32\DRIVERS\hidusb.sys [MANUAL] HidUsb Service [DISABLED] hpn Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\system32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service C:\WINDOWS\system32\DRIVERS\imapi.sys [sYSTEM] Imapi Service C:\WINDOWS\system32\imapi.exe [MANUAL] ImapiService Service inetaccs Service [DISABLED] ini910u Service Inport Service system32\drivers\RtkHDAud.sys [MANUAL] IntcAzAudAddService Service [DISABLED] IntelIde Service C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw Service C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\system32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\system32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\system32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\system32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\system32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\system32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\WINDOWS\system32\svchost.exe [AUTO] LmHosts Service C:\WINDOWS\system32\svchost.exe [DISABLED] Messenger Service C:\WINDOWS\system32\DRIVERS\mf.sys [MANUAL] mf Service [sYSTEM] mnmdd Service C:\WINDOWS\system32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\system32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service C:\WINDOWS\system32\DRIVERS\mouhid.sys [MANUAL] mouhid Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\system32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\system32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\system32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service C:\WINDOWS\system32\DRIVERS\mssmbios.sys [MANUAL] mssmbios Service C:\Program [AUTO] MSSQL$GASTRO Service [AUTO] MSSQLSERVER Service C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [MANUAL] MSSQLServerADHelper Service [bOOT] Mup Service [bOOT] NDIS Service C:\WINDOWS\system32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\system32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\system32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\system32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\system32\DRIVERS\netbt.sys [MANUAL] NetBT Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm Service C:\WINDOWS\system32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\system32\DRIVERS\nic1394.sys [MANUAL] NIC1394 Service C:\WINDOWS\system32\svchost.exe [MANUAL] Nla Service system32\drivers\nmwcdc.sys [MANUAL] Nokia USB Generic Service system32\drivers\nmwcdcm.sys [MANUAL] Nokia USB Modem Service system32\drivers\nmwcd.sys [MANUAL] Nokia USB Phone Parent Service system32\drivers\nmwcdcj.sys [MANUAL] Nokia USB Port Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\system32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [sYSTEM] Null Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [MANUAL] nv Service C:\WINDOWS\system32\DRIVERS\nvata.sys [bOOT] nvata Service C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [MANUAL] NVENETFD Service C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [MANUAL] nvnetbus Service C:\WINDOWS\system32\nvsvc32.exe [DISABLED] NVSvc Service C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\system32\DRIVERS\ohci1394.sys [bOOT] ohci1394 Service C:\WINDOWS\system32\drivers\oreans32.sys [sYSTEM] oreans32 Service C:\WINDOWS\system32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [DISABLED] ParVdm Service C:\WINDOWS\system32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service C:\WINDOWS\system32\DRIVERS\pciide.sys [bOOT] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\system32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\system32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\system32\DRIVERS\processr.sys [sYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\system32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\system32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [bOOT] PxHelp20 Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\system32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\system32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\system32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\system32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\system32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\system32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteAccess Service C:\WINDOWS\system32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\system32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\system32\DRIVERS\secdrv.sys [AUTO] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\system32\DRIVERS\ser2pl.sys [MANUAL] Ser2pl Service C:\WINDOWS\system32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\system32\DRIVERS\serial.sys [sYSTEM] Serial Service C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [DISABLED] ServiceLayer Service [sYSTEM] Sfloppy Service C:\WINDOWS\system32\svchost.exe [DISABLED] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\Program [MANUAL] SQLAgent$GASTRO Service C:\WINDOWS\system32\DRIVERS\sr.sys [bOOT] sr Service C:\WINDOWS\system32\svchost.exe [AUTO] srservice Service C:\WINDOWS\system32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\system32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\system32\svchost.exe [AUTO] stisvc Service C:\WINDOWS\system32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\system32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\system32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\system32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\system32\wdfmgr.exe [AUTO] UMWdf Service C:\WINDOWS\system32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\system32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\system32\DRIVERS\usbehci.sys [MANUAL] usbehci Service C:\WINDOWS\system32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\system32\DRIVERS\usbohci.sys [MANUAL] usbohci Service C:\WINDOWS\system32\DRIVERS\usbprint.sys [MANUAL] usbprint Service C:\WINDOWS\system32\DRIVERS\usbscan.sys [MANUAL] usbscan Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [MANUAL] usbstor Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service [DISABLED] ViaIde Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\system32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service C:\WINDOWS\system32\DRIVERS\wceusbsh.sys [sYSTEM] wceusbsh Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\system32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN Service WmiApRpl Service C:\WINDOWS\system32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service [sYSTEM] WS2IFSL Service C:\WINDOWS\System32\svchost.exe [AUTO] wscsvc Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov Service {332AA144-541E-4DC2-999C-F30983139B7D} Service {8E9A8D75-D223-4736-874B-5F33C7DDAB51} ---- EOF - GMER 1.0.12 ----

adam9870 · 26 Styczeń 2007 12:15

Rootkita już nie ma.

Możesz przeskanować ten driver:

na stronie http://virusscan.jotti.org/ lub http://www.virustotal.com/vt/

Albatros78 · 26 Styczeń 2007 12:15

I log z ComboFix-a

“dworek admiral” - 07-01-26 13:18:01 Dodatek Service Pack 2 ComboFix 07-01-25 - Running from: “C:\Documents and Settings\dworek admiral\Moje dokumenty” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\adir.dll C:\WINDOWS\system32\taskdir.exe C:\WINDOWS\system32\zlbw.dll ((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 )))))))))))))))))))))))))))))))))) 2007-01-26 12:49 2007-01-26 12:49 2007-01-26 12:47 235 --a------ C:\WINDOWS\gmer.reg 2007-01-26 12:19 48,259 —h----- C:\WINDOWS\system32\alsys.exe 2007-01-26 11:38 80 --a------ C:\WINDOWS\gmer_uninstall.cmd 2007-01-26 01:10 2007-01-26 00:59 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll 2007-01-26 00:59 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll 2007-01-26 00:59 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll 2007-01-25 14:26 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe 2007-01-25 14:26 718 --a------ C:\WINDOWS\system32\tmp.reg 2007-01-25 14:26 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-01-25 14:26 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-01-25 14:26 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2007-01-25 14:26 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-01-25 14:26 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2007-01-25 13:34 2007-01-25 13:27 2007-01-24 23:03 54,382 --a------ C:\WINDOWS\system32\game.exe 2007-01-24 15:33 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:04 2007-01-24 14:04 2007-01-24 14:04 2007-01-24 14:04 2007-01-24 14:02 2007-01-24 14:02 2007-01-24 14:02 2007-01-24 13:49 54,382 --a------ C:\WINDOWS\system32\game0.exe 2007-01-24 13:10 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-01-24 13:10 2007-01-24 12:25 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 10:06 2007-01-24 10:05 2007-01-23 18:04 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll 2007-01-23 18:04 2007-01-23 18:04 2007-01-23 18:03 2007-01-22 20:18 48,259 --a------ C:\WINDOWS\system32\game3.exe 2007-01-22 12:00 719,088 --a------ C:\WINDOWS\system32\SkanerOnline.dll 2007-01-19 09:40 89,088 --a------ C:\WINDOWS\system32\SkanerOnlineUninstall.exe 2007-01-19 09:23 6,307 --a------ C:\WINDOWS\system32\game4.exe 2007-01-19 09:23 6,307 --a------ C:\WINDOWS\system32\clcbt.exe 2007-01-19 09:23 6,307 --a------ C:\WINDOWS\system32\adirss.exe 2007-01-19 09:23 6,275 --a------ C:\WINDOWS\system32\game2.exe 2007-01-19 09:23 6,275 --a------ C:\WINDOWS\system32\game1.exe 2007-01-16 21:01 2007-01-11 10:46 2007-01-07 21:59 2006-12-26 01:28 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-01-26 10:18 -------- d-------- C:\Program Files\mozilla firefox 2007-01-26 03:32 -------- d-------- C:\Program Files\windows nt 2007-01-26 03:32 -------- d-------- C:\Program Files\winamp 2007-01-26 03:32 -------- d-------- C:\Program Files\pc connectivity solution 2007-01-26 03:32 -------- d-------- C:\Program Files\my downloaded games 2007-01-26 03:31 -------- d-------- C:\Program Files\messenger 2007-01-26 03:31 -------- d-------- C:\Program Files\gadu-gadu 2007-01-26 03:31 -------- d-------- C:\Program Files\dosbox-0.65 2007-01-26 03:31 -------- d-------- C:\Program Files\brownie 2007-01-26 01:06 -------- d–h----- C:\Program Files\installshield installation information 2007-01-25 23:37 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\openoffice.org2 2007-01-25 17:18 -------- d-------- C:\Program Files\ganymedenet 2007-01-22 21:08 -------- d-------- C:\Program Files\Common Files\real 2007-01-14 17:55 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\nokia 2006-12-25 16:32 -------- d-------- C:\Program Files\nokia pc suite 6 2006-12-25 16:32 -------- d-------- C:\Program Files\gimp-2.0 2006-12-25 15:24 -------- d-------- C:\Program Files\globalmapper8 2006-12-25 14:39 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\datalayer 2006-12-25 14:38 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\pc suite 2006-12-25 14:31 -------- d-------- C:\Program Files\difx 2006-12-10 05:44 -------- d-------- C:\Program Files\orban 2006-12-07 06:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll 2006-12-05 12:27 -------- d-------- C:\Program Files\Common Files\adobe 2006-12-05 12:15 -------- d-------- C:\Program Files\boonty 2006-11-30 12:27 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\adobe 2006-11-30 03:46 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\ganymedenet 2006-11-29 18:09 -------- d-------- C:\Program Files\aod 2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll 2006-10-26 22:27 0 --a------ C:\DOCUME~1\DWOREK~1\Dane aplikacji\avsdvdplayer.m3u (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “KernelFaultCheck”=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\ 65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Service Manager.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Service Manager.lnk” “backup”=“C:\WINDOWS\pss\Service Manager.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\MICROS~2\80\Tools\Binn\sqlmangr.exe /n” “item”=“Service Manager” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Skrót do internet.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Skrót do internet.lnk” “backup”=“C:\WINDOWS\pss\Skrót do internet.lnkCommon Startup” “location”=“Common Startup” “command”=“D:\HOTEL\internet.exe " “item”=“Skrót do internet” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dworek admiral^Menu Start^Programy^Autostart^OpenOffice.org 2.0.lnk] “path”=“C:\Documents and Settings\dworek admiral\Menu Start\Programy\Autostart\OpenOffice.org 2.0.lnk” “backup”=“C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup” “location”=“Startup” “command”=“C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe " “item”=“OpenOffice.org 2.0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg!AVG Anti-Spyware] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“avgas” “hkey”=“HKLM” “command”=”“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcbt.exe] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“clcbt” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\clcbt.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CS DVD Player 3] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“CS DVD Player 3” “hkey”=“HKCU” “command”=“C:\Program Files\CS Corporation\CS DVD Player 3 PRO\CS DVD Player 3.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“ctfmon” “hkey”=“HKCU” “command”=“C:\WINDOWS\system32\ctfmon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“HDAShCut” “hkey”=“HKLM” “command”=“HDAShCut.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“dumprep 0 -k” “hkey”=“HKLM” “command”=”%systemroot%\system32\dumprep 0 -k" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“msmsgs” “hkey”=“HKCU” “command”="“C:\Program Files\Messenger\msmsgs.exe” /background" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NeroCheck” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\NeroCheck.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NvCpl” “hkey”=“HKLM” “command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NvMcTray” “hkey”=“HKLM” “command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“nwiz” “hkey”=“HKLM” “command”=“nwiz.exe /install” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“qttask” “hkey”=“HKLM” “command”="“C:\Program Files\QuickTime\qttask.exe” -atboottime" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“jusched” “hkey”=“HKLM” “command”=“C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“GoogleToolbarNotifier” “hkey”=“HKCU” “command”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“adirss” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\adirss.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“winampa” “hkey”=“HKLM” “command”=“C:\Program Files\Winamp\winampa.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “ServiceLayer”=dword:00000003 “NVSvc”=dword:00000002 “DFSerwis”=dword:00000002 “Boonty Games”=dword:00000003 “Adobe LM Service”=dword:00000003 “AVG Anti-Spyware Guard”=dword:00000002 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “taskdir”=“C:\WINDOWS\system32\taskdir.exe” “Agent”=“C:\WINDOWS\system32\alsys.exe” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “taskdir”=“C:\WINDOWS\system32\taskdir.exe” “Agent”=“C:\WINDOWS\system32\alsys.exe” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Completion time: 07-01-26 13:19:06

Złączono Posty : 26.01.2007 (Pią) 13:16

I log z ComboFix-a

“dworek admiral” - 07-01-26 13:18:01 Dodatek Service Pack 2 ComboFix 07-01-25 - Running from: “C:\Documents and Settings\dworek admiral\Moje dokumenty” (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\WINDOWS\system32\adir.dll C:\WINDOWS\system32\taskdir.exe C:\WINDOWS\system32\zlbw.dll ((((((((((((((((((((((((((((((( Files Created from 2006-12-26 to 2007-01-26 )))))))))))))))))))))))))))))))))) 2007-01-26 12:49 2007-01-26 12:49 2007-01-26 12:47 235 --a------ C:\WINDOWS\gmer.reg 2007-01-26 12:19 48,259 —h----- C:\WINDOWS\system32\alsys.exe 2007-01-26 11:38 80 --a------ C:\WINDOWS\gmer_uninstall.cmd 2007-01-26 01:10 2007-01-26 00:59 21,840 --a----t- C:\WINDOWS\system32\SIntfNT.dll 2007-01-26 00:59 17,212 --a----t- C:\WINDOWS\system32\SIntf32.dll 2007-01-26 00:59 12,067 --a----t- C:\WINDOWS\system32\SIntf16.dll 2007-01-25 14:26 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe 2007-01-25 14:26 718 --a------ C:\WINDOWS\system32\tmp.reg 2007-01-25 14:26 53,248 --a------ C:\WINDOWS\system32\Process.exe 2007-01-25 14:26 51,200 --a------ C:\WINDOWS\system32\dumphive.exe 2007-01-25 14:26 40,960 --a------ C:\WINDOWS\system32\swsc.exe 2007-01-25 14:26 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe 2007-01-25 14:26 135,168 --a------ C:\WINDOWS\system32\swreg.exe 2007-01-25 13:34 2007-01-25 13:27 2007-01-24 23:03 54,382 --a------ C:\WINDOWS\system32\game.exe 2007-01-24 15:33 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:20 2007-01-24 14:04 2007-01-24 14:04 2007-01-24 14:04 2007-01-24 14:04 2007-01-24 14:02 2007-01-24 14:02 2007-01-24 14:02 2007-01-24 13:49 54,382 --a------ C:\WINDOWS\system32\game0.exe 2007-01-24 13:10 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys 2007-01-24 13:10 2007-01-24 12:25 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 12:22 2007-01-24 10:06 2007-01-24 10:05 2007-01-23 18:04 30,720 --a------ C:\WINDOWS\system32\nmwcdcocls.dll 2007-01-23 18:04 2007-01-23 18:04 2007-01-23 18:03 2007-01-22 20:18 48,259 --a------ C:\WINDOWS\system32\game3.exe 2007-01-22 12:00 719,088 --a------ C:\WINDOWS\system32\SkanerOnline.dll 2007-01-19 09:40 89,088 --a------ C:\WINDOWS\system32\SkanerOnlineUninstall.exe 2007-01-19 09:23 6,307 --a------ C:\WINDOWS\system32\game4.exe 2007-01-19 09:23 6,307 --a------ C:\WINDOWS\system32\clcbt.exe 2007-01-19 09:23 6,307 --a------ C:\WINDOWS\system32\adirss.exe 2007-01-19 09:23 6,275 --a------ C:\WINDOWS\system32\game2.exe 2007-01-19 09:23 6,275 --a------ C:\WINDOWS\system32\game1.exe 2007-01-16 21:01 2007-01-11 10:46 2007-01-07 21:59 2006-12-26 01:28 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-01-26 10:18 -------- d-------- C:\Program Files\mozilla firefox 2007-01-26 03:32 -------- d-------- C:\Program Files\windows nt 2007-01-26 03:32 -------- d-------- C:\Program Files\winamp 2007-01-26 03:32 -------- d-------- C:\Program Files\pc connectivity solution 2007-01-26 03:32 -------- d-------- C:\Program Files\my downloaded games 2007-01-26 03:31 -------- d-------- C:\Program Files\messenger 2007-01-26 03:31 -------- d-------- C:\Program Files\gadu-gadu 2007-01-26 03:31 -------- d-------- C:\Program Files\dosbox-0.65 2007-01-26 03:31 -------- d-------- C:\Program Files\brownie 2007-01-26 01:06 -------- d–h----- C:\Program Files\installshield installation information 2007-01-25 23:37 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\openoffice.org2 2007-01-25 17:18 -------- d-------- C:\Program Files\ganymedenet 2007-01-22 21:08 -------- d-------- C:\Program Files\Common Files\real 2007-01-14 17:55 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\nokia 2006-12-25 16:32 -------- d-------- C:\Program Files\nokia pc suite 6 2006-12-25 16:32 -------- d-------- C:\Program Files\gimp-2.0 2006-12-25 15:24 -------- d-------- C:\Program Files\globalmapper8 2006-12-25 14:39 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\datalayer 2006-12-25 14:38 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\pc suite 2006-12-25 14:31 -------- d-------- C:\Program Files\difx 2006-12-10 05:44 -------- d-------- C:\Program Files\orban 2006-12-07 06:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll 2006-12-05 12:27 -------- d-------- C:\Program Files\Common Files\adobe 2006-12-05 12:15 -------- d-------- C:\Program Files\boonty 2006-11-30 12:27 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\adobe 2006-11-30 03:46 -------- d-------- C:\DOCUME~1\DWOREK~1\Dane aplikacji\ganymedenet 2006-11-29 18:09 -------- d-------- C:\Program Files\aod 2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll 2006-10-26 22:27 0 --a------ C:\DOCUME~1\DWOREK~1\Dane aplikacji\avsdvdplayer.m3u (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “KernelFaultCheck”=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\ 65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00 [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Service Manager.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Service Manager.lnk” “backup”=“C:\WINDOWS\pss\Service Manager.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\MICROS~2\80\Tools\Binn\sqlmangr.exe /n” “item”=“Service Manager” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Skrót do internet.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Skrót do internet.lnk” “backup”=“C:\WINDOWS\pss\Skrót do internet.lnkCommon Startup” “location”=“Common Startup” “command”=“D:\HOTEL\internet.exe " “item”=“Skrót do internet” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^dworek admiral^Menu Start^Programy^Autostart^OpenOffice.org 2.0.lnk] “path”=“C:\Documents and Settings\dworek admiral\Menu Start\Programy\Autostart\OpenOffice.org 2.0.lnk” “backup”=“C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup” “location”=“Startup” “command”=“C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe " “item”=“OpenOffice.org 2.0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg!AVG Anti-Spyware] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“avgas” “hkey”=“HKLM” “command”=”“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\clcbt.exe] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“clcbt” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\clcbt.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CS DVD Player 3] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“CS DVD Player 3” “hkey”=“HKCU” “command”=“C:\Program Files\CS Corporation\CS DVD Player 3 PRO\CS DVD Player 3.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“ctfmon” “hkey”=“HKCU” “command”=“C:\WINDOWS\system32\ctfmon.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“HDAShCut” “hkey”=“HKLM” “command”=“HDAShCut.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“dumprep 0 -k” “hkey”=“HKLM” “command”=”%systemroot%\system32\dumprep 0 -k" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“msmsgs” “hkey”=“HKCU” “command”="“C:\Program Files\Messenger\msmsgs.exe” /background" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NeroCheck” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\NeroCheck.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NvCpl” “hkey”=“HKLM” “command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NvMcTray” “hkey”=“HKLM” “command”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“nwiz” “hkey”=“HKLM” “command”=“nwiz.exe /install” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“qttask” “hkey”=“HKLM” “command”="“C:\Program Files\QuickTime\qttask.exe” -atboottime" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“jusched” “hkey”=“HKLM” “command”=“C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“GoogleToolbarNotifier” “hkey”=“HKCU” “command”=“C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“adirss” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\adirss.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“winampa” “hkey”=“HKLM” “command”=“C:\Program Files\Winamp\winampa.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] “ServiceLayer”=dword:00000003 “NVSvc”=dword:00000002 “DFSerwis”=dword:00000002 “Boonty Games”=dword:00000003 “Adobe LM Service”=dword:00000003 “AVG Anti-Spyware Guard”=dword:00000002 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “taskdir”=“C:\WINDOWS\system32\taskdir.exe” “Agent”=“C:\WINDOWS\system32\alsys.exe” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “taskdir”=“C:\WINDOWS\system32\taskdir.exe” “Agent”=“C:\WINDOWS\system32\alsys.exe” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] HTTPFilter REG_MULTI_SZ HTTPFilter\0\0 LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 Completion time: 07-01-26 13:19:06

Złączono Posty : 26.01.2007 (Pią) 13:19

Ten plik jest czysty… To zdaje się driver od drukarki Brothera

Ale obie strony steirdzają że plik jest czysty

adam9870 · 26 Styczeń 2007 12:32

ComboFix usunął kilka szkodliwych plików ale jeszcze zostały te:

W Gmerze:

w zakładce CMD z zaznaczoną opcją CMD.EXE wklej:

w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:

w zakładce Procesy wybierz Zabij wszystko
w zakładce CMD kliknij na Uruchom dla opcji CMD.EXE i REGEDIT.EXE

Potem reset i pokaż nowy log z ComboFixa i Silenta.

Gutek · 26 Styczeń 2007 15:49

Używałeś kiedyś SmitFraudFix? Ponieważ ten plik to pozostałość plus kila innych

Albatros78 · 26 Styczeń 2007 16:20

Jestem bliski poddania się i zrobienia formata Po każdym resecie wszystko wraca i jeszcze zamyka mi programy… Dodaje się do uruchamianych exe-ków. Nawet HiJack już ostatnio był zawirusowany i wysypywał system musiałem zassać z netu nowy…

Gmer mi się nie włącza, tzn. włącza i zamyka po około 15-20 sek.

Hijack tak samo

■■■■■■■ nie wiem jak to obejść…