Mam Worm.Bagle.ih, Worm.Bagle.D i inne

andziak25 · 1 Marzec 2007 15:41

Co mam zrobić??

Podam ścieżki wszystkich:

C:\WINDOWS\exefld\103078.exe wirus Worm.Bagle.ih

C:\WINDOWS\exefld\114031.exe wirus Worm.Bagle.ih

C:\WINDOWS\exefld\118625.exe wirus Worm.Bagle.ih

itd wszystkich w sumie jest 46 w tej lokalizacji.

C:\Documents and Settings\anna\Dane aplikacji\hidires\m_hook.sys(1).VIR wirus Worm.Bagle.D

Trainer.exe wirus Trojan.Keylogger.Hatkeys.M04.A2

Trainer.exe wirus Trojan.Keylogger.Hatkeys.M04.A2 (tak mam w raporcie dwa razy to samo)

C:\WINDOWS\SYSTEM32\WINTEMS.EXE wirus Worm.Email.Bagle.hq ( 6 razy w raporcie)

C:\WINDOWS\system32\wintems.exe wirus Worm.Email.Bagle.hq (5 razy)

C:\Documents and Settings\anna\Ustawienia lokalne\Temp~10.exe wirus Worm.Bagle.D Występuje 22 razy z różnymi kombinacjami cyferek.

MKS VIR podaje,że nie może ich usunąć, a część z nich, np Temp chyba można? Tak mi się wydaje.

Dużo ich było w Sysytem Volume Information, mimo, iż folder był pusty, usunęłam bez pytania.

Jeśli będa potrzebne logi to załączę.

Szukałam informacji o tych wirusach na necie, ale sa tylko na stronach w języku francuskim a ja niestety tylko angielski

Proszę o pomoc, bo komp się dziwniw zachowuje. Otwarte okienka dziwnie migają tak jakby się co chwilę coś działo

Złączono Posta : 01.03.2007 (Czw) 16:43

jeszcze dodam, że przy starcie kompa, po uruchomieniu windowsa pojawia sie Instalator Windows i ginie, że nie jestem w stanie przeczytać co tam pisze i tak kilka razy a na pasku jest tylko “TrayApp”

adam9870 · 1 Marzec 2007 15:52

Pokaż komplet logów:

[*:24zapi08]HijackThis
http://forum.dobreprogramy.pl/viewtopic.php?t=36654

andziak25 · 1 Marzec 2007 15:54

Hijackthis

Logfile of HijackThis v1.99.1 Scan saved at 16:50:16, on 2007-03-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\mks_vir_2007\bin\MksFwall.exe C:\Program Files\mks_vir_2007\bin\MksPC.exe C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WgaTray.exe D:\Drukarka\HP Software Update\HPWuSchd.exe C:\Program Files\Multimedia Combo Set\MouseDrv.exe C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe C:\WINDOWS\system32\hldrrr.exe C:\Program Files\mks_vir_2007\bin\mks_mail.exe C:\Program Files\mks_vir_2007\bin\mksregmon.exe C:\Program Files\mks_vir_2007\bin\mkstray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\hldrrr.exe C:\Program Files\mks_vir_2007\bin\mks_scan.exe D:\Drukarka\Digital Imaging\bin\hpqtra08.exe D:\Drukarka\Digital Imaging\bin\hpohmr08.exe D:\Drukarka\Digital Imaging\bin\hpotdd01.exe D:\Drukarka\Digital Imaging\bin\hpoevm08.exe D:\Drukarka\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\mks_vir_2007\bin\mksupdate.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\anna\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\KODEKI\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [HP Software Update] “D:\Drukarka\HP Software Update\HPWuSchd.exe” O4 - HKLM…\Run: [WireLessMouse] C:\Program Files\Multimedia Combo Set\MouseDrv.exe O4 - HKLM…\Run: [WireLessKeyboard] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe O4 - HKLM…\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe O4 - HKLM…\Run: [mks_mail] C:\Program Files\mks_vir_2007\bin\mks_mail.exe O4 - HKLM…\Run: [MKSRegmon] C:\Program Files\mks_vir_2007\bin\mksregmon.exe O4 - HKLM…\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [hldrrr] C:\WINDOWS\system32\hldrrr.exe O4 - HKCU…\Run: [drvsyskit] C:\Documents and Settings\anna\Dane aplikacji\hidires\hidr.exe O4 - HKCU…\Run: [german.exe] C:\WINDOWS\system32\wintems.exe O4 - HKCU…\Run: [Odkurzacz-MCD] D:\Odkurzacz\odk_mcd.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\KODEKI\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Drukarka\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O15 - Trusted Zone: http://www.mks.com.pl O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/ … uncher.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: MksFwall - MKS Sp z o.o. - C:\Program Files\mks_vir_2007\bin\MksFwall.exe O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe O23 - Service: MksUpdate - MKS Sp. z o. o. - C:\Program Files\mks_vir_2007\bin\mksupdate.exe O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

i Silent Runers

“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “hldrrr” = “C:\WINDOWS\system32\hldrrr.exe” [null data] “drvsyskit” = “C:\Documents and Settings\anna\Dane aplikacji\hidires\hidr.exe” [file not found] “german.exe” = “C:\WINDOWS\system32\wintems.exe” [file not found] “Odkurzacz-MCD” = “D:\Odkurzacz\odk_mcd.exe” [“Franmo Software”] “odk_mcd” = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “HP Software Update” = ““D:\Drukarka\HP Software Update\HPWuSchd.exe”” [“Hewlett-Packard”] "WireLessMouse " = “C:\Program Files\Multimedia Combo Set\MouseDrv.exe” [empty string] "WireLessKeyboard " = “C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe” [empty string] “hldrrr” = “C:\WINDOWS\system32\hldrrr.exe” [null data] “mks_mail” = “C:\Program Files\mks_vir_2007\bin\mks_mail.exe” [“MkS Sp. z o.o.”] “MKSRegmon” = “C:\Program Files\mks_vir_2007\bin\mksregmon.exe” [null data] “mkstray” = “C:\Program Files\mks_vir_2007\bin\mkstray.exe” [“MKS Sp z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\KODEKI\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{BB7DF450-F119-11CD-8465-00AA00425D90}” = “Microsoft Access Custom Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Office\soa800.dll” [MS] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Explode” -> {HKLM…CLSID} = “Microsoft Office Binder Explode” \InProcServer32(Default) = “D:\Office\UNBIND.DLL” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\KODEKI\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “C:\Program Files\mks_vir_2007\bin\mksshell.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “C:\Program Files\mks_vir_2007\bin\mksshell.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\anna\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “anna” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “D:\KODEKI\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “HP Digital Imaging Monitor” -> shortcut to: “D:\Drukarka\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “hp psc 1000 series” -> shortcut to: “D:\Drukarka\Digital Imaging\bin\hpohmr08.exe” [“Hewlett-Packard Co.”] “hpoddt01.exe” -> shortcut to: “D:\Drukarka\Digital Imaging\bin\hpotdd01.exe” [“Hewlett-Packard”] Enabled Scheduled Tasks: ------------------------ “FRU Task #Hewlett-Packard#hp psc 1200 series#1135877353” -> launches: "D:\Drukarka\Digital Imaging\Bin\hpqfrucl.exe -I “#Hewlett-Packard#hp psc 1200 series#1135877353"” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\mks_vir_2007\bin\mkslsp.dll [null data], 01 - 03, 19 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided) -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ MkS_Scan, MkS_Scan, “C:\Program Files\mks_vir_2007\bin\mks_scan.exe” [empty string] mks_vir file monitor, MksVirMonSvc, “C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe” [null data] MksFwall, MksFwall, ““C:\Program Files\mks_vir_2007\bin\MksFwall.exe”” [“MKS Sp z o.o.”] MksPC, MksPC, ““C:\Program Files\mks_vir_2007\bin\MksPC.exe”” [null data] MksUpdate, MksUpdate, ““C:\Program Files\mks_vir_2007\bin\mksupdate.exe”” [“MKS Sp. z o. o.”] STI Simulator, STI Simulator, “C:\WINDOWS\System32\PAStiSvc.exe” [null data] Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzsnt07\Driver = “hpzsnt07.dll” [“HP”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 50 seconds, including 10 seconds for message boxes)

adam9870 · 1 Marzec 2007 15:57

Tak… w logach:

Ale zanim przejdziemy do usuwania pokaż jeszcze dwa logi z Gmer’a, aby od razu usunąć wszystkie śmieci, a nie po części.

andziak25 · 1 Marzec 2007 16:57

GMER 1.0.12.12027 - http://www.gmer.net Rootkit scan 2007-03-01 17:54:40 Windows 5.1.2600 Dodatek Service Pack 2 ---- Files - GMER 1.0.12 ---- ADS C:\Documents and Settings\All Users\Dane aplikacji\Microsoft\User Account Pictures\go:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Sk:KAVICHS ADS C:\Documents and Settings\All Users\Dokumenty\ANIA\Zakr:KAVICHS ADS … ADS D:\Emule\Incoming\Dla P.A\05 :KAVICHS ADS D:\Gadu-Gadu\sounds\dost:KAVICHS ADS D:\Gadu-Gadu\sounds\wiadomo:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS D:\NERO\Ahead.Nero.Burning.ROM.v6.6.0.12 Multilenguaje Espa:KAVICHS ADS … ---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12027 - http://www.gmer.net

Rootkit scan 2007-03-01 17:56:16

Windows 5.1.2600 Dodatek Service Pack 2

---- Services - GMER 1.0.12 ----

Service .NET CLR Data

Service .NET CLR Networking

Service .NETFramework

Service [DISABLED] Abiosdsk

Service [DISABLED] abp480n5

Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [bOOT] ACPI

Service [DISABLED] ACPIEC

Service [DISABLED] adpu160m

Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec

Service C:\WINDOWS\System32\drivers\afd.sys [sYSTEM] AFD

Service [sYSTEM] AFS2K

Service [DISABLED] Aha154x

Service [DISABLED] aic78u2

Service [DISABLED] aic78xx

Service C:\WINDOWS\System32\svchost.exe [DISABLED] Alerter

Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG

Service [DISABLED] AliIde

Service [DISABLED] amsint

Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt

Service [DISABLED] asc

Service [DISABLED] asc3350p

Service [DISABLED] asc3550

Service ASP.NET

Service ASP.NET_1.1.4322

Service Aspi32

Service C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [MANUAL] aspnet_state

Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac

Service C:\WINDOWS\System32\DRIVERS\atapi.sys [bOOT] atapi

Service [DISABLED] Atdisk

Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv

Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub

Service BattC

Service [sYSTEM] Beep

Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS

Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser

Service [DISABLED] cbidf2k

Service C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [MANUAL] CCDECODE

Service [DISABLED] cd20xrnt

Service [sYSTEM] Cdaudio

Service [DISABLED] Cdfs

Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [sYSTEM] Cdrom

Service [sYSTEM] Changer

Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc

Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv

Service [DISABLED] CmdIde

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp

Service ContentFilter

Service ContentIndex

Service [DISABLED] Cpqarray

Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc

Service [DISABLED] dac2w2k

Service [DISABLED] dac960nt

Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp

Service C:\WINDOWS\System32\DRIVERS\disk.sys [bOOT] Disk

Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin

Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot

Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio

Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload

Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver

Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic

Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache

Service [DISABLED] dpti2o

Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc

Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem

Service [DISABLED] Fastfat

Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility

Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc

Service C:\WINDOWS\System32\DRIVERS\fetnd5.sys [MANUAL] FETNDIS

Service [sYSTEM] Fips

Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk

Service C:\WINDOWS\system32\drivers\fltmgr.sys [bOOT] FltMgr

Service [sYSTEM] Fs_Rec

Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [bOOT] Ftdisk

Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer

Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc

Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc

Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ

Service C:\WINDOWS\System32\DRIVERS\hidusb.sys [MANUAL] hidusb

Service [DISABLED] hpn

Service C:\WINDOWS\system32\DRIVERS\HPZid412.sys [MANUAL] HPZid412

Service C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [MANUAL] HPZipr12

Service C:\WINDOWS\system32\DRIVERS\HPZius12.sys [MANUAL] HPZius12

Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP

Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter

Service [sYSTEM] i2omgmt

Service [DISABLED] i2omp

Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt

Service C:\WINDOWS\System32\DRIVERS\imapi.sys [sYSTEM] Imapi

Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService

Service system32\drivers\InCDFs.sys [DISABLED] InCDFs

Service system32\drivers\InCDPass.sys [sYSTEM] InCDPass

Service system32\drivers\InCDRm.sys [sYSTEM] InCDRm

Service inetaccs

Service [DISABLED] ini910u

Service Inport

Service [DISABLED] IntelIde

Service C:\WINDOWS\System32\DRIVERS\intelppm.sys [sYSTEM] intelppm

Service C:\WINDOWS\system32\drivers\ip6fw.sys [DISABLED] ip6fw

Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver

Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp

Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat

Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [sYSTEM] IPSec

Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM

Service ISAPISearch

Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [bOOT] isapnp

Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass

Service C:\WINDOWS\System32\DRIVERS\kbdhid.sys [sYSTEM] kbdhid

Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer

Service [bOOT] KSecDD

Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver

Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation

Service [sYSTEM] lbrtfdc

Service ldap

Service LicenseService

Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts

Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger

Service C:\Program Files\mks_vir_2007\bin\MksFwall.exe [AUTO] MksFwall

Service C:\WINDOWS\system32\mksfwallf.sys [sYSTEM] mksfwallf

Service C:\WINDOWS\system32\mksfwallt.sys [sYSTEM] mksfwallt

Service C:\WINDOWS\system32\mksidsa.sys [bOOT] mksidsa

Service C:\WINDOWS\system32\mksidsf.sys [MANUAL] mksidsf

Service C:\Program Files\mks_vir_2007\bin\MksMonEn.sys [MANUAL] MksMonEn

Service C:\Program Files\mks_vir_2007\bin\MksMonEv.sys [MANUAL] MksMonEv

Service C:\Program Files\mks_vir_2007\bin\MksMonFd.sys [MANUAL] MksMonFd

Service C:\Program Files\mks_vir_2007\bin\MksPC.exe [AUTO] MksPC

Service C:\Program Files\mks_vir_2007\bin\mksupdate.exe [AUTO] MksUpdate

Service C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe [AUTO] MksVirMonSvc

Service C:\Program Files\mks_vir_2007\bin\mks_scan.exe [MANUAL] MkS_Scan

Service [sYSTEM] mnmdd

Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc

Service [MANUAL] Modem

Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [sYSTEM] Mouclass

Service C:\WINDOWS\System32\DRIVERS\mouhid.sys [MANUAL] mouhid

Service [bOOT] MountMgr

Service [DISABLED] mraid35x

Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV

Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb

Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC

Service [sYSTEM] Msfs

Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer

Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV

Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK

Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM

Service C:\WINDOWS\System32\DRIVERS\mssmbios.sys [MANUAL] mssmbios

Service C:\WINDOWS\system32\drivers\MSTEE.sys [MANUAL] MSTEE

Service [bOOT] Mup

Service C:\Documents and Settings\anna\Dane aplikacji\hidires\m_hook.sys [MANUAL] m_hook

Service C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [MANUAL] NABTSFEC

Service [bOOT] NDIS

Service C:\WINDOWS\system32\DRIVERS\NdisIP.sys [MANUAL] NdisIP

Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi

Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [DISABLED] Ndisuio

Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan

Service [MANUAL] NDProxy

Service C:\WINDOWS\System32\DRIVERS\netbios.sys [sYSTEM] NetBIOS

Service C:\WINDOWS\System32\DRIVERS\netbt.sys [sYSTEM] NetBT

Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE

Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm

Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla

Service [sYSTEM] Npfs

Service [DISABLED] Ntfs

Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp

Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc

Service [sYSTEM] Null

Service C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [MANUAL] nv

Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt

Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd

Service C:\WINDOWS\system32\DRIVERS\pfc027.sys [MANUAL] PAC207

Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport

Service [bOOT] PartMgr

Service [AUTO] ParVdm

Service C:\WINDOWS\System32\DRIVERS\pci.sys [bOOT] PCI

Service [sYSTEM] PCIDump

Service [DISABLED] PCIIde

Service [DISABLED] Pcmcia

Service [MANUAL] PDCOMP

Service [MANUAL] PDFRAME

Service [MANUAL] PDRELI

Service [MANUAL] PDRFRAME

Service [DISABLED] perc2

Service [DISABLED] perc2hib

Service PerfDisk

Service PerfNet

Service PerfOS

Service PerfProc

Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay

Service C:\WINDOWS\system32\HPZipm12.exe [MANUAL] Pml Driver HPZ12

Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent

Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport

Service C:\WINDOWS\System32\DRIVERS\processr.sys [sYSTEM] Processor

Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage

Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched

Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink

Service [DISABLED] ql1080

Service [DISABLED] Ql10wnt

Service [DISABLED] ql12160

Service [DISABLED] ql1240

Service [DISABLED] ql1280

Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [sYSTEM] RasAcd

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto

Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp

Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan

Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe

Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti

Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [sYSTEM] Rdbss

Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD

Service RDPDD

Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr

Service RDPNP

Service [MANUAL] RDPWD

Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr

Service C:\WINDOWS\System32\DRIVERS\redbook.sys [sYSTEM] redbook

Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess

Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry

Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator

Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs

Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP

Service C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139

Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs

Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr

Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule

Service ScsiPort

Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [MANUAL] Secdrv

Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon

Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS

Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum

Service C:\WINDOWS\System32\DRIVERS\serial.sys [sYSTEM] Serial

Service [sYSTEM] Sfloppy

Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess

Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection

Service [DISABLED] Simbad

Service C:\WINDOWS\system32\DRIVERS\SLIP.sys [MANUAL] SLIP

Service [DISABLED] Sparrow

Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter

Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler

Service C:\WINDOWS\System32\DRIVERS\sr.sys [bOOT] sr

Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice

Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv

Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV

Service C:\WINDOWS\System32\PAStiSvc.exe [AUTO] STI Simulator

Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc

Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys [MANUAL] streamip

Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum

Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi

Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv

Service swwd

Service [DISABLED] symc810

Service [DISABLED] symc8xx

Service [DISABLED] sym_hi

Service [DISABLED] sym_u3

Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio

Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv

Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [sYSTEM] Tcpip

Service [MANUAL] TDPIPE

Service [MANUAL] TDTCP

Service C:\WINDOWS\System32\DRIVERS\termdd.sys [sYSTEM] TermDD

Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService

Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes

Service C:\WINDOWS\System32\tlntsvr.exe [DISABLED] TlntSvr

Service [DISABLED] TosIde

Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks

Service TSDDD

Service [DISABLED] Udfs

Service [DISABLED] ultra

Service C:\WINDOWS\system32\wdfmgr.exe [AUTO] UMWdf

Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update

Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost

Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS

Service C:\WINDOWS\System32\DRIVERS\usbccgp.sys [MANUAL] usbccgp

Service C:\WINDOWS\System32\DRIVERS\usbehci.sys [MANUAL] usbehci

Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub

Service C:\WINDOWS\system32\DRIVERS\usbprint.sys [MANUAL] usbprint

Service C:\WINDOWS\system32\DRIVERS\usbscan.sys [MANUAL] usbscan

Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci

Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave

Service C:\WINDOWS\System32\DRIVERS\viaagp.sys [bOOT] viaagp

Service C:\WINDOWS\System32\DRIVERS\viaide.sys [bOOT] ViaIde

Service C:\WINDOWS\system32\drivers\viaudios.sys [MANUAL] VIAudio

Service [bOOT] VolSnap

Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS

Service VXD

Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time

Service W3SVC

Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp

Service [MANUAL] WDICA

Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud

Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient

Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt

Service [MANUAL] Winsock

Service [MANUAL] Winsock - Google Desktop Search Backup Before First Install

Service [MANUAL] Winsock - Google Desktop Search Backup Before Last Install

Service WinSock2

Service Winsock2 - Google Desktop Search Backup Before First Install

Service Winsock2 - Google Desktop Search Backup Before Last Install

Service WinTrust

Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN

Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi

Service WmiApRpl

Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv

Service C:\WINDOWS\System32\drivers\ws2ifsl.sys [DISABLED] WS2IFSL

Service C:\WINDOWS\System32\svchost.exe [DISABLED] wscsvc

Service C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [MANUAL] WSTCODEC

Service C:\WINDOWS\System32\svchost.exe [DISABLED] wuauserv

Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC

Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov

Service {9F5132FF-C367-42FA-9D98-72515F26E760}

Service {C347D611-455C-4CD8-8D13-179D24147D14}

Service {D3E972ED-CA0B-468B-94E2-357983C38D39}

---- EOF - GMER 1.0.12 ----

Gutek · 1 Marzec 2007 17:10

Log Ok

andziak25 · 1 Marzec 2007 18:16

Usunęłam to co radziliście Hijackthis-em. Przeskanowałam MKS-em i znalazł jeszcze jednego takiego samego

I teraz nie wiem. Czy reszty nie wykrył, bo są w kwarantannie czy ich już nie ma? Może to jest banalne pytanie, ale ja mam wątpliwości.

adam9870 · 1 Marzec 2007 19:31

Jeśli zainfekowany plik został przeniesiony do kwarantanny to jest całkowicie nieszkodliwy.

Wklej komplet nowych logów - HJT i Silent.

andziak25 · 1 Marzec 2007 20:59

HT

Logfile of HijackThis v1.99.1 Scan saved at 21:53:58, on 2007-03-01 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\SYSTEM32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\mks_vir_2007\bin\MksFwall.exe C:\Program Files\mks_vir_2007\bin\MksPC.exe C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\WgaTray.exe D:\Drukarka\HP Software Update\HPWuSchd.exe C:\Program Files\Multimedia Combo Set\MouseDrv.exe C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe C:\Program Files\mks_vir_2007\bin\mks_mail.exe C:\Program Files\mks_vir_2007\bin\mksregmon.exe C:\Program Files\mks_vir_2007\bin\mkstray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\system32\hldrrr.exe C:\Program Files\mks_vir_2007\bin\mks_scan.exe D:\Drukarka\Digital Imaging\bin\hpqtra08.exe D:\Drukarka\Digital Imaging\bin\hpohmr08.exe D:\Drukarka\Digital Imaging\bin\hpotdd01.exe D:\Drukarka\Digital Imaging\bin\hpoevm08.exe D:\Drukarka\Digital Imaging\Bin\hpoSTS08.exe C:\Program Files\mks_vir_2007\bin\mksupdate.exe D:\Gadu-Gadu\gg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\anna\Pulpit\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interia.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\KODEKI\ActiveX\AcroIEHelper.dll O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [HP Software Update] “D:\Drukarka\HP Software Update\HPWuSchd.exe” O4 - HKLM…\Run: [WireLessMouse] C:\Program Files\Multimedia Combo Set\MouseDrv.exe O4 - HKLM…\Run: [WireLessKeyboard] C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe O4 - HKLM…\Run: [mks_mail] C:\Program Files\mks_vir_2007\bin\mks_mail.exe O4 - HKLM…\Run: [MKSRegmon] C:\Program Files\mks_vir_2007\bin\mksregmon.exe O4 - HKLM…\Run: [mkstray] C:\Program Files\mks_vir_2007\bin\mkstray.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Odkurzacz-MCD] D:\Odkurzacz\odk_mcd.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\KODEKI\Reader\reader_sl.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Drukarka\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: hp psc 1000 series.lnk = ? O4 - Global Startup: hpoddt01.exe.lnk = ? O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O10 - Unknown file in Winsock LSP: c:\program files\mks_vir_2007\bin\mkslsp.dll O15 - Trusted Zone: http://www.mks.com.pl O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave.com/content/luxor/ … uncher.cab O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: MksFwall - MKS Sp z o.o. - C:\Program Files\mks_vir_2007\bin\MksFwall.exe O23 - Service: MksPC - Unknown owner - C:\Program Files\mks_vir_2007\bin\MksPC.exe O23 - Service: MksUpdate - MKS Sp. z o. o. - C:\Program Files\mks_vir_2007\bin\mksupdate.exe O23 - Service: mks_vir file monitor (MksVirMonSvc) - Unknown owner - C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe O23 - Service: MkS_Scan - Unknown owner - C:\Program Files\mks_vir_2007\bin\mks_scan.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

Silent Runers

“Silent Runners.vbs”, revision 48, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] “Odkurzacz-MCD” = “D:\Odkurzacz\odk_mcd.exe” [“Franmo Software”] “odk_mcd” = (empty string) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “HP Software Update” = ““D:\Drukarka\HP Software Update\HPWuSchd.exe”” [“Hewlett-Packard”] "WireLessMouse " = “C:\Program Files\Multimedia Combo Set\MouseDrv.exe” [empty string] "WireLessKeyboard " = “C:\Program Files\Multimedia Combo Set\PS2USBKbdDrv.exe” [empty string] “mks_mail” = “C:\Program Files\mks_vir_2007\bin\mks_mail.exe” [“MkS Sp. z o.o.”] “MKSRegmon” = “C:\Program Files\mks_vir_2007\bin\mksregmon.exe” [null data] “mkstray” = “C:\Program Files\mks_vir_2007\bin\mkstray.exe” [“MKS Sp z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\KODEKI\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band” -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] “{BB7DF450-F119-11CD-8465-00AA00425D90}” = “Microsoft Access Custom Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “D:\Office\soa800.dll” [MS] “{59850401-6664-101B-B21C-00AA004BA90B}” = “Microsoft Office Binder Explode” -> {HKLM…CLSID} = “Microsoft Office Binder Explode” \InProcServer32(Default) = “D:\Office\UNBIND.DLL” [MS] “{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices” -> {HKLM…CLSID} = “Portable Media Devices” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\system32\Audiodev.dll” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “D:\KODEKI\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “C:\Program Files\mks_vir_2007\bin\mksshell.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ MkS_Vir(Default) = “{E64226E0-9DA1-479E-8265-8D65BA327BD4}” -> {HKLM…CLSID} = “MkS_Vir Shell Extension” \InProcServer32(Default) = “C:\Program Files\mks_vir_2007\bin\mksshell.dll” [null data] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\anna\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “anna” & “All Users” startup folders: ------------------------------------------------------ C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “D:\KODEKI\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] “HP Digital Imaging Monitor” -> shortcut to: “D:\Drukarka\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Co.”] “hp psc 1000 series” -> shortcut to: “D:\Drukarka\Digital Imaging\bin\hpohmr08.exe” [“Hewlett-Packard Co.”] “hpoddt01.exe” -> shortcut to: “D:\Drukarka\Digital Imaging\bin\hpotdd01.exe” [“Hewlett-Packard”] Enabled Scheduled Tasks: ------------------------ “FRU Task #Hewlett-Packard#hp psc 1200 series#1135877353” -> launches: "D:\Drukarka\Digital Imaging\Bin\hpqfrucl.exe -I “#Hewlett-Packard#hp psc 1200 series#1135877353"” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\mks_vir_2007\bin\mkslsp.dll [null data], 01 - 03, 19 %SystemRoot%\system32\mswsock.dll [MS], 04 - 06, 09 - 18 %SystemRoot%\system32\rsvpsp.dll [MS], 07 - 08 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\ {21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided) -> {HKLM…CLSID} = “Shell Search Band” \InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ MkS_Scan, MkS_Scan, “C:\Program Files\mks_vir_2007\bin\mks_scan.exe” [empty string] mks_vir file monitor, MksVirMonSvc, “C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe” [null data] MksFwall, MksFwall, ““C:\Program Files\mks_vir_2007\bin\MksFwall.exe”” [“MKS Sp z o.o.”] MksPC, MksPC, ““C:\Program Files\mks_vir_2007\bin\MksPC.exe”” [null data] MksUpdate, MksUpdate, ““C:\Program Files\mks_vir_2007\bin\mksupdate.exe”” [“MKS Sp. z o. o.”] STI Simulator, STI Simulator, “C:\WINDOWS\System32\PAStiSvc.exe” [null data]

Te wirusy cały czas sie pojawiają ze zmienioną lokalizacją. Już są 3 nowe.

Gutek · 1 Marzec 2007 21:02

Użyj Pocket Killbox. Zaznaczasz opcję Delete on Reboot i w polu Full Path of File to Delete wklejasz ścieżkę

C:\WINDOWS\system32\hldrrr.exe i naciskasz X czerwony. Program poprosi o reset kompa … czyli resetujesz.

andziak25 · 1 Marzec 2007 21:19

Zrobiłam. Jutro zobacze czy sie znowu nie zjawiają. Na razie dziekuję