My antivirus stopped working for no reason


(Dariuszopala) #1

I have a problem with my antivirus, Symantec AntiVirus... I keep getting the message: "Symantec AntiVirus Auto-Protect failed to load"... and besides that, it seems to me I have a lot of worms on the disk... Please check the log...

Logfile of HijackThis v1.99.1

Scan saved at 13:34:09, on 2007-03-26

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\winlogon.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

E:\Programy\Gadu-Gadu\gg.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

E:\Programy\LOGI\HiJack\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll

O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

O8 - Extra context menu item: &Download with &DAP - E:\Programy\DAP\dapextie.htm

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm

O8 - Extra context menu item: Download &all with DAP - E:\Programy\DAP\dapextie2.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\OFFICE~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/229?1499baf0d9dc47f399ef52ec7ccaa3c

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/230?1499baf0d9dc47f399ef52ec7ccaa3c

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0E0927EB-85CC-4D9C-8F0B-C764BF8E98D1}: NameServer = 10.1.0.1,10.1.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll

O21 - SSODL: LyiWldUHN - {58BD0399-F217-A933-01BA-258275F4849E} - C:\WINDOWS\system32\sl.dll (file missing)

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Programy\Bluetooth\BTNtService.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\

"{58BD0398-063B-1045-0824-050508170030}" = ""C:\Program Files\Common Files\{58BD0398-063B-1045-0824-050508170030}\Update.exe" te-110-12-0000271" [file not found]

"{58BD0398-063C-1045-0824-050508170030}" = ""C:\Program Files\Common Files\{58BD0398-063C-1045-0824-050508170030}\Update.exe" te-110-12-0000271" [file not found]


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""E:\Programy\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

"IpWins" = "C:\Program Files\Ipwindows\ipwins.exe" [file not found]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]

"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"NCInstallQueue" = "rundll32 netman.dll,ProcessQueue" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "DriveLetterAccess"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "MSN Search Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{2F5AC606-70CF-461C-BFE1-6063670C3484}" = "Display CPL Extension"

  -> {HKLM...CLSID} = "DisplayCplExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Toshiba\TouchED\TouchED.DLL" ["TOSHIBA Inc."]

"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"

  -> {HKLM...CLSID} = "RecordNow! SendToExt"

                   \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]

"{E91B2703-013E-4A99-AD33-2B6FB00AA356}" = "RecordNow! ContextMenuExt"

  -> {HKLM...CLSID} = "RecordNow! ContextMenuExt"

                   \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]

"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"

  -> {HKLM...CLSID} = "DriveLetterAccess"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Office 2003\OFFICE11\msohev.dll" [MS]

"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"

  -> {HKLM...CLSID} = "Windows Desktop Search"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\EXT\02.05.0000.1105\en-gb\msnlExt.dll" [MS]

"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"

  -> {HKLM...CLSID} = "MSN Search Deskbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\DB\02.05.0000.1082\en-gb\deskbar.dll" [MS]

"{A4D78B20-6E05-1069-8758-4E73FD83DEAD}" = "QCopy"

  -> {HKLM...CLSID} = "QCopy"

                   \InProcServer32\(Default) = "dropcpyr.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\OFFICE~1\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\OFFICE~1\OFFICE11\OLKFSTUB.DLL" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = "E:\Programy\quick\iTunesMiniPlayer.dll" ["Apple Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"LyiWldUHN" = "{58BD0399-F217-A933-01BA-258275F4849E}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\sl.dll" [file not found]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> A3dxq\DLLName = "C:\WINDOWS\system32\a3dxq.dll" [null data]

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

<> winsys2freg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKCU\Software\Classes\.bat\(Default) = (value not set)


HKCU\Software\Classes\.cmd\(Default) = (value not set)


HKCU\Software\Classes\.com\(Default) = (value not set)


HKCU\Software\Classes\.exe\(Default) = (value not set)


HKCU\Software\Classes\.hta\(Default) = "htafile"



Group Policies {policy setting}:

--------------------------------


Note: detected settings may not have any effect.


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"ForceActiveDesktopOn" = (REG_DWORD) hex:0x00000001

{Enable Active Desktop}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Opała Dariusz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"

  -> {HKLM...CLSID} = "MSN Search Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"

  -> {HKLM...CLSID} = "MSN Search Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)

  -> {HKLM...CLSID} = "MSN Search Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_02"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]

Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]

Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Windows Logon Process Service, MSWinLogonProcService, ""C:\WINDOWS\winlogon.exe" -service" ["Microsoft"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 51 seconds.

---------- (total run time: 101 seconds)

(Joan Sunshine) #2

Use SmitFraudFix, option 2, in Safe Mode

START > RUN > CMD > TYPE:

SC STOP MSWinLogonProcService

SC DELETE MSWinLogonProcService

DEL C:\WINDOWS\winlogon.exe

Delete the files/folders marked in red from the disk in Safe Mode; delete the entries in HJT.

Open Notepad and paste this into it:

File -> Save As -> change the file type to All Files -> save it under the name FIX.REG

Run FIX.REG, confirm adding it to the registry, and reboot the machine :slight_smile:

Download and install UnHookExec.inf (after downloading, right-click the file and choose "Install")

New logs, plus the SmitFraudFix report, the file c:\rapport.txt. :slight_smile:
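A triage pass over the kind of HijackThis and Silent Runners lines quoted in this thread, written as an added example (it is not code from the original posts or from either tool): it flags the indicators the reply above acts on, a core Windows binary name such as winlogon.exe living outside system32, launch points whose target no longer exists, Winlogon Notify DLLs loaded from outside system32, and services with no recognised vendor. The sample lines are copied from the first log; the heuristics, the reason strings and the function names are the example's own assumptions.

```python
"""Triage pass over HijackThis / Silent Runners log lines (added example)."""
import ntpath
import re

# Windows core binaries that legitimately run only from %SystemRoot%\system32.
SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"

# Reason strings reused by callers to match findings (assumed wording).
R_SYSBIN = "core system binary name outside system32"
R_MISSING = "launch point refers to a file that does not exist"
R_NOTIFY = "Winlogon Notify DLL outside system32"
R_OWNER = "service has no recognised vendor"

# First drive-letter (or %var%) path ending in .exe/.dll on a line.
PATH_RE = re.compile(r'((?:[a-z]:|%\w+%)\\[^"]*?\.(?:exe|dll))', re.I)
# HijackThis item prefix, e.g. "O23 - Service: ..."; other lines are "RAW"
# (running-process paths, Silent Runners registry dumps).
ITEM_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# HijackThis writes "(file missing)", Silent Runners "[file not found]".
MISSING_MARKERS = ("(file missing)", "[file not found]")


def extract_path(text):
    """Return the first executable/DLL path found in a log line, or None."""
    m = PATH_RE.search(text)
    return m.group(1) if m else None


def triage_line(line):
    """Return the list of reasons a single log line deserves a second look."""
    m = ITEM_RE.match(line)
    section, body = (m.group(1), m.group(2)) if m else ("RAW", line)
    path = extract_path(body)
    folder = ntpath.dirname(path).lower() if path else ""
    name = ntpath.basename(path).lower() if path else ""
    reasons = []
    # A file called winlogon.exe (etc.) outside system32 is a classic impostor;
    # here it also explains why two winlogon.exe processes were running.
    if name in SYSTEM_BINARIES and folder != SYSTEM32:
        reasons.append(R_SYSBIN)
    # Launch points whose target is gone are leftovers of something removed
    # or hidden; they are also the entries that can simply be deleted.
    if any(marker in body for marker in MISSING_MARKERS):
        reasons.append(R_MISSING)
    # Winlogon Notify packages load into winlogon; legitimate ones sit in system32.
    if section == "O20" and path and folder != SYSTEM32:
        reasons.append(R_NOTIFY)
    # Services without a resolvable vendor string need manual verification
    # (this also catches benign third-party services, so it is a review flag).
    if section == "O23" and "- Unknown owner -" in body:
        reasons.append(R_OWNER)
    return reasons


def triage(lines):
    """Run triage_line over every line; return findings keyed by line number."""
    findings = {}
    for number, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            findings[number] = {"line": line, "path": extract_path(line),
                                "reasons": reasons}
    return findings


# Constructed sample: lines lifted from the first log in this thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\winlogon.exe",
    r"O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll",
    r"O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll",
    r"O21 - SSODL: LyiWldUHN - {58BD0399-F217-A933-01BA-258275F4849E} - C:\WINDOWS\system32\sl.dll (file missing)",
    r'O23 - Service: Windows Logon Process Service (MSWinLogonProcService) - Unknown owner - C:\WINDOWS\winlogon.exe" -service (file missing)',
    r"O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Programy\Bluetooth\BTNtService.exe",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
    r'"IpWins" = "C:\Program Files\Ipwindows\ipwins.exe" [file not found]',
]

if __name__ == "__main__":
    for number, finding in sorted(triage(SAMPLE_LINES).items()):
        print(f"line {number}: {finding['path']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

A3dxq from the first log is deliberately not in the sample: its DLL sits in system32 and only Silent Runners' "[null data]" marker hints at it, so a path-based pass alone would miss it.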


(Dariuszopala) #3
Logfile of HijackThis v1.99.1

Scan saved at 18:37:09, on 2007-03-27

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Programy\Bluetooth\BTNtService.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\ctfmon.exe

E:\Programy\Gadu-Gadu\gg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

E:\Programy\LOGI\HiJack\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll

O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\RunOnce: [NCInstallQueue] rundll32 netman.dll,ProcessQueue

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "E:\Programy\Gadu-Gadu\gg.exe" /tray

O8 - Extra context menu item: &Download with &DAP - E:\Programy\DAP\dapextie.htm

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm

O8 - Extra context menu item: Download &all with DAP - E:\Programy\DAP\dapextie2.htm

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Programy\OFFICE~1\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/229?1499baf0d9dc47f399ef52ec7ccaa3c

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0000.1105\en-gb\msntabres.dll/230?1499baf0d9dc47f399ef52ec7ccaa3c

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{0E0927EB-85CC-4D9C-8F0B-C764BF8E98D1}: NameServer = 10.1.0.1,10.1.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\Programy\Bluetooth\BTNtService.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"Gadu-Gadu" = ""E:\Programy\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]

"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]

"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]


HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}

"NCInstallQueue" = "rundll32 netman.dll,ProcessQueue" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "DriveLetterAccess"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Google Toolbar Helper"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "MSN Search Toolbar Helper"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{2F5AC606-70CF-461C-BFE1-6063670C3484}" = "Display CPL Extension"

  -> {HKLM...CLSID} = "DisplayCplExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\Toshiba\TouchED\TouchED.DLL" ["TOSHIBA Inc."]

"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"

  -> {HKLM...CLSID} = "RecordNow! SendToExt"

                   \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]

"{E91B2703-013E-4A99-AD33-2B6FB00AA356}" = "RecordNow! ContextMenuExt"

  -> {HKLM...CLSID} = "RecordNow! ContextMenuExt"

                   \InProcServer32\(Default) = "C:\Program Files\Sonic\RecordNow!\shlext.dll" [null data]

"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"

  -> {HKLM...CLSID} = "DriveLetterAccess"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "E:\Programy\Office 2003\OFFICE11\msohev.dll" [MS]

"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"

  -> {HKLM...CLSID} = "Windows Desktop Search"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\EXT\02.05.0000.1105\en-gb\msnlExt.dll" [MS]

"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"

  -> {HKLM...CLSID} = "MSN Search Deskbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\DB\02.05.0000.1082\en-gb\deskbar.dll" [MS]

"{A4D78B20-6E05-1069-8758-4E73FD83DEAD}" = "QCopy"

  -> {HKLM...CLSID} = "QCopy"

                   \InProcServer32\(Default) = "dropcpyr.dll" [null data]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]

"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "E:\Programy\OFFICE~1\OFFICE11\MLSHEXT.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"

                   \InProcServer32\(Default) = "E:\Programy\OFFICE~1\OFFICE11\OLKFSTUB.DLL" [MS]

"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"

  -> {HKLM...CLSID} = "iTunes"

                   \InProcServer32\(Default) = "E:\Programy\quick\iTunesMiniPlayer.dll" ["Apple Inc."]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]

<> winsys2freg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll" [null data]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

  -> {HKLM...CLSID} = "VpshellEx Class"

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]



Default executables:

--------------------


HKCU\Software\Classes\.bat\(Default) = (value not set)


HKCU\Software\Classes\.cmd\(Default) = (value not set)


HKCU\Software\Classes\.com\(Default) = (value not set)


HKCU\Software\Classes\.exe\(Default) = (value not set)


HKCU\Software\Classes\.hta\(Default) = "htafile"


<> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]



Group Policies {policy setting}:

--------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Enabled Scheduled Tasks:

------------------------


"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -Task" ["Apple Computer, Inc."]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Toolbars


HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"

  -> {HKLM...CLSID} = "MSN Search Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]


HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"

  -> {HKLM...CLSID} = "MSN Search Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = (no title provided)

  -> {HKLM...CLSID} = "MSN Search Toolbar"

                   \InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll" [MS]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

  -> {HKLM...CLSID} = "&Google"

                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "E:\Programy\OFFICE~1\OFFICE11\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"

  -> {HKLM...CLSID} = "Java Plug-in 1.5.0_02"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]


{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]

BlueSoleil Hid Service, BlueSoleil Hid Service, "E:\Programy\Bluetooth\BTNtService.exe" [null data]

ConfigFree Service, CFSvcs, "C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe" ["TOSHIBA CORPORATION"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]

Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]

Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]

Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]

Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

  took 49 seconds.

---------- (total run time: 100 seconds)

SmitFraudFix v2.158


Scan done at 14:12:49,85, 2007-03-27

Run from E:\Programy\LOGI\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Killing process



»»»»»»»»»»»»»»»»»»»»»»»» hosts



»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix


GenericRenosFix by S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


C:\WINDOWS\system32\svchosts.exe Deleted

C:\WINDOWS\system32\zlbw.dll Deleted

C:\Program Files\BraveSentry\ Deleted


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files



»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!Attention, following keys are not inevitably infected!


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""



»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning


Registry Cleaning done. 


»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!Attention, following keys are not inevitably infected!


SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll



»»»»»»»»»»»»»»»»»»»»»»»» End


[/code]

(adam9870) #4

Download KillBox, tick Delete on reboot, and in the full path of file field paste this path:

C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll

Click the red X and restart the computer.

Open Notepad and paste this into it:

File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

Remove the HJT entry if it is still there.

Go through the "Naprawianie uszkodzonych rozszerzeń" (repairing damaged file extensions) guide.

When that is done, paste a log from ComboFix.
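As an added example (not part of adam9870's post, nor output of KillBox, Silent Runners or any other tool in this thread): a Python script that scores Silent Runners launch-point lines the way a triager reads them, to show why the winsys2f.dll entry is the first thing to remove. It assumes %SystemRoot% is C:\WINDOWS (true for this log) and that the trailing Silent Runners tags mean what they do in the log above ([null data] = no version info, [file not found], ["Company"] / [MS] = publisher present). The sample lines are copied from the Silent Runners log in this thread into a constructed string; the weights and the list of user-writable directories are my own choices.

```python
"""Rank Silent Runners launch-point entries by how much they look like malware."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the Silent Runners log above, in the
# shape that tool prints (a key header ending in "\", then "<> " marked or
# unmarked entries with a trailing [publisher / version-info] tag).
SAMPLE = r"""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
<> winsys2freg\DLLName = "C:\Documents and Settings\All Users\Dokumenty\Settings\winsys2f.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
                   \InProcServer32\(Default) = "E:\Programy\WinRAR\rarext.dll" [null data]
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
<> HKLM\Software\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]
"""

# One Silent Runners entry: optional "<> " marker, key, quoted value, [tag].
ENTRY_RE = re.compile(
    r'^(?P<mark><> )?\s*(?P<key>\S.*?) = "(?P<value>.*)" \[(?P<tag>[^\]]*)\]\s*$'
)

# Assumption: %SystemRoot% is C:\WINDOWS, as in the log above.
SYSTEM_ROOT = "c:\\windows\\"
# Assumption: directories an ordinary user (or a dropper running as one) can
# write to; a SYSTEM-context DLL has no business living there.
USER_WRITABLE = ("\\documents and settings\\", "\\all users\\", "\\temp\\",
                 "\\application data\\", "\\dane aplikacji\\")


@dataclass
class Entry:
    section: str      # the registry key header the entry was listed under
    key: str
    value: str        # the DLL/command Silent Runners printed between quotes
    tag: str          # text inside the trailing [...] bracket
    marked: bool      # True when Silent Runners prefixed the line with "<>"
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Walk the log once, remembering the current key header for each entry."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(raw)
        if m:
            entries.append(Entry(section, m["key"], m["value"], m["tag"],
                                 m["mark"] is not None))
        elif line.endswith("\\"):
            section = line  # a registry key header such as ...\Winlogon\Notify\
    return entries


def score_entry(e):
    """Attach a score and the human-readable reasons behind it (weights are mine)."""
    path = e.value.lower()
    absolute = path[1:3] == ":\\"
    checks = [
        (1, e.marked,
         "launch point marked <> (suspicious location) by Silent Runners"),
        (1, e.tag in ("null data", "file not found"),
         f"no publisher/version info [{e.tag}]"),
        (2, any(d in path for d in USER_WRITABLE),
         "image stored under a user-writable profile path"),
        (2, "winlogon\\notify" in e.section.lower() and absolute
            and not path.startswith(SYSTEM_ROOT),
         "Winlogon Notify DLL (loaded into winlogon.exe as SYSTEM) outside %SystemRoot%"),
    ]
    e.score = sum(points for points, hit, _ in checks if hit)
    e.reasons = [why for _, hit, why in checks if hit]
    return e


def rank(text):
    """Highest score first; ties keep log order (sorted() is stable)."""
    return sorted((score_entry(e) for e in parse_entries(text)),
                  key=lambda e: -e.score)


if __name__ == "__main__":
    for e in rank(SAMPLE):
        print(f"{e.score}  {e.key} = {e.value}")
        for why in e.reasons:
            print(f"     - {why}")
```

The top entry is winsys2f.dll with every check hitting at once: a Winlogon\Notify DLL is loaded into winlogon.exe under the SYSTEM account, and one with no version information sitting in All Users\Dokumenty\Settings is exactly the combination the helper reacted to. The changed scrfile handler ranks second because it is the other `<>` item; the WinRAR and deskpan.dll lines score only on the missing version info, which is why [null data] alone is never enough to act on.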


(Dariuszopala) #5

(adam9870) #6

For now, in the log I can see:

But because of:

Before we start removing anything, please show two GMER logs made with these settings:

  1. Rootkit tab >>> everything ticked except Show all >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post

  2. Rootkit tab >>> only Services and Show all ticked >>> click Scan >>> wait patiently until it finishes >>> Copy >>> paste into the post

If all the logs do not fit directly in the post, upload them to some hosting service as *.txt files and just link them here.

http://forum.dobreprogramy.pl/viewtopic.php?t=96929


(Dariuszopala) #7

As for point one, I'm not sure whether GMER finished scanning, but I hope it searched the whole computer and my doubts are just an illusion :wink:

Re 1:

GMER 1.0.12.12086 - http://www.gmer.net

Rootkit scan 2007-03-27 22:03:40

Windows 5.1.2600 Service Pack 2



---- System - GMER 1.0.12 ----


Code F7C49D98 ZwCreateFile

Code F7C4AA88 ZwCreateKey

Code F7C4A964 ZwEnumerateKey

Code F7C4AA28 ZwEnumerateValueKey

Code F7C49CE0 ZwOpenFile

Code F7C4AB1C ZwOpenKey

Code F7C49BCE ZwQueryDirectoryFile

Code F7C4B708 ZwTerminateProcess

Code F7C49D97 NtCreateFile

Code F7C49CDF NtOpenFile

Code F7C49BCD NtQueryDirectoryFile


---- Kernel code sections - GMER 1.0.12 ----


PAGE ntoskrnl.exe!ZwOpenKey 80567CFB 5 Bytes JMP F7C4AB20 

PAGE ntoskrnl.exe!ZwCreateKey 8056E7A9 5 Bytes JMP F7C4AA8C 

PAGE ntoskrnl.exe!ZwEnumerateKey 8056EEB0 5 Bytes JMP F7C4A968 

PAGE ntoskrnl.exe!NtOpenFile 8056FB93 5 Bytes JMP F7C49CE4 

PAGE ntoskrnl.exe!NtCreateFile 8056FBF8 5 Bytes JMP F7C49D9C 

PAGE ntoskrnl.exe!NtQueryDirectoryFile 80573515 5 Bytes JMP F7C49BD2 

PAGE ntoskrnl.exe!ZwEnumerateValueKey 8057FB78 5 Bytes JMP F7C4AA2C 

PAGE ntoskrnl.exe!ZwTerminateProcess 80584740 5 Bytes JMP F7C4B70C 

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified.

.text ntdll.dll!NtClose 7C90D586 5 Bytes JMP 720342BA 

.text ntdll.dll!NtCreateProcess 7C90D754 5 Bytes JMP 72034445 

.text ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes JMP 72034329 

.text ntdll.dll!NtCreateSection 7C90D793 5 Bytes JMP 720342D8 


---- Devices - GMER 1.0.12 ----


Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 85355ED8

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 850FEAB0

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 850FEAB0

Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ 8514ACE0

Device \Driver\poof \Device\poofpoof IRP_MJ_CREATE F7C486D0

Device \Driver\poof \Device\poofpoof IRP_MJ_CLOSE F7C486D0

Device \Driver\poof \Device\poofpoof IRP_MJ_DEVICE_CONTROL F7C485C8

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 850FEAB0

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 850FEAB0

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_NAMED_PIPE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_READ 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_WRITE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_EA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FLUSH_BUFFERS 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_VOLUME_INFORMATION 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DIRECTORY_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FILE_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SHUTDOWN 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_LOCK_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLEANUP 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_MAILSLOT 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_SECURITY 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CHANGE 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_QUOTA 84EE9AE8

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP 84EE9AE8

Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ 8523D510

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 851777E8

Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 851777E8

Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ 852D3290

Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ 8533EDB0

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLOSE 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_READ 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_WRITE 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_INFORMATION 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_EA 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_EA 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CLEANUP 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 8501CF00

Device \Driver\d347prt \Device\Scsi\d347prt1Port2Path0Target0Lun0 IRP_MJ_SET_SECURITY 8501CF00



---- Modules - GMER 1.0.12 ----


Module _________ F7794000

Module \??\C:\WINDOWS\system32\poof ( ***hidden*** ) F7C48000


---- Processes - GMER 1.0.12 ----


Process C:\WINDOWS\system32\koos.exe ( ***hidden*** ) 1092

Library C:\WINDOWS\system32\koos.exe ( ***hidden*** ) @ C:\WINDOWS\system32\koos.exe [1092] 0x00400000

Re point 2: in the post below


(adam9870) #8

Paste the rest of the log, starting from:


(Dariuszopala) #9

Sorry for posting this in a second post... but the log for point 2 doesn't fit in one, which is why part of that log got cut off...

Re point 2:

GMER 1.0.12.12086 - http://www.gmer.net

Rootkit scan 2007-03-27 22:13:53

Windows 5.1.2600 Dodatek Service Pack 2



---- Services - GMER 1.0.12 ----




---- EOF - GMER 1.0.12 ----

(adam9870) #10

Open Notepad and paste this into it:

File >>> Save As >>> change the extension from TXT to All Files >>> save it under the name FIX.BAT

Now you will be doing the steps in Gmer, so run it, wait a moment, and click the >>> tab to open the remaining tabs.

In the Processes tab click Gmer awaryjny (Gmer safe mode) >>> a reset will follow and only the Gmer window will remain >>> in the Processes tab, use ... (the three dots) to point to the FIX.BAT file >>> the screen will flicker for a moment and a reset will follow. After the reset, open Gmer and in the CMD tab, with the REGEDIT.EXE option selected, paste:

Then click Run and reset.

Read up on removing files and folders marked with a question mark - Usuwanie PurityScan (Removing PurityScan).

Gmer showed a puzzling driver:

Some security programs (Kaspersky among others) detect this driver as malware, but the file properties say Quanta HotKey Keyboard Filter Driver.

Once that is done, paste new logs (ComboFix plus two GMERs).
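Added example, not code from the thread or from GMER: a Python triage script for the GMER log format used in this thread. It reports the objects GMER tags ( ***hidden*** ), like the poof module and koos.exe process above, lists Services entries printed with neither an image path nor a [START] type, and flags those whose name matches a hidden object's file name. The sample log embedded in it is constructed in the shape of the thread's output, not copied from it.

```python
"""Triage a GMER 1.0.12 text log for rootkit indicators.

Added example, not code from the thread or from GMER. GMER tags objects it
could only see by bypassing the normal Windows APIs with "( ***hidden*** )".
A Services entry printed with neither an image path nor a [START] type proves
nothing by itself (performance-counter and GUID entries look the same), but
one whose name matches the file name of a hidden module or process is a
strong combined signal, so this script correlates the two.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HIDDEN_TAG = "( ***hidden*** )"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
# "<path> [START] <name>": the path is optional and the name may contain spaces.
SERVICE_RE = re.compile(r"^(?:(?P<path>.*?) )?\[(?P<start>[A-Z]+)\] (?P<name>.+)$")

# Constructed sample in the shape of the thread's GMER output, not a verbatim copy.
SAMPLE_LOG = r"""
GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-27 22:13:53
---- Modules - GMER 1.0.12 ----
Module _________ F7794000
Module \??\C:\WINDOWS\system32\poof ( ***hidden*** ) F7C48000
---- Processes - GMER 1.0.12 ----
Process C:\WINDOWS\system32\koos.exe ( ***hidden*** ) 1092
---- Services - GMER 1.0.12 ----
Service .NET CLR Data
Service C:\WINDOWS\system32\DRIVERS\ACPI.sys [BOOT] ACPI
Service [DISABLED] Abiosdsk
Service C:\WINDOWS\system32\Ati2evxx.exe [AUTO] Ati HotKey Poller
Service kprof
Service poof
Service C:\WINDOWS\system32\drivers\qkbfiltr.sys [MANUAL] qkbfiltr
Service {0E0927EB-85CC-4D9C-8F0B-C764BF8E98D1}
---- EOF - GMER 1.0.12 ----
"""


@dataclass
class Service:
    name: str
    path: Optional[str]
    start: Optional[str]


@dataclass
class Triage:
    hidden: List[Tuple[str, str]] = field(default_factory=list)  # (kind, path)
    services: List[Service] = field(default_factory=list)

    @property
    def unresolved_services(self) -> List[str]:
        """Services GMER printed with neither an image path nor a start type."""
        return [s.name for s in self.services if s.path is None and s.start is None]

    @property
    def correlated(self) -> List[str]:
        """Unresolved services named like the file of a hidden module or process."""
        names = set()
        for _kind, path in self.hidden:
            base = path.rsplit("\\", 1)[-1].lower()
            names.update({base, base.rsplit(".", 1)[0]})  # with and without extension
        return [n for n in self.unresolved_services if n.lower() in names]


def parse_service(rest: str) -> Service:
    """Parse the text that follows 'Service ' on a Services line."""
    m = SERVICE_RE.match(rest)
    if m is None:  # no [START] bracket at all: the line carries only a name
        return Service(name=rest, path=None, start=None)
    return Service(name=m["name"], path=m["path"] or None, start=m["start"])


def parse_gmer_log(text: str) -> Triage:
    result = Triage()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        kind, _, rest = line.partition(" ")
        if section in ("Modules", "Processes") and HIDDEN_TAG in rest:
            # Module/Process/Library lines: the path is everything before the tag.
            result.hidden.append((kind, rest.split(" " + HIDDEN_TAG, 1)[0]))
        elif section == "Services" and kind == "Service":
            result.services.append(parse_service(rest))
    return result


if __name__ == "__main__":
    t = parse_gmer_log(SAMPLE_LOG)
    print("hidden:", t.hidden)
    print("pathless services:", t.unresolved_services, "correlated:", t.correlated)
```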


(Dariuszopala) #11
"Opaa Dariusz" - 07-03-28 23:08:22 Dodatek Service Pack 2

ComboFix 07-03-27.4 - Running from: "E:\Programy\LOGI"



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



C:\WINDOWS\system32\kprof

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\qoobox\purity\WINDOWS\RACLE~1



((((((((((((((((((((((((((((((( Files Created from 2007-02-28 to 2007-03-28 ))))))))))))))))))))))))))))))))))



2007-03-27 14:12	1,506	--a------	C:\WINDOWS\system32\tmp.reg

2007-03-27 14:11	79,360	--a------	C:\WINDOWS\system32\swxcacls.exe

2007-03-27 14:11	53,248	--a------	C:\WINDOWS\system32\Process.exe

2007-03-27 14:11	51,200	--a------	C:\WINDOWS\system32\dumphive.exe

2007-03-27 14:11	40,960	--a------	C:\WINDOWS\system32\swsc.exe

2007-03-27 14:11	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe

2007-03-27 14:11	135,168	--a------	C:\WINDOWS\system32\swreg.exe

2007-03-26 18:27

[code]GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-03-28 23:20:02
Windows 5.1.2600 Dodatek Service Pack 2

---- System - GMER 1.0.12 ----

SSDT d347bus.sys ZwClose
SSDT d347bus.sys ZwCreateKey
SSDT d347bus.sys ZwCreatePagingFile
SSDT d347bus.sys ZwEnumerateKey
SSDT d347bus.sys ZwEnumerateValueKey
SSDT d347bus.sys ZwOpenKey
SSDT d347bus.sys ZwQueryKey
SSDT d347bus.sys ZwQueryValueKey
SSDT d347bus.sys ZwSetSystemPowerState

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS Nie można odnaleźć określonego pliku.

---- Devices - GMER 1.0.12 ----
\Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSE 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_READ 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA 84EE6298 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP 84EE6298 Device 
\FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ 84FE9230 Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ 84FE9230 Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ 84FE9230 Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ 84FE9230 Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ 84FE9230 Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ 85109EA8 Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F2C26D30] tfsnifs.sys ---- Modules - GMER 1.0.12 ---- Module _________ F7794000 ---- Files - GMER 1.0.12 ---- ADS C:\Documents and Settings\Opa:favicon ---- EOF - GMER 1.0.12 ----

Merged post: 28.03.2007 (Wed) 23:26

I'm ashamed to admit it, but I can't manage to upload the logs to a hosting service... :? That's why I can't post the second GMER log, because it doesn't fit in the post :?


(adam9870) #12

Read up on removing files and folders with a question mark in the name - Removing PurityScan.

Manually delete the quarantine folder created by ComboFix -> C:\qoobox


(Dariuszopala) #13

I deleted the quarantine folder created by ComboFix... but I can't delete that question-mark file ??sks.exe using PurityScan, because I can't find the file at all... I followed the steps exactly as described in the link you attached...


(adam9870) #14

In that case, read this:

http://cybertrash.pl/images/tata/PurityScan.html


(Dariuszopala) #15

I followed the instructions from the link you gave...

"Opaa Dariusz" - 07-03-29 7:49:46 Dodatek Service Pack 2

(Joan Sunshine) #16

That file may be hidden; enable viewing of hidden and system files. Anyway, this is described in Picasso's thread, did you do everything as she advised? There aren't that many files in Application Data, so at most post a screenshot.

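The advice above (enable hidden and system files, then look in Application Data) can be done from a script instead of Explorer. The following is an added example, not code from the thread or from any tool mentioned in it; it assumes PowerShell 3 or later on .NET 4 (for `-File` and `HasFlag`), and the `$Root` path is an assumption, since the thread never names the exact folder. Names such as "??sks.exe" usually contain characters outside the console's code page, so the script prints the exact code points of each suspicious name alongside its attributes, which makes the file identifiable even when Explorer and `dir` render it as question marks.

```powershell
# Added example (not from the thread): list hidden/system files under a folder and
# flag file names containing characters outside printable ASCII, which cmd/Explorer
# render as "?" (the "??sks.exe" case discussed above).
param(
    # Assumption: folder to inspect. The thread mentions "Application Data" without a
    # full path, so default to the current user's roaming profile folder.
    [string]$Root = $env:APPDATA
)

function Find-OddNamedFiles {
    param([string]$Path)

    # -Force includes Hidden and System entries that a default listing omits.
    Get-ChildItem -Path $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $attr = $_.Attributes
            $hiddenAndSystem = $attr.HasFlag([IO.FileAttributes]::Hidden) -and
                               $attr.HasFlag([IO.FileAttributes]::System)
            # Any code point outside 0x20-0x7E cannot be typed reliably at a cmd prompt
            # and shows up as '?' in listings.
            $oddName = $_.Name -match '[^\x20-\x7E]'
            $hiddenAndSystem -or $oddName
        } |
        ForEach-Object {
            [pscustomobject]@{
                FullName   = $_.FullName
                Attributes = $_.Attributes
                # Exact UTF-16 code units of the name, so the file can be addressed by
                # script (Remove-Item -LiteralPath) rather than by retyping the name.
                NameCodes  = ($_.Name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
                SizeBytes  = $_.Length
                LastWrite  = $_.LastWriteTimeUtc
            }
        }
}

Find-OddNamedFiles -Path $Root | Format-Table -AutoSize
```

Once a hit is identified, act on it with `-LiteralPath` (taking the `FullName` from the output) rather than a wildcard, so the odd characters are not interpreted by the shell; and keep the listing, including the code points and timestamps, as the record of what was found before anything is removed.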

(Dariuszopala) #17

I did it just as in Picasso's post... but that ??sks.exe file isn't on the list of hidden files... I would post a screenshot, but I can't find a free host online, and the ones I do find aren't working because they happen to be under maintenance :?

So is there any way to get my Symantec protecting my computer again? Not counting a format :stuck_out_tongue:

Hmmm.. so I guess I can't be helped anymore... only a format is left...