Nadal problem z csrss.exe 100% obiążenie procka


(szejk) #1
Logfile of HijackThis v1.99.1

Scan saved at 20:54:05, on 2006-07-11

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\Program Files\Spamihilator\spamihilator.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\WINDOWS\system32\devldr32.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\HijackThis.exe

C:\Program Files\Internet Explorer\iexplore.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe

O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe

O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [LXBSCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBStime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Lexmark\Lexmark Precision Photo\MemCard.exe -startup

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [˙_zskp`wzwhl^pdciyvsw50inkrwksz_] c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WOOKIT] C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\RunServices: [˙_zskp`wzwhl^pdciyvsw50inkrwksz_] c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

O4 - HKCU\..\Run: [Spamihilator] "C:\Program Files\Spamihilator\spamihilator.exe"

O4 - HKCU\..\Run: [˙_zskp`wzwhl^pdciyvsw50inkrwksz_] c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151186987468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151187154984

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C54FEF28-13DF-427A-9E3A-3B8D52C8D44B}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPwdSvc.exe (file missing)

O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Norton Internet Security\comHost.exe (file missing)

O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe

O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: Usługa Norton Protection Center (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

(Gblade) #2

Ściągnij Gmer'a, Przejdź do zakładki cmd i wklej:

w zakładce procesy wybierz opcje zabij wszystko, wybierz Pliki, przejdź do folderu C:\windows\system32 , znajdź _zskwrkni05wsvyicdp^lhwzwp.exe** i **\_zskwrkni05wsvyicdp^lhwzwp.dll

, podświetl i wybierz usuń.

W cmd wybierz uruchom, w procesy wybierz 3 kropki, uruchom hijackthis i skasuj wpisy:

Restart i Daj log z Gmer'a, ściągnij>>>uruchom>>>przejdź do zakładki "rootkit">>>wybierz "szukaj">>>czekaż cierpliwie aż program zakończy prace>>>klikasz "kopiuj">>>ctrl + v i wklej do posta. + silent runners


(szejk) #3

Następny problem po uruchomieniu "Gmer"a resetuje się komputer czyli nie mogę zrobić loga


(system) #4

Kiedy Gmer się resetuje ?? Jak robisz loga czy zaraz po uruchomieniu ?? Czy może przy wybraniu opcji ZABIJ WSZYSTKO ??


(szejk) #5

wczoraj przy robieniu loga prawie pod konirc restart przed chwilą zaraz po uruchomieni restart następne uruchomienie wkleiłem cytat i zabij wszystko i tu kompa nie mogłem zrestartować uzyłem przycisku na jednostce Po uruchomieni bedąc w folderze system 32 znów restart i nie zdążyłem usuną próbuję jeszcze raz


(system) #6

Rozumiem że plików też nie udało się usunąć.

Wpisz w uruchom

Następnie ściągnij killbox http://www.downloads.subratam.org/KillBox.zip Zaznaczasz opcję Delete on reboot + ALL FILES następnie w polu Full Path of File to Delete wklej ścieżki

c:\windows\system32_zskwrkni05wsvyicdp^lhwzw`p.exe

c:\windows\system32_zskwrkni05wsvyicdp^lhwzw`p.dll

C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

Następnie x- czerwony i restart kompa-dopiero dasz potwierdzenie jak wkleisz ostanią ścieżke pliku

Po wszystki nowe logi Hijackthis silent runners(info w przyklejonych) i dodatkowo wrzuć loga z programu L2Mfix Zrobionego z opcji nr 1. Chce coś sprawdzić czy ten rootkit nie ładuje się w winlogon


(szejk) #7

do tej pory udało mi sie usunąc te pliki po 2 restartach i nie wiem jak w procesach wybrać 3kropki


(system) #8

No usuwaj wpisy też

To usunołeś ??

Po wszystkim nowe logi i tego dodatkowo L2Mfix co napisałem wyżej


(szejk) #9

tak usunołem ten cytat zatrzymałem się na tych 3 kropkach jak to zrobić sory jestem laikem


(system) #10

Jeśli usunołeś pliki zostaw już te rzy kropki wklej nowe logi to zobaczymy. Te wpisy możesz usunąć w programie hijackthis poleceniem fixchecked. Info na temat usuwania wpisów w hijackthis w przyklejonych


(szejk) #11

problem z logiem z Gmera reset pod koniec pracy probuję jeszcze raz


(system) #12

Zostało

Narazie log z gmera zostaw. Miałes wkleic loga jeszcze z programu silent runners i L2Mfix


(szejk) #13


(system) #14

Nie wiem czy fix-y zadziałają więc przejdz do klucza i usuwaj ręcznie

Wpisz w uruchom regedit i ok

i usuń z prawokliku myszki

Następny

i usuń z prawokliku myszki

Następny jak już to wal i tego

Do usuwania zobacz czy pójdzie killboxem te pliki

c:\windows\system32_zskwrkni05wsvyicdp^lhwzw`p.exe

c:\windows\system32_zskwrkni05wsvyicdp^lhwzw`p.dll

No i wklej wreście tego loga z programu L2Mfix


(szejk) #15
L2MFIX find log 051206

These are the registry keys present

**********************************************************************************

Winlogon/notify:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\artm_newreg]

"DllName"="C:\\Documents and Settings\\All Users\\Dokumenty\\Settings\\artm_new.dll"

"Startup"="artm_newreg"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

  6c,00,00,00

"Logoff"="ChainWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

  6c,00,6c,00,00,00

"Logoff"="CryptnetWlxLogoffEvent"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

  6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

  6c,00,6c,00,00,00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

"Asynchronous"=dword:00000000

"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

  6c,00,6c,00,00,00

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001


**********************************************************************************

useragent:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

"SV1"=""

"Neostrada TP 6.1"="IEAKFT"


**********************************************************************************

Shell Extension key:

Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

"{00022613-0000-0000-C000-000000000046}"="Karta waciwoci pliku multimedialnego"

"{176d6597-26d3-11d1-b350-080036a75b03}"="ZarzĄdzanie skanerem ICM"

"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Strona zabezpieczeä NTFS"

"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Strona waciwoci OLE Docfile"

"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Rozszerzenia powoki dla udost©pniania zasob˘w"

"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"

"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL karty graficznej"

"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL monitora wywietlania"

"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Rozszerzenie CPL kadrowania wywietlania"

"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Strona zabezpieczeä usugi DS"

"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Strona zgodnoci"

"{56117100-C0CD-101B-81E2-00AA004AE837}"="Program obsugi danych wycinkowych powoki"

"{59099400-57FF-11CE-BD94-0020AF85B590}"="Rozszerzenie Disc Copy"

"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network"

"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ZarzĄdzanie monitorem ICM"

"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ZarzĄdzanie drukarkĄ ICM"

"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Rozszerzenia powoki dla kompresji plik˘w"

"{77597368-7b15-11d0-a0c2-080036af3f03}"="Rozszerzenie powoki drukarek sieci Web"

"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"

"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu kontekstowe szyfrowania"

"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Akt˘wka"

"{88895560-9AA2-1069-930E-00AA0030EBC8}"="Rozszerzenie ikony HyperTerminalu"

"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"

"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Profil ICC"

"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Strona zabezpieczeä drukarek"

"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Rozszerzenia powoki dla udost©pniania zasob˘w"

"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"

"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Rozszerzenie Crypto PKO"

"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Rozszerzenie Crypto Sign"

"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="PoĄczenia sieciowe"

"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="PoĄczenia sieciowe"

"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="&Skanery i aparaty fotograficzne"

"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="&Skanery i aparaty fotograficzne"

"{905667aa-acd6-11d2-8080-00805f6596d2}"="&Skanery i aparaty fotograficzne"

"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="&Skanery i aparaty fotograficzne"

"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="&Skanery i aparaty fotograficzne"

"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"

"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Rozszerzenia powoki dla hosta skrypt˘w systemu Windows"

"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"

"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"

"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"

"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Zaplanowane zadania"

"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"

"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Pasek zadaä i menu Start"

"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Wyszukaj"

"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Pomoc i obsuga techniczna"

"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Pomoc i obsuga techniczna"

"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Uruchom..."

"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"

"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"

"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Czcionki"

"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Narz©dzia administracyjne"

"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Strona waciwoci Poprzednie wersje"

"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Poprzednie wersje"

"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"

"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"

"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"

"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"

"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"

"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"

"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Pasek narz©dzi programu Microsoft Internet"

"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Stan pobierania"

"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Folder powoki zwi©kszonej"

"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Folder powoki zwi©kszonej 2"

"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"

"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Pasek przeglĄdarki Microsoft"

"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Pasek wyszukiwania"

"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Wyszukiwanie w okienku"

"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Wyszukiwanie w sieci Web"

"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Narz©dzie opcji drzewa rejestru"

"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adres"

"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Pole edycji adresu"

"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Autouzupenianie Microsoft"

"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="Wyodr©bnianie obraz˘w Trident"

"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista autouzupeniania MRU"

"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Niestandardowa lista autouzupeniania MRU"

"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Dost©pny"

"{acf35015-526e-4230-9596-becbe19f0ac9}"="Pasek podr©czny ledzenia"

"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista autouzupeniania historii Microsoft"

"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista autouzupeniania folderu powoki Microsoft"

"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Kontener wielu list autouzupeniania Microsoft"

"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Menu witryny paska powoki"

"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"

"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Pasek pulpitu powoki"

"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"

"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Pomoc dla uľytkownika"

"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globalne ustawienia folder˘w"

"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"

"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"

"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"

"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"

"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"

"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"

"{FF393560-C2A7-11CF-BFF4-444553540000}"="Historia"

"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tymczasowe pliki internetowe"

"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tymczasowe pliki internetowe"

"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"

"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="Ekran powitalny pakietu IE4"

"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"

"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"

"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"

"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Internet"

"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"

"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Pasek eksploratora"

"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"

"{88C6C381-2E85-11D0-94DE-444553540000}"="Folder pami©ci podr©cznej ActiveX"

"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"

"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"

"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Folder subskrypcji"

"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"

"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"

"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"

"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"

"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"

"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"

"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"

"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Menedľer aplikacji powoki"

"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Wyliczanie zainstalowanych aplikacji"

"{CFCCC7A0-A282-11D1-9082-006008059382}"="Publikator aplikacji Darwin"

"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"

"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"

"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"

"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+program wyodr©bniajĄcy miniatury plik˘w"

"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informacje podsumowujĄce obsugi miniatur (DOCFILES)"

"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Wyodr©bnianie miniatur HTML"

"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"

"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Kreator publikacji w sieci Web"

"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Zamawianie odbitek w sieci Web"

"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Obiekt powoki kreatora publikacji"

"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Kreator uzyskiwania profilu usugi Passport"

"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Konta uľytkownik˘w"

"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"

"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"

"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Plik kanau"

"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Skr˘t kanau"

"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Obiekt obsugi kanau"

"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"

"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"

"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"

"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"

"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"

"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"

"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"

"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"

"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"

"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"

"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"

"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"

"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"

"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"

"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"

"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"

"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"

"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"

"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"

"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"

"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"

"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Folder plik˘w trybu offline"

"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"

"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"

"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"

"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"

"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"

"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Do os˘b..."

"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"

"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"

"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Foldery w sieci Web"

"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

"{A4DF5659-0801-4A60-9607-1C48695EFDA9}"="Folder przesyania Share-to-Web"

"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"

"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"

"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"


**********************************************************************************

HKEY ROOT CLASSIDS:

**********************************************************************************

Files Found are not all bad files:

(system) #16

Ok nie ma rootkita w wpisach winlogon jest tylko to co ci napisałem że masz usunąć w rejestrze

Zobacz tym killboxem czy pójdą pliki i usun to co napisałem z rejestru.

Po usuwaniu nowe log hijackthis silent i Szczególnie Gmer z zakładki rootkit oprócz oczywiście L2MFIX .


(szejk) #17

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pomyłkowo usunołem cały RUN i tak samo w

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

co robić

Złączono Posta : 11.07.2006 (Wto) 23:55

Logfile of HijackThis v1.99.1

Scan saved at 23:56:47, on 2006-07-11

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\VTTimer.exe

C:\PROGRA~1\NEOSTR~1\CnxMon.exe

C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe

C:\Program Files\Spamihilator\spamihilator.exe

C:\PROGRA~1\NEOSTR~1\ComComp.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\devldr32.exe

C:\PROGRA~1\NEOSTR~1\Watch.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\gmer.exe

C:\Program Files\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - (no file)

O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - (no file)

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)

O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)

O4 - HKLM\..\Run: [˙_zskp`wzwhl^pdciyvsw50inkrwksz_] c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

O4 - HKLM\..\RunServices: [˙_zskp`wzwhl^pdciyvsw50inkrwksz_] c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

O4 - HKCU\..\Run: [˙_zskp`wzwhl^pdciyvsw50inkrwksz_] c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virusscanner/kavwebscan_unicode.cab

O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151186987468

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151187154984

O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C54FEF28-13DF-427A-9E3A-3B8D52C8D44B}: NameServer = 194.204.152.34 217.98.63.164

O20 - Winlogon Notify: artm_newreg - C:\WINDOWS\

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)

O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\ccPwdSvc.exe (file missing)

O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Norton Internet Security\comHost.exe (file missing)

O23 - Service: lxbs_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbscoms.exe

O23 - Service: Usługa Auto-Protect programu Norton AntiVirus (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)

O23 - Service: Usługa Norton Protection Center (NSCService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE (file missing)

O23 - Service: Symantec AVScan (SAVScan) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe (file missing)

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

"Silent Runners.vbs", revision 46, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"˙_zskp`wzwhl^pdciyvsw50inkrwksz_" = "c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe" [null data]


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

"˙_zskp`wzwhl^pdciyvsw50inkrwksz_" = "c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PCTools Site Guard"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll" ["PC Tools"]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "SSVHelper Class"

                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]

{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "PCTools Browser Monitor"

                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll" ["PC Tools"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"

  -> {HKLM...CLSID} = "Portable Media Devices"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

  -> {HKLM...CLSID} = "Portable Media Devices Menu"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

  -> {HKLM...CLSID} = "AlcoholShellEx"

                   \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Folder przesyłania Share-to-Web"

  -> {HKLM...CLSID} = "Folder przesyłania Share-to-Web"

                   \InProcServer32\(Default) = "C:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]

"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"

  -> {HKLM...CLSID} = "Shell Search Band"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]


HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"

  -> {HKLM...CLSID} = "avast"

                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"

  -> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"

                   \InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]



Group Policies [Description] {enabled Group Policy setting}:

------------------------------------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoActiveDesktop"=dword:00000001 

[disables Active Desktop; removes Web tab from Display Properties|

Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]

{User Configuration|Administrative Templates|Desktop|Active Desktop|

Disable Active Desktop}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop disabled via Group Policy.


HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\Web\Wallpaper\Idylla.bmp"



Enabled Screen Saver:

---------------------


HKCU\Control Panel\Desktop\

"SCRNSAVE.EXE" = "C:\WINDOWS\system32\sstext3d.scr" [MS]

(system) #18

Dalej siedzi czy użyłes killboxa ?? Bo jak tak to muismy zrobić inne usuwanie

Co do rejestru zobacz ten TEMAT


(szejk) #19
GMER 1.0.10.10122 - http://www.gmer.net

Rootkit 2006-07-12 00:05:33

Windows 5.1.2600 Dodatek Service Pack 2



---- Devices - GMER 1.0.10 ----


Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSEIRP_MJ_READ 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP 84022008

Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP_POWER 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSEIRP_MJ_READ 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP 84022008

Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP_POWER 84022008

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSEIRP_MJ_READ 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP 84034F00

Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP_POWER 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSEIRP_MJ_READ 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP_POWER 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSEIRP_MJ_READ 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP 84034F00

Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP_POWER 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_NAMED_PIPE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSEIRP_MJ_READ 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_WRITE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_EA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_EA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FLUSH_BUFFERS 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_VOLUME_INFORMATION 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DIRECTORY_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FILE_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SHUTDOWN 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_LOCK_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLEANUP 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_MAILSLOT 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_SECURITY 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CHANGE 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_QUOTA 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP 84034F00

Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP_POWER 84034F00

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_CLOSEIRP_MJ_READ 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_WRITE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_SET_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_EA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_SET_EA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_SHUTDOWN 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_LOCK_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_CLEANUP 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_SECURITY 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_SET_SECURITY 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_POWER 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_QUERY_QUOTA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_SET_QUOTA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_PNP 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1Port3Path0Target0Lun0 IRP_MJ_PNP_POWER 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_CREATE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_CREATE_NAMED_PIPE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_CLOSEIRP_MJ_READ 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_WRITE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_QUERY_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_SET_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_QUERY_EA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_SET_EA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_FLUSH_BUFFERS 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_QUERY_VOLUME_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_SET_VOLUME_INFORMATION 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_DIRECTORY_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_FILE_SYSTEM_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_DEVICE_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_INTERNAL_DEVICE_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_SHUTDOWN 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_LOCK_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_CLEANUP 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_CREATE_MAILSLOT 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_QUERY_SECURITY 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_SET_SECURITY 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_POWER 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_SYSTEM_CONTROL 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_DEVICE_CHANGE 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_QUERY_QUOTA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_SET_QUOTA 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_PNP 8400E008

Device \Driver\sojuscsi \Device\Scsi\sojuscsi1 IRP_MJ_PNP_POWER 8400E008

---- Processes - GMER 1.0.10 ----


Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\PROGRA~1\NEOSTR~1\NeostradaTP.exe [152] 0x00EA0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\csrss.exe [524] 0x01110000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\SYSTEM32\winlogon.exe [548] 0x01360000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\services.exe [592] 0x00A60000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\lsass.exe [604] 0x00B40000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\svchost.exe [760] 0x00A30000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\svchost.exe [808] 0x00B80000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\System32\svchost.exe [844] 0x013C0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\svchost.exe [912] 0x00990000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\svchost.exe [968] 0x00710000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\spoolsv.exe [1044] 0x01010000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [1168] 0x003E0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\Program Files\Alwil Software\Avast4\ashServ.exe [1180] 0x017A0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\Program Files\Spyware Doctor\sdhelp.exe [1272] 0x00E70000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\svchost.exe [1336] 0x00AE0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\wdfmgr.exe [1352] 0x006B0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\Explorer.EXE [1656] 0x00F90000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\WINDOWS\system32\VTTimer.exe [1884] 0x003E0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\PROGRA~1\NEOSTR~1\CnxMon.exe [1896] 0x003F0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [1904] 0x00D60000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe [1924] 0x00F30000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe [1952] 0x003F0000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [1960] 0x01400000 <-- ROOTKIT !


Process C:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe ( ***hidden*** ) 1992 <-- ROOTKIT !

Library C:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe ( ***hidden*** ) @ C:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe [1992] 0x00400000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe [1992] 0x10000000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe [1996] 0x01030000 <-- ROOTKIT !

Library c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.dll ( ***hidden*** ) @ C:\Program Files\QuickTime\qttask.exe [2016] 0x00D10000 <-- ROOTKIT !


Process C:\WINDOWS\SYSTEM32\findstr.exe ( ***hidden*** ) 3292 <-- ROOTKIT !


Process C:\WINDOWS\system32\cmd.exe ( ***hidden*** ) 3484 <-- ROOTKIT !


Process cmd.exe ( ***hidden*** ) 3968 <-- ROOTKIT !


---- Modules - GMER 1.0.10 ----


Module _________ F745F000


---- Registry - GMER 1.0.10 ----


Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@?_zskp`wzwhl^pdciyvsw50inkrwksz_ c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

Reg \Registry\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices@?_zskp`wzwhl^pdciyvsw50inkrwksz_ c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe

Reg \Registry\USER\S-1-5-21-789336058-1682526488-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run@?_zskp`wzwhl^pdciyvsw50inkrwksz_ c:\windows\system32\_zskwrkni05wsvyicdp^lhwzw`p.exe


---- Files - GMER 1.0.10 ----


File C:\System Volume Information\MountPointManagerRemoteDatabase                                                                                  

File C:\System Volume Information\tracking.log                                                                                                     

File C:\System Volume Information\_restore{3F1FC80D-DA9B-4089-9749-F5FB23DAB24E}                                                                   

File C:\System Volume Information\_restore{DAEFAA36-5989-44B1-8AB6-A8BFFD6B89C5}                                                                   

File C:\WINDOWS\system32\_zskwrkni05S`MR[IPV_G`[`KXL.dll                                                                                           

File C:\WINDOWS\system32\_zskwrkni05S`MR[IPV_G`[`KXL.exe                                                                                           

File C:\WINDOWS\system32\_zskwrkni05WSVYICDP^LHWZW`P.dll                                                                                           

File E:\System Volume Information\MountPointManagerRemoteDatabase                                                                                  

File E:\System Volume Information\tracking.log                                                                                                     

File E:\System Volume Information\_restore{3F1FC80D-DA9B-4089-9749-F5FB23DAB24E}                                                                   

File E:\System Volume Information\_restore{888D7EFA-6EF1-40E4-A7F8-FC229C4D956B}                                                                   

File E:\System Volume Information\_restore{DAEFAA36-5989-44B1-8AB6-A8BFFD6B89C5}                                                                   

File F:\System Volume Information\MountPointManagerRemoteDatabase                                                                                  

File F:\System Volume Information\tracking.log                                                                                                     

File F:\System Volume Information\_restore{3F1FC80D-DA9B-4089-9749-F5FB23DAB24E}                                                                   

File F:\System Volume Information\_restore{888D7EFA-6EF1-40E4-A7F8-FC229C4D956B}                                                                   

File F:\System Volume Information\_restore{DAEFAA36-5989-44B1-8AB6-A8BFFD6B89C5}                                                                   


---- EOF - GMER 1.0.10 ----

[/code]

[color=darkblue][size=75]Złączono Posta: 12.07.2006 (Sro) 0:08[/size][/color]

wpis w" winlogon :usunołem ato"Zobacz tym killboxem czy pójdą pliki i usun to co napisałem z rejestru. "jakie pliki mam tym killboxem usunąć?a z rejestru usunołem ceły run


(system) #20

Ok zrób tak. Bedziesz miał 2 metody jeśli gmer zawiedzie

1.

Wchodzisz do Gmer-a i w zakładce cmd wlejasz

wybierasz regedit i wklejasz

Następnie przechodzisz do funckji zabij wszystko potem z powrotem do cmd i dla każdego z osobna cmd i regedit wybierasz uruchom. restart kompa

2.

Metoda druga to konsola zobacz jak uruchomić KONSOLĘ

Te same komendy wpisujesz w konsoli tylko przed tym zrób fix.

Otwórz notatnik i wklej w nim to

Następnie plik zapisz jako , Zmień rozszerzenie z TXT na Wszystkie pliki i pod nazwą fix.reg. Po usuwaniu plików w konsoli przechodziśz do trybu awaryjnego i urucho plik fiz.reg.

Po wszystkim nowe logi do kontroli mam nadzieje że pójdzie.

EDIT Miałeś zobaczyś czy usuniesz pliki killboxem podałem ci ścieżke i sposób usuwania.

Współpracuj zemną i czytaj co pisze bo będzie to najdłuższy temt w historii DD. To jest ciężki syf i pomagaj mi to usuwać odpawiadając na to co pisze