Problem z wirusami/antywirem

adam9870 · 6 Luty 2007 22:16

Czy zmieniałeś znaczki z disable na enable w Windows Worms Doors Cleanerze?

Start => uruchom => cmd => wpisz:

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\system32\ctpmon.exe

C:\WINDOWS\system32\rpcc.dll

C:\WINDOWS\system32\msasvc.exe

po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.

Po usunięciu, najlepiej jeszcze przed połączeniem się z internetem usuń folder kopii killboxa -> c:!killbox.

Usuń wpisy HJT.

Dziwi mnie ciągle powracanie tego samego syfu. Może to powodować np. odwiedzanie jakiejś strony ze szkodnikami lub siedzenie jakiegoś trojana typu downloader pobierającego na dysk malware lub coś trzymającego te wpisy np. ukryty sterownik. Dlatego jeśli chcesz walczyć z syfem to po wykonaniu pokaż nowy log z HJT, Silenta oraz dwa logi z Gmer’a wykonane przy takich ustawieniach:

Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta

Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, umieść je w plikach tekstowych, umieść w jakimś serwisie hostingowym, a tutaj tylko zlinkuj do nich.

http://forum.dobreprogramy.pl/viewtopic.php?t=96929

larekgi · 6 Luty 2007 22:38

Witam mi na podobny problem pomógł ten program http://www.pctools.com/pl/spyware-doctor/ .Po tygodniowej walce nic mi nie pomagało ciągle to samo a teraz śmiga aż miło. pzdr.

adam9870 · 6 Luty 2007 22:48

larekgi SpywareDoctor jest programem wątpliwej reputacji. Jego główną wadą jest m.in to, że pokazuje prawidłowe rzeczy jako szkodliwe. Tak więc nie polecam go używać. O wiele lepszy jest AVG Anti-Spyware.

giga89 · 6 Luty 2007 22:55

GMER 1.0.12.12027 - http://www.gmer.net Rootkit scan 2007-02-06 23:56:45 Windows 5.1.2600 Dodatek Service Pack 2 ---- User code sections - GMER 1.0.12 ---- .text C:\WINDOWS\system32\wbem\wmiprvse.exe[212] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[212] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[212] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\winlogon.exe[524] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\winlogon.exe[524] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\winlogon.exe[524] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\services.exe[568] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\services.exe[568] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\services.exe[568] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\lsass.exe[580] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\lsass.exe[580] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\lsass.exe[580] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\ati2evxx.exe[724] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\ati2evxx.exe[724] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\ati2evxx.exe[724] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\svchost.exe[740] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\svchost.exe[740] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\svchost.exe[740] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\svchost.exe[840] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\svchost.exe[840] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\svchost.exe[840] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\svchost.exe[1008] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\ati2evxx.exe[1132] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\ati2evxx.exe[1132] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\ati2evxx.exe[1132] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\wuauclt.exe[1144] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\wuauclt.exe[1144] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\wuauclt.exe[1144] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\explorer.exe[1208] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\explorer.exe[1208] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\explorer.exe[1208] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\spoolsv.exe[1280] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1340] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1340] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1340] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\Documents and Settings\Emosik\Pulpit\gmer\gmer.exe[1624] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\wuauclt.exe[1796] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\wuauclt.exe[1796] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\wuauclt.exe[1796] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1864] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1864] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe[1864] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\alg.exe[1872] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\alg.exe[1872] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\alg.exe[1872] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1956] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA1379 .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1956] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA13C6 .text C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1956] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA13D3 ---- EOF - GMER 1.0.12 ---- ------------=-=-=-=-===================== z 2 opcji uslugi : GMER 1.0.12.12027 - http://www.gmer.net Rootkit scan 2007-02-06 23:58:32 Windows 5.1.2600 Dodatek Service Pack 2 ---- Services - GMER 1.0.12 ---- Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\system32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service C:\WINDOWS\System32\Drivers\adildr.sys [AUTO] ADILOADER Service C:\WINDOWS\system32\DRIVERS\adiusbaw.sys [MANUAL] adiusbaw Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [sYSTEM] AFD Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM Service C:\WINDOWS\system32\svchost.exe [DISABLED] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service C:\WINDOWS\system32\DRIVERS\amdk7.sys [sYSTEM] AmdK7 Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service C:\WINDOWS\system32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\system32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\system32\Ati2evxx.exe [AUTO] Ati HotKey Poller Service C:\WINDOWS\system32\ati2sgag.exe [AUTO] ATI Smart Service C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag Service C:\WINDOWS\system32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\system32\DRIVERS\audstub.sys [MANUAL] audstub Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\system32\svchost.exe [MANUAL] BITS Service C:\WINDOWS\system32\svchost.exe [AUTO] Browser Service [DISABLED] cbidf2k Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\system32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\system32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch Service C:\WINDOWS\system32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\system32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\system32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\system32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\system32\DRIVERS\fdc.sys [MANUAL] Fdc Service [sYSTEM] Fips Service C:\WINDOWS\system32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service C:\WINDOWS\system32\DRIVERS\fltMgr.sys [bOOT] FltMgr Service [sYSTEM] Fs_Rec Service C:\WINDOWS\system32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\system32\DRIVERS\gameenum.sys [MANUAL] gameenum Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\system32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service [DISABLED] hpn Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\system32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service C:\WINDOWS\system32\DRIVERS\imapi.sys [sYSTEM] Imapi Service C:\WINDOWS\system32\imapi.exe [MANUAL] ImapiService Service inetaccs Service [DISABLED] ini910u Service Inport Service [DISABLED] IntelIde Service C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw Service C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\system32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\system32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\system32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\system32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\system32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\system32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\WINDOWS\system32\svchost.exe [AUTO] LmHosts Service C:\WINDOWS\system32\svchost.exe [DISABLED] Messenger Service [sYSTEM] mnmdd Service C:\WINDOWS\system32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\system32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\system32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\system32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\system32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service C:\WINDOWS\system32\DRIVERS\mssmbios.sys [MANUAL] mssmbios Service C:\WINDOWS\system32\drivers\msmpu401.sys [MANUAL] ms_mpu401 Service [bOOT] Mup Service [bOOT] NDIS Service C:\WINDOWS\system32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\system32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\system32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\system32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\system32\DRIVERS\netbt.sys [MANUAL] NetBT Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm Service C:\WINDOWS\system32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\system32\svchost.exe [MANUAL] Nla Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\system32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [sYSTEM] Null Service C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\system32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\system32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service [DISABLED] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\system32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\system32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\system32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\system32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\system32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\system32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\system32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\system32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\system32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service C:\WINDOWS\system32\DRIVERS\rdpdr.sys [MANUAL] rdpdr Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\system32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\system32\svchost.exe [DISABLED] RemoteAccess Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry Service C:\WINDOWS\system32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\system32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139 Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\system32\DRIVERS\secdrv.sys [MANUAL] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\system32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\system32\DRIVERS\serial.sys [sYSTEM] Serial Service [sYSTEM] Sfloppy Service C:\WINDOWS\system32\svchost.exe [AUTO] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\system32\DRIVERS\sr.sys [bOOT] sr Service C:\WINDOWS\system32\svchost.exe [AUTO] srservice Service C:\WINDOWS\system32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\system32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\system32\svchost.exe [MANUAL] stisvc Service C:\WINDOWS\system32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\system32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\system32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\system32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service C:\WINDOWS\system32\tlntsvr.exe [DISABLED] TlntSvr Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\system32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\system32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\system32\DRIVERS\usbehci.sys [MANUAL] usbehci Service C:\WINDOWS\system32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR Service C:\WINDOWS\system32\DRIVERS\usbuhci.sys [MANUAL] usbuhci Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service C:\WINDOWS\system32\DRIVERS\viaide.sys [bOOT] ViaIde Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\system32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\system32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi Service WmiApRpl Service C:\WINDOWS\system32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service [sYSTEM] WS2IFSL Service C:\WINDOWS\System32\svchost.exe [AUTO] wscsvc Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov Service {71AF2924-877E-4117-9F6F-F2DD96BE728A} ---- EOF - GMER 1.0.12 ----

rpcc w hjt dalej jest …omg…:(( a w wind doors cleanerze jest wszystko na zielono oprucz jednego na zolto…czyli ok…

adam9870 · 7 Luty 2007 14:34

Ja tu nic podejrzanego nie widzę. :roll:

Przeskanuj skanerami on-line i wrzuć nowe logi (hijack + silent).

giga89 · 7 Luty 2007 16:36

http://rapidshare.com/files/15371405/kasperski.html

logi :

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [file not found] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Komunikator” = ““C:\Program Files\Tlen.pl\tlen.exe” --confdir=home” [“o2.pl Sp. z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [file not found] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [file not found] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> instcat\DLLName = “instcat.dll” [MS] <> rpcc\DLLName = “C:\WINDOWS\system32\rpcc.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Emosik\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Emosik” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] Microsoft authenticate service, MsaSvc, “C:\WINDOWS\system32\msasvc.exe” [null data] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 37 seconds, including 4 seconds for message boxes)

=-=—=-==-=–=-=-=-=–==-

HJ :

Logfile of HijackThis v1.99.1 Scan saved at 17:40:29, on 2007-02-07 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\msasvc.exe C:\WINDOWS\system32\ctpmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\ctpmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE D:\instalkii\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gadnet.hit.gemius.pl/hitredir/id … acharel.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [Komunikator] “C:\Program Files\Tlen.pl\tlen.exe” --confdir=home O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O17 - HKLM\System\CCS\Services\Tcpip…{7F4CAF70-37DA-42A8-AF05-35CC9A760DBC}: NameServer = 194.204.152.34 217.98.63.164 O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

omg dalej to gowno ;(

czy format calego dysku pomoze?

adam9870 · 7 Luty 2007 16:44

Start => uruchom => cmd => wpisz:

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\system32\ctpmon.exe

C:\WINDOWS\SYSTEM32\instcat.dll

C:\WINDOWS\system32\rpcc.dll

C:\WINDOWS\system32\msasvc.exe

po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.

Start => uruchom => regedit => przejdź do:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

i skasuj z prawokliku instcat oraz rpcc

Dodatkowo sprawdź czy w:

*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services*

*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services*

*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services*

masz MsaSvc , a jeśli tak to usuń.

Usuń wpisy HJT.

Użyj skanerów on-line. Szczególnie Kasperskiego oraz ewido.

Nie wiem skąd ten syf się ciągle bierze. Może odwiedzasz ciągle jakąś zainfekowaną stronę.

giga89 · 7 Luty 2007 16:48

dalem ci linka do raportu z kasperskiego musisz se sciagnac… w mojej poprzedniej odpowiedzi oblukaj a ja ide to zrobic zw;p

Złączono Posta : 07.02.2007 (Sro) 18:05

przed polaczeniem z netem log :

Logfile of HijackThis v1.99.1 Scan saved at 18:02:59, on 2007-02-07 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Windows NT\Accessories\WORDPAD.EXE C:\WINDOWS\regedit.exe D:\instalkii\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gadnet.hit.gemius.pl/hitredir/id … acharel.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [Komunikator] “C:\Program Files\Tlen.pl\tlen.exe” --confdir=home O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

/ znalazlo MsaSvc w Controlset002 i skasowalem…A czy jak znajde go gdzie indziej przy opcji “znajdz” to tez skasowac? bo jak tak wpisywalem to znalazlo nawet rpcc i jakies innne syfy tez

po polaczeniu z netem :

Logfile of HijackThis v1.99.1 Scan saved at 18:06:35, on 2007-02-07 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Windows NT\Accessories\WORDPAD.EXE C:\WINDOWS\system32\msasvc.exe C:\WINDOWS\system32\ctpmon.exe C:\WINDOWS\system32\ctpmon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\max1d1641.exe C:\WINDOWS\system32\wuauclt.exe D:\instalkii\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/ R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gadnet.hit.gemius.pl/hitredir/id … acharel.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [Komunikator] “C:\Program Files\Tlen.pl\tlen.exe” --confdir=home O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O17 - HKLM\System\CCS\Services\Tcpip…{7F4CAF70-37DA-42A8-AF05-35CC9A760DBC}: NameServer = 194.204.152.34 217.98.63.164 O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

powodzenia …

tu ten link z raportem z kasperskiego http://rapidshare.com/files/15371405/kasperski.html

Gutek · 7 Luty 2007 19:42

Użyj Combofix - http://download.bleepingcomputer.com/sUBs/combofix.exe i daj loga jak skończy

giga89 · 7 Luty 2007 22:52

ten link nie dziala :S ale znalazlem gdzie indziej combofixa …robie scanna nim a nagle znajduje c;\windows\system32\rpcc.dll cos tam po angliesku nie wiem co bo nie zdazylem przeczytac i nagle wszystkie ikonki z pulpitu znikaja i czekalemz 10 min i /cenzura/.dalem restarta.Drugi raz tez probowalem i dalej to samo…zwiesza sie komp :X a co widac w tym raporcie kasperskiego?

Gutek · 8 Luty 2007 11:40

W czasie pracy combofix nic nie rób poczekaj aż skończy

giga89 · 8 Luty 2007 16:33

wiem jak dziala comboffix bo juz nim robilem kiedys skana i nie bylo tka jak teraz…

Złączono Posta : 09.02.2007 (Pią) 10:40

widze ez nikt nie ma juz pomyslu i sily do mojego komputera

kennex · 9 Luty 2007 15:04

Złączył Ci się post, przypadkowo zauważyłem to odpiszę, bo temat pójdzie w zapomnienie :).

Jak jeszcze nie zrobiłaś formatu, to możesz wrzucić loga z alternatywy, lm2fix z opcji 1 (http://downloads.subratam.org/l2mfix.exe).

adam9870 · 9 Luty 2007 15:08

Ma, tylko My musimy w końcu na jakiejś podstawie pracować i wiedzieć co masz w systemie, jakie pliki etc. a do tego są potrzebne logi i bez nich niestety niewiele poradzimy bo nie jesteśmy wróżkami. Tak więc użyj ComboFix (najlepiej na nowo) i pokaż raport.

giga89 · 9 Luty 2007 20:09

mowie … nie dziala mi Combofix… juz przedtem go uzywalem a teraz mi nie dziala

adam9870 · 9 Luty 2007 20:17

W takim razie wrzuć nowy log z Hijacka, Silenta oraz log z numer 1 z narzędzia L2Mfix.

giga89 · 9 Luty 2007 23:51

Logfile of HijackThis v1.99.1 Scan saved at 00:50, on 07-02-10 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\explorer.exe C:\WINDOWS\system32\msmsgs.exe C:\WINDOWS\system32\msmsgs.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\NOTEPAD.EXE D:\instalkii\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://gadnet.hit.gemius.pl/hitredir/id … acharel.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = L1cza O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [svcManager] svhostl5.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [Komunikator] “C:\Program Files\Tlen.pl\tlen.exe” --confdir=home O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.pl/resources/virus … nicode.cab O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://bezpieczenstwo.onet.pl/skaner/ArcaOnline.cab O17 - HKLM\System\CCS\Services\Tcpip…{7F4CAF70-37DA-42A8-AF05-35CC9A760DBC}: NameServer = 194.204.152.34 217.98.63.164 O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_sd.dll c:\windows\system32\ldcore.dll O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: HID Input Service WIN32 (HID_Input_Service_WIN32) - Unknown owner - C:\WINDOWS\system32\msiexecu.exe (file missing) O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe

L2MFIX find log 051206 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent] “DLLName”=“Ati2evxx.dll” “Asynchronous”=dword:00000000 “Impersonate”=dword:00000001 “Lock”=“AtiLockEvent” “Logoff”=“AtiLogoffEvent” “Logon”=“AtiLogonEvent” “Disconnect”=“AtiDisConnectEvent” “Reconnect”=“AtiReConnectEvent” “Safe”=dword:00000000 “Shutdown”=“AtiShutdownEvent” “StartScreenSaver”=“AtiStartScreenSaverEvent” “StartShell”=“AtiStartShellEvent” “Startup”=“AtiStartupEvent” “StopScreenSaver”=“AtiStopScreenSaverEvent” “Unlock”=“AtiUnLockEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt] “DLLName”=“crypts.dll” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 “StartShell”=“Run” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 “Logoff”=“ChainWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Logoff”=“CryptnetWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] “DLLName”=“cscdll.dll” “Logon”=“WinlogonLogonEvent” “Logoff”=“WinlogonLogoffEvent” “ScreenSaver”=“WinlogonScreenSaverEvent” “Startup”=“WinlogonStartupEvent” “Shutdown”=“WinlogonShutdownEvent” “StartShell”=“WinlogonStartShellEvent” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rpcc] “DllName”=“C:\WINDOWS\system32\rpcc.dll” “Asynchronous”=dword:00000001 “Impersonate”=dword:00000001 “Startup”=“Startup” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] “DLLName”=“wlnotify.dll” “Logon”=“SCardStartCertProp” “Logoff”=“SCardStopCertProp” “Lock”=“SCardSuspendCertProp” “Unlock”=“SCardResumeCertProp” “Enabled”=dword:00000001 “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] “Asynchronous”=dword:00000000 “DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Impersonate”=dword:00000000 “StartShell”=“SchedStartShell” “Logoff”=“SchedEventLogOff” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] “Logoff”=“WLEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 “DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] “DLLName”=“WlNotify.dll” “Lock”=“SensLockEvent” “Logon”=“SensLogonEvent” “Logoff”=“SensLogoffEvent” “Safe”=dword:00000001 “MaxWait”=dword:00000258 “StartScreenSaver”=“SensStartScreenSaverEvent” “StopScreenSaver”=“SensStopScreenSaverEvent” “Startup”=“SensStartupEvent” “Shutdown”=“SensShutdownEvent” “StartShell”=“SensStartShellEvent” “PostShell”=“SensPostShellEvent” “Disconnect”=“SensDisconnectEvent” “Reconnect”=“SensReconnectEvent” “Unlock”=“SensUnlockEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] “Asynchronous”=dword:00000000 “DllName”=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Impersonate”=dword:00000000 “Logoff”=“TSEventLogoff” “Logon”=“TSEventLogon” “PostShell”=“TSEventPostShell” “Shutdown”=“TSEventShutdown” “StartShell”=“TSEventStartShell” “Startup”=“TSEventStartup” “MaxWait”=dword:00000258 “Reconnect”=“TSEventReconnect” “Disconnect”=“TSEventDisconnect” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] “DLLName”=“wlnotify.dll” “Logon”=“RegisterTicketExpiredNotificationEvent” “Logoff”=“UnregisterTicketExpiredNotificationEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] “SV1”="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{00022613-0000-0000-C000-000000000046}”=“Karta waciwoci pliku multimedialnego” “{176d6597-26d3-11d1-b350-080036a75b03}”=“ZarzĄdzanie skanerem ICM” “{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=“Strona zabezpieczeä NTFS” “{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=“Strona waciwoci OLE Docfile” “{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{41E300E0-78B6-11ce-849B-444553540000}”=“PlusPack CPL Extension” “{42071712-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL karty graficznej” “{42071713-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL monitora wywietlania” “{42071714-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL kadrowania wywietlania” “{4E40F770-369C-11d0-8922-00A024AB2DBB}”=“Strona zabezpieczeä usugi DS” “{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}”=“Strona zgodnoci” “{56117100-C0CD-101B-81E2-00AA004AE837}”=“Program obsugi danych wycinkowych powoki” “{59099400-57FF-11CE-BD94-0020AF85B590}”=“Rozszerzenie Disc Copy” “{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=“Rozszerzenia powoki dla obiekt˘w Microsoft Windows Network” “{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=“ZarzĄdzanie monitorem ICM” “{675F097E-4C4D-11D0-B6C1-0800091AA605}”=“ZarzĄdzanie drukarkĄ ICM” “{764BF0E1-F219-11ce-972D-00AA00A14F56}”=“Rozszerzenia powoki dla kompresji plik˘w” “{77597368-7b15-11d0-a0c2-080036af3f03}”=“Rozszerzenie powoki drukarek sieci Web” “{7988B573-EC89-11cf-9C00-00AA00A14F56}”=“Disk Quota UI” “{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=“Menu kontekstowe szyfrowania” “{85BBD920-42A0-1069-A2E4-08002B30309D}”=“Akt˘wka” “{88895560-9AA2-1069-930E-00AA0030EBC8}”=“Rozszerzenie ikony HyperTerminalu” “{BD84B380-8CA2-1069-AB1D-08000948F534}”=“Fonts” “{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=“Profil ICC” “{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=“Strona zabezpieczeä drukarek” “{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=“Rozszerzenia powoki dla udost©pniania zasob˘w” “{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=“Display TroubleShoot CPL Extension” “{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto PKO” “{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto Sign” “{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=“PoĄczenia sieciowe” “{992CFFA0-F557-101A-88EC-00DD010CCC48}”=“PoĄczenia sieciowe” “{E211B736-43FD-11D1-9EFB-0000F8757FCD}”="&Skanery i aparaty fotograficzne" “{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}”="&Skanery i aparaty fotograficzne" “{905667aa-acd6-11d2-8080-00805f6596d2}”="&Skanery i aparaty fotograficzne" “{3F953603-1008-4f6e-A73A-04AAC7A992F1}”="&Skanery i aparaty fotograficzne" “{83bbcbf3-b28a-4919-a5aa-73027445d672}”="&Skanery i aparaty fotograficzne" “{F0152790-D56E-4445-850E-4F3117DB740C}”=“Remote Sessions CPL Extension” “{60254CA5-953B-11CF-8C96-00AA00B8708C}”=“Rozszerzenia powoki dla hosta skrypt˘w systemu Windows” “{2206CDB2-19C1-11D1-89E0-00C04FD7A829}”=“Microsoft Data Link” “{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Icon Handler” “{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Shell Extension” “{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=“Zaplanowane zadania” “{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}”=“Set Program Access and Defaults” “{5F327514-6C5E-4d60-8F16-D07FA08A78ED}”=“Auto Update Property Sheet Extension” “{0DF44EAA-FF21-4412-828E-260A8728E7F1}”=“Pasek zadaä i menu Start” “{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}”=“Wyszukaj” “{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}”=“Pomoc i obsuga techniczna” “{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}”=“Pomoc i obsuga techniczna” “{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}”=“Uruchom…” “{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}”=“Internet” “{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}”=“E-mail” “{D20EA4E1-3957-11d2-A40B-0C5020524152}”=“Czcionki” “{D20EA4E1-3957-11d2-A40B-0C5020524153}”=“Narz©dzia administracyjne” “{596AB062-B4D2-4215-9F74-E9109B0A8153}”=“Strona waciwoci Poprzednie wersje” “{9DB7A13C-F208-4981-8353-73CC61AE2783}”=“Poprzednie wersje” “{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}”=“Audio Media Properties Handler” “{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}”=“Video Media Properties Handler” “{E4B29F9D-D390-480b-92FD-7DDB47101D71}”=“Wav Properties Handler” “{87D62D94-71B3-4b9a-9489-5FE6850DC73E}”=“Avi Properties Handler” “{A6FD9E45-6E44-43f9-8644-08598F5A74D9}”=“Midi Properties Handler” “{c5a40261-cd64-4ccf-84cb-c394da41d590}”=“Video Thumbnail Extractor” “{5E6AB780-7743-11CF-A12B-00AA004AE837}”=“Pasek narz©dzi programu Microsoft Internet” “{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=“Stan pobierania” “{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=“Folder powoki zwi©kszonej” “{6413BA2C-B461-11d1-A18A-080036B11A03}”=“Folder powoki zwi©kszonej 2” “{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=“BandProxy” “{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=“Pasek przeglĄdarki Microsoft” “{30D02401-6A81-11d0-8274-00C04FD5AE38}”=“Pasek wyszukiwania” “{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=“Wyszukiwanie w okienku” “{07798131-AF23-11d1-9111-00A0C98BA67D}”=“Wyszukiwanie w sieci Web” “{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=“Narz©dzie opcji drzewa rejestru” “{01E04581-4EEE-11d0-BFE9-00AA005B4383}”="&Adres" “{A08C11D2-A228-11d0-825B-00AA005B4383}”=“Pole edycji adresu” “{00BB2763-6A77-11D0-A535-00C04FD7D062}”=“Autouzupenianie Microsoft” “{7376D660-C583-11d0-A3A5-00C04FD706EC}”=“Wyodr©bnianie obraz˘w Trident” “{6756A641-DE71-11d0-831B-00AA005B4383}”=“Lista autouzupeniania MRU” “{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}”=“Niestandardowa lista autouzupeniania MRU” “{7e653215-fa25-46bd-a339-34a2790f3cb7}”=“Dost©pny” “{acf35015-526e-4230-9596-becbe19f0ac9}”=“Pasek podr©czny ledzenia” “{00BB2764-6A77-11D0-A535-00C04FD7D062}”=“Lista autouzupeniania historii Microsoft” “{03C036F1-A186-11D0-824A-00AA005B4383}”=“Lista autouzupeniania folderu powoki Microsoft” “{00BB2765-6A77-11D0-A535-00C04FD7D062}”=“Kontener wielu list autouzupeniania Microsoft” “{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=“Menu witryny paska powoki” “{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=“Shell DeskBarApp” “{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=“Pasek pulpitu powoki” “{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=“Shell Rebar BandSite” “{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=“Pomoc dla uľytkownika” “{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=“Globalne ustawienia folder˘w” “{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=“Favorites Band” “{0A89A860-D7B1-11CE-8350-444553540000}”=“Shell Automation Inproc Service” “{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=“Shell DocObject Viewer” “{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}”=“Microsoft Browser Architecture” “{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=“InternetShortcut” “{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=“Microsoft Url History Service” “{FF393560-C2A7-11CF-BFF4-444553540000}”=“Historia” “{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{7BD29E01-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=“Microsoft Url Search Hook” “{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=“Ekran powitalny pakietu IE4” “{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=“CDF Extension Copy Hook” “{131A6951-7F78-11D0-A979-00C04FD705A2}”=“ISFBand OC” “{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=“Search Assistant OC” “{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=“Internet” “{871C5380-42A0-1069-A2EA-08002B30309D}”=“Internet Name Space” “{EFA24E64-B078-11d0-89E4-00C04FC9E26E}”=“Pasek eksploratora” “{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=“WebCheck” “{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=“Subscription Mgr” “{F5175861-2688-11d0-9C5E-00AA00A45957}”=“Folder subskrypcji” “{08165EA0-E946-11CF-9C87-00AA005127ED}”=“WebCheckWebCrawler” “{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=“WebCheckChannelAgent” “{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=“TrayAgent” “{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=“Code Download Agent” “{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=“ConnectionAgent” “{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=“PostAgent” “{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=“WebCheck SyncMgr Handler” “{352EC2B7-8B9A-11D1-B8AE-006008059382}”=“Menedľer aplikacji powoki” “{0B124F8F-91F0-11D1-B8B5-006008059382}”=“Wyliczanie zainstalowanych aplikacji” “{CFCCC7A0-A282-11D1-9082-006008059382}”=“Publikator aplikacji Darwin” “{e84fda7c-1d6a-45f6-b725-cb260c236066}”=“Shell Image Verbs” “{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}”=“Shell Image Data Factory” “{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}”=“Autoplay for SlideShow” “{3F30C968-480A-4C6C-862D-EFC0897BB84B}”=“GDI+program wyodr©bniajĄcy miniatury plik˘w” “{9DBD2C50-62AD-11d0-B806-00C04FD706EC}”=“Informacje podsumowujĄce obsugi miniatur (DOCFILES)” “{EAB841A0-9550-11cf-8C16-00805F1408F3}”=“Wyodr©bnianie miniatur HTML” “{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}”=“Shell Image Property Handler” “{CC6EEFFB-43F6-46c5-9619-51D571967F7D}”=“Kreator publikacji w sieci Web” “{add36aa8-751a-4579-a266-d66f5202ccbb}”=“Zamawianie odbitek w sieci Web” “{6b33163c-76a5-4b6c-bf21-45de9cd503a1}”=“Obiekt powoki kreatora publikacji” “{58f1f272-9240-4f51-b6d4-fd63d1618591}”=“Kreator uzyskiwania profilu usugi Passport” “{7A9D77BD-5403-11d2-8785-2E0420524153}”=“Konta uľytkownik˘w” “{BD472F60-27FA-11cf-B8B4-444553540000}”=“Compressed (zipped) Folder Right Drag Handler” “{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}”=“Compressed (zipped) Folder SendTo Target” “{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=“Plik kanau” “{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=“Skr˘t kanau” “{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=“Obiekt obsugi kanau” “{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=“Channel Menu” “{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=“Channel Properties” “{692F0339-CBAA-47e6-B5B5-3B84DB604E87}”=“Extensions Manager Folder” “{63da6ec0-2e98-11cf-8d82-444553540000}”=“FTP Folders Webview” “{883373C3-BF89-11D1-BE35-080036B11A03}”=“Microsoft DocProp Shell Ext” “{A9CF0EAE-901A-4739-A481-E35B73E47F6D}”=“Microsoft DocProp Inplace Edit Box Control” “{8EE97210-FD1F-4B19-91DA-67914005F020}”=“Microsoft DocProp Inplace ML Edit Box Control” “{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}”=“Microsoft DocProp Inplace Droplist Combo Control” “{6A205B57-2567-4A2C-B881-F787FAB579A3}”=“Microsoft DocProp Inplace Calendar Control” “{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}”=“Microsoft DocProp Inplace Time Control” “{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=“Directory Query UI” “{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=“Shell properties for a DS object” “{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=“Directory Object Find” “{F020E586-5264-11d1-A532-0000F8757D7E}”=“Directory Start/Search Find” “{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=“Directory Property UI” “{62AE1F9A-126A-11D0-A14B-0800361B1103}”=“Directory Context Menu Verbs” “{ECF03A33-103D-11d2-854D-006008059367}”=“MyDocs Copy Hook” “{ECF03A32-103D-11d2-854D-006008059367}”=“MyDocs Drop Target” “{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=“MyDocs Properties” “{750fdf0e-2a26-11d1-a3ea-080036587f03}”=“Offline Files Menu” “{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=“Offline Files Folder Options” “{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=“Folder plik˘w trybu offline” “{143A62C8-C33B-11D1-84FE-00C04FA34A14}”=“Microsoft Agent Character Property Sheet Handler” “{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}”=“DfsShell” “{60fd46de-f830-4894-a628-6fa81bc0190d}”="%DESC_PublishDropTarget%" “{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=“MMC Icon Handler” “{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=".CAB file viewer" “{32714800-2E5F-11d0-8B85-00AA0044F941}”="&Do os˘b…" “{8DD448E6-C188-4aed-AF92-44956194EB1F}”=“Windows Media Player Play as Playlist Context Menu Handler” “{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}”=“Windows Media Player Burn Audio CD Context Menu Handler” “{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}”=“Windows Media Player Add to Playlist Context Menu Handler” “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”=“WinRAR shell extension” “{21569614-B795-46b1-85F4-E737A8DC09AD}”=“Shell Search Band” “{88C6C381-2E85-11D0-94DE-444553540000}”=“Folder pami©ci podr©cznej ActiveX” ********************************************************************************** HKEY ROOT CLASSIDS: ********************************************************************************** Files Found are not all bad files: C:\WINDOWS\SYSTEM32\ crypts.dll Wed Feb 7 2007 6:30:14p A… 23,040 22.50 K ldcore.dll Thu Feb 8 2007 2:24:48a A… 6,689 6.53 K msvcrl.dll Wed Feb 7 2007 9:06:38p A… 44,032 43.00 K rpcc.dll Fri Feb 9 2007 11:51:50p A… 31,232 30.50 K svch2i.dll Wed Feb 7 2007 11:50:28p A…HR 4,096 4.00 K tmp_62.dll Wed Feb 7 2007 9:06:36p A…HR 4,096 4.00 K tmp_f.dll Thu Feb 8 2007 1:35:48p A…HR 4,096 4.00 K tmp_icq.dll Mon Feb 5 2007 10:10:52p A…HR 4,096 4.00 K tmp_sd.dll Thu Feb 8 2007 6:47:44p A…HR 4,096 4.00 K wmvcore.dll Thu Dec 7 2006 5:02:24p A… 2,174,976 2.07 M 10 items found: 10 files (5 H/S), 0 directories. Total of file sizes: 2,300,449 bytes 2.19 M Locate .tmp files: C:\WINDOWS\SYSTEM32\ trj45_1.tmp Wed Feb 7 2007 9:15:16p A… 0 0.00 K trj45_2.tmp Wed Feb 7 2007 9:15:16p A… 0 0.00 K 2 items found: 2 files, 0 directories. Total of file sizes: 0 bytes 0.00 K ********************************************************************************** Directory Listing of system files: Wolumin w stacji C nie ma etykiety. Numer seryjny woluminu: 744A-F491 Katalog: C:\WINDOWS\System32 07-02-04 14:04 07-02-02 15:25 04-08-04 00:44 76,561 dllgcd.exe 04-08-04 00:44 94,143 dllhtkch.exe~ 04-08-04 00:44 79,704 hssmkrsc.exe 04-08-04 00:44 77,465 amtlldm.exe~ 04-08-04 00:44 97,720 regnrzsn.exe~ 04-08-04 00:44 94,143 advrxfsc.exe~ 6 plik(˘w) 519,736 bajt˘w 2 katalog(˘w) 15,220,846,592 bajt˘w wolnych

“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS] “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [file not found] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z oo”] “Komunikator” = ““C:\Program Files\Tlen.pl\tlen.exe” --confdir=home” [“o2.pl Sp. z o.o.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [file not found] “ATIPTA” = “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe” [“ATI Technologies, Inc.”] “WinampAgent” = “C:\Program Files\Winamp\winampa.exe” [file not found] “SvcManager” = “svhostl5.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “C:\WINDOWS\system32\tmp_sd.dll c:\windows\system32\ldcore.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ <> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”] <> crypt\DLLName = “crypts.dll” [null data] <> rpcc\DLLName = “C:\WINDOWS\system32\rpcc.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “DisableTaskMgr” = (REG_DWORD) hex:0x00000000 {unrecognized setting} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Emosik\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Startup items in “Emosik” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “DSLMON” -> shortcut to: “C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe” [empty string] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”) Added lines (compared with English-language version): : ˙ţ[V e r s i o n] : S i g n a t u r e = " $ C H I C A G O $ " : A d v a n c e d I N F = 2 . 5 , " Y o u n e e d a n e w v e r s i o n o f a d v p a c k . d l l " : : [R e s t o r e H o m e P a g e] : A d d R e g = R e s t o r e H o m e P a g e . r e g : : [R e s t o r e B r o w s e r S e t t i n g s] : A d d R e g = R e s t o r e B r o w s e r S e t t i n g s . r e g : D e l R e g = D e l e t e T e m p l a t e s . r e g , D e l e t e A u t o s e a r c h . r e g : : [R e s t o r e H o m e P a g e . r e g] : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S t a r t P a g e " , 0 , % S T A R T _ P A G E _ U R L % : : [R e s t o r e B r o w s e r S e t t i n g s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ P a g e _ U R L " , 0 , % S T A R T _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " D e f a u l t _ S e a r c h _ U R L " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 1 " , 0 , " w w w . % s . c o m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 2 " , 0 , " w w w . % s . o r g " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 3 " , 0 , " w w w . % s . n e t " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 4 " , 0 , " w w w . % s . e d u " : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " S e a r c h P a g e " , 0 , % S E A R C H _ P A G E _ U R L % : : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ S e a r c h U r l " , " P r o v i d e r " , 0 , " " : : t m " : t m " : H K L M , " S o f t w a r e \ M i c r o s o f t \ W i n d o w s \ C u r r e n t V e r s i o n \ I n t e r n e t S e t t i n g s \ S a f e S i t e s " , % S A F E S I T E _ V A L U E % , 0 , " h t t p : / / i e . s e a r c h . m s n . c o m / * " : : [D e l e t e T e m p l a t e s . r e g] : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 5 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 6 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 7 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 8 " : H K L M , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n \ U r l T e m p l a t e " , " 9 " : : [D e l e t e A u t o s e a r c h . r e g] : ; N O T E ( a n d r e w g u ) i e 5 . 5 b # 1 0 8 2 5 9 - a u t o s e a r c h s e t t i n g s a r e n o t p r o p e r l y r e s e t : H K C U , " S o f t w a r e \ M i c r o s o f t \ I n t e r n e t E x p l o r e r \ M a i n " , " A u t o S e a r c h " : : [S t r i n g s] : S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : S E A R C H _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & a r = i e s e a r c h " : S A F E S I T E _ V A L U E = " i e . s e a r c h . m s n . c o m " : : ; I M P O R T A N T N O T E : : ; I E b r a n d i n g d l l ( i e d k c s 3 2 . d l l ) u s e s t h e f o l l o w i n g e n t r i e s t o r e s t o r e t h e d e f a u l t M S v a l u e s . : ; I n t h e v a n i l l a v e r s i o n o f I E , t h e v a l u e s m u s t b e t h e s a m e a s t h e i r c o r r e s p o n d i n g n o n M S _ * v a l u e s . : ; F o r e x a m p l e , S T A R T _ P A G E _ U R L a n d M S _ S T A R T _ P A G E _ U R L m u s t h a v e t h e s a m e U R L i n t h e I E v e r s i o n r e l e a s e d b y M S . : M S _ S T A R T _ P A G E _ U R L = " h t t p : / / w w w . m i c r o s o f t . c o m / i s a p i / r e d i r . d l l ? p r d = i e & p v e r = 6 & a r = m s n h o m e " : Missing lines (compared with English-language version): [Version]: 2 lines [RestoreHomePage]: 1 line [RestoreHomePage.reg]: 1 line [RestoreBrowserSettings.reg]: 12 lines [DeleteTemplates.reg]: 5 lines [DeleteAutosearch.reg]: 1 line [strings]: 1 line [RestoreBrowserSettings]: 2 lines [strings]: 3 lines Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 40 seconds, including 8 seconds for message boxes)

co chwile sciagaja mi sie wirusy…

adam9870 · 10 Luty 2007 09:19

Start => uruchom => cmd => wpisz:

Do usunięcia:

C:\Windows\system32\svhostl5.exe C:\WINDOWS\system32\msiexecu.exe C:\WINDOWS\system32\msasvc.exe C:\WINDOWS\SYSTEM32\ crypts.dll Wed Feb 7 2007 6:30:14p A… 23,040 22.50 K ldcore.dll Thu Feb 8 2007 2:24:48a A… 6,689 6.53 K msvcrl.dll Wed Feb 7 2007 9:06:38p A… 44,032 43.00 K —> Uważaj, nie pomyl nazwy! rpcc.dll Fri Feb 9 2007 11:51:50p A… 31,232 30.50 K svch2i.dll Wed Feb 7 2007 11:50:28p A…HR 4,096 4.00 K tmp_62.dll Wed Feb 7 2007 9:06:36p A…HR 4,096 4.00 K tmp_f.dll Thu Feb 8 2007 1:35:48p A…HR 4,096 4.00 K tmp_icq.dll Mon Feb 5 2007 10:10:52p A…HR 4,096 4.00 K tmp_sd.dll Thu Feb 8 2007 6:47:44p A…HR 4,096 4.00 K C:\WINDOWS\SYSTEM32\ trj45_1.tmp Wed Feb 7 2007 9:15:16p A… 0 0.00 K trj45_2.tmp Wed Feb 7 2007 9:15:16p A… 0 0.00 K Katalog: C:\WINDOWS\System32 04-08-04 00:44 76,561 dllgcd.exe 04-08-04 00:44 94,143 dllhtkch.exe~ 04-08-04 00:44 79,704 hssmkrsc.exe 04-08-04 00:44 77,465 amtlldm.exe~ 04-08-04 00:44 97,720 regnrzsn.exe~ 04-08-04 00:44 94,143 advrxfsc.exe~

Sposób usuwania znasz, a w razie jakiś problemów posłuż się killboxem z opcją delete on rebot.

Dodatkowo otwórz Notatnik i wklej:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Usuń wpisy HJT jeśli będą.

Po wykonaniu proszę wkleić nowe logi.

giga89 · 10 Luty 2007 12:42

mhm tak sie sklada ze nie wiem jak usunac i pracowac w tym programie l2 cos tam

adam9870 · 10 Luty 2007 12:59

W programie l2mfix tworzysz tylko log. W tym celu po uruchomieniu wybierasz 1. Zaś w tym logu widać śmieci będące w folderze c:\windows\system32. Ja zacytowałem i np. jak widzisz:

to masz usunąć plik crypts.dll z folderu C:\WINDOWS\SYSTEM32\ i tak z resztą plików, które wymieniłem