Request for help - logs


(Olo) #1

Hello,

I kindly ask for help with a matter that has been plaguing me.

Some time after buying the computer I decided to check the disk.

Attempts to install NOD or Kaspersky ended with the program theoretically installing, but when I try to run it, the program starts up and ... disappears. No trace of it in Task Manager.

So I installed MKS 2007. That one works, and the antivirus detected the following things for me, but it no longer wants to remove them:

Trojan.Rootkit.af in the file C:/windows/system32/drivers/rmshjn.sys

and Worm.Email.Warezov.et in the file C:/windows/system32/wmdrtc32.dll

Additionally, in an act of desperation, I installed Avast, which detected wholesale quantities of Win32 Sality.

Below I paste the logs (since I noticed that this is what you most often ask for on the forum when someone needs help) and kindly ask for a diagnosis :slight_smile: because for me it is black magic.

And additionally Silent Runners:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]

"AzMixerSel" = "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" ["Realtek Semiconductor Corp."]

"mkstray" = "C:\Program Files\mks_vir_2007\bin\mkstray.exe" ["MKS Sp z o.o."]

"mks_mail" = "C:\Program Files\mks_vir_2007\bin\mks_mail.exe" ["MkS Sp. z o.o."]

"MKSRegmon" = "C:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM...CLSID} = "SSVHelper Class"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"

-> {HKLM...CLSID} = "Portable Media Devices Menu"

\InProcServer32(Default) = "C:\WINDOWS\system32\audiodev.dll" [MS]

"{2F603045-309F-11CF-9774-0020AFD0CFF6}" = "Synaptics Control Panel"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Synaptics\SynTP\SynTPCpl.dll" ["Synaptics, Inc."]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32(Default) = "c:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

EDSshellExt(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"

-> {HKLM...CLSID} = "eDSshlExt Class"

\InProcServer32(Default) = "C:\WINDOWS\system32\eDSshellExt.dll" ["HiTRUST"]

MkS_Vir(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

-> {HKLM...CLSID} = "MkS_Vir Shell Extension"

\InProcServer32(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinExpert(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"

-> {HKLM...CLSID} = "Context Menu Shell Extension"

\InProcServer32(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

EDSshellExt(Default) = "{29FF7AB0-BE34-4992-A30B-53A9D86EE239}"

-> {HKLM...CLSID} = "eDSshlExt Class"

\InProcServer32(Default) = "C:\WINDOWS\system32\eDSshellExt.dll" ["HiTRUST"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

MkS_Vir(Default) = "{E64226E0-9DA1-479E-8265-8D65BA327BD4}"

-> {HKLM...CLSID} = "MkS_Vir Shell Extension"

\InProcServer32(Default) = "C:\Program Files\mks_vir_2007\bin\mksshell.dll" [null data]

WinExpert(Default) = "{19741013-C829-11D1-8233-0020AF3E97A9}"

-> {HKLM...CLSID} = "Context Menu Shell Extension"

\InProcServer32(Default) = "C:\WINDOWS\system32\context.dll" ["SuperLogix"]

WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme

{unrecognized setting}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\Windows\Web\Wallpaper\Acer.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\WINDOWS\WEB\WALLPAPER\ACER.BMP"

Startup items in "Guciowie" & "All Users" startup folders:


C:\Documents and Settings\Guciowie\Start Menu\Programs\Startup

"Launch Manager" -> shortcut to: "C:\Program Files\Launch Manager\LManager.exe Show_Panel" ["Dritek System Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\Program Files\mks_vir_2007\bin\mkslsp.dll [null data], 01 - 03, 23

%SystemRoot%\system32\mswsock.dll [MS], 04 - 08, 11 - 22

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"

-> {HKLM...CLSID} = "&Google"

\InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}"

-> {HKLM...CLSID} = "Acer eDataSecurity Management"

\InProcServer32(Default) = "C:\WINDOWS\system32\eDStoolbar.dll" ["HiTRUST"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

"{5CBE3B7C-1E47-477E-A7DD-396DB0476E29}" = (no title provided)

-> {HKLM...CLSID} = "Acer eDataSecurity Management"

\InProcServer32(Default) = "C:\WINDOWS\system32\eDStoolbar.dll" ["HiTRUST"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)

-> {HKLM...CLSID} = "&Google"

\InProcServer32(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = "&Badanie"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\

"MenuText" = "Sun Java Console"

"CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}"

-> {HKCU...CLSID} = "Java Plug-in 1.5.0_11"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" ["Sun Microsystems, Inc."]

-> {HKLM...CLSID} = "Java Plug-in 1.5.0_11"

\InProcServer32(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" ["Sun Microsystems, Inc."]

{77BF5300-1474-4EC7-9980-D32B190E9B07}\

"ButtonText" = "Skype"

"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"

-> {HKLM...CLSID} = "Skype add-on (button)"

\InProcServer32(Default) = "C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL" ["Skype Technologies S.A."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Badanie"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


AdminWorks Agent X6, AWService, ""C:\Acer\Empowering Technology\admServ.exe"" ["Avocent Inc."]

Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ""C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe"" ["Symantec Corporation"]

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Intel® PROSet/Wireless Event Log, EvtEng, "C:\Program Files\Intel\Wireless\Bin\EvtEng.exe" ["Intel Corporation"]

Intel® PROSet/Wireless Registry Service, RegSrvc, "C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe" ["Intel Corporation"]

Intel® PROSet/Wireless Service, S24EventMonitor, "C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe" ["Intel Corporation "]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

Logitech Process Monitor, LVPrcSrv, "c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe" ["Logitech"]

Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]

Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]

mks_vir file monitor, MksVirMonSvc, "C:\Program Files\mks_vir_2007\bin\mksvirmonsvc.exe" [null data]

MksFwall, MksFwall, ""C:\Program Files\mks_vir_2007\bin\MksFwall.exe"" ["MKS Sp z o.o."]

MksPC, MksPC, ""C:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]

MksUpdate, MksUpdate, ""C:\Program Files\mks_vir_2007\bin\mksupdate.exe"" ["MKS Sp. z o. o."]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


<>: Suspicious data at a malware launch point.

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 34 seconds.

---------- (total run time: 78 seconds)

Thanks in advance for your time and willingness to help.

I'll add up front that I am the kind of computer user who knows more or less only that the desktop has shortcuts to games and Word :wink:

Regards
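
Added example, not part of Olo's post and not code from the Silent Runners tool: a small Python triage helper that walks a Silent Runners report like the one above and pulls out the launch-point entries worth a second look. It flags two things the report itself exposes: lines the script marked with `<>` (its own indicator for suspicious data at a malware launch point, per the legend at the end of the report) and files reported as `[null data]`, i.e. with no company name in their version information. In this log `[null data]` also applies to legitimate-looking products such as WinRAR and the mks_vir components, so the output is a prompt to verify each file, not a verdict. The `SAMPLE_REPORT` embedded in the block is constructed from a few lines of the log above; the regex, the `Finding` class and the flag rules are my own assumptions about the report layout, not anything the tool guarantees.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied in the shape of the Silent Runners
# report above (not the full report), enough to exercise every case handled below.
SAMPLE_REPORT = r'''
Startup items buried in registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"MKSRegmon" = "C:\Program Files\mks_vir_2007\bin\mksregmon.exe" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]

Winsock2 Service Provider DLLs:

000000000001\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
C:\Program Files\mks_vir_2007\bin\mkslsp.dll [null data], 01 - 03, 23

Running Services (Display Name, Service Name, Path {Service DLL}):

MksPC, MksPC, ""C:\Program Files\mks_vir_2007\bin\MksPC.exe"" [null data]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
'''

# A report entry is "<path> [signer]": the path is either a quoted string or an
# unquoted run of text, and the signer is "Company", MS, or null data.
# (Assumed layout; the quoted path must be the one directly before the bracket.)
ENTRY_RE = re.compile(r'(?P<path>"[^"]*"|[^"\[\]=]+?)\s*\[(?P<signer>[^\]]*)\]')


@dataclass
class Finding:
    section: str
    path: str
    signer: str
    reasons: list = field(default_factory=list)


def parse_entries(report: str):
    """Yield (section, line, path, signer) for every line carrying a
    '<path> [signer]' pair, tracking the report section it sits under."""
    section = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Section headings in the report end with ':' and carry no '=' assignment.
        if line.endswith(":") and "=" not in line:
            section = line.rstrip(":")
            continue
        # Service paths appear with doubled quotes (""C:\...exe""); collapse them.
        m = ENTRY_RE.search(line.replace('""', '"'))
        if not m:
            continue
        path = m.group("path").strip().strip('"')
        signer = m.group("signer").strip().strip('"')
        yield section, line, path, signer


def triage(report: str) -> list[Finding]:
    """Return the entries a reviewer should verify by hand, with the reason."""
    findings = []
    for section, line, path, signer in parse_entries(report):
        reasons = []
        if line.startswith("<>"):
            reasons.append("marked <> by Silent Runners (suspicious data at a launch point)")
        if signer == "null data":
            reasons.append("no company name in file version info ([null data])")
        if reasons:
            findings.append(Finding(section, path, signer, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.section}] {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Feed it the full report text instead of `SAMPLE_REPORT` and each flagged path can then be checked by hand (file location, signature, and whether a known product owns it) before deciding anything about it.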


(adam9870) #2

Both logs are clean, but what of it when Sality is sitting there? :roll:

Some strange driver, but with Sality around it is not important right now.

That is precisely a Sality file.

Read up on Sality:

http://www.searchengines.pl/phpbb203/in ... opic=75092

http://www.searchengines.pl/phpbb203/in ... opic=82616

So the one good solution for it is to format all partitions without keeping any data from them at all!


(JNJN) #3

Please change the topic title to a specific one and use Polish diacritics; use the edit and correct option. JNJN