Reset kompa + Log

polska88 · 11 Styczeń 2007 11:50

Witam. Od wczoraj mi się restartuje komp…niewiem co jest jego przczyna…jeden plik o nazwie “service.exe” ciagle proboje sie laczyc z internetem…zapora go blokuje, antywirus nie wykrywa nic. prosze o spr.loga

Logfile of HijackThis v1.99.1 Scan saved at 12:53:25, on 2007-01-11 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\savedump.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\MOZILL~1\FIREFOX.EXE C:\Documents and Settings\Administrator\Pulpit\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missing O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM…\Run: [bDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe O4 - HKLM…\Run: [bDOESRV] “C:\Program Files\Softwin\BitDefender9\bdoesrv.exe” O4 - HKLM…\Run: [bDSwitchAgent] “C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe” O4 - HKLM…\Run: [bDNewsAgent] “C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe” O4 - HKLM…\Run: [LClock] C:\Program Files\LClock\LClock.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.pl/resources/virusscan … nicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MainControl Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan … asinst.cab O17 - HKLM\System\CCS\Services\Tcpip…{CB800EB8-8F74-42F1-AC8E-39078CF26C41}: NameServer = 10.0.0.1 O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing) O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\vsserv.exe" /service (file missing) O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Joan · 11 Styczeń 2007 12:02

Zafixuj, daj log z Silenta.

Przeczytaj to: KLIK i wklej zawartość pliku minidump

power88 · 11 Styczeń 2007 13:24

Log z SILENT:

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” [MS] “BDMCon” = “c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe” [“SOFTWIN S.R.L.”] “BDOESRV” = ““C:\Program Files\Softwin\BitDefender9\bdoesrv.exe”” [“SOFTWIN SRL”] “BDSwitchAgent” = ““C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe”” [null data] “BDNewsAgent” = ““C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe”” [“SOFTWIN S.R.L”] “LClock” = “C:\Program Files\LClock\LClock.exe” [null data] HKLM\Software\Microsoft\Active Setup\Installed Components\ >{26923b43-4d38-484f-9b9e-de460746276c}(Default) = “Internet Explorer” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE” [MS] >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS(Default) = “Dostosowywanie przeglądarki” \StubPath = “RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP” [MS] >{881dd1c5-3dcf-431b-b061-f3f88e8be88a}(Default) = “Outlook Express” \StubPath = “C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE” [MS] {2C7339CF-2B09-4501-B3F3-F3508C9228ED}(Default) = “Themes Setup” \StubPath = “C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall C:\WINDOWS\system32\themeui.dll” [MS] {44BBA840-CC51-11CF-AAFA-00AA00B6015C}(Default) = “Microsoft Outlook Express 6” \StubPath = ““C:\Program Files\Outlook Express\setup50.exe” /APP:OE /CALLER:WINNT /user /install” [MS] {5945c046-1e7d-11d1-bc44-00c04fd912be}(Default) = “Windows Messenger 4.7” \StubPath = “rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser” [MS] {7790769C-0471-11d2-AF11-00C04FA35D02}(Default) = “Książka adresowa 6” \StubPath = ““C:\Program Files\Outlook Express\setup50.exe” /APP:WAB /CALLER:WINNT /user /install” [MS] {89820200-ECBD-11cf-8B85-00AA005B4340}(Default) = “Aktualizacja pulpitu Windows” \StubPath = “regsvr32.exe /s /n /i:U shell32.dll” [MS] {89820200-ECBD-11cf-8B85-00AA005B4383}(Default) = “Internet Explorer 6” \StubPath = “C:\WINDOWS\system32\ie4uinit.exe” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}(Default) = (no title provided) -> {HKLM…CLSID} = “IeCatch5 Class” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\jccatch.dll” [“FlashGet”] {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}(Default) = “BitComet ClickCapture” -> {HKLM…CLSID} = “BitComet Helper” \InProcServer32(Default) = “C:\Program Files\BitComet\tools\BitCometBHO.dll” [“BitComet”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) -> {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”] {F156768E-81EF-470C-9057-481BA8380DBA}(Default) = (no title provided) -> {HKLM…CLSID} = “gFlash Class” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\getflash.dll” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}” = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{087B3AE3-E237-4467-B8DB-5A38AB959AC9}” = “OpenOffice.org Infotip Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{63542C48-9552-494A-84F7-73AA6A7C99C1}” = “OpenOffice.org Property Sheet Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{3B092F0C-7696-40E3-A80F-68D74DA84210}” = “OpenOffice.org Thumbnail Viewer” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] “{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu” -> {HKLM…CLSID} = “Portable Media Devices Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS] “{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler” -> {HKLM…CLSID} = “NeroDigitalIconHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [file not found] “{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler” -> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [file not found] “{ED65AC21-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens Device” -> {HKLM…CLSID} = “Siemens Device” \InProcServer32(Default) = “C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll” [null data] “{ED65AC22-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens Device ContextMenuHandler” -> {HKLM…CLSID} = “Siemens Device ContextMenuHandler” \InProcServer32(Default) = “C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll” [null data] “{ED65AC23-B24F-11d3-BA80-00C0CA16AA37}” = “Siemens SX1 PropertySheetHandler” -> {HKLM…CLSID} = “Siemens Device PropertySheetHandler” \InProcServer32(Default) = “C:\Program Files\Mobile Phone Manager\DES\DESShellExt.dll” [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\ <> “AppInit_DLLs” = “sockspy.dll” [null data] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler” -> {HKLM…CLSID} = “NeroDigitalColumnHandler Class” \InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [file not found] {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}(Default) = “OpenOffice.org Column Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = ““C:\Program Files\OpenOffice.org 2.0.3\program\shlxthdl.dll”” [“Sun Microsystems, Inc.”] {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “(Brak)” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “%SystemRoot%\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{E0E899AB-F487-11D5-8D29-0050BA6940E3}” = “FlashGet Bar” -> {HKLM…CLSID} = “FlashGet Bar” \InProcServer32(Default) = “C:\PROGRA~1\FlashGet\fgiebar.dll” [“Amaze Soft”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_09” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”] {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\ “ButtonText” = “FlashGet” “MenuText” = “&FlashGet” “Exec” = “C:\PROGRA~1\FlashGet\flashget.exe” [“FlashGet.com”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- BitDefender Communicator, XCOMM, ““C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe” /service” [“Softwin”] BitDefender Desktop Update Service, LIVESRV, ““C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe” /service” [“SOFTWIN S.R.L.”] BitDefender Scan Server, bdss, ““C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe” /service” [null data] BitDefender Virus Shield, VSSERV, ““C:\Program Files\Softwin\BitDefender9\vsserv.exe” /service” [“SOFTWIN S.R.L.”] HTTP SSL, HTTPFilter, “C:\WINDOWS\System32\svchost.exe -k HTTPFilter” {“C:\WINDOWS\System32\w3ssl.dll” [MS]} Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\System32\wbem\wmiapsrv.exe” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Portable Media Serial Number Service, WmdmPmSN, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\mspmsnsv.dll” [MS]} Sentinel Protection Server, SentinelProtectionServer, ““C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe”” [“SafeNet, Inc”] Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINDOWS\System32\dmadmin.exe /com” [“Microsoft Corp., Veritas Software”] Usługa dostarczania sieci, xmlprov, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\xmlprov.dll” [MS]} Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS] ---------- <>: Suspicious data at a malware launch point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 70 seconds, including 2 seconds for message boxes)

polska88 · 11 Styczeń 2007 13:47

W plikach minidump znalazlem cos niepokojącego "

Probably caused by: system32: lzx32.sys (lzx32+250b)"

Co to moze oznaczaC?

Joan · 11 Styczeń 2007 14:25

heh masz 2 konta :roll: ?

Użyj narzędzia Rustock.b-Fix

Daj loga z ComboFix.

Są inne dumpy?

polska88 · 11 Styczeń 2007 15:15

Korzystam z dwoch kont ale jedno jest brata :).

Log ComboFix

Robert - 07-01-11 16:17:34,98 Dodatek Service Pack 2 ComboFix 06.11.27 - Running from: “C:\Documents and Settings\Robert\Pulpit” ((((((((((((((((((((((((((((((( Files Created from 2006-12-11 to 2007-01-11 )))))))))))))))))))))))))))))))))) 2006-12-13 17:14 2006-12-13 17:14 (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))) 2007-01-11 16:10 -------- d-------- C:\Program Files\Mozilla Firefox 2007-01-11 14:56 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\OpenOffice.org2 2007-01-10 21:17 -------- d-------- C:\Program Files\FlashGet 2007-01-09 20:20 -------- d-------- C:\Program Files\WinRAR 2007-01-09 20:20 -------- d-------- C:\Program Files\Windows Media Player 2007-01-09 20:16 -------- d-------- C:\Program Files\Messenger 2007-01-09 20:16 -------- d-------- C:\Program Files\LClock 2007-01-09 20:15 -------- d-------- C:\Program Files\Internet Explorer 2007-01-09 20:15 -------- d-------- C:\Program Files\Gadu-Gadu 2007-01-08 17:38 -------- d-------- C:\Program Files\Deutsch Translator 2 2007-01-07 16:46 -------- d-------- C:\Program Files\Common Files 2007-01-07 15:18 -------- d–h----- C:\Program Files\InstallShield Installation Information 2007-01-07 15:18 -------- d-------- C:\Program Files\Common Files\InstallShield 2007-01-06 10:45 -------- d-------- C:\Program Files\eSkiMoS R2 2006-12-28 16:59 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Skype 2006-12-25 21:58 -------- d-------- C:\Program Files\Outlook Express 2006-12-22 16:12 73728 --a------ C:\WINDOWS\system32\sockspy.dll 2006-12-22 16:11 77824 --a------ C:\WINDOWS\system32\xcomm.dll 2006-12-22 16:06 -------- d-------- C:\Program Files\Common Files\Softwin 2006-12-13 19:20 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Ahead 2006-12-13 17:31 -------- d-------- C:\Program Files\Common Files\Ahead 2006-12-13 17:14 -------- d-------- C:\Program Files\Glass2k 2006-12-13 17:07 -------- d-------- C:\Program Files\Common Files\System 2006-12-13 16:41 -------- d-------- C:\Program Files\Windows NT 2006-12-10 21:30 -------- d-------- C:\Program Files\Symantec 2006-12-07 17:06 -------- d-------- C:\Program Files\totalcmd 2006-12-07 17:06 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Help 2006-12-07 06:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll 2006-12-03 17:15 19968 --a------ C:\WINDOWS\system32\reico.exe 2006-12-03 17:15 111104 --a------ C:\WINDOWS\system32\Uharc.exe 2006-12-02 22:27 -------- d-------- C:\Program Files\Skype 2006-12-02 21:17 -------- d-------- C:\Program Files\Mobile Phone Manager 2006-12-02 20:32 -------- d-------- C:\Program Files\Common Files\Microsoft Shared 2006-12-02 16:07 -------- d—s---- C:\Documents and Settings\Robert\Dane aplikacji\Microsoft 2006-11-30 22:00 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\AdobeUM 2006-11-30 21:59 -------- d-------- C:\Program Files\Common Files\Adobe 2006-11-30 21:59 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Adobe 2006-11-30 21:57 -------- d-------- C:\Program Files\Adobe 2006-11-29 18:59 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Sun 2006-11-29 18:58 -------- d-------- C:\Program Files\Java 2006-11-29 18:54 -------- d-------- C:\Program Files\Common Files\Java 2006-11-27 21:23 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\SideBar 2006-11-27 17:59 -------- d-------- C:\Program Files\Stardock 2006-11-27 17:48 -------- d-------- C:\Program Files\Movie Maker 2006-11-27 17:42 -------- d-------- C:\Program Files\NetMeeting 2006-11-27 14:59 -------- d-------- C:\Program Files\BitComet 2006-11-27 14:58 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll 2006-11-27 14:54 -------- d-------- C:\Program Files\BitTorrent 2006-11-27 14:51 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\BitTorrent 2006-11-26 19:55 1004544 --a------ C:\WINDOWS\system32\logonuiX.exe 2006-11-25 22:49 -------- d–h----- C:\Program Files\WindowsUpdate 2006-11-25 21:47 -------- d-------- C:\Program Files\Ares 2006-11-25 20:41 -------- d-------- C:\Program Files\Nero 2006-11-25 15:16 -------- d-------- C:\Program Files\OpenOffice.org 2.0.3 2006-11-25 15:09 138 --a------ C:\Program Files\INSTALL.LOG 2006-11-25 14:55 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\eSkiMoS R2 2006-11-25 14:51 -------- d-------- C:\Program Files\Softwin 2006-11-25 14:36 46976 --a------ C:\WINDOWS\BricoPackUninst.cmd 2006-11-25 14:36 2155 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd 2006-11-25 13:45 -------- d-------- C:\Program Files\Winamp 2006-11-25 11:05 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Talkback 2006-11-25 11:04 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Mozilla 2006-11-24 22:41 -------- d-------- C:\Program Files\Wapster 2006-11-24 22:39 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Macromedia 2006-11-24 22:31 -------- d–h----- C:\Program Files\Uninstall Information 2006-11-24 22:31 -------- d-------- C:\Documents and Settings\Robert\Dane aplikacji\Identities 2006-11-24 22:27 -------- d-------- C:\Program Files\xerox 2006-11-24 22:27 -------- d-------- C:\Program Files\microsoft frontpage 2006-11-24 22:26 0 -rahs---- C:\MSDOS.SYS 2006-11-24 22:26 0 -rahs---- C:\IO.SYS 2006-11-24 22:26 0 --a------ C:\CONFIG.SYS 2006-11-24 22:26 0 --a------ C:\AUTOEXEC.BAT 2006-11-24 22:24 -------- d-------- C:\Program Files\Common Files\Services 2006-11-24 22:24 -------- d-------- C:\Program Files\Common Files\MSSoap 2006-11-24 22:23 -------- d-------- C:\Program Files\MSN Gaming Zone 2006-11-24 22:23 -------- d-------- C:\Program Files\MSN 2006-11-24 22:23 -------- d-------- C:\Program Files\ComPlus Applications 2006-11-24 22:16 62 --ahs---- C:\Documents and Settings\Robert\Dane aplikacji\desktop.ini 2006-11-24 22:16 -------- d-------- C:\Program Files\Common Files\SpeechEngines 2006-11-24 22:16 -------- d-------- C:\Program Files\Common Files\ODBC 2006-11-08 06:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll 2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll 2006-10-23 06:55 545 --a------ C:\WINDOWS\UC.PIF 2006-10-23 06:55 545 --a------ C:\WINDOWS\RAR.PIF 2006-10-23 06:55 545 --a------ C:\WINDOWS\PKZIP.PIF 2006-10-23 06:55 545 --a------ C:\WINDOWS\PKUNZIP.PIF 2006-10-23 06:55 545 --a------ C:\WINDOWS\NOCLOSE.PIF 2006-10-23 06:55 545 --a------ C:\WINDOWS\LHA.PIF 2006-10-23 06:55 545 --a------ C:\WINDOWS\ARJ.PIF 2006-10-20 02:39 714240 --a------ C:\WINDOWS\system32\sxs.dll 2006-10-13 13:41 65536 --a------ C:\WINDOWS\system32\nwwks.dll 2006-10-13 13:41 64000 --a------ C:\WINDOWS\system32\nwapi32.dll 2006-10-13 13:41 143872 --a------ C:\WINDOWS\system32\nwprovau.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) *Note* empty entries are not shown [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” “NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit” “BDMCon”=“c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe” “BDOESRV”="“C:\Program Files\Softwin\BitDefender9\bdoesrv.exe”" “BDSwitchAgent”="“C:\PROGRA~1\softwin\BITDEF~1\bdswitch.exe”" “BDNewsAgent”="“C:\PROGRA~1\softwin\BITDEF~1\bdnagent.exe”" “LClock”=“C:\Program Files\LClock\LClock.exe” [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components] “DeskHtmlVersion”=dword:00000110 “DeskHtmlMinorVersion”=dword:00000005 “Settings”=dword:00000001 “GeneralFlags”=dword:00000004 [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] “{438755C2-A8BA-11D1-B96B-00A0C90312E1}”=“Moduł wstępnego ładowania interfejsu Browseui” “{8C7461EF-2B13-11d2-BE35-3078302C2030}”=“Demon buforu kategorii składników” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{AEB6717E-7E19-11d0-97EE-00C04FD91972}”="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] “NoDriveTypeAutoRun”=dword:00000091 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] “dontdisplaylastusername”=dword:00000000 “legalnoticecaption”="" “legalnoticetext”="" “shutdownwithoutlogon”=dword:00000001 “undockwithoutlogon”=dword:00000001 [HKEY_USERS.default\software\microsoft\windows\currentversion\policies\explorer] “NoDriveTypeAutoRun”=dword:00000091 [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer] “NoDriveTypeAutoRun”=dword:00000091 [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload] “PostBootReminder”="{7849596a-48ea-486e-8937-a2a3009f31a9}" “CDBurn”="{fbeb8a05-beee-4442-804e-409d6c4515e9}" “WebCheck”="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" “SysTray”="{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk] “path”=“C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk” “backup”=“C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup” “location”=“Common Startup” “command”=“C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE " “item”=“Adobe Reader Speed Launch” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robert^Menu Start^Programy^Autostart^Stardock ObjectDock.lnk] “path”=“C:\Documents and Settings\Robert\Menu Start\Programy\Autostart\Stardock ObjectDock.lnk” “backup”=“C:\WINDOWS\pss\Stardock ObjectDock.lnkStartup” “location”=“Startup” “command”=“C:\WINDOWS\BRICOP~1\VISTAI~1\OBJECT~1\OBJECT~1.EXE " “item”=“Stardock ObjectDock” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Robert^Menu Start^Programy^Autostart^Y’z ToolBar.lnk] “path”=“C:\Documents and Settings\Robert\Menu Start\Programy\Autostart\Y’z ToolBar.lnk” “backup”=“C:\WINDOWS\pss\Y’z ToolBar.lnkStartup” “location”=“Startup” “command”=“C:\WINDOWS\BRICOP~1\VISTAI~1\YZTOOL~1\YZTOOL~1.EXE " “item”=“Y’z ToolBar” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NMBgMonitor” “hkey”=“HKCU” “command”=”“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“bittorrent” “hkey”=“HKCU” “command”=”“C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“RunDll32 cmicnfg” “hkey”=“HKLM” “command”=“RunDll32 cmicnfg.cpl,CMICtrlWnd” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“CTFMON” “hkey”=“HKCU” “command”=“C:\WINDOWS\System32\CTFMON.EXE” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“FreeCall” “hkey”=“HKCU” “command”="“C:\Program Files\FreeCall.com\FreeCall\FreeCall.exe” -nosplash -minimized" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LClock] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“LClock” “hkey”=“HKLM” “command”=“C:\Program Files\LClock\LClock.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“msmsgs” “hkey”=“HKCU” “command”="“C:\Program Files\Messenger\msmsgs.exe” /background" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“NeroCheck” “hkey”=“HKLM” “command”=“C:\WINDOWS\system32\NeroCheck.exe” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“nwiz” “hkey”=“HKLM” “command”=“nwiz.exe /install” “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“Skype” “hkey”=“HKCU” “command”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized" “inimapping”=“0” [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched] “key”=“SOFTWARE\Microsoft\Windows\CurrentVersion\Run” “item”=“jusched” “hkey”=“HKLM” “command”="“C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”" “inimapping”=“0” [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” Completion time: 07-01-11 16:18:32.37 C:\ComboFix.txt … 07-01-11 16:18 C:\ComboFix2.txt … 07-01-11 16:06 Złączono Posta: 11.01.2007 (Czw) 16:23 Log z RUSTBFIX:

adam9870 · 11 Styczeń 2007 15:28

Proszę przeskanować plik C:\WINDOWS\system32\reico.exe na stronie http://virusscan.jotti.org/. Jeśli okaże się szkodnikiem - usuń ręcznie w trybie awaryjnym.

Odpowiedz na pytanie Joan - Są inne dumpy?

Możesz puścić jeszcze raz Rustock.b-fix i pokazać nowy raport.

polska88 · 11 Styczeń 2007 15:38

Ten plik jest czysty, sprawdzone zgodnie z podaną stronką :). Są 4 dumpy, we wszystkich jest tak samo . czyli dokladnie chodzi o plik “lzx32.sys”

Co wyzej w postach zamieścilem. mam swoje podejrzenia na szkodnika Rustock A lub B. [Poniewaz usluga service.exe ciagle chce laczyc sie z internetem (ten szkodnik wlasnie atakuje tą usuluge aby nie byl widzialny przez firewaal oraz to ze atakuje plik :LZX32.sys , gdzie z moich logow widac ze cos z tym plikiem niejest tak.

adam9870 · 11 Styczeń 2007 15:45

Mówisz o Rustock.A bądź Backdoor.Rustock.B. Rzeczywiście istnieje szkodnik mający taką nazwę, który dla osób sprawdzających logi jest znany także jako rootkit pe386. On właśnie może powodować restarty czy pojawianie się niebieskich ekranów (BSOD) ale szczepionka przeciwko niemu - Rustock.b-fix znalazła tylko strumień ADS od niego ale został on usunięty.

Cóż, możesz pokazać dla pewności dwa logi z Gmer’a przy takich ustawieniach:

Zakładka Rootkit >>> Zaznaczone wszystko oprócz Pokaż wszystko >>> kliknij Szukaj >>> Czekaj cierpliwie aż skończy
Zakładka Rootkit >>> Zaznaczone tylko Usługi oraz Pokaż wszystko >>> kliknij Szukaj >>> Czekaj cierpliwie aż skończy

power88 · 11 Styczeń 2007 16:55

>

GMER 1.0.12.12010 - http://www.gmer.net Rootkit scan 2007-01-11 17:57:46 Windows 5.1.2600 Dodatek Service Pack 2 ---- User code sections - GMER 1.0.12 ---- .text C:\WINDOWS\system32\services.exe[508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\savedump.exe[520] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!sendto 71A52C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!recvfrom 71A52D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!bind 71A53E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!send 71A5428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!listen 71A588D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\system32\lsass.exe[528] WS2_32.dll!accept 71A61028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!sendto 71A52C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!recvfrom 71A52D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!bind 71A53E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!send 71A5428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!listen 71A588D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll .text C:\WINDOWS\explorer.exe[1164] WS2_32.dll!accept 71A61028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!sendto 71A52C69 5 Bytes JMP 10002D10 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!recvfrom 71A52D0F 5 Bytes JMP 10002CA0 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!bind 71A53E00 5 Bytes JMP 10003020 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!connect 71A5406A 5 Bytes JMP 10002DA0 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!send 71A5428A 5 Bytes JMP 10002AA0 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 10002D70 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!listen 71A588D3 5 Bytes JMP 10002A60 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 10003060 C:\WINDOWS\system32\sockspy.dll .text C:\PROGRA~1\MOZILL~1\firefox.exe[1452] WS2_32.dll!accept 71A61028 5 Bytes JMP 10002F30 C:\WINDOWS\system32\sockspy.dll .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[1848] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10003090 C:\WINDOWS\system32\sockspy.dll ---- EOF - GMER 1.0.12 ---- 2.)GMER 1.0.12.12010 - http://www.gmer.net Rootkit scan 2007-01-11 17:58:35 Windows 5.1.2600 Dodatek Service Pack 2 ---- Services - GMER 1.0.12 ---- Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service C:\WINDOWS\system32\drivers\actser.sys [MANUAL] actser Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [sYSTEM] AFD Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\System32\svchost.exe [DISABLED] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service C:\WINDOWS\System32\DRIVERS\amdk7.sys [sYSTEM] AmdK7 Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\System32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub Service BattC Service C:\Program Files\Softwin\BitDefender9\bdfdll.sys [MANUAL] bdfdll Service C:\Program Files\Softwin\BitDefender9\bdfsdrv.sys [MANUAL] BDFsDrv Service C:\Program Files\Softwin\BitDefender9\bdrsdrv.sys [MANUAL] BDRsDrv Service C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe [AUTO] bdss Service [sYSTEM] Beep Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser Service [DISABLED] cbidf2k Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\System32\cisvc.exe [MANUAL] cisvc Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\system32\drivers\cmuda.sys [MANUAL] cmuda Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\System32\DRIVERS\disk.sys [bOOT] Disk Service system32\drivers\mqnrfwvi.sys [bOOT] djxydorb Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc Service C:\Program Files\Softwin\BitDefender9\filespy.sys [AUTO] FILESpy Service [sYSTEM] Fips Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service C:\WINDOWS\system32\drivers\fltmgr.sys [bOOT] FltMgr Service [sYSTEM] Fs_Rec Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\System32\DRIVERS\gameenum.sys [MANUAL] gameenum Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service [DISABLED] hpn Service [DISABLED] hpt3xx Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service [sYSTEM] Imapi Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService Service inetaccs Service [DISABLED] ini910u Service Inport Service [DISABLED] IntelIde Service C:\WINDOWS\system32\drivers\ip6fw.sys [MANUAL] ip6fw Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe [AUTO] LIVESRV Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger Service [sYSTEM] mnmdd Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service C:\WINDOWS\System32\DRIVERS\mssmbios.sys [MANUAL] mssmbios Service C:\WINDOWS\system32\drivers\msmpu401.sys [MANUAL] ms_mpu401 Service [bOOT] Mup Service [bOOT] NDIS Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\System32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\System32\DRIVERS\netbt.sys [sYSTEM] NetBT Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [sYSTEM] Null Service C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [MANUAL] nv Service C:\WINDOWS\System32\nvsvc32.exe [AUTO] NVSvc Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\System32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service C:\WINDOWS\System32\DRIVERS\pciide.sys [bOOT] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service [sYSTEM] PQNTDrv Service C:\WINDOWS\System32\DRIVERS\processr.sys [sYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [bOOT] PxHelp20 Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\System32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\system32\Drivers\regguard.sys [MANUAL] RegGuard Service C:\Program Files\Softwin\BitDefender9\regspy.sys [AUTO] REGSpy Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139 Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service ScsiPort Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [MANUAL] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\System32\Drivers\SENTINEL.SYS [AUTO] Sentinel Service C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe [AUTO] SentinelProtectionServer Service C:\WINDOWS\system32\DRIVERS\ser2pl.sys [MANUAL] Ser2pl Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\System32\DRIVERS\serial.sys [sYSTEM] Serial Service C:\WINDOWS\system32\DRIVERS\sermouse.sys [MANUAL] sermouse Service [sYSTEM] Sfloppy Service SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service C:\WINDOWS\System32\DRIVERS\sisagp.sys [bOOT] sisagp Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\System32\DRIVERS\sr.sys [DISABLED] sr Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\System32\svchost.exe [MANUAL] stisvc Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv Service swwd Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\System32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service C:\WINDOWS\System32\tlntsvr.exe [MANUAL] TlntSvr Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\System32\wdfmgr.exe [AUTO] UMWdf Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\System32\DRIVERS\usbohci.sys [MANUAL] usbohci Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service [DISABLED] ViaIde Service C:\WINDOWS\system32\drivers\vinyl97.sys [MANUAL] VIAudio Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\Program Files\Softwin\BitDefender9\vsserv.exe [AUTO] VSSERV Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi Service WmiApRpl Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service C:\WINDOWS\System32\svchost.exe [AUTO] wscsvc Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe [AUTO] XCOMM Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov Service C:\WINDOWS\system32\drivers\XPROTECTOR.SYS [AUTO] XPROTECTOR Service {CB800EB8-8F74-42F1-AC8E-39078CF26C41} ---- EOF - GMER 1.0.12 ----

polska88 · 12 Styczeń 2007 13:28

Problem rozwiązany. :))