Rootkit, trojan Totour i inne - infekcja systemu

kateczka18 · 7 Kwiecień 2007 17:00

Witam. pojawiła mi się dziś informacja o trojanie “totour” i nie moge pomimo kilkukrotnego skanowania go usunąc. Bardzo prosze o sprawdzenia loga i jakieś wskazówki w pozbyciu się problemu. Dziękuje z góry.

Mój log:

Logfile of HijackThis v1.99.1 Scan saved at 18:53:17, on 2007-04-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\PWN\Definicje\Bin\Starter.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\Program Files\AntiVirenKit\AVKWCtl.exe C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\Program Files\Winamp\winampa.exe C:\windows\system32\uvnx.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\twain_32\CIS600X\WATCH.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE C:\Program Files\WordWeb\wweb32.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Kasia\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM…\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM…\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\Run: [uvnx] c:\windows\system32\uvnx.exe O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM…\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\wweb32.dll/lookup.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/Clien … /setup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 8862428359 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 9207186609 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_16.cab O17 - HKLM\System\CCS\Services\Tcpip…{18957F44-8EDE-425E-8A47-707FAD02D9F1}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe

adam9870 · 7 Kwiecień 2007 19:10

Co Wy piszecie? :evil:

kateczka18 zrób tak:

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

c:\windows\system32\uvnx.exe

C:\WINDOWS\System32\rpcc.dll

Po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart.

Usuń wpisy HJT.

Poczytaj:

http://www.searchengines.pl/phpbb203/in … opic=87534

i spróbuj wykonać.

Po wykonaniu pokaż nowy log z HJT, ComboFix plus dwa logi z Gmer’a wykonane przy takich ustawieniach:

Zakładka Rootkit >>> zaznaczone wszystko oprócz Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta
Zakładka Rootkit >>> zaznaczone tylko Usługi i Pokazuj wszystko >>> kliknij Szukaj >>> czekaj cierpliwie aż skończy >>> Kopiuj >>> wklej do posta

Jeśli wszystkie logi nie zmieszczą się bezpośrednio do posta, to umieść je w jakimś serwisie hostingowym jako pliki *.txt, a tu tylko zlinkuj.

kateczka18 · 7 Kwiecień 2007 19:30

a wystarczy Ci log z HJT?? nie mam już nerwów na uczenie sie obsługi reszty… po ‘świetnych’ instruckjach przez godzine komputera nie mogłam właczyc…

adam9870 · 7 Kwiecień 2007 19:46

Nie, sam log z HJT nie wystarczy. Masz rootkita, a HJT prawie w ogóle nie pokazuje rootkitów, a nawet źle radzi sobie z nieco bardziej poważnymi trojanami (np. trojanem Vundo). Poczytaj materiały, do których zlinkowałem i pokaż komplet logów, o które prosiłem.

JNJN · 7 Kwiecień 2007 20:01

Lost World

Proszę ucz się gdzie indziej,tutaj jak coś piszesz to rób to dokładnie, albo wcale,następnym razem dostaniesz nagrodę.JNJN

kateczka18 · 7 Kwiecień 2007 20:07

Adamie mam już problem przy Kilboxie. nie moge skonczyć operacji, bo wyskakuje: “PendingFileRenomeOperations Registry Data has been Removed by External process!”

teraz logi:

HJT:

Logfile of HijackThis v1.99.1 Scan saved at 22:07:41, on 2007-04-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AntiVirenKit\AVKWCtl.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\PWN\Definicje\Bin\Starter.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\twain_32\CIS600X\WATCH.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE C:\Program Files\WordWeb\wweb32.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\WINDOWS\NOTEPAD.EXE C:\DOCUME~1\Kasia\USTAWI~1\Temp\Rar$EX00.829\gmer.exe C:\Documents and Settings\Kasia\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM…\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM…\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\wweb32.dll/lookup.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/Clien … /setup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 8862428359 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 9207186609 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_16.cab O17 - HKLM\System\CCS\Services\Tcpip…{18957F44-8EDE-425E-8A47-707FAD02D9F1}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe

Cambo:

ComboScan v20070306.20 run by Kasia on 2007-04-07 at 22:05:13 Computer is in Normal Mode. -------------------------------------------------------------------------------- – HijackThis (run as Kasia.exe) ----------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 22:03:09, on 2007-04-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\AntiVirenKit\AVKWCtl.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\PWN\Definicje\Bin\Starter.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\twain_32\CIS600X\WATCH.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE C:\Program Files\WordWeb\wweb32.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Kasia\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM…\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM…\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\wweb32.dll/lookup.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/Clien … /setup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 8862428359 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 9207186609 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_16.cab O17 - HKLM\System\CCS\Services\Tcpip…{18957F44-8EDE-425E-8A47-707FAD02D9F1}: NameServer = 194.204.159.1 217.98.63.164 O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe – Files created between 2007-03-07 and 2007-04-07 ----------------------------- 2007-04-07 20:48:47 77312 --a------ C:\WINDOWS\ua2.dll 2007-04-07 14:01:41 91648 --a------ C:\WINDOWS\msmgr32.dll 2007-04-07 14:01:34 30720 -----n— C:\WINDOWS\System32\rpcc.dll – Find3M Report --------------------------------------------------------------- 2007-04-07 21:48:04 0 d-------- C:\Program Files\Neostrada TP 2007-04-03 18:21:44 0 d-------- C:\Program Files\Leksykonia 2007-03-25 11:27:40 356508 --a------ C:\WINDOWS\System32\perfh015.dat 2007-03-25 11:27:40 50048 --a------ C:\WINDOWS\System32\perfc015.dat 2007-03-07 22:23:17 0 d-------- C:\Documents and Settings\Kasia\Dane aplikacji\WinRAR 2007-02-22 20:12:39 0 d-------- C:\Documents and Settings\Kasia\Dane aplikacji\AdobeUM 2007-01-15 19:32:07 689280 --a------ C:\WINDOWS\System32\aswBoot.exe 2007-01-15 19:23:20 90112 --a------ C:\WINDOWS\System32\AVASTSS.scr – Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “SoundMan”=“SOUNDMAN.EXE” “SMSERIAL”=“sm56hlpr.exe” “HPDJ Taskbar Utility”=“C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe” “HP Software Update”=“C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe” “DeviceDiscovery”=“C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe” “DemonStarter”=“C:\Program Files\PWN\Definicje\Bin\Starter.exe” “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe” “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “InstantAccess”=“C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h” “RegisterDropHandler”=“C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE” “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\Program Files\Neostrada TP\taskbaricon.exe” “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “NoChange”=“1” “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] “RegisterDropHandler”=“C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE” [HKEY_USERS.default\software\microsoft\windows\currentversion\runonce] “Win32 Configuration”=“videosd32.exe” “Microsoft Secure Messenger.NET Service”=“securitychk.exe” “FireWire Driver”=“samx.exe” [HKEY_USERS.default\software\microsoft\windows\currentversion\runservices] “Windows Monitor”=“winmon.exe” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce] “Win32 Configuration”=“videosd32.exe” “Microsoft Secure Messenger.NET Service”=“securitychk.exe” “FireWire Driver”=“samx.exe” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices] “Windows Monitor”=“winmon.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] “{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}”=“Network Neighborhood” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” “Microsoft Secure Server Config”=“rpcxConfig.exe” “Win32 Configuration”=“videosd32.exe” “System Startup”=“voltio.exe” “MSVSync”=“videosync.exe” “Windows Monitor”=“winmon.exe” “Microsoft Secure Messenger.NET Service”=“securitychk.exe” “FireWire Driver”=“samx.exe” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” “Microsoft Secure Server Config”=“rpcxConfig.exe” “Win32 Configuration”=“videosd32.exe” “System Startup”=“voltio.exe” “MSVSync”=“videosync.exe” “Windows Monitor”=“winmon.exe” “Microsoft Secure Messenger.NET Service”=“securitychk.exe” “FireWire Driver”=“samx.exe” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “DisableRegistryTools”=dword:00000000 HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 – End of ComboScan: finished at 2007-04-07 at 22:05:34 ------------------------

adam9870 · 7 Kwiecień 2007 20:22

Przeskanuj plik C:\WINDOWS\msmgr32.dll na stronie http://virusscan.jotti.org/ lub http://www.virustotal.com/ a jeśli okaże się szkodliwy - ścieżkę do niego również wklej w killboxie.

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżki:

C:\WINDOWS\ua2.dll

C:\WINDOWS\System32\rpcc.dll

Po wklejeniu każdej ścieżki z osobna klikasz na czerwonego iksa, ale dopiero po wklejeniu ostatniej zgadzasz się na restart. Jeśli po wklejeniu którejś ze ścieżek pojawi się jakiś bład, nie przejmuj się nim tylko przejdź do wykonywania dalszych czynności.

Otwórz Notatnik i wklej w nim to:

Windows Registry Editor Version 5.00 [HKEY_USERS.default\software\microsoft\windows\currentversion\runonce] “Win32 Configuration”=- “Microsoft Secure Messenger.NET Service”=- “FireWire Driver”=- [HKEY_USERS.default\software\microsoft\windows\currentversion\runservices] “Windows Monitor”=- [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce] “Win32 Configuration”=- “Microsoft Secure Messenger.NET Service”=- “FireWire Driver”=- [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices] “Windows Monitor”=- [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler] “{9F143C3A-1457-6CCA-03A7-7AA23B61E40F}”=- [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “Microsoft Secure Server Config”=- “Win32 Configuration”=- “System Startup”=- “MSVSync”=- “Windows Monitor”=- “Microsoft Secure Messenger.NET Service”=- “FireWire Driver”=- [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “Microsoft Secure Server Config”=- “Win32 Configuration”=- “System Startup”=- “MSVSync”=- “Windows Monitor”=- “Microsoft Secure Messenger.NET Service”=- “FireWire Driver”=- [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc]

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Poszukaj na dysku plików videosd32.exe, securitychk.exe, samx.exe, winmon.exe, rpcxConfig.exe, voltio.exe i usuń je jeśli będą. Powinny być one w katalogu C:\windows lub c:\windows\system32

Usuń wpis HJT jeśli będzie.

Po wykonaniu wklej nowy log z HJT, dwa logi z Gmer’a (patrz moje wcześniejsze posty) plus log z ComboFix. Aby zrobić w nim log należy go uruchomić => nacisnąć klawisz Y => czekać cierpliwie i log powinien być w formie pliku .txt o nazwie combofix na partycji C.

kateczka18 · 7 Kwiecień 2007 20:26

już się biore do roboty… a Gmer skanuje:)

M_i_r · 7 Kwiecień 2007 20:36

Ja program Prevx1 używam , jest co prawda trochę męczący ale

on-line usuwa i zabezpiecz przed szkodnikami jednocześnie

weryfikuje wielkość plików systemowych.

Informacje tutaj

http://cybertrash.netarteria.pl/cyber/i … 649.0.html

kateczka18 · 7 Kwiecień 2007 20:53

logi:

HJT:

Logfile of HijackThis v1.99.1 Scan saved at 22:50:20, on 2007-04-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\PWN\Definicje\Bin\Starter.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\Program Files\AntiVirenKit\AVKWCtl.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\twain_32\CIS600X\WATCH.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE C:\Program Files\WordWeb\wweb32.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\Kasia\USTAWI~1\Temp\Rar$EX00.532\gmer.exe C:\Documents and Settings\Kasia\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM…\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM…\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\wweb32.dll/lookup.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/Clien … /setup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 8862428359 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 9207186609 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_16.cab O17 - HKLM\System\CCS\Services\Tcpip…{18957F44-8EDE-425E-8A47-707FAD02D9F1}: NameServer = 194.204.159.1 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe

Cambo:

ComboScan v20070306.20 run by Kasia on 2007-04-07 at 22:52:06 Computer is in Normal Mode. -------------------------------------------------------------------------------- – HijackThis (run as Kasia.exe) ----------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 22:52:08, on 2007-04-07 Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\sm56hlpr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe C:\Program Files\PWN\Definicje\Bin\Starter.exe C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE C:\PROGRA~1\NEOSTR~1\CnxMon.exe C:\Program Files\Neostrada TP\taskbaricon.exe C:\Program Files\AntiVirenKit\AVKWCtl.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe C:\WINDOWS\twain_32\CIS600X\WATCH.exe C:\Program Files\WinZip\WZQKPICK.EXE C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE C:\Program Files\WordWeb\wweb32.exe C:\Program Files\Neostrada TP\NeostradaTP.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\Program Files\Neostrada TP\ComComp.exe C:\Program Files\Neostrada TP\Watch.exe C:\Program Files\Internet Explorer\iexplore.exe C:\DOCUME~1\Kasia\USTAWI~1\Temp\Rar$EX00.532\gmer.exe C:\Documents and Settings\Kasia\Moje dokumenty@neostrada.pl\comboscan.exe C:\DOCUME~1\Kasia\Pulpit\Kasia.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE O4 - HKLM…\Run: [sMSERIAL] sm56hlpr.exe O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe O4 - HKLM…\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe O4 - HKLM…\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe O4 - HKLM…\Run: [DemonStarter] C:\Program Files\PWN\Definicje\Bin\Starter.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe O4 - HKLM…\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM…\Run: [instantAccess] C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h O4 - HKLM…\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe O4 - HKLM…\Run: [WOOTASKBARICON] C:\Program Files\Neostrada TP\taskbaricon.exe O4 - HKLM…\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe O4 - HKLM…\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\TextBridge Classic 2.0\Ereg\REMIND32.EXE O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\CIS600X\WATCH.exe O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\wweb32.dll/lookup.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://sib1.od2.com/common/Member/Clien … /setup.exe O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda … 8862428359 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup … 9207186609 O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {9085316E-42BA-11D4-BAA3-0080C8D7ED4A} (GameDesire JungleHunter) - http://67.15.101.3/g_bin/pl/hunter_2_0_0_16.cab O17 - HKLM\System\CCS\Services\Tcpip…{18957F44-8EDE-425E-8A47-707FAD02D9F1}: NameServer = 194.204.159.1 217.98.63.164 O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: Strażnik AVK (AVKWCtl) - Unknown owner - C:\Program Files\AntiVirenKit\AVKWCtl.exe – Files created between 2007-03-07 and 2007-04-07 ----------------------------- 2007-04-07 22:06:18 80 --a------ C:\WINDOWS\gmer_uninstall.cmd 2007-04-07 14:01:41 91648 --a------ C:\WINDOWS\msmgr32.dll – Find3M Report --------------------------------------------------------------- 2007-04-07 22:36:37 0 d-------- C:\Program Files\Neostrada TP 2007-04-03 18:21:44 0 d-------- C:\Program Files\Leksykonia 2007-03-25 11:27:40 356508 --a------ C:\WINDOWS\System32\perfh015.dat 2007-03-25 11:27:40 50048 --a------ C:\WINDOWS\System32\perfc015.dat 2007-03-07 22:23:17 0 d-------- C:\Documents and Settings\Kasia\Dane aplikacji\WinRAR 2007-02-22 20:12:39 0 d-------- C:\Documents and Settings\Kasia\Dane aplikacji\AdobeUM 2007-01-15 19:32:07 689280 --a------ C:\WINDOWS\System32\aswBoot.exe 2007-01-15 19:23:20 90112 --a------ C:\WINDOWS\System32\AVASTSS.scr – Registry Dump --------------------------------------------------------------- [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\ctfmon.exe” “Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray" “MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background" [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run] “SoundMan”=“SOUNDMAN.EXE” “SMSERIAL”=“sm56hlpr.exe” “HPDJ Taskbar Utility”=“C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe” “HP Software Update”=“C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe” “DeviceDiscovery”=“C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe” “DemonStarter”=“C:\Program Files\PWN\Definicje\Bin\Starter.exe” “NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe” “SunJavaUpdateSched”=“C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe” “avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” “InstantAccess”=“C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h” “RegisterDropHandler”=“C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE” “WooCnxMon”=“C:\PROGRA~1\NEOSTR~1\CnxMon.exe” “WOOWATCH”=“C:\PROGRA~1\NEOSTR~1\Watch.exe” “WOOTASKBARICON”=“C:\Program Files\Neostrada TP\taskbaricon.exe” “WinampAgent”=“C:\Program Files\Winamp\winampa.exe” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI] “NoChange”=“1” “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS] “Installed”=“1” [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices] “RegisterDropHandler”=“C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE” [HKEY_USERS.default\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run] “CTFMON.EXE”=“C:\WINDOWS\System32\CTFMON.EXE” [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] “DisableRegistryTools”=dword:00000000 [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] “SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll” [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0 NetworkService REG_MULTI_SZ DnsCache\0\0 rpcss REG_MULTI_SZ RpcSs\0\0 imgsvc REG_MULTI_SZ StiSvc\0\0 termsvcs REG_MULTI_SZ TermService\0\0 – End of ComboScan: finished at 2007-04-07 at 22:52:28

w Gmerze nadal skanuje…

Złączono Posta : 07.04.2007 (Sob) 23:08

Gmer pierwszy:

GMER 1.0.12.12086 - http://www.gmer.net Rootkit scan 2007-04-07 23:07:47 Windows 5.1.2600 Dodatek Service Pack. 1 ---- System - GMER 1.0.12 ---- SSDT ??\C:\WINDOWS\System32\windev-3dbb-507a.sys ZwEnumerateKey <-- ROOTKIT ! SSDT ??\C:\WINDOWS\System32\windev-3dbb-507a.sys ZwEnumerateValueKey – ROOTKIT ! SSDT ??\C:\WINDOWS\System32\windev-3dbb-507a.sys ZwQueryDirectoryFile – ROOTKIT ! ---- Kernel code sections - GMER 1.0.12 ---- .text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 720342BA .text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034445 .text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034329 .text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 720342D8 ---- Devices - GMER 1.0.12 ---- Device \Driver\aswTdi \Device\AswUdpFilter IRP_MJ_DEVICE_CONTROL [bABA679C] windev-3dbb-507a.sys Device \Driver\aswTdi \Device\ASWTDI IRP_MJ_DEVICE_CONTROL [bABA679C] windev-3dbb-507a.sys Device \Driver\aswTdi \Device\AswTcpFilter IRP_MJ_DEVICE_CONTROL [bABA679C] windev-3dbb-507a.sys ---- Services - GMER 1.0.12 ---- Service C:\WINDOWS\System32\windev-3dbb-507a.sys (*** hidden *** ) [AUTO] windev-3dbb-507a – ROOTKIT ! ---- Registry - GMER 1.0.12 ---- Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-3DBB-507A Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@DeviceDesc windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@Service windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@DeviceDesc windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@Start 2 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-3DBB-507A Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@DeviceDesc windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000\Control@ActiveService windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@DeviceDesc windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@Start 2 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a\Enum@0 Root\LEGACY_WINDEV-3DBB-507A\0000 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet002\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-3DBB-507A Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@DeviceDesc windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@Type 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@Start 2 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-3DBB-507A Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@DeviceDesc windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000\Control@ActiveService windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-3DBB-507A\0000@DeviceDesc windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDEV-3DBB-507A@NextInstance 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@Start 2 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@ErrorControl 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a\Enum@0 Root\LEGACY_WINDEV-3DBB-507A\0000 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@Type 1 Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@ImagePath ??\C:\WINDOWS\System32\windev-3dbb-507a.sys Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\windev-3dbb-507a@DisplayName windev-3dbb-507a ---- Files - GMER 1.0.12 ---- File C:\WINDOWS\system32\windev-3dbb-507a.sys – ROOTKIT ! File C:\WINDOWS\system32\windev-peers.ini ---- EOF - GMER 1.0.12 ---- Złączono Posta: 07.04.2007 (Sob) 23:10 gmer drugi: GMER 1.0.12.12086 - http://www.gmer.net Rootkit scan 2007-04-07 23:10:36 Windows 5.1.2600 Dodatek Service Pack. 1 ---- Services - GMER 1.0.12 ---- Service [sYSTEM] Aavmker4 Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service C:\WINDOWS\System32\Drivers\adildr.sys [AUTO] ADILOADER Service C:\WINDOWS\System32\DRIVERS\adiusbaw.sys [MANUAL] adiusbaw Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD Service [sYSTEM] AFS2K Service C:\WINDOWS\System32\DRIVERS\agp440.sys [bOOT] agp440 Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\system32\drivers\ALCXSENS.SYS [MANUAL] ALCXSENS Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM Service C:\WINDOWS\System32\svchost.exe [MANUAL] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service C:\WINDOWS\System32\drivers\aspi32.sys [AUTO] Aspi32 Service [AUTO] aswMon2 Service [MANUAL] aswRdr Service [sYSTEM] aswTdi Service C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [AUTO] aswUpdSv Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\System32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\System32\Ati2evxx.exe [AUTO] Ati HotKey Poller Service C:\WINDOWS\system32\ati2sgag.exe [AUTO] ATI Smart Service C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [MANUAL] ati2mtag Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub Service C:\Program Files\Alwil Software\Avast4\ashServ.exe [AUTO] avast! Antivirus Service C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [MANUAL] avast! Web Scanner Service C:\Program Files\AntiVirenKit\AVKWCtl.exe [AUTO] AVKWCtl Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser Service [DISABLED] cbidf2k Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\System32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [DISABLED] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [DISABLED] dmload Service C:\WINDOWS\System32\svchost.exe [MANUAL] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\DRIVERS\e100b325.sys [MANUAL] E100B Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc Service [sYSTEM] Fips Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service [sYSTEM] Fs_Rec Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\System32\interceptor.sys [MANUAL] GDInterceptor Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\DOCUME~1\Kasia\USTAWI~1\Temp\gtermddo.sys [MANUAL] gtermddo Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service [DISABLED] hpn Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service C:\WINDOWS\System32\DRIVERS\imapi.sys [sYSTEM] Imapi Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService Service [sYSTEM] incdrm Service inetaccs Service [DISABLED] ini910u Service Inport Service [DISABLED] IntelIde Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger Service [sYSTEM] mnmdd Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\system32\drivers\MODEMCSA.sys [MANUAL] MODEMCSA Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service [bOOT] Mup Service [bOOT] NDIS Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\System32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\System32\DRIVERS\netbt.sys [sYSTEM] NetBT Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [sYSTEM] Null Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\System32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service C:\WINDOWS\System32\DRIVERS\pciide.sys [bOOT] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\drivers\pfc.sys [MANUAL] pfc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\System32\DRIVERS\processr.sys [sYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service C:\WINDOWS\System32\Drivers\PxHelp20.sys [bOOT] PxHelp20 Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti Service RAVGD Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\System32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [AUTO] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\System32\DRIVERS\serial.sys [sYSTEM] Serial Service C:\WINDOWS\System32\drivers\SFC4.sys [AUTO] SFC4 Service [sYSTEM] Sfloppy Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service C:\WINDOWS\System32\DRIVERS\SMBios.sys [MANUAL] SMBios Service C:\WINDOWS\System32\DRIVERS\smserial.sys [MANUAL] smserial Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\System32\DRIVERS\sr.sys [bOOT] sr Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\System32\svchost.exe [AUTO] SSDPSRV Service C:\WINDOWS\System32\svchost.exe [MANUAL] stisvc Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service C:\WINDOWS\System32\Drivers\SYMIDSCO.SYS [MANUAL] SYMIDSCO Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\System32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr Service C:\WINDOWS\System32\svchost.exe [DISABLED] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\System32\DRIVERS\usbehci.sys [MANUAL] usbehci Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\System32\DRIVERS\usbprint.sys [MANUAL] usbprint Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service [DISABLED] ViaIde Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\System32\windev-3dbb-507a.sys (*** hidden *** ) [AUTO] windev-3dbb-507a – ROOTKIT ! Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [AUTO] WmdmPmSp Service WmiApRpl Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service {C529DDE6-4C26-4A05-B94F-1FF708E45A40} ---- EOF - GMER 1.0.12 ----

squeet · 7 Kwiecień 2007 21:44

Niepewne informacje - kosz.

Proszę nie robić bałaganu.

kateczka18 proszę o lekturę poniższych tematów:

http://forum.dobreprogramy.pl/viewtopic.php?t=36654

http://forum.dobreprogramy.pl/viewtopic.php?t=66889

Logi wstawiamy w tagach quote. Powyższe już sformatowałem, następne wklejaj już poprawnie.

adam9870 · 8 Kwiecień 2007 08:44

Nadaj sobie uprawnienia do kasowania kluczy typu LEGACY:

http://www.searchengines.pl/phpbb203/in … topic=6745

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

W zakładce Procesy wybierz Gmer awaryjny >>> komputer się zrestartuje i zostanie samo okienko Gmer’a >>> w zakładce Procesy przez … (trzy kropki) wskaż plik FIX.BAT >>> po chwilce mignie ekran i reset.

Sprawdź wielkość pliku ndis.sys według tego opisu:

http://www.searchengines.pl/phpbb203/in … opic=87534

Po wykonaniu wklej dwa nowe logi z Gmer’a plus log z ComboFix, a nie jak dotychczas - ComboScan oraz wynik szukania na windev-3dbb-507a w narzędziu Registry Search Tool.