Services.exe - problem z internetem

Anger · 20 Listopad 2007 19:09

Witam,

Problem polega na tym że proces “services.exe” obciąża mi tak sieć że praktycznie nic nie można zrobić :/. Czytałem o trojanie Backdoor.Win32.Prorat.19.ac , ale nie wykryłem żadnych z plików trojana na dysku. Oto logi :

Logfile of HijackThis v1.99.1 Scan saved at 19:51:37, on 2007-11-20 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: D:\WINDOWS\System32\smss.exe D:\WINDOWS\SYSTEM32\winlogon.exe D:\WINDOWS\system32\services.exe D:\WINDOWS\system32\lsass.exe D:\WINDOWS\system32\svchost.exe D:\WINDOWS\System32\svchost.exe D:\WINDOWS\system32\spoolsv.exe D:\WINDOWS\Explorer.EXE D:\Program Files\cFosSpeed\spd.exe D:\WINDOWS\System32\nvsvc32.exe C:\Program Files\RALINK\RT2400 Wireless LAN Card\Installer\WINXP\RaConfig.exe D:\Documents and Settings\Nowy\Pulpit\cfosspeed.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe D:\WINDOWS\SYSTEM32\services.exe C:\Program Files\Konnekt\konnekt.exe D:\Documents and Settings\LOL\Pulpit\HijackThis.exe O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKCU…\Run: [sUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O17 - HKLM\System\CCS\Services\Tcpip…{961A8719-F8BE-495D-AA25-2CEDBCE30F81}: NameServer = 83.17.121.13 83.18.180.74 O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - D:\Program Files\cFosSpeed\spd.exe" -service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe

A tu zdjęcie z Cfospeeda : http://img156.imageshack.us/img156/8214 … dqwxa1.jpg

Gutek · 20 Listopad 2007 21:37

Pobierz program SDFix

Anger · 21 Listopad 2007 05:22

No jest …

SDFix: Version 1.115 Run by Nowy on 2007-11-21 at 06:17 Microsoft Windows XP [Wersja 5.1.2600] Running From: D:\SDFix Safe Mode: Checking Services: Name: kcp Path: ??\D:\WINDOWS\system32\drivers\kcp.sys kcp - Deleted Infected Winlogon.exe Found! Winlogon File Locations: “D:\WINDOWS\system32\winlogon.exe” 433152 2007-11-20 14:21 “D:\WINDOWS\system32\dllcache\winlogon.exe” 432640 2007-11-20 16:33 Modified Files Are Listed Below: D:\WINDOWS\system32\winlogon.exe Note: SDFix Does Not Repair This File! Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: Trojan Files Found: D:\DOCUME~1\Nowy\USTAWI~1\Temp\0wl.tmp - Deleted D:\WINDOWS\dat.txt - Deleted D:\WINDOWS\rs.txt - Deleted D:\WINDOWS\search_res.txt - Deleted D:\WINDOWS\system32\9_exception.nls - Deleted D:\WINDOWS\system32\kr_done1 - Deleted D:\WINDOWS\system32\mstscex.dll - Deleted D:\WINDOWS\system32\RunOnce.t__ - Deleted D:\WINDOWS\system32\RunOnce.tmp - Deleted D:\WINDOWS\Temp\temp_12336639.bat - Deleted Removing Temp Files… ADS Check: D:\WINDOWS No streams found. D:\WINDOWS\system32 No streams found. D:\WINDOWS\system32\svchost.exe No streams found. D:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-21 06:20:10 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{961A8719-F8BE-495D-AA25-2CEDBCE30F81}] “NetbiosOptions”=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:fc699240 “s2”=dword:9df62333 “h0”=dword:00000001 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“D:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:61,e2,dd,ef,ef,7e,d9,64,b0,de,6c,5a,e2,3c,1c,87,4a,28,41,aa,64,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,00,7b,f6,c2,51,74,89,d0,38,e4,61,a3,94,26,00,a2,56,… “khjeh”=hex:49,fb,16,85,04,57,6b,b3,d2,90,bd,25,00,48,a9,e9,ba,9d,b6,05,39,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:8c,91,ad,fb,0e,40,52,40,98,55,b0,bf,02,93,8d,e9,9e,50,f2,c9,6e,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces{961A8719-F8BE-495D-AA25-2CEDBCE30F81}] “DhcpIPAddress”=“10.1.0.29” “DhcpSubnetMask”=“255.255.255.255” “NameServer”=“83.17.121.13 83.18.180.74” [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa] “LsaPid”=dword:000005e0 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Watchdog\Display] “ShutdownCount”=dword:0000000d [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\ACPI\PNPA000\4&487b740c&0] “Service”=“a3ozxqva” [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_KCP\0000] “Service”=“kcp” “Legacy”=dword:00000001 “ConfigFlags”=dword:00000000 “Class”=“LegacyDriver” “ClassGUID”="{8ECC055D-047F-11D1-A537-0000F8753ED1}" “DeviceDesc”=“kcp” “Capabilities”=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kcp] “Type”=dword:00000001 “Start”=dword:00000001 “ErrorControl”=dword:00000000 “ImagePath”=str(2):"??\D:\WINDOWS\system32\drivers\kcp.sys" “DisplayName”=“kcp” [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kcp\Parameters] “a0”=hex:29,3a,a2,ce,58,b3,05,2c,d2,cb,df,72,65,1c,ca,47,ec,51,eb,54,7f,… “a1”=hex:48,0a,ba,42,1e,90,94,64,76,19,36,86,9f,61,e7,d8,25,b6,95,ed,b2,… “b0”=hex:ec,d8,53,b6,e4,ed,aa,fb,b9,fe,45,3f,43,0f,43,83,0e,a0,93,e8,21,… “b1”=hex:05,2c,a9,cb,da,72,65,1c,ca,47,99,51,f4,54,7d,95,03,a5,1c,29,50,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\kcp\Security] “Security”=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “p0”=“D:\Program Files\DAEMON Tools” “h0”=dword:00000000 “khjeh”=hex:61,e2,dd,ef,ef,7e,d9,64,b0,de,6c,5a,e2,3c,1c,87,4a,28,41,aa,64,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,00,7b,f6,c2,51,74,89,d0,38,e4,61,a3,94,26,00,a2,56,… “khjeh”=hex:49,fb,16,85,04,57,6b,b3,d2,90,bd,25,00,48,a9,e9,ba,9d,b6,05,39,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:8c,91,ad,fb,0e,40,52,40,98,55,b0,bf,02,93,8d,e9,9e,50,f2,c9,6e,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces{1D394BC6-3323-4BD3-B013-94AA0B214D0E}] “DhcpServer”=“255.255.255.255” “Lease”=dword:00000000 “LeaseObtainedTime”=dword:4743be17 “T1”=dword:4743be17 “T2”=dword:4743be17 “LeaseTerminatesTime”=dword:7fffffff “IPAutoconfigurationAddress”=“169.254.28.133” “AddressType”=dword:00000001 “DhcpIPAddress”=“169.254.28.133” “DhcpSubnetMask”=“255.255.0.0” [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services{1D394BC6-3323-4BD3-B013-94AA0B214D0E}\Parameters\Tcpip] “DhcpIPAddress”=“169.254.28.133” “DhcpSubnetMask”=“255.255.0.0” “DhcpServer”=“255.255.255.255” “Lease”=dword:00000000 “LeaseObtainedTime”=dword:4743be17 “T1”=dword:4743be17 “T2”=dword:4743be17 “LeaseTerminatesTime”=dword:7fffffff scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: Remaining Files: --------------- File Backups: - D:\SDFix\backups\backups.zip Files with Hidden Attributes: Sat 17 Nov 2007 10,240 A…H. — “D:\WINDOWS\system32\BIT13.tmp” Finished!

Gutek · 21 Listopad 2007 22:03

Daj log z ComboFix

Anger · 22 Listopad 2007 03:59

ComboFix 07-11-19.3 - Nowy 2007-11-22 4:57:43.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.0.1250.1.1045.18.132 [GMT 1:00] Running from: D:\Documents and Settings\Nowy\Pulpit\ComboFix.exe * Created a new restore point . ((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 ))))))))))))))))))))))))))))))) . 2007-11-22 04:27 2007-11-21 22:13 2007-11-21 22:13 2007-11-21 22:08 2007-11-21 22:08 2007-11-21 21:56 2007-11-21 07:45 2007-11-21 06:16 2007-11-20 20:29 2007-11-20 20:29 2007-11-20 20:28 2007-11-20 20:28 2007-11-20 20:28 209,816 --a------ D:\WINDOWS\system32\drivers\pctfw2.sys 2007-11-20 20:28 120,832 --a------ D:\WINDOWS\system32\drivers\pctfw.sys 2007-11-20 20:28 40,856 --a------ D:\WINDOWS\system32\drivers\pctmp.sys 2007-11-20 20:28 18,328 --a------ D:\WINDOWS\system32\drivers\pctssipc.sys 2007-11-20 19:20 2007-11-20 19:19 2007-11-20 19:19 2007-11-20 19:19 2007-11-20 18:24 2007-11-20 17:40 2007-11-20 17:37 2007-11-20 17:37 2007-11-20 17:37 2007-11-20 17:37 2007-11-20 17:37 2007-11-20 17:37 2007-11-20 17:37 2007-11-20 15:09 24,576 --a------ D:\WINDOWS\system32\msxml3a.dll 2007-11-20 15:04 2007-11-20 15:04 2007-11-20 15:03 2007-11-20 15:02 2007-11-20 15:01 2007-11-20 15:01 2007-11-20 15:01 2007-11-20 15:01 745,472 --a------ D:\WINDOWS\system32\xvidcore.dll 2007-11-20 15:01 303,104 --a------ D:\WINDOWS\system32\RealMediaSplitter.ax 2007-11-20 15:01 180,224 --a------ D:\WINDOWS\system32\xvidvfw.dll 2007-11-20 15:01 157,696 --a------ D:\WINDOWS\system32\unrar.dll 2007-11-20 11:20 2007-11-20 10:44 2007-11-20 10:44 2007-11-20 06:18 21,840 --a----t- D:\WINDOWS\system32\SIntfNT.dll 2007-11-20 06:18 17,212 --a----t- D:\WINDOWS\system32\SIntf32.dll 2007-11-20 06:18 12,067 --a----t- D:\WINDOWS\system32\SIntf16.dll 2007-11-18 20:54 685,816 --a------ D:\WINDOWS\system32\drivers\sptd.sys 2007-11-18 10:42 2007-11-18 10:42 2007-11-18 10:42 2007-11-18 10:42 32 --a------ D:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat 2007-11-17 16:26 2007-11-17 16:26 2007-11-17 12:44 289,280 --a------ D:\WINDOWS\system32\libcurl.dll 2007-11-15 15:39 2007-11-15 12:57 2007-11-15 04:34 97,705 --a------ D:\WINDOWS\system32\tourstart.rar 2007-11-15 04:07 2007-11-14 19:54 2007-11-14 17:03 2007-11-14 17:03 2007-11-14 16:27 2007-11-14 16:21 2007-11-14 16:21 2,058,888 --a–c— D:\WINDOWS\system32\dllcache\wmvcore.dll 2007-11-14 16:21 981,504 --a–c— D:\WINDOWS\system32\dllcache\wmnetmgr.dll 2007-11-14 16:21 816,264 --a–c— D:\WINDOWS\system32\dllcache\wmvdmod.dll 2007-11-14 16:21 760,968 --a–c— D:\WINDOWS\system32\dllcache\wmsdmod.dll 2007-11-14 16:21 678,912 --a------ D:\WINDOWS\system32\drmv2clt.dll 2007-11-14 16:21 678,912 --a–c— D:\WINDOWS\system32\dllcache\drmv2clt.dll 2007-11-14 16:21 670,208 --a–c— D:\WINDOWS\system32\dllcache\wmadmoe.dll 2007-11-14 16:21 410,248 --a–c— D:\WINDOWS\system32\dllcache\wmadmod.dll 2007-11-14 16:21 301,712 --a------ D:\WINDOWS\system32\drmclien.dll 2007-11-14 16:21 301,712 --a–c— D:\WINDOWS\system32\dllcache\drmclien.dll 2007-11-14 16:21 218,112 --a–c— D:\WINDOWS\system32\dllcache\wmasf.dll 2007-11-14 16:21 217,600 --a–c— D:\WINDOWS\system32\dllcache\npdrmv2.dll 2007-11-14 16:21 82,432 --a------ D:\WINDOWS\system32\drmstor.dll 2007-11-14 16:21 82,432 --a–c— D:\WINDOWS\system32\dllcache\drmstor.dll 2007-11-14 16:21 81,408 --a------ D:\WINDOWS\system32\logagent.exe 2007-11-14 16:21 81,408 --a–c— D:\WINDOWS\system32\dllcache\logagent.exe 2007-11-14 16:21 9,728 --a–c— D:\WINDOWS\system32\dllcache\npwmsdrm.dll 2007-11-14 16:21 6,656 --a------ D:\WINDOWS\system32\laprxy.dll 2007-11-14 16:21 6,656 --a–c— D:\WINDOWS\system32\dllcache\laprxy.dll 2007-11-14 16:20 2007-11-14 16:20 47,104 --a------ D:\WINDOWS\system32\wstdecod.dll 2007-11-14 16:20 45,696 --a------ D:\WINDOWS\system32\drivers\stream.sys 2007-11-14 16:20 27,648 --a------ D:\WINDOWS\system32\vbisurf.ax 2007-11-14 16:20 18,688 --a–c— D:\WINDOWS\system32\dllcache\wstcodec.sys 2007-11-14 16:20 10,880 --a------ D:\WINDOWS\system32\drivers\slip.sys 2007-11-14 16:17 2007-11-14 16:17 2007-11-14 14:11 2007-11-14 08:13 2007-11-14 07:28 . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2007-11-22 03:27 --------- d-----w D:\Program Files\cFosSpeed 2007-11-21 21:08 229,057 ----a-w D:\WINDOWS\Alcohol_Toolbar_Uninstaller_8590.exe 2007-11-20 13:21 433,152 ------w D:\WINDOWS\system32\winlogon.exe 2007-11-20 04:22 94,208 ----a-w D:\WINDOWS\DIIUnin.exe 2007-11-15 11:02 43,520 ----a-w D:\WINDOWS\system32\CmdLineExt03.dll 2007-11-14 05:13 --------- d-----w D:\Program Files\Java 2007-11-14 05:10 --------- d-----w D:\Program Files\Common Files\Java 2007-11-14 04:57 --------- d-----w D:\Documents and Settings\Nowy\Dane aplikacji\stamina 2007-11-14 04:52 --------- d-----w D:\Documents and Settings\Nowy\Dane aplikacji\Talkback 2007-11-14 04:46 --------- d-----w D:\Program Files\SiS7012 2007-11-14 04:46 --------- d-----w D:\Program Files\Common Files\InstallShield 2007-11-14 04:45 --------- d-----w D:\Program Files\Budzik 2007-11-14 04:37 --------- d-----w D:\Program Files\microsoft frontpage 2007-11-14 04:35 --------- d-----w D:\Program Files\Usługi online . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “SUPERAntiSpyware”=“D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06] “Gadu-Gadu”=“C:\Program Files\Gadu-Gadu\gg.exe” [2007-01-30 15:58] “AlcoholAutomount”=“D:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe” [2007-07-02 11:27] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] “NvCplDaemon”=“RUNDLL32.exe” [2001-10-26 18:30 D:\WINDOWS\system32\rundll32.exe] “00PCTFW”=“D:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe” [2007-11-09 16:00] “DAEMON Tools”=“D:\Program Files\DAEMON Tools\daemon.exe” [2006-11-12 11:48] [HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] “CTFMON.EXE”=“D:\WINDOWS\System32\CTFMON.EXE” [2001-10-26 18:29] [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks] “{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon] D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll R1 pctfw2;pctfw2;??\D:\WINDOWS\system32\drivers\pctfw2.sys R1 pctmp;PC Tools Firewall Memory Protection Driver;D:\WINDOWS\System32\drivers\pctmp.sys R1 pctssipc;PC Tools Security Suite IPC Driver;D:\WINDOWS\System32\drivers\pctssipc.sys R3 RT2400;RT2400 Wireless Driver;D:\WINDOWS\System32\DRIVERS\RT2400.sys R3 SiS7012;Service for AC’97 Sample Driver (WDM);D:\WINDOWS\System32\drivers\sis7012.sys S3 AvFlt;Antivirus Filter Driver;D:\WINDOWS\System32\drivers\av5flt.sys . Contents of the ‘Scheduled Tasks’ folder “2007-11-20 16:31:01 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job” - D:\Program Files\Apple Software Update\SoftwareUpdate.exe . ************************************************************************** catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-22 04:58:37 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden autostart entries … scanning hidden files … scan completed successfully hidden files: 0 ************************************************************************** . Completion time: 2007-11-22 4:59:07 . — E O F —

system · 22 Listopad 2007 20:42

Raczej nie, bo SDFix pokazuje:

Również w ComboFix widoczna jest modyfikacja winlogon.exe

Trzeba podmienić winlogon.exe za pomocą Konsoli Odzyskiwania.

Anger · 23 Listopad 2007 05:06

Hmmm a czy teraz wszystko dobrze :)?

SDFix: Version 1.115 Run by Nowy on 2007-11-23 at 05:59 Microsoft Windows XP [Wersja 5.1.2600] Running From: D:\SDFix Safe Mode: Checking Services: Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting… Normal Mode: Checking Files: No Trojan Files Found Removing Temp Files… ADS Check: D:\WINDOWS No streams found. D:\WINDOWS\system32 No streams found. D:\WINDOWS\system32\svchost.exe No streams found. D:\WINDOWS\system32\ntoskrnl.exe No streams found. Final Check: catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2007-11-23 06:02:38 Windows 5.1.2600 NTFS scanning hidden processes … scanning hidden services & system hive … [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg] “s1”=dword:fc699240 “s2”=dword:9df62333 “h0”=dword:00000002 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “p0”=“D:\Program Files\Alcohol Soft\Alcohol 120” “h0”=dword:00000001 “ujdew”=hex:ab,da,e5,cf,fc,13,c3,5d,00,68,1e,85,3c,67,26,24,54,0e,ae,f2,eb,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:fb,db,0d,0e,2a,91,f3,7e,99,56,9a,a1,e0,ba,37,13,d7,54,70,8e,44,… “p0”=“D:\Program Files\DAEMON Tools” [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,5b,ee,e1,d1,10,18,4f,5e,57,92,ac,d0,3d,36,fc,bc,4d,… “khjeh”=hex:49,fb,16,85,04,57,6b,b3,d2,90,bd,25,00,48,a9,e9,ba,9d,b6,05,39,… [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:11,f3,64,b4,f6,6e,21,1d,9d,c7,b9,26,02,f2,bd,10,b2,b9,a8,0f,3e,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04] “p0”=“D:\Program Files\Alcohol Soft\Alcohol 120” “h0”=dword:00000001 “ujdew”=hex:ab,da,e5,cf,fc,13,c3,5d,00,68,1e,85,3c,67,26,24,54,0e,ae,f2,eb,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4] “h0”=dword:00000000 “khjeh”=hex:fb,db,0d,0e,2a,91,f3,7e,99,56,9a,a1,e0,ba,37,13,d7,54,70,8e,44,… “p0”=“D:\Program Files\DAEMON Tools” [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001] “a0”=hex:20,01,00,00,5b,ee,e1,d1,10,18,4f,5e,57,92,ac,d0,3d,36,fc,bc,4d,… “khjeh”=hex:49,fb,16,85,04,57,6b,b3,d2,90,bd,25,00,48,a9,e9,ba,9d,b6,05,39,… [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40] “khjeh”=hex:11,f3,64,b4,f6,6e,21,1d,9d,c7,b9,26,02,f2,bd,10,b2,b9,a8,0f,3e,… scanning hidden registry entries … [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c] “Order”=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,… scanning hidden files … scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services: ------------------ Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] Remaining Files: --------------- Files with Hidden Attributes: Thu 22 Nov 2007 0 A…H. — “D:\WINDOWS\system32\BIT13.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\14fbbaa8c92acbeecbdf7b95f76dfd40\BIT1.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\16cdc67c6a13acb55fb99cca901e0dc2\BIT5.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\212a82f811a4eb500cf8ad38faaaae36\BIT4.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\29fb055e02d68a64d31fe01ab46e0066\BIT3.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\54dbc63f1d5c6e757d662759806e34c4\BIT7.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\ad1066a32bdb84f11897b70efc19574b\BIT9.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\c68473efbad5749d3d8bf01a4318e5bd\BIT6.tmp” Fri 23 Nov 2007 0 A…H. — “D:\WINDOWS\SoftwareDistribution\Download\f9bdc3fccd60c1752eff176f77e23f07\BIT8.tmp” Finished!

system · 23 Listopad 2007 21:25

Usuń kwarantannę D:\SDFix\backups\backups.zip.

No i wypadałoby uaktualnić system.