Spowolnienie pracy kompa, problem z gg

Arizona · 27 Grudzień 2006 00:50

Objawy jak w temacie…a co do gg to ja moge odczytywac wiadomosci, ale inni nie otrzymuja wiadomosci ode mnie…

oto log:

Logfile of HijackThis v1.99.1 Scan saved at 01:52:48, on 2006-12-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\wscntfy.exe D:\programy\Gadu-Gadu\gg.exe C:\Documents and Settings\ALL\Pulpit\ArcaMicroScan\ArcaMicroScan.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start24.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM…\RunServices: [˙_zskdk]bah^ibfmvi[lyniwmdksz_] c:\windows\system32_zskdmwinyl[ivmfbi^hab]kd.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bismark.extracon.it/mirrorcoolst … Beta02.exe O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

Gutek · 27 Grudzień 2006 01:39

wpisy usuń HJT po raz n-ty masz kłopt z plikiem - _zskdmwinyl[ivmfbi^hab]kd.exe

Ściągnij program Gmer>>>uruchom>>>przejdź do zakładki rootkit>>>wybierz szukaj>>>czekaż aż program zakończy pracę>>> i klikasz kopiuj>>>ctrl + v i wklej do posta.

Arizona · 27 Grudzień 2006 12:01

Wpisy usuniete :

Logfile of HijackThis v1.99.1 Scan saved at 13:02:58, on 2006-12-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe D:\programy\Gadu-Gadu\gg.exe C:\WINDOWS\system32\wuauclt.exe E:\instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start24.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM…\RunServices: [˙_zskdk]bah^ibfmvi[lyniwmdksz_] c:\windows\system32_zskdmwinyl[ivmfbi^hab]kd.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bismark.extracon.it/mirrorcoolst … Beta02.exe O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

Jak mozna zauwazyc te wpis

nadal jest (schodzilem ze awaryjnego z wylaczonym przywracaniem sysyemu)

A oto log z Gmera

GMER 1.0.12.12010 - http://www.gmer.net Rootkit scan 2006-12-27 12:52:41 Windows 5.1.2600 Dodatek Service Pack 2 ---- Devices - GMER 1.0.12 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [FC7BCA7C] GDTdiIcpt.sys Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN F8C88C74 Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP F8C85400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP F8C85400 Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible F8C88BCE ---- Threads - GMER 1.0.12 ---- Thread 520:528 75B37D5B Thread 520:532 75B3BEDD Thread 520:536 75B14616 Thread 520:540 75B13B3A Thread 520:552 75B14616 Thread 520:556 75B37CD7 Thread 520:560 75B37CD7 Thread 520:608 75B37CD7 Thread 520:348 75B37FCC Thread 824:828 7C810867 Thread 824:840 7C810856 Thread 824:844 7C810856 Thread 824:848 7C810856 Thread 824:868 7C810856 Thread 824:892 7C810856 Thread 824:900 7C810856 Thread 824:1124 7C810856 Thread 824:1128 7C810856 Thread 824:1132 7C810856 Thread 824:1200 7C810856 Thread 824:1204 7C810856 Thread 824:1212 7C810856 Thread 824:1220 7C810856 Thread 824:1224 7C810856 Thread 824:1268 7C810856 Thread 824:1272 7C810856 Thread 824:1292 7C810856 Thread 824:1328 7C810856 Thread 824:1372 7C810856 Thread 824:1376 7C810856 Thread 824:1716 7C810856 Thread 824:1728 7C810856 Thread 824:1776 7C810856 Thread 824:1784 7C810856 Thread 824:1788 7C810856 Thread 824:1824 7C810856 Thread 824:1828 7C810856 Thread 824:1832 7C810856 Thread 824:1888 7C810856 Thread 824:1892 7C810856 Thread 824:1896 7C810856 Thread 824:1900 7C810856 Thread 824:1944 7C810856 Thread 824:2036 7C810856 Thread 824:2040 7C810856 Thread 824:2044 7C810856 Thread 824:184 7C810856 Thread 824:192 7C810856 Thread 824:196 7C810856 Thread 824:200 7C810856 Thread 824:188 7C810856 Thread 824:212 7C810856 Thread 824:228 7C810856 Thread 824:236 7C810856 Thread 824:244 7C810856 Thread 824:512 7C810856 Thread 824:860 7C810856 Thread 824:884 7C810856 Thread 824:888 7C810856 Thread 824:928 7C810856 Thread 824:944 7C810856 Thread 824:952 7C810856 Thread 824:872 7C810856 Thread 824:1100 7C810856 Thread 824:1136 7C810856 Thread 824:1148 7C810856 Thread 824:1172 7C810856 Thread 824:1092 7C810856 Thread 824:1044 7C810856 Thread 824:1168 7C810856 Thread 824:1184 7C810856 Thread 824:1048 7C810856 Thread 824:1480 7C810856 Thread 824:1264 7C810856 Thread 824:232 7C810856 Thread 824:1336 7C810856 Thread 824:1040 7C810856 Thread 824:1332 7C810856 Thread 1528:504 7C810867 Thread 1528:1996 7C810856 Thread 1528:1548 7C810856 Thread 1528:1552 7C810856 Thread 1528:1588 7C810856 Thread 1528:1596 7C810856 Thread 1528:1600 7C810856 Thread 1528:1836 7C810856 Thread 1528:1840 7C810856 Thread 1528:1852 7C810856 Thread 1528:1864 7C810856 Thread 1528:1928 7C810856 Thread 1528:820 7C810856 Thread 1528:480 7C810856 Thread 1528:580 7C810856 ---- Files - GMER 1.0.12 ---- ADS C:\boot.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Cookies\index.dat:KAVICHS ADS C:\Documents and Settings\Administrator\Dane aplikacji\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft\Internet Explorer\brndlog.bak:KAVICHS ADS C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft\Internet Explorer\brndlog.txt:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\Kreator zgodno:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\Rozrywka\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\Rozrywka\Windows Media Player.lnk:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\U:KAVICHS ADS … ADS C:\Documents and Settings\ALL\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat:KAVICHS ADS C:\Documents and Settings\ALL\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS ---- EOF - GMER 1.0.12 ----

adam9870 · 27 Grudzień 2006 12:08

W Gmerze:

W zakładce Procesy kliknij Zabij wszystko
Kliknij Pliki i skasuj następujący plik:

c:\windows\system32** _zskdmwinyl[ivmfbi^hab]kd.exe**

Przez … (trzy kropki) wskaż hijacka i usuń wpis:

Restart i pokaż nowe logi:

Gmer na opcjach:

Zakładka Rootkit >>> Zaznaczone wszystko oprócz Pokaż wszystko >>> kliknij Szukaj >>> Czekaj cierpliwie aż skończy

Zakładka Rootkit >>> Zaznaczone tylko Usługi oraz Pokaż wszystko >>> kliknij Szukaj >>> Czekaj cierpliwie aż skończy

Silent.

Arizona · 27 Grudzień 2006 18:34

Zrobilem tak jak napisales, ale

taki plik u mnie nie istnieje (domniemam, ze to po prostu pozostalosc po tym jak mialem ten syf…ale fizycznie nie ma go w tym katalogu wiec nie raczej nie istnieje)

Logi:

Uslugi:

GMER 1.0.12.12010 - http://www.gmer.net Rootkit scan 2006-12-27 19:30:24 Windows 5.1.2600 Dodatek Service Pack 2 ---- Services - GMER 1.0.12 ---- Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\system32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [sYSTEM] AFD Service C:\WINDOWS\system32\DRIVERS\agp440.sys [bOOT] agp440 Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\system32\svchost.exe [DISABLED] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service C:\WINDOWS\system32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\system32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\system32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\system32\DRIVERS\audstub.sys [MANUAL] audstub Service System32\Drivers\avg7core.sys [sYSTEM] Avg7Core Service System32\Drivers\avg7rsw.sys [sYSTEM] Avg7RsW Service System32\Drivers\avg7rsxp.sys [sYSTEM] Avg7RsXP Service C:\WINDOWS\System32\Drivers\avgtdi.sys [AUTO] AvgTdi Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\system32\svchost.exe [MANUAL] BITS Service C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [MANUAL] BlueletAudio Service C:\WINDOWS\system32\svchost.exe [AUTO] Browser Service C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [MANUAL] BT Service C:\WINDOWS\System32\Drivers\btcusb.sys [MANUAL] Btcsrusb Service C:\WINDOWS\system32\DRIVERS\vbtenum.sys [MANUAL] BTHidEnum Service C:\WINDOWS\System32\Drivers\BTHidMgr.sys [bOOT] BTHidMgr Service [DISABLED] cbidf2k Service C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [MANUAL] CCDECODE Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\system32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc Service C:\WINDOWS\system32\clipsrv.exe [DISABLED] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\system32\drivers\cmaudio.sys [MANUAL] cmpci Service C:\WINDOWS\system32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch Service C:\WINDOWS\system32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\system32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\system32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\system32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\system32\DRIVERS\fdc.sys [MANUAL] Fdc Service [sYSTEM] Fips Service C:\WINDOWS\system32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service C:\WINDOWS\system32\DRIVERS\fltMgr.sys [bOOT] FltMgr Service [sYSTEM] Fs_Rec Service C:\WINDOWS\system32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\system32\DRIVERS\gameenum.sys [MANUAL] gameenum Service C:\WINDOWS\system32\drivers\GDTdiIcpt.sys [AUTO] GDTdiInterceptor Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] Gmer Service C:\WINDOWS\system32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service C:\WINDOWS\system32\DRIVERS\hidusb.sys [MANUAL] HidUsb Service [DISABLED] hpn Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\system32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service C:\WINDOWS\system32\DRIVERS\imapi.sys [sYSTEM] Imapi Service C:\WINDOWS\system32\imapi.exe [MANUAL] ImapiService Service inetaccs Service [DISABLED] ini910u Service Inport Service C:\WINDOWS\system32\DRIVERS\intelide.sys [bOOT] IntelIde Service C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw Service C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\system32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\system32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\system32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\system32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\system32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\system32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\WINDOWS\system32\svchost.exe [AUTO] LmHosts Service C:\WINDOWS\system32\svchost.exe [DISABLED] Messenger Service [sYSTEM] mnmdd Service C:\WINDOWS\system32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\system32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service C:\WINDOWS\system32\DRIVERS\mouhid.sys [MANUAL] mouhid Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\system32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\system32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\system32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service C:\WINDOWS\system32\DRIVERS\mssmbios.sys [MANUAL] mssmbios Service C:\WINDOWS\system32\drivers\MSTEE.sys [MANUAL] MSTEE Service [bOOT] Mup Service C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [MANUAL] NABTSFEC Service [bOOT] NDIS Service C:\WINDOWS\system32\DRIVERS\NdisIP.sys [MANUAL] NdisIP Service C:\WINDOWS\system32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\system32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\system32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\system32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\system32\DRIVERS\netbt.sys [MANUAL] NetBT Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDE Service C:\WINDOWS\system32\netdde.exe [DISABLED] NetDDEdsdm Service C:\WINDOWS\system32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\system32\svchost.exe [MANUAL] Nla Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\system32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [sYSTEM] Null Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [MANUAL] nv Service C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\system32\DRIVERS\p3.sys [sYSTEM] P3 Service C:\WINDOWS\system32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\system32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service [DISABLED] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\system32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\system32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\system32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\system32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\system32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\system32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\system32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\system32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\system32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service C:\WINDOWS\system32\DRIVERS\rdpdr.sys [MANUAL] rdpdr Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\system32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\system32\svchost.exe [DISABLED] RemoteAccess Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry Service C:\WINDOWS\System32\Drivers\RootMdm.sys [MANUAL] ROOTMODEM Service C:\WINDOWS\system32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\system32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [MANUAL] rtl8139 Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\system32\DRIVERS\secdrv.sys [MANUAL] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\system32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\system32\DRIVERS\serial.sys [sYSTEM] Serial Service [sYSTEM] Sfloppy Service C:\WINDOWS\System32\svchost.exe [AUTO] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service C:\WINDOWS\system32\DRIVERS\SLIP.sys [MANUAL] SLIP Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\system32\DRIVERS\sr.sys [DISABLED] sr Service C:\WINDOWS\system32\svchost.exe [AUTO] srservice Service C:\WINDOWS\system32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\system32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\system32\svchost.exe [MANUAL] stisvc Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys [MANUAL] streamip Service C:\WINDOWS\system32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\system32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\system32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\system32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service C:\WINDOWS\system32\tlntsvr.exe [DISABLED] TlntSvr Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\system32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\system32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\system32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\system32\DRIVERS\usbprint.sys [MANUAL] usbprint Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR Service C:\WINDOWS\system32\DRIVERS\usbuhci.sys [MANUAL] usbuhci Service C:\WINDOWS\system32\DRIVERS\VComm.sys [MANUAL] VComm Service C:\WINDOWS\System32\Drivers\VcommMgr.sys [MANUAL] VcommMgr Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service [DISABLED] ViaIde Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\system32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\system32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi Service WmiApRpl Service C:\WINDOWS\system32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service C:\WINDOWS\System32\drivers\ws2ifsl.sys [sYSTEM] WS2IFSL Service C:\WINDOWS\System32\svchost.exe [AUTO] wscsvc Service C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [MANUAL] WSTCODEC Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov Service {55233CCE-287F-4E64-AC2E-5B88B0DB276F} Service {58110484-C1DB-4AB5-A5FE-B1268D9D012F} ---- EOF - GMER 1.0.12 ----

calosc :

GMER 1.0.12.12010 - http://www.gmer.net Rootkit scan 2006-12-27 14:39:41 Windows 5.1.2600 Dodatek Service Pack 2 ---- Devices - GMER 1.0.12 ---- Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [FC8B4A7C] GDTdiIcpt.sys Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN F7617C74 Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP F7614400 Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP F7614400 Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible F7617BCE ---- Threads - GMER 1.0.12 ---- Thread 500:520 7C810867 Thread 516:524 75B37D5B Thread 516:528 75B3BEDD Thread 516:532 75B14616 Thread 516:536 75B13B3A Thread 516:548 75B14616 Thread 516:552 75B37CD7 Thread 516:556 75B37CD7 Thread 516:604 75B37CD7 Thread 516:1232 75B14616 Thread 516:204 75B37FCC ---- Files - GMER 1.0.12 ---- ADS C:\boot.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Cookies\index.dat:KAVICHS ADS C:\Documents and Settings\Administrator\Dane aplikacji\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft\Internet Explorer\brndlog.bak:KAVICHS ADS C:\Documents and Settings\Administrator\Dane aplikacji\Microsoft\Internet Explorer\brndlog.txt:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\Kreator zgodno:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\Rozrywka\desktop.ini:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\Rozrywka\Windows Media Player.lnk:KAVICHS ADS C:\Documents and Settings\Administrator\Menu Start\Programy\Akcesoria\U:KAVICHS ADS … ADS C:\Documents and Settings\ALL\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat:KAVICHS ADS C:\Documents and Settings\ALL\Ustawienia lokalne\Dane aplikacji\Microsoft\Windows\UsrClass.dat.LOG:KAVICHS ---- EOF - GMER 1.0.12 ----

adam9870 · 27 Grudzień 2006 19:04

Syfu nie widać.

Wklej jeszcze kontrolne logi z hijacka i silenta.

Arizona · 27 Grudzień 2006 19:20

Logfile of HijackThis v1.99.1 Scan saved at 20:16:50, on 2006-12-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe D:\programy\Gadu-Gadu\gg.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start24.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM…\RunServices: [˙_zskdk]bah^ibfmvi[lyniwmdksz_] c:\windows\system32_zskdmwinyl[ivmfbi^hab]kd.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bismark.extracon.it/mirrorcoolst … Beta02.exe O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/ Operating System: Windows XP SP2 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “HPDJ Taskbar Utility” = “C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe” [“HP”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided) -> {HKLM…CLSID} = “AcroIEHlprObj Class” \InProcServer32(Default) = “D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\programy\WinRar\rarext.dll” [null data] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\programy\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\programy\WinRar\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” -> {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “D:\programy\WinRar\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “DisableRegistryTools” = (REG_DWORD) hex:0x00000000 {User Configuration|Administrative Templates|System| Prevent access to registry editing tools} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\ALL\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ “SCRNSAVE.EXE” = “C:\WINDOWS\System32\logon.scr” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” -> {HKLM…CLSID} = “&Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided) -> {HKLM…CLSID} = “&Yahoo! Toolbar” \InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll” [“Yahoo! Inc.”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC}” -> {HKLM…CLSID} = “Java Plug-in 1.5.0_05” \InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll” [“Sun Microsystems, Inc.”] {FB5F1910-F110-11D2-BB9E-00C04F795683}\ “ButtonText” = “Messenger” “MenuText” = “Windows Messenger” “Exec” = “C:\Program Files\Messenger\msmsgs.exe” [file not found] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ hpzlnt03\Driver = “hpzlnt03.dll” [“HP”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 68 seconds. ---------- (total run time: 189 seconds)

adam9870 · 27 Grudzień 2006 19:27

Usuń w hjt i pokaż nowy log z hijacka.

Arizona · 27 Grudzień 2006 21:01

OK, teraz dla odmiany przy normalnym uruchomieniu kompa usunalem ten wpis, ale nadal siedzi…czy to normalne ? ;>

Logfile of HijackThis v1.99.1 Scan saved at 22:04:20, on 2006-12-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe E:\instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start24.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM…\RunServices: [˙_zskdk]bah^ibfmvi[lyniwmdksz_] c:\windows\system32_zskdmwinyl[ivmfbi^hab]kd.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing) O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bismark.extracon.it/mirrorcoolst … Beta02.exe O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

Bieniol · 27 Grudzień 2006 21:04

Uruchamiasz narzędzie KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

c:\windows\system32_zskdmwinyl[ivmfbi^hab]kd.exe

Klikasz X i restart kompa

Usuwasz wpis:

Dajesz nowe logi

Arizona · 27 Grudzień 2006 21:30

Jak wklejam ta sciezke do pliku w KillBoxie to mi nic nie wyswietla - wniosek ? tego pliku nie ma - pytanie - czemu wpis caly czas pozostaje ??

Dwa pozostale wpisy ciachniete:

oto log

Logfile of HijackThis v1.99.1 Scan saved at 22:31:34, on 2006-12-27 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe E:\instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start24.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM…\RunServices: [˙_zskdk]bah^ibfmvi[lyniwmdksz_] c:\windows\system32_zskdmwinyl[ivmfbi^hab]kd.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bismark.extracon.it/mirrorcoolst … Beta02.exe O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

Bieniol · 27 Grudzień 2006 21:32

Pobierz i uruchom narzędzie The Avenger. Zaznacz opcję Input script manually i kliknij na Lupkę z prawej strony. W okienku, które się otworzy wklejasz:

Klikasz Done , a następnie zielone światełko i zgadzasz się na restart klikając OK.

Kasujesz ręcznie z dysku plik: C:\Avenger\ backup.zip i wklejasz na forum raport: C:\ avenger.txt

Arizona · 28 Grudzień 2006 02:24

Raport sam mi sie pojawil po wykonaniu restartu:

Bieniol · 28 Grudzień 2006 08:18

Po przetłumaczeniu: Pliku nie znaleziono…

Czy nadal jest w Hijacku?

Arizona · 28 Grudzień 2006 10:38

Nadal jest…dziwne…zastanawiam sie co moge robic zle…ze ten wpis nadal siedzi ;/

Logfile of HijackThis v1.99.1 Scan saved at 11:41:23, on 2006-12-28 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe C:\WINDOWS\system32\wscntfy.exe D:\programy\Gadu-Gadu\gg.exe C:\Program Files\Mozilla Firefox\firefox.exe E:\instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start24.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM…\RunServices: [˙_zskdk]bah^ibfmvi[lyniwmdksz_] c:\windows\system32_zskdmwinyl[ivmfbi^hab]kd.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bismark.extracon.it/mirrorcoolst … Beta02.exe O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

adam9870 · 28 Grudzień 2006 10:44

Start => uruchom => wpisz regedit i kliknij ok => przejdź do klucza:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

i sprawdź czy znajduje się tam wartość ˙_zskdk]bah^ibfmvi[lyniwmdksz_, a jeśli tak to usuń ją z prawokliku.

Arizona · 28 Grudzień 2006 11:17

Takowa wartosc znajdowala sie tam, oczywiscie usunalem ja.

Jak widac, niechcianej pozycji nie ma, wiec domniemam, ze wszystko ok

Oto log:

Logfile of HijackThis v1.99.1 Scan saved at 12:18:23, on 2006-12-28 Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\wuauclt.exe D:\programy\Gadu-Gadu\gg.exe E:\instalki\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start24.pl/ R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\programy\Acrobat Reader\Reader\ActiveX\AcroIEHelper.dll O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb03.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll O16 - DPF: {3D8700FB-86A4-4CB4-B738-6F0FC016AC7D} (MainControl Class) - http://arcaonline.arcabit.com/ArcaOnline.cab O16 - DPF: {9242BB35-0DB0-43AC-8DFC-8EA07E63B92A} - http://bismark.extracon.it/mirrorcoolst … Beta02.exe O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} - http://skaner.mks.com.pl/SkanerOnline.cab

Mam jeszcze takie pytanko…otoz jak wchodze w zaklade autorun to mam tylko odchaczone ze ma sie uruchamiac drukarka wraz z systemem…moge ja wylaczyc ? ;>

adam9870 · 28 Grudzień 2006 11:23

Już jest ok.

Przejrzyj "ZBĘDNIKI " w autostarcie..

BTW. Czy Ty nie masz żadnych programów zabezpieczających, bo w logu nie widać? Jeśli rzeczywiście tak jest to koniecznie jakiś zainstaluj:

http://forum.dobreprogramy.pl/viewtopic.php?t=60116

Arizona · 28 Grudzień 2006 13:37

Juz mam zainstalowalem NOD’a…(zwlekalem z tym bo na tym komputerze zamieszczony jest modul 128 pamieci sdram - tylko ;-p )

A co do autorun’a to tam jest tylko ta drukarka…nie powinna byc wlaczona jakas windowsowska pozycja ? ;> bo to troche dziwne ze nic tam nie ma

adam9870 · 28 Grudzień 2006 14:00

Jak zapewne zauważyłeś zlinkowanym przeze mnie w temacie o zbędnikach w autostarcie to pozycje w autostarcie można ograniczyć naprawdę minimum.

W autostarcie powinien być koniecznie program zabezpieczający (np. antyvirus) oraz sterowniki do karty graficznej jeśli tego wymagają.