Wirusy, net zmulony, nie działa gg ani strony www

Great_Sniper · 26 Marzec 2007 17:44

tak jak w temacie. prosze o sprawdzenie logów

“Silent Runners.vbs”, revision 47, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] “lrtsm” = “C:\WINDOWS\system32\qttsk.exe” [file not found] “NBJ” = ““C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] “Symantec Antivirus professional” = “flushdns.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] “Internet Security Service” = “msq32.exe” [null data] “Live-Help” = “links.exe” [null data] “Office Monitors” = “C:\WINDOWS\System32\GoogleUpdater.exe” [null data] “rasman” = “C:\WINDOWS\System32\rasman32.exe” [null data] “Microsoft Directx push” = “directxpushup.exe” [null data] HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “Symantec Antivirus professional” = “flushdns.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Ahead Software AG”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “AudioDeck” = “C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1” [“VIA Technologies, Inc.”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] “Symantec Antivirus professional” = “flushdns.exe” [null data] “msvccc66” = “svcchosst.exe” [null data] “Internet Security Service” = “msq32.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] “Messanger Read System” = “C:\WINDOWS\System32\msnrd.exe” [null data] “Live-Help” = “links.exe” [null data] “Office Monitors” = “C:\WINDOWS\System32\GoogleUpdater.exe” [null data] “rasman” = “C:\WINDOWS\System32\rasman32.exe” [null data] “Microsoft Directx push” = “directxpushup.exe” [null data] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++} “Symantec Antivirus professional” = “flushdns.exe” [null data] “MicrosoftPersonalFirewall” = “spoolsrv.exe” [null data] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Ahead Software AG”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Bartek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Bartek” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] “VIA RAID TOOL” -> shortcut to: “C:\Program Files\VIA\RAID\raid_tool.exe” [“VIA Technologies”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Ahead Software AG”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] MicrosoftPersonalFirewall, WindowsUpdater, ““C:\WINDOWS\System32\spoolsrv.exe” -netsvcs” [null data] Network helper Service, MSDisk, ““C:\WINDOWS\System32\irdvxc.exe” /service” [null data] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] Symantec Antivirus professional, Symantec Antivirus professional, ““C:\WINDOWS\System32\flushdns.exe” -netsvcs” [null data] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 59 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 13 seconds. ---------- (total run time: 121 seconds)

Logfile of HijackThis v1.99.1 Scan saved at 19:24:38, on 2004-03-27 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\irdvxc.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\flushdns.exe C:\WINDOWS\System32\spoolsrv.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\VIAudioi\SBADeck\ADeck.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\svcchosst.exe C:\WINDOWS\System32\msq32.exe C:\WINDOWS\System32\msnrd.exe C:\WINDOWS\System32\links.exe C:\WINDOWS\System32\GoogleUpdater.exe C:\WINDOWS\System32\rasman32.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\directxpushup.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Documents and Settings\Bartek\Ustawienia lokalne\Temp\Katalog tymczasowy 1 dla hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\Run: [msvccc66] svcchosst.exe O4 - HKLM…\Run: [internet Security Service] msq32.exe O4 - HKLM…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\Run: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\Run: [Live-Help] links.exe O4 - HKLM…\Run: [Office Monitors] C:\WINDOWS\System32\GoogleUpdater.exe O4 - HKLM…\Run: [rasman] C:\WINDOWS\System32\rasman32.exe O4 - HKLM…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe O4 - HKLM…\RunServices: [internet Security Service] msq32.exe O4 - HKLM…\RunServices: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\RunServices: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\RunServices: [Live-Help] links.exe O4 - HKLM…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [lrtsm] C:\WINDOWS\system32\qttsk.exe O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - HKCU…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [internet Security Service] msq32.exe O4 - HKCU…\Run: [Live-Help] links.exe O4 - HKCU…\Run: [Office Monitors] C:\WINDOWS\System32\GoogleUpdater.exe O4 - HKCU…\Run: [rasman] C:\WINDOWS\System32\rasman32.exe O4 - HKCU…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Joan · 26 Marzec 2007 18:31

Ale nałapałeś śmieci

Użyj narzędzia WWDC (pozwoli Ci to zamknąć robaczywe porty), zmień znaczki z Disable na Enable (wszystkie mają być zielone lub żółte) i zresetuj sysa.

Otwórz notatnik i wklej w nim to:

Plik -> zapisz jako -> zmień rozszerzenie na wszystkie pliki -> zapisz pod nazwą FIX.BAT

W trybie awaryjnym odpal plik FIX.BAT i restart kompa

O4 - HKLM…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\Run: [msvccc66] svcchosst.exe O4 - HKLM…\Run: [internet Security Service] msq32.exe O4 - HKLM…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\Run: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\Run: [Live-Help] links.exe O4 - HKLM…\Run: [Office Monitors] C:\WINDOWS\System32\GoogleUpdater.exe O4 - HKLM…\Run: [rasman] C:\WINDOWS\System32\rasman32.exe O4 - HKLM…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe O4 - HKLM…\RunServices: [internet Security Service] msq32.exe O4 - HKLM…\RunServices: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\RunServices: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\RunServices: [Live-Help] links.exe O4 - HKLM…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [lrtsm] C:\WINDOWS\system32\qttsk.exe O4 - HKCU…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [internet Security Service] msq32.exe O4 - HKCU…\Run: [Live-Help] links.exe O4 - HKCU…\Run: [Office Monitors] C:\WINDOWS\System32\GoogleUpdater.exe O4 - HKCU…\Run: [rasman] C:\WINDOWS\System32\rasman32.exe O4 - HKCU…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)

Wszystko co na czerwono w trybie awaryjnym usuwasz z dysku, wpisy kasujesz w Hijacku. Koniecznie instalujesz antywirusa i wracasz z nowymi logami HJt +SilentRunners i z ComboFix oraz z GMERA

Zakładka Rootkit > zaznacz wszystko oprócz Pokaż wszystko > kliknij Szukaj
Zakładka Rootkit > zaznacz tylko Usługi oraz Pokaż wszystko > kliknij Szukaj i w obydwu przypadkach poczekaj cierpliwie, aż skończy pracę

Great_Sniper · 26 Marzec 2007 19:58

GMER 1.0.12.12086 - http://www.gmer.net Rootkit scan 2004-03-27 21:53:12 Windows 5.1.2600 ---- Services - GMER 1.0.12 ---- Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [MANUAL] alcan5wn Service C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [MANUAL] alcaudsl Service C:\WINDOWS\System32\svchost.exe [MANUAL] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\System32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser Service [DISABLED] cbidf2k Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\System32\cisvc.exe [MANUAL] cisvc Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service C:\WINDOWS\System32\DRIVERS\d347bus.sys [bOOT] d347bus Service C:\WINDOWS\System32\Drivers\d347prt.sys [bOOT] d347prt Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\System32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc Service C:\WINDOWS\System32\DRIVERS\fetnd5.sys [MANUAL] FETNDIS Service C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [MANUAL] FETNDISB Service [sYSTEM] Fips Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service [sYSTEM] Fs_Rec Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service [DISABLED] hpn Service [DISABLED] hpt3xx Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service [sYSTEM] Imapi Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService Service [DISABLED] InCDfs Service C:\WINDOWS\System32\DRIVERS\InCDPass.sys [sYSTEM] InCDPass Service [sYSTEM] InCDrec Service C:\Program Files\Ahead\InCD\InCDsrv.exe [AUTO] InCDsrv Service inetaccs Service [DISABLED] ini910u Service Inport Service [DISABLED] IntelIde Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts Service C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [AUTO] MDM Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger Service [sYSTEM] mnmdd Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\Documents and Settings\Bartek\msdirectxpush.sys [MANUAL] msdirectxpushup Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service [bOOT] Mup Service [bOOT] NDIS Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\System32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\System32\DRIVERS\netbt.sys [sYSTEM] NetBT Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service C:\WINDOWS\System32\ntsim.sys [MANUAL] NTSIM Service [sYSTEM] Null Service C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [MANUAL] nv Service nv4 Service C:\WINDOWS\System32\nvsvc32.exe [AUTO] NVSvc Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\System32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service [DISABLED] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\drivers\pfc.sys [MANUAL] pfc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\System32\DRIVERS\processr.sys [sYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\System32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [AUTO] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\System32\DRIVERS\serial.sys [sYSTEM] Serial Service [sYSTEM] Sfloppy Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\System32\DRIVERS\sr.sys [bOOT] sr Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv Service C:\WINDOWS\System32\flushdns.exe [DISABLED] Symantec Antivirus professional Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\System32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service C:\WINDOWS\System32\tlntsvr.exe [MANUAL] TlntSvr Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service VIA Codec Default Service C:\WINDOWS\System32\DRIVERS\viaagp1.sys [bOOT] viaagp1 Service C:\WINDOWS\System32\DRIVERS\viaidexp.sys [bOOT] ViaIde Service C:\WINDOWS\System32\DRIVERS\viamraid.sys [bOOT] viamraid Service C:\WINDOWS\system32\drivers\viaudios.sys [MANUAL] VIAudio Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\System32\Drivers\vulfnth.sys [MANUAL] vulfnths Service C:\WINDOWS\System32\Drivers\vulfntr.sys [MANUAL] vulfntrs Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\System32\spoolsrv.exe [DISABLED] WindowsUpdater Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [AUTO] WmdmPmSp Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi Service WmiApRpl Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service C:\WINDOWS\system32\svchost.exe [DISABLED] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service {65EAFBB2-507F-41DE-9E8A-C2CC7C944816} ---- EOF - GMER 1.0.12 ----

GMER 1.0.12.12086 - http://www.gmer.net Rootkit scan 2004-03-27 21:52:03 Windows 5.1.2600 ---- System - GMER 1.0.12 ---- SSDT d347bus.sys ZwClose SSDT d347bus.sys ZwCreateKey SSDT d347bus.sys ZwCreatePagingFile SSDT d347bus.sys ZwEnumerateKey SSDT d347bus.sys ZwEnumerateValueKey SSDT d347bus.sys ZwOpenKey SSDT d347bus.sys ZwQueryKey SSDT d347bus.sys ZwQueryValueKey SSDT d347bus.sys ZwSetSystemPowerState ---- Kernel code sections - GMER 1.0.12 ---- .text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 804FC688 4 Bytes [18, 78, 22, F9] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 804FC6C8 4 Bytes [D0, 77, 22, F9] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1C0 804FC6D8 4 Bytes [20, BA, 21, F9] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 228 804FC740 4 Bytes [A8, C2, 21, F9] .text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 230 804FC748 4 Bytes [10, 79, 22, F9] .text … ---- Devices - GMER 1.0.12 ---- Device \FileSystem\Ntfs \Ntfs IRP_MJ_READ 80F06868 Device \FileSystem\Fastfat \FatCdrom IRP_MJ_READ FF9E4598 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_NAMED_PIPE FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_EA FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_EA FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_VOLUME_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_VOLUME_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DIRECTORY_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_FILE_SYSTEM_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_LOCK_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLEANUP FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE_MAILSLOT FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_SECURITY FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_SECURITY FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CHANGE FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_QUERY_QUOTA FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_SET_QUOTA FFB75828 Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP FFB75828 Device \FileSystem\Rdbss \Device\FsWrap IRP_MJ_READ FF899160 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_NAMED_PIPE FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLOSE FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_READ FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_WRITE FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_EA FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_EA FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FLUSH_BUFFERS FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DIRECTORY_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_FILE_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_LOCK_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CLEANUP FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE_MAILSLOT FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_POWER FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_DEVICE_CHANGE FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_QUERY_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SET_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_PNP FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_NAMED_PIPE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLOSE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_READ FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_WRITE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_EA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_EA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FLUSH_BUFFERS FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DIRECTORY_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_FILE_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_LOCK_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CLEANUP FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE_MAILSLOT FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_POWER FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_DEVICE_CHANGE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_QUERY_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SET_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_PNP FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_NAMED_PIPE FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLOSE FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_READ FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_WRITE FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_EA FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_EA FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FLUSH_BUFFERS FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DIRECTORY_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_FILE_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_LOCK_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CLEANUP FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE_MAILSLOT FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_POWER FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_DEVICE_CHANGE FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_QUERY_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SET_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_PNP FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_NAMED_PIPE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLOSE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_READ FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_WRITE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_EA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_EA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FLUSH_BUFFERS FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_VOLUME_INFORMATION FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DIRECTORY_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_FILE_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_INTERNAL_DEVICE_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SHUTDOWN FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_LOCK_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CLEANUP FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_CREATE_MAILSLOT FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_SECURITY FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_POWER FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SYSTEM_CONTROL FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_DEVICE_CHANGE FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_QUERY_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_SET_QUOTA FF890B50 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e IRP_MJ_PNP FF890B50 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_NAMED_PIPE FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLOSE FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_READ FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_WRITE FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_EA FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_EA FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FLUSH_BUFFERS FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_VOLUME_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_VOLUME_INFORMATION FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DIRECTORY_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_FILE_SYSTEM_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_INTERNAL_DEVICE_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SHUTDOWN FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_LOCK_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CLEANUP FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE_MAILSLOT FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_SECURITY FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_SECURITY FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_POWER FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SYSTEM_CONTROL FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_DEVICE_CHANGE FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_QUERY_QUOTA FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_SET_QUOTA FFB75828 Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_PNP FFB75828 Device \FileSystem\InCDfs \Device\InCDfsComm IRP_MJ_READ FFB389F0 Device \FileSystem\Srv \Device\LanmanServer IRP_MJ_READ FFB9B2A8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ FF8C0160 Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ FF8C0160 Device \FileSystem\Npfs \Device\NamedPipe IRP_MJ_READ FF933EA0 Device \FileSystem\Msfs \Device\Mailslot IRP_MJ_READ FF8F6A58 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CREATE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CREATE_NAMED_PIPE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CLOSE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_READ FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_WRITE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_EA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_EA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_FLUSH_BUFFERS FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_VOLUME_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_VOLUME_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_DIRECTORY_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_FILE_SYSTEM_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SHUTDOWN FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_LOCK_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CLEANUP FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_CREATE_MAILSLOT FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_SECURITY FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_SECURITY FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_POWER FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SYSTEM_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_DEVICE_CHANGE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_QUERY_QUOTA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_SET_QUOTA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1Port3Path0Target0Lun0 IRP_MJ_PNP FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_NAMED_PIPE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLOSE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_READ FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_WRITE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_EA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_EA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FLUSH_BUFFERS FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_VOLUME_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_VOLUME_INFORMATION FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DIRECTORY_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_FILE_SYSTEM_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_INTERNAL_DEVICE_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SHUTDOWN FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_LOCK_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CLEANUP FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_CREATE_MAILSLOT FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_SECURITY FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_SECURITY FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_POWER FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SYSTEM_CONTROL FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_DEVICE_CHANGE FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_QUERY_QUOTA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_SET_QUOTA FF81D890 Device \Driver\d347prt \Device\Scsi\d347prt1 IRP_MJ_PNP FF81D890 Device \FileSystem\Fastfat \Fat IRP_MJ_READ FF9E4598 Device \FileSystem\InCDfs \GLOBAL??\BsUDF IRP_MJ_READ FFB389F0 Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_READ FFB38A70 Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_READ FFB38A70 Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_READ FFB38A70 Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_READ FFB38A70 Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_READ FFB38A70 Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ FFB992F0 ---- Modules - GMER 1.0.12 ---- Module _________ F9195000 ---- Files - GMER 1.0.12 ---- ADS C:\Documents and Settings\Bartek\Pulpit\Filmy:SummaryInformation ADS C:\Documents and Settings\Bartek\Pulpit\Filmy:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} ---- EOF - GMER 1.0.12 ----

Logfile of HijackThis v1.99.1 Scan saved at 21:34:33, on 2004-03-27 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\flushdns.exe C:\WINDOWS\System32\spoolsrv.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\VIAudioi\SBADeck\ADeck.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\directxpushup.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Documents and Settings\Bartek\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKLM…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe O4 - HKLM…\RunServices: [internet Security Service] msq32.exe O4 - HKLM…\RunServices: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\RunServices: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\RunServices: [Live-Help] links.exe O4 - HKLM…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - HKCU…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

adam9870 · 26 Marzec 2007 20:16

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.BAT

Teraz czynności będziesz wykonywał w Gmerze więc uruchom go, poczekaj chwilkę, kliknij na zakładkę >>> w celu otworzenia pozostałych.

W zakładce Procesy wybierz Gmer awaryjny >>> komputer się zrestartuje i zostanie samo okienko Gmer’a >>> w zakładce Procesy przez … (trzy kropki) wskaż plik FIX.BAT >>> po chwilce mignie ekran i reset >>> po resecie otwórz Gmer’a i w zakładce CMD z zaznaczoną opcją REGEDIT.EXE wklej:

>>> kliknij Uruchom i reset.

O4 - HKLM…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\RunServices: [msvcc25] svcchost.exe O4 - HKLM…\RunServices: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunServices: [msvccc66] svcchosst.exe O4 - HKLM…\RunServices: [internet Security Service] msq32.exe O4 - HKLM…\RunServices: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKLM…\RunServices: [Messanger Read System] C:\WINDOWS\System32\msnrd.exe O4 - HKLM…\RunServices: [Live-Help] links.exe O4 - HKLM…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKLM…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKLM…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\Run: [MicrosoftPersonalFirewall] spoolsrv.exe O4 - HKCU…\Run: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunServices: [Microsoft Directx push] directxpushup.exe O4 - HKCU…\RunOnce: [symantec Antivirus professional] flushdns.exe O4 - HKCU…\RunOnce: [MicrosoftPersonalFirewall] spoolsrv.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll

Usuń wpisy HJT jeśli będą.

Po wykonaniu wklej log z ComboFix, log z Gmer’a (tylko ten z usług) i log z hijacka.

Great_Sniper · 27 Marzec 2007 17:38

no chyba wszystko zrobiłem.

Logfile of HijackThis v1.99.1 Scan saved at 20:31:58, on 2004-03-28 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCDsrv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Ahead\InCD\InCD.exe C:\Program Files\VIAudioi\SBADeck\ADeck.exe C:\Program Files\D-Tools\daemon.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Documents and Settings\Bartek\Pulpit\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotinfolink.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O4 - HKLM…\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM…\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM…\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033 O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray O4 - HKCU…\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe” O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

GMER 1.0.12.12086 - http://www.gmer.net Rootkit scan 2004-03-28 20:35:46 Windows 5.1.2600 ---- Services - GMER 1.0.12 ---- Service [DISABLED] Abiosdsk Service [DISABLED] abp480n5 Service C:\WINDOWS\System32\DRIVERS\ACPI.sys [bOOT] ACPI Service [DISABLED] ACPIEC Service [DISABLED] adpu160m Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec Service C:\WINDOWS\System32\drivers\afd.sys [AUTO] AFD Service [DISABLED] Aha154x Service [DISABLED] aic78u2 Service [DISABLED] aic78xx Service C:\WINDOWS\System32\DRIVERS\alcan5wn.sys [MANUAL] alcan5wn Service C:\WINDOWS\System32\DRIVERS\alcaudsl.sys [MANUAL] alcaudsl Service C:\WINDOWS\System32\svchost.exe [MANUAL] Alerter Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG Service [DISABLED] AliIde Service [DISABLED] amsint Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt Service [DISABLED] asc Service [DISABLED] asc3350p Service [DISABLED] asc3550 Service C:\WINDOWS\System32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac Service C:\WINDOWS\System32\DRIVERS\atapi.sys [bOOT] atapi Service [DISABLED] Atdisk Service C:\WINDOWS\System32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv Service C:\WINDOWS\System32\DRIVERS\audstub.sys [MANUAL] audstub Service BattC Service [sYSTEM] Beep Service C:\WINDOWS\System32\svchost.exe [MANUAL] BITS Service C:\WINDOWS\System32\svchost.exe [AUTO] Browser Service [DISABLED] cbidf2k Service [DISABLED] cd20xrnt Service [sYSTEM] Cdaudio Service [DISABLED] Cdfs Service C:\WINDOWS\System32\DRIVERS\cdrom.sys [sYSTEM] Cdrom Service [sYSTEM] Changer Service C:\WINDOWS\System32\cisvc.exe [MANUAL] cisvc Service C:\WINDOWS\system32\clipsrv.exe [MANUAL] ClipSrv Service [DISABLED] CmdIde Service C:\WINDOWS\System32\dllhost.exe [MANUAL] COMSysApp Service ContentFilter Service ContentIndex Service [DISABLED] Cpqarray Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc Service C:\WINDOWS\System32\DRIVERS\d347bus.sys [bOOT] d347bus Service C:\WINDOWS\System32\Drivers\d347prt.sys [bOOT] d347prt Service [DISABLED] dac2w2k Service [DISABLED] dac960nt Service C:\WINDOWS\System32\svchost.exe [AUTO] Dhcp Service C:\WINDOWS\System32\DRIVERS\disk.sys [bOOT] Disk Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot Service C:\WINDOWS\System32\drivers\dmio.sys [bOOT] dmio Service C:\WINDOWS\System32\drivers\dmload.sys [bOOT] dmload Service C:\WINDOWS\System32\svchost.exe [AUTO] dmserver Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic Service C:\WINDOWS\System32\svchost.exe [AUTO] Dnscache Service [DISABLED] dpti2o Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog Service C:\WINDOWS\System32\svchost.exe [MANUAL] EventSystem Service [DISABLED] Fastfat Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility Service C:\WINDOWS\System32\DRIVERS\fdc.sys [MANUAL] Fdc Service C:\WINDOWS\System32\DRIVERS\fetnd5.sys [MANUAL] FETNDIS Service C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [MANUAL] FETNDISB Service [sYSTEM] Fips Service C:\WINDOWS\System32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk Service [sYSTEM] Fs_Rec Service C:\WINDOWS\System32\DRIVERS\ftdisk.sys [bOOT] Ftdisk Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer Service C:\WINDOWS\System32\DRIVERS\msgpc.sys [MANUAL] Gpc Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc Service C:\WINDOWS\System32\svchost.exe [DISABLED] HidServ Service [DISABLED] hpn Service [DISABLED] hpt3xx Service [sYSTEM] i2omgmt Service [DISABLED] i2omp Service C:\WINDOWS\System32\DRIVERS\i8042prt.sys [sYSTEM] i8042prt Service [sYSTEM] Imapi Service C:\WINDOWS\System32\imapi.exe [MANUAL] ImapiService Service [DISABLED] InCDfs Service C:\WINDOWS\System32\DRIVERS\InCDPass.sys [sYSTEM] InCDPass Service [sYSTEM] InCDrec Service C:\Program Files\Ahead\InCD\InCDsrv.exe [AUTO] InCDsrv Service inetaccs Service [DISABLED] ini910u Service Inport Service [DISABLED] IntelIde Service C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver Service C:\WINDOWS\System32\DRIVERS\ipinip.sys [MANUAL] IpInIp Service C:\WINDOWS\System32\DRIVERS\ipnat.sys [MANUAL] IpNat Service C:\WINDOWS\System32\DRIVERS\ipsec.sys [sYSTEM] IPSec Service C:\WINDOWS\System32\DRIVERS\irenum.sys [MANUAL] IRENUM Service ISAPISearch Service C:\WINDOWS\System32\DRIVERS\isapnp.sys [bOOT] isapnp Service C:\WINDOWS\System32\DRIVERS\kbdclass.sys [sYSTEM] Kbdclass Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer Service [bOOT] KSecDD Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanserver Service C:\WINDOWS\System32\svchost.exe [AUTO] lanmanworkstation Service [sYSTEM] lbrtfdc Service ldap Service LicenseService Service C:\WINDOWS\System32\svchost.exe [AUTO] LmHosts Service C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [AUTO] MDM Service C:\WINDOWS\System32\svchost.exe [DISABLED] Messenger Service [sYSTEM] mnmdd Service C:\WINDOWS\System32\mnmsrvc.exe [MANUAL] mnmsrvc Service [MANUAL] Modem Service C:\WINDOWS\System32\DRIVERS\mouclass.sys [sYSTEM] Mouclass Service [bOOT] MountMgr Service [DISABLED] mraid35x Service C:\WINDOWS\System32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV Service C:\WINDOWS\System32\DRIVERS\mrxsmb.sys [sYSTEM] MRxSmb Service C:\WINDOWS\System32\msdtc.exe [MANUAL] MSDTC Service [sYSTEM] Msfs Service C:\WINDOWS\System32\msiexec.exe [MANUAL] MSIServer Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM Service [bOOT] Mup Service [bOOT] NDIS Service C:\WINDOWS\System32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi Service C:\WINDOWS\System32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio Service C:\WINDOWS\System32\DRIVERS\ndiswan.sys [MANUAL] NdisWan Service [MANUAL] NDProxy Service C:\WINDOWS\System32\DRIVERS\netbios.sys [sYSTEM] NetBIOS Service C:\WINDOWS\System32\DRIVERS\netbt.sys [sYSTEM] NetBT Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDE Service C:\WINDOWS\system32\netdde.exe [MANUAL] NetDDEdsdm Service C:\WINDOWS\System32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\System32\svchost.exe [MANUAL] Nla Service [sYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\System32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service C:\WINDOWS\System32\ntsim.sys [MANUAL] NTSIM Service [sYSTEM] Null Service C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [MANUAL] nv Service nv4 Service C:\WINDOWS\System32\nvsvc32.exe [AUTO] NVSvc Service C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\WINDOWS\System32\DRIVERS\parport.sys [MANUAL] Parport Service [bOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\System32\DRIVERS\pci.sys [bOOT] PCI Service [sYSTEM] PCIDump Service [DISABLED] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\drivers\pfc.sys [MANUAL] pfc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\System32\lsass.exe [AUTO] PolicyAgent Service C:\WINDOWS\System32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\System32\DRIVERS\processr.sys [sYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\WINDOWS\System32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\System32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\System32\DRIVERS\rasacd.sys [sYSTEM] RasAcd Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\System32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\System32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\System32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\System32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\System32\DRIVERS\rdbss.sys [sYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [sYSTEM] RDPCDD Service RDPDD Service C:\WINDOWS\System32\DRIVERS\rdpdr.sys [MANUAL] rdpdr Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\System32\DRIVERS\redbook.sys [sYSTEM] redbook Service C:\WINDOWS\System32\svchost.exe [DISABLED] RemoteAccess Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteRegistry Service C:\WINDOWS\System32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\System32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardDrv Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\System32\DRIVERS\secdrv.sys [AUTO] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\System32\DRIVERS\serenum.sys [MANUAL] serenum Service C:\WINDOWS\System32\DRIVERS\serial.sys [sYSTEM] Serial Service [sYSTEM] Sfloppy Service C:\WINDOWS\System32\svchost.exe [DISABLED] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service [DISABLED] Simbad Service [DISABLED] Sparrow Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\System32\DRIVERS\sr.sys [bOOT] sr Service C:\WINDOWS\System32\svchost.exe [AUTO] srservice Service C:\WINDOWS\System32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\System32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\System32\svchost.exe [AUTO] stisvc Service C:\WINDOWS\System32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\System32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\System32\DRIVERS\tcpip.sys [sYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\System32\DRIVERS\termdd.sys [sYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service C:\WINDOWS\System32\tlntsvr.exe [MANUAL] TlntSvr Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service TSDDD Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\System32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\System32\svchost.exe [AUTO] uploadmgr Service C:\WINDOWS\System32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\System32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\System32\DRIVERS\usbscan.sys [MANUAL] usbscan Service C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR Service C:\WINDOWS\System32\DRIVERS\usbuhci.sys [MANUAL] usbuhci Service C:\WINDOWS\System32\drivers\vga.sys [sYSTEM] VgaSave Service VIA Codec Default Service C:\WINDOWS\System32\DRIVERS\viaagp1.sys [bOOT] viaagp1 Service C:\WINDOWS\System32\DRIVERS\viaidexp.sys [bOOT] ViaIde Service C:\WINDOWS\System32\DRIVERS\viamraid.sys [bOOT] viamraid Service C:\WINDOWS\system32\drivers\viaudios.sys [MANUAL] VIAudio Service [bOOT] VolSnap Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\System32\Drivers\vulfnth.sys [MANUAL] vulfnths Service C:\WINDOWS\System32\Drivers\vulfntr.sys [MANUAL] vulfntrs Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\System32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\System32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [AUTO] WmdmPmSp Service C:\WINDOWS\System32\svchost.exe [MANUAL] Wmi Service WmiApRpl Service C:\WINDOWS\System32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service C:\WINDOWS\system32\svchost.exe [DISABLED] wuauserv Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service {65EAFBB2-507F-41DE-9E8A-C2CC7C944816} ---- EOF - GMER 1.0.12 ----

“Silent Runners.vbs”, revision 47, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “CTFMON.EXE” = “C:\WINDOWS\System32\ctfmon.exe” [MS] “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu Sp. z o.o.”] “NBJ” = ““C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”” [“Ahead Software AG”] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Ahead Software AG”] “NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”] “AudioDeck” = “C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1” [“VIA Technologies, Inc.”] “NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS] “DAEMON Tools-1033” = ““C:\Program Files\D-Tools\daemon.exe” -lang 1033” [“DAEMON’S HOME”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”] “{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper” -> {HKLM…CLSID} = “NVIDIA CPL Extension” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class” -> {HKLM…CLSID} = “DesktopContext Class” \InProcServer32(Default) = “C:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”] “{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer” -> {HKLM…CLSID} = “Desktop Explorer” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu” -> {HKLM…CLSID} = “nView Desktop Context Menu” \InProcServer32(Default) = “C:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”] “{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler” -> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook” \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS] “{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW” -> {HKLM…CLSID} = “Shell Extension for CDRW” \InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Ahead Software AG”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! rpcc\DLLName = “C:\WINDOWS\System32\rpcc.dll” [null data] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Documents and Settings\Bartek\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp” Startup items in “Bartek” & “All Users” startup folders: -------------------------------------------------------- C:\Documents and Settings\All Users\Menu Start\Programy\Autostart “Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS] “VIA RAID TOOL” -> shortcut to: “C:\Program Files\VIA\RAID\raid_tool.exe” [“VIA Technologies”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15 %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05 Toolbars, Explorer Bars, Extensions: ------------------------------------ Explorer Bars Dormant Explorer Bars in “View, Explorer Bar” menu HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo” Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar] InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string] Miscellaneous IE Hijack Points ------------------------------ HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\ Missing lines (compared with English-language version): “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided) -> {HKLM…CLSID} = “Search Class” \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string] Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Ahead Software AG”] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS] NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + The search for DESKTOP.INI DLL launch points on all local fixed drives took 63 seconds. + The search for all Registry CLSIDs containing dormant Explorer Bars took 11 seconds. ---------- (total run time: 128 seconds)

adam9870 · 27 Marzec 2007 18:24

Ściągasz program KillBox, zaznaczasz Delete on reboot , w polu full path of file wklej ścieżkę:

C:\WINDOWS\System32\rpcc.dll

Klikasz X czerwony i restart kompa.

Otwórz Notatnik i wklej w nim to:

Plik >>> Zapisz jako >>> Zmień rozszerzenie z TXT na Wszystkie pliki >>> Zapisz pod nazwą FIX.REG >>> kliknij dwa razy na utworzony plik FIX.REG i potwierdź dodanie do rejestru >>> restart.

Usuń wpis HJT jeśli będzie.

Po wykonaniu wklej log z ComboFix:

http://unicorn.ksiezyc.pl/WWW/instrukcje/combofix.html