Posts: 4 | Threads: 1 | Joined: 21.07.2006 | Reputation: 0
Posts: 53 | Threads: 2 | Joined: 01.11.2006 | Reputation: 0
First of all:
Quote: C:\DOCUME~1\Michal\USTAWI~1\Temp\_tc\HijackThis.exe
Don't run HijackThis from the temporary folder - create a new folder for it on the disk.
As for the problem and the log, use the tool -> [To see links, register here] (in Safe Mode, with option 2).
After the treatment, post a new HijackThis log + a log from [To see links, register here] + the SmitFraudFix report.
Posts: 4 | Threads: 1 | Joined: 21.07.2006 | Reputation: 0
Thanks for the help :wink:
I cleaned the registry with SmitFraudFix, but that isaddon entry with "file missing" was left in HijackThis, so I removed it. And to be sure I ran AVG Anti-Spyware 7.5 (the Ewido one); it found some DLLs and removed them.
Everything is OK now, posting the logs just to be sure...
HijackThis first!
Quote: Logfile of HijackThis v1.99.1
Scan saved at 12:45:47, on 2006-11-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32Ati2evxx.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
Crogram FilesGrisoftAVG Anti-Spyware 7.5guard.exe
Crogram FilesIcecast2 Win32icecastService.exe
C:WINDOWSsystem32Ati2evxx.exe
Crogram FilesATI TechnologiesATI.ACEcli.exe
DowerDVDPDVDServ.exe
Crogram FilesGrisoftAVG Anti-Spyware 7.5avgas.exe
Crogram FilesRay AdamsATI Tray Toolsatitray.exe
Crogram FilesCommon FilesAheadLibNMBgMonitor.exe
Crogram FilesWhatPulseWhatPulse.exe
Crogram FilesSlySoftAnyDVDAnyDVD.exe
Crogram FilesCommon FilesAheadLibNMIndexStoreSvr.exe
Crogram FilesNetMeterNetMeter.exe
Crogram FilesATI TechnologiesATI.ACEcli.exe
Crogram FilesATI TechnologiesATI.ACEcli.exe
C:totalcmdTOTALCMD.EXE
Crogram FilesMozilla Firefox 2 Beta 2firefox.exe
C:WINDOWSexplorer.exe
C:WINDOWSNOTEPAD.EXE
c:HijackHijackThis.exe
O4 - HKLM..Run: [ATICCC]"Crogram FilesATI TechnologiesATI.ACEcli.exe" runtime -Delay
O4 - HKLM..Run: [LogonStudio]"Crogram FilesWinCustomizeLogonStudiologonstudio.exe" /RANDOM
O4 - HKLM..Run: [NeroFilterCheck]Crogram FilesCommon FilesAheadLibNeroCheck.exe
O4 - HKLM..Run: [RemoteControl]DowerDVDPDVDServ.exe
O4 - HKLM..Run: [BootSkin Startup Jobs]"CROGRA~1StardockWinCustomizeBootSkinBootSkin.exe" /StartupJobs
O4 - HKLM..Run: [!AVG Anti-Spyware]"Crogram FilesGrisoftAVG Anti-Spyware 7.5avgas.exe" /minimized
O4 - HKCU..Run: [AtiTrayTools]"Crogram FilesRay AdamsATI Tray Toolsatitray.exe"
O4 - HKCU..Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]"Crogram FilesCommon FilesAheadLibNMBgMonitor.exe"
O4 - HKCU..Run: [WhatPulse]Crogram FilesWhatPulseWhatPulse.exe
O4 - HKCU..Run: [AnyDVD]Crogram FilesSlySoftAnyDVDAnyDVD.exe
O4 - HKCU..Run: [Crogram FilesNetMeterNetMeter.exe]Crogram FilesNetMeterNetMeter.exe
O23 - Service: Adobe LM Service - Adobe Systems - Crogram FilesCommon FilesAdobe Systems SharedServiceAdobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:WINDOWSsystem32Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:WINDOWSsystem32ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - Crogram FilesGrisoftAVG Anti-Spyware 7.5guard.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - Crogram FilesIcecast2 Win32icecastService.exe" "Crogram FilesIcecast2 Win32 (file missing)
O23 - Service: NBService - Nero AG - D:Ahead NeroNero 7Nero BackItUpNBService.exe
O23 - Service: RadClock - Unknown owner - C:WINDOWSsystem32RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%WinPcaprpcapd.exe" -d -f "%ProgramFiles%WinPcaprpcapd.ini (file missing)
Now Silent Runners 8) Quote: "Silent Runners.vbs", revision 49, [To see links, register here]
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCUSoftwareMicrosoftWindowsCurrentVersionRun {++}
"AtiTrayTools" = ""Crogram FilesRay AdamsATI Tray Toolsatitray.exe"" ["Ray Adams"]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""Crogram FilesCommon FilesAheadLibNMBgMonitor.exe"" ["Nero AG"]
"WhatPulse" = "Crogram FilesWhatPulseWhatPulse.exe" ["WhatPulse.org"]
"AnyDVD" = "Crogram FilesSlySoftAnyDVDAnyDVD.exe" ["SlySoft, Inc."]
"Crogram FilesNetMeterNetMeter.exe" = "Crogram FilesNetMeterNetMeter.exe" [null data]
HKLMSoftwareMicrosoftWindowsCurrentVersionRun {++}
"ATICCC" = ""Crogram FilesATI TechnologiesATI.ACEcli.exe" runtime -Delay" [null data]
"LogonStudio" = ""Crogram FilesWinCustomizeLogonStudiologonstudio.exe" /RANDOM" ["Stardock and Luca Saggese"]
"NeroFilterCheck" = "Crogram FilesCommon FilesAheadLibNeroCheck.exe" ["Nero AG"]
"RemoteControl" = "DowerDVDPDVDServ.exe" ["Cyberlink Corp."]
"BootSkin Startup Jobs" = ""CROGRA~1StardockWinCustomizeBootSkinBootSkin.exe" /StartupJobs" [empty string]
"!AVG Anti-Spyware" = ""Crogram FilesGrisoftAVG Anti-Spyware 7.5avgas.exe" /minimized" ["Anti-Malware Development a.s."]
HKLMSoftwareMicrosoftWindowsCurrentVersionShell ExtensionsApproved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
InProcServer32(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
InProcServer32(Default) = "C:WINDOWSsystem32hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
InProcServer32(Default) = "Crogram FilesATI TechnologiesATI.ACEatiacmxx.dll" [empty string]
"{36518101-49AC-42CB-8E4C-40C1F328A565}" = "Rad2 Extension"
-> {HKLM...CLSID} = "RadPropExt2 Class"
InProcServer32(Default) = "C:WINDOWSsystem32Rad.dll" [empty string]
"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}" = "Rad Extension"
-> {HKLM...CLSID} = "RadPropExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32Rad.dll" [empty string]
"{75B8D633-9021-442C-9EA4-FF4BE72CE20F}" = "NRad2 Extension"
-> {HKLM...CLSID} = "NRadExt2 Class"
InProcServer32(Default) = "C:WINDOWSsystem32NRad.dll" ["ChrisW"]
"{C6844A1E-2C59-415A-84B3-C6A458372779}" = "RadType Extension"
-> {HKLM...CLSID} = "RadTypeExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32RadType.dll" [empty string]
"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}" = "NRad Extension"
-> {HKLM...CLSID} = "NRadExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32NRad.dll" ["ChrisW"]
"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}" = "RadClkr Extension"
-> {HKLM...CLSID} = "RadClkRExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32RadClkR.dll" [empty string]
"{7700EB62-DB7C-47AF-A092-04376CA1D24C}" = "RadMnu Extension"
-> {HKLM...CLSID} = "RadMnuExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32RadMnu.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "Crogram FilesWinRARrarext.dll" [null data]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
InProcServer32(Default) = "C:WINDOWSsystem32SHDOCVW.DLL" [MS]
"{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}" = "Notepad++ Shell Extension"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
InProcServer32(Default) = "Crogram FilesNotepad++nppshellext.dll" ["Notepad++ team"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
-> {HKLM...CLSID} = "PowerISO"
InProcServer32(Default) = "Crogram FilesPowerISOPWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
-> {HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "Crogram FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]
HKLMSoftwareMicrosoftWindowsCurrentVersionExplorerShellExecuteHooks
<<!>> "{35B2861B-2B26-4691-9FF0-09083722C736}" = "RadExe Extension"
-> {HKLM...CLSID} = "RadExeExt Class"
InProcServer32(Default) = "C:WINDOWSsystem32RadExe.dll" [empty string]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
InProcServer32(Default) = "Crogram FilesGrisoftAVG Anti-Spyware 7.5shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify
<<!>> AtiExtEventDLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLMSoftwareClasses*shellexContextMenuHandlers
AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
InProcServer32(Default) = "Crogram FilesGrisoftAVG Anti-Spyware 7.5context.dll" ["Anti-Malware Development a.s."]
NppShellExt(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
InProcServer32(Default) = "Crogram FilesNotepad++nppshellext.dll" ["Notepad++ team"]
PowerISO(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
InProcServer32(Default) = "Crogram FilesPowerISOPWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "Crogram FilesWinRARrarext.dll" [null data]
HKLMSoftwareClassesDirectoryshellexContextMenuHandlers
AVG Anti-Spyware(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
InProcServer32(Default) = "Crogram FilesGrisoftAVG Anti-Spyware 7.5context.dll" ["Anti-Malware Development a.s."]
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "Crogram FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]
NppShellExt(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
-> {HKLM...CLSID} = "Notepad++ Shell Extension"
InProcServer32(Default) = "Crogram FilesNotepad++nppshellext.dll" ["Notepad++ team"]
PowerISO(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
InProcServer32(Default) = "Crogram FilesPowerISOPWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "Crogram FilesWinRARrarext.dll" [null data]
HKLMSoftwareClassesFoldershellexContextMenuHandlers
jetAudio(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
-> {HKLM...CLSID} = "JetFlExt"
InProcServer32(Default) = "Crogram FilesJetAudioJetFlExt.dll" ["JetAudio, Inc."]
PowerISO(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
-> {HKLM...CLSID} = "PowerISO"
InProcServer32(Default) = "Crogram FilesPowerISOPWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
InProcServer32(Default) = "Crogram FilesWinRARrarext.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
"NoSMBalloonTip" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"MemCheckBoxInRunDlg" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoAutoTrayNotify" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoResolveTrack" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoStartBanner" = (REG_BINARY) hex:01 00 00 00
{Remove "Click here to begin" from Start button}
"NoWelcomeScreen" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoSharedDocuments" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}
HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesExplorer
"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoStrCmpLogical" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}
HKLMSoftwarePoliciesMicrosoftInternet ExplorerInfodeliveryRestrictions
"NoUpdateCheck" = (REG_DWORD) hex:0x00000001
{unrecognized setting}
HKLMSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
"SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCUSoftwareMicrosoftInternet ExplorerDesktopGeneral
"Wallpaper" = "C:WINDOWSsystem32configsystemprofileUstawienia lokalneDane aplikacjiMicrosoftWallpaper1.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLMSystemCurrentControlSetServicesWinsock2ParametersNameSpace_Catalog5Catalog_Entries {++}
000000000001LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
000000000002LibraryPath = "%SystemRoot%System32winrnr.dll" [MS]
000000000003LibraryPath = "%SystemRoot%System32mswsock.dll" [MS]
Transport Service Providers
HKLMSystemCurrentControlSetServicesWinsock2ParametersProtocol_Catalog9Catalog_Entries {++}
0000000000##PackedCatalogItem (contains) DLL [Company Name] , (at) ## range:
%SystemRoot%system32mswsock.dll [MS] , 01 - 03, 06 - 13
%SystemRoot%system32rsvpsp.dll [MS] , 04 - 05
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:WINDOWSsystem32Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "Crogram FilesGrisoftAVG Anti-Spyware 7.5guard.exe" ["Anti-Malware Development a.s."]
Icecast Media Server, Icecast, ""Crogram FilesIcecast2 Win32icecastService.exe" "Crogram FilesIcecast2 Win32"" [null data]
----------
<<!>>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 124 seconds, including 8 seconds for message boxes)
And the SmitFraudFix one
Quote: SmitFraudFix v2.119
Scan done at 12:49:40,66, 2006-11-08
Run from c:HijackSmitfraudFixSmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600]- Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:
»»»»»»»»»»»»»»»»»»»»»»»» C:WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:WINDOWSsystem
»»»»»»»»»»»»»»»»»»»»»»»» C:WINDOWSWeb
»»»»»»»»»»»»»»»»»»»»»»»» C:WINDOWSsystem32
»»»»»»»»»»»»»»»»»»»»»»»» Cocuments and SettingsMichal
»»»»»»»»»»»»»»»»»»»»»»»» Cocuments and SettingsMichalApplication Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» COCUME~1MichalUlubione
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» Crogram Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler''s .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
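The O4 (Run keys) and O23 (services) lines in the HijackThis log above are what a helper triages by hand: the publisher field, the quoting of the command line, and the "(file missing)" verdict. The following Python triage script is an added example, not code from the thread or from HijackThis; it assumes the HijackThis 1.99.1 line layout seen above, and the sample lines are constructed (modelled on the log with the backslashes restored), so nothing here is read from a live machine.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in HijackThis 1.99.1 layout, modelled on the log quoted
# above with backslashes restored; these lines are not copied from the post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32 (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

# O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O23 - Service: Display Name - Publisher - command line [(file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First quoted token, or the shortest prefix ending in .exe
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)', re.IGNORECASE)
MISSING = "(file missing)"


@dataclass
class Entry:
    kind: str                 # "O4" or "O23"
    name: str                 # Run value name or service display name
    exe: str                  # executable as parsed from the command line
    args: str                 # whatever followed the executable
    flags: List[str] = field(default_factory=list)


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments the way the loader would."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip(), ""
    return (m.group("q") or m.group("u")), cmd[m.end():].strip()


def triage(line: str) -> Optional[Entry]:
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        e = Entry("O4", m.group("name"), exe, args)
        # An unquoted path with spaces is resolved token by token, so a
        # planted C:\Program.exe would win; worth quoting or investigating.
        if " " in exe and not m.group("cmd").startswith('"'):
            e.flags.append("unquoted path with spaces")
        if "\\" in m.group("name"):
            e.flags.append("value name is a full path")
        return e
    m = O23_RE.match(line)
    if m:
        cmd = m.group("cmd")
        missing = cmd.endswith(MISSING)
        if missing:
            cmd = cmd[: -len(MISSING)].strip()
        exe, args = split_command(cmd)
        e = Entry("O23", m.group("display"), exe, args)
        if m.group("owner") == "Unknown owner":
            e.flags.append("no publisher")
        if missing:
            # HijackThis tests the whole ImagePath as a file; when arguments or
            # a stray quote follow the .exe, the verdict may be a parsing
            # artefact, so check the binary on disk before removing the entry.
            e.flags.append("file missing (verify: has args)" if args else "file missing")
        return e
    return None


def triage_log(text: str) -> List[Entry]:
    """Parse every O4/O23 line of a HijackThis log into flagged entries."""
    return [e for e in (triage(l) for l in text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        mark = "<<!>>" if e.flags else "     "
        print(f"{mark} {e.kind} {e.name!r}: {e.exe} {e.args!r} {e.flags}")
```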
Posts: 108 | Threads: 4 | Joined: 13.07.2006 | Reputation: 0
Quote: »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
Rootkit pe386 - use the tool [To see links, register here]
Posts: 4 | Threads: 1 | Joined: 21.07.2006 | Reputation: 0
Quote: ************************* Rustock.b-fix -- By ejvindh *************************
2006-11-09 15:28:27,20
No Rustock.b-rootkits found
******************************* End of Logfile ********************************
:shock:
Posts: 108 | Threads: 4 | Joined: 13.07.2006 | Reputation: 0
Just in case - a log from [To see links, register here], because I don't quite trust it [Rootkit tab, without the "show all" option enabled]
Posts: 4 | Threads: 1 | Joined: 21.07.2006 | Reputation: 0
I checked with GMER - everything OK [To see links, register here]
Quote: GMER 1.0.10.10122 - [To see links, register here]
Rootkit 2006-11-09 21:00:01
Windows 5.1.2600 Dodatek Service Pack 2
---- System - GMER 1.0.10 ----
SSDTsptd.sys ZwCreateKey
SSDTsptd.sys ZwEnumerateKey
SSDTsptd.sys ZwEnumerateValueKey
SSDTsptd.sys ZwOpenKey
SSDT??Crogram FilesGrisoftAVG Anti-Spyware 7.5guard.sysZwOpenProcess
SSDTsptd.sys ZwQueryKey
SSDTsptd.sys ZwQueryValueKey
SSDTsptd.sys ZwSetValueKey
SSDT??Crogram FilesGrisoftAVG Anti-Spyware 7.5guard.sysZwTerminateProcess
---- Devices - GMER 1.0.10 ----
DeviceFileSystemNtfs Ntfs IRP_MJ_CREATE 828F81D8
DeviceDriverusbuhci DeviceUSBPDO-0 IRP_MJ_CREATE 825521D8
DeviceDriver\00000109 Device\00000051 IRP_MJ_SYSTEM_CONTROL[F7383DB6]sptd.sys
DeviceDriver\00000109 Device\00000051 IRP_MJ_DEVICE_CHANGE [F739973C]sptd.sys
DeviceDriver\00000109 Device\00000051 IRP_MJ_PNP_POWER [F739277E]sptd.sys
DeviceDriverdmio DeviceDmControlDmIoDaemon IRP_MJ_CREATE829671D8
DeviceDriverdmio DeviceDmControlDmConfig IRP_MJ_CREATE829671D8
DeviceDriverdmio DeviceDmControlDmPnP IRP_MJ_CREATE 829671D8
DeviceDriverdmio DeviceDmControlDmInfo IRP_MJ_CREATE829671D8
DeviceDriverusbuhci DeviceUSBPDO-1 IRP_MJ_CREATE 825521D8
DeviceDriverFtdisk DeviceHarddiskVolume1 IRP_MJ_CREATE 828FA1D8
DeviceDriverFtdisk DeviceHarddiskVolume2 IRP_MJ_CREATE 828FA1D8
DeviceDriverCdrom DeviceCdRom0 IRP_MJ_CREATE 8257C1D8
DeviceDriverCdrom DeviceCdRom1 IRP_MJ_CREATE 8257C1D8
DeviceDriveratapi DeviceIdeIdeDeviceP1T1L0-17 IRP_MJ_CREATE 828F91D8
DeviceDriveratapi DeviceIdeIdeDeviceP1T1L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL[F7790222]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdeDeviceP1T1L0-17 IRP_MJ_SHUTDOWN [F779044A]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdePort0 IRP_MJ_CREATE 828F91D8
DeviceDriveratapi DeviceIdeIdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL[F7790222]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdePort0 IRP_MJ_SHUTDOWN [F779044A]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdeDeviceP0T0L0-3 IRP_MJ_CREATE828F91D8
DeviceDriveratapi DeviceIdeIdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN[F779044A]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdePort1 IRP_MJ_CREATE 828F91D8
DeviceDriveratapi DeviceIdeIdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL[F7790222]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdePort1 IRP_MJ_SHUTDOWN [F779044A]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdeDeviceP1T0L0-f IRP_MJ_CREATE828F91D8
DeviceDriveratapi DeviceIdeIdeDeviceP1T0L0-f IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222]AnyDVD.sys
DeviceDriveratapi DeviceIdeIdeDeviceP1T0L0-f IRP_MJ_SHUTDOWN[F779044A]AnyDVD.sys
DeviceDriverCdrom DeviceCdRom2 IRP_MJ_CREATE 8257C1D8
DeviceDriverNetBT DeviceNetBt_Wins_Export IRP_MJ_CREATE823DE990
DeviceDriverNetBT DeviceNetbiosSmb IRP_MJ_CREATE 823DE990
DeviceDriverusbuhci DeviceUSBFDO-0 IRP_MJ_CREATE 825521D8
DeviceDriverusbuhci DeviceUSBFDO-1 IRP_MJ_CREATE 825521D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_CREATE823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_CLOSEIRP_MJ_READ823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_WRITE 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_SET_INFORMATION 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_QUERY_EA823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_SET_EA823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_SHUTDOWN823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_LOCK_CONTROL823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_CLEANUP 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_QUERY_SECURITY823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_SET_SECURITY823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_POWER 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_SET_QUOTA 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_PNP 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanDatagramReceiver IRP_MJ_PNP_POWER 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_CREATE823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_CLOSEIRP_MJ_READ823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_WRITE 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_QUERY_INFORMATION 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_SET_INFORMATION 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_QUERY_EA823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_SET_EA823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_FLUSH_BUFFERS 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_DIRECTORY_CONTROL 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_DEVICE_CONTROL823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_SHUTDOWN823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_LOCK_CONTROL823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_CLEANUP 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_CREATE_MAILSLOT 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_QUERY_SECURITY823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_SET_SECURITY823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_POWER 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_SYSTEM_CONTROL823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_DEVICE_CHANGE 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_QUERY_QUOTA 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_SET_QUOTA 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_PNP 823C51D8
DeviceFileSystemMRxSmb DeviceLanmanRedirector IRP_MJ_PNP_POWER 823C51D8
DeviceDriverFtdisk DeviceFtControl IRP_MJ_CREATE 828FA1D8
DeviceDriverNetBT DeviceNetBT_Tcpip_{6B896EC0-01C4-46A5-B816-A1A213B1B22E} IRP_MJ_CREATE 823DE990
DeviceDriveragydapd9 DeviceScsiagydapd91Port2Path0Target0Lun0 IRP_MJ_CREATE 8253A1D8
DeviceDriveragydapd9 DeviceScsiagydapd91Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL[F7790222]AnyDVD.sys
DeviceDriveragydapd9 DeviceScsiagydapd91Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN [F779044A]AnyDVD.sys
DeviceDriveragydapd9 DeviceScsiagydapd91 IRP_MJ_CREATE8253A1D8
DeviceDriveragydapd9 DeviceScsiagydapd91 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222]AnyDVD.sys
DeviceDriveragydapd9 DeviceScsiagydapd91 IRP_MJ_SHUTDOWN[F779044A]AnyDVD.sys
DeviceFileSystemFastfat Fat IRP_MJ_CREATE 8236B990
DeviceFileSystemCdfs Cdfs IRP_MJ_CREATE 8238E990
Posts: 108 | Threads: 4 | Joined: 13.07.2006 | Reputation: 0
The log is incomplete, but I suspect nothing harmful should show up in it.