RootkitRevealer - please help

I decided to check my system with RootkitRevealer and I got something like this:
[quote]HKLM\SECURITY\Policy\Secrets\SAC* 2007-02-01 14:28 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2007-02-01 14:28 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\RootCertExtraction 2007-06-15 21:46 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe 2007-06-13 14:50 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe 2007-06-13 14:50 47 bytes Data mismatch between Windows API and raw hive data.[/quote]
What can I do about this? Do I have a rootkit? How do I remove it?

Replies: 5
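The RootkitRevealer output in the opening post is a flat list of discrepancies, and the two kinds it reports call for different follow-up: "Key name contains embedded nulls" means the key's name cannot be opened through the normal Win32 registry API, while "Data mismatch between Windows API and raw hive data" means the API returned a different value than the one stored in the hive file. The example below is added here and is not part of the original post or of RootkitRevealer itself: it parses lines in that layout into records, classifies them, and pulls out the Windows Firewall authorized-application entries (the `...\AuthorizedApplications\List\<exe>` keys), since a mismatch on one of those concerns which program is allowed through the firewall. The sample input is the five lines from the post; the record field names and the kind labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the five discrepancy lines quoted in the opening post,
# one entry per line as RootkitRevealer's text report lays them out.
SAMPLE_REPORT = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 2007-02-01 14:28 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2007-02-01 14:28 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\RootCertExtraction 2007-06-15 21:46 8 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe 2007-06-13 14:50 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe 2007-06-13 14:50 47 bytes Data mismatch between Windows API and raw hive data.
""".strip()

# Layout: <path> <YYYY-MM-DD HH:MM> <size> bytes <description>.  The path may
# contain spaces, so it is matched lazily up to the timestamp.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+) bytes (?P<desc>.+)$"
)
# Key fragment under which Windows Firewall (XP SP2) lists allowed programs.
FIREWALL_LIST = "\\AuthorizedApplications\\List\\"


@dataclass
class Discrepancy:
    path: str
    timestamp: str
    size: int
    description: str
    kind: str                      # embedded_nulls | api_vs_hive_mismatch | other (labels are this example's own)
    authorized_app: Optional[str]  # exe path when the key is a firewall exception entry


def classify(description: str) -> str:
    if description.startswith("Key name contains embedded nulls"):
        return "embedded_nulls"
    if description.startswith("Data mismatch between Windows API and raw hive data"):
        return "api_vs_hive_mismatch"
    return "other"


def parse_report(text: str) -> List[Discrepancy]:
    records: List[Discrepancy] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a header line from the GUI export
        path = m.group("path")
        idx = path.lower().find(FIREWALL_LIST.lower())
        app = path[idx + len(FIREWALL_LIST):] if idx >= 0 else None
        records.append(Discrepancy(path, m.group("ts"), int(m.group("size")),
                                   m.group("desc"), classify(m.group("desc")), app))
    return records


def count_by_kind(records: List[Discrepancy]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.kind] = counts.get(r.kind, 0) + 1
    return counts


def firewall_exceptions(records: List[Discrepancy]) -> Dict[str, List[str]]:
    """Map each firewall-authorized exe (case-folded) to the control sets that list it.

    The same exe under ControlSet001 and ControlSet002 means the exception
    exists in both saved control sets, not only in the one currently in use.
    """
    out: Dict[str, List[str]] = {}
    for r in records:
        if r.authorized_app is None:
            continue
        m = re.search(r"\\(ControlSet\d{3}|CurrentControlSet)\\", r.path, re.IGNORECASE)
        out.setdefault(r.authorized_app.lower(), []).append(m.group(1) if m else "?")
    return out


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(count_by_kind(recs))
    for exe, control_sets in firewall_exceptions(recs).items():
        print("firewall exception to check:", exe, "in", ", ".join(control_sets))
```

On the posted lines this yields two embedded-null entries and three API-versus-hive mismatches, and a single firewall exception, `c:\windows\system32\ienggkbc.exe`, listed in both ControlSet001 and ControlSet002; that exe is the one to look at first, because the later replies in the thread tie it to the DomainService service.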

VundoFix found exactly the two libraries I wrote about earlier: ddayw.dll and rqrstss.dll - I deleted them. Below are the logs. From HijackThis:
[quote]Logfile of HijackThis v1.99.1
Scan saved at 17:07:21, on 2007-06-17
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\programy\spf\smc.exe
E:\programy\Avast\aswUpdSv.exe
E:\programy\Avast\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\programy\Avast\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\WINDOWS\system32\ctfmon.exe
E:\programy\Ashampoo Magical Defrag\bin\aDefragService.exe
E:\programy\TrueCrypt\TrueCrypt.exe
E:\programy\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
g:\usr\MYSQL\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
E:\programy\Mała Księgowość Rzeczpospolitej\SerwerU.exe
C:\WINDOWS\system32\svchost.exe
E:\programy\Avast\ashMaiSv.exe
E:\programy\Avast\ashWebSv.exe
J:\progs\totalcmd\TOTALCMD.EXE
G:\DOKUMENTY\walka_z_rootkitem\VundoFix.exe
E:\programy\Opera\Opera.exe
E:\programy\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\wuauclt.exe
I:\wlasny\pen\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - (no file)
O4 - HKLM\..\Run: [SmcService] E:\programy\spf\smc.exe -startgui
O4 - HKLM\..\Run: [avast!] E:\programy\Avast\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [TrueCrypt] "E:\programy\TrueCrypt\TrueCrypt.exe" /q preferences /a devices
O4 - Startup: start.exe.lnk = C:\Documents and Settings\daniel\Dane aplikacji\Cream Software\start.exe
O4 - Global Startup: Ashampoo Magical Defrag.lnk = E:\programy\Ashampoo Magical Defrag\bin\aDefragCtrl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C127943-3BAC-4E9C-A448-01DA3A51A91C}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: AshampooDefragService - - E:\programy\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\programy\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\programy\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\programy\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\programy\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ienggkbc.exe (file missing)
O23 - Service: MySql - Unknown owner - g:\usr/MYSQL/bin/mysqld.exe
O23 - Service: DDE sieci (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: DSDM DDE sieci (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Serwer Małej Księgowości "Rzeczpospolitej" (SerwerMK) - Usługi Informatyczne Andrzej Ciupiński - E:\programy\Mała Księgowość Rzeczpospolitej\SerwerU.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\programy\spf\smc.exe[/quote]
From Silent Runners:
[quote]"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"ccleaner" = ""C:\Program Files\CCleaner\ccleaner.exe" /AUTO" ["Piriform Ltd"]
"TrueCrypt" = ""E:\programy\TrueCrypt\TrueCrypt.exe" /q preferences /a devices" ["TrueCrypt Foundation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SmcService" = "E:\programy\spf\smc.exe -startgui" ["Sygate Technologies, Inc."]
"avast!" = "E:\programy\Avast\ashDisp.exe" ["ALWIL Software"]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"NVMixerTray" = ""C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"" ["NVIDIA Corporation"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co., Ltd."]
"ISUSPM Startup" = "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup" ["InstallShield Software Corporation"]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]

HKLM\Software\Microsoft\Active Setup\Installed Components
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
  \StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "E:\programy\Avast\ashShell.dll" ["ALWIL Software"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "E:\programy\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}" = "Notepad++ Shell Extension"
  -> {HKLM...CLSID} = "Notepad++ Shell Extension"
     \InProcServer32\(Default) = "E:\programy\Notepad++\nppshellext.dll" ["Notepad++ team"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
     \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
  -> {HKLM...CLSID} = "Haali Column Provider"
     \InProcServer32\(Default) = "E:\programy\Combined Community Codec Pack\Filters\Haali\mmfinfo.dll" [null data]
"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"
  -> {HKCU...CLSID} = "VPCHostCopyHook"
     \InProcServer32\(Default) = "E:\programy\Microsoft Virtual PC\VPCShExH.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
     \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

HKLM\Software\Classes\PROTOCOLS\Filter
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
  -> {HKLM...CLSID} = "Haali Column Provider"
     \InProcServer32\(Default) = "E:\programy\Combined Community Codec Pack\Filters\Haali\mmfinfo.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "E:\programy\7-Zip\7-zip.dll" ["Igor Pavlov"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "E:\programy\Avast\ashShell.dll" ["ALWIL Software"]
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
  -> {HKLM...CLSID} = "Notepad++ Shell Extension"
     \InProcServer32\(Default) = "E:\programy\Notepad++\nppshellext.dll" ["Notepad++ team"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
     \InProcServer32\(Default) = "E:\programy\7-Zip\7-zip.dll" ["Igor Pavlov"]
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
  -> {HKLM...CLSID} = "Notepad++ Shell Extension"
     \InProcServer32\(Default) = "E:\programy\Notepad++\nppshellext.dll" ["Notepad++ team"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
     \InProcServer32\(Default) = "E:\programy\Avast\ashShell.dll" ["ALWIL Software"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsMenu" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoStartBanner" = (REG_DWORD) hex:0x00000001
{Remove "Click here to begin" from Start button}

"NoToolbarCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbar buttons}

"NoBandCustomize" = (REG_DWORD) hex:0x00000000
{Disable customizing browser toolbars}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop
"Wallpaper" = "G:\DOKUMENTY\SCIAGNIK\programy\yod\desktopwallpaper0.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop
"SCRNSAVE.EXE" = "none" [file not found]


Startup items in "daniel" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\daniel\Menu Start\Programy\Autostart
"start.exe" -> shortcut to: "C:\Documents and Settings\daniel\Dane aplikacji\Cream Software\start.exe" [null data]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Ashampoo Magical Defrag" -> shortcut to: "E:\programy\Ashampoo Magical Defrag\bin\aDefragCtrl.exe -startup" [" "]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions
{92780B25-18CC-41C8-B9BE-3C9C571A8263}
"ButtonText" = "Badanie"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AshampooDefragService, AshampooDefragService, "E:\programy\Ashampoo Magical Defrag\bin\aDefragService.exe" [" "]
avast! Antivirus, avast! Antivirus, ""E:\programy\Avast\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""E:\programy\Avast\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""E:\programy\Avast\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""E:\programy\Avast\ashWebSv.exe" /service" ["ALWIL Software"]
MySql, MySql, "g:\usr/MYSQL/bin/mysqld.exe" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
ProtexisLicensing, ProtexisLicensing, ""C:\Program Files\Common Files\Protexis\License Service\PSIService.exe"" [null data]
Serwer Małej Księgowości "Rzeczpospolitej", SerwerMK, "E:\programy\Mała Księgowość Rzeczpospolitej\SerwerU.exe -u" ["Usługi Informatyczne Andrzej Ciupiński"]
Sygate Personal Firewall, SmcService, "E:\programy\spf\smc.exe" ["Sygate Technologies, Inc."]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]
SUGS1 Langmon\Driver = "SUGS1LMK.DLL" ["Samsung Electronics."]


----------
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 61 seconds, including 18 seconds for message boxes)[/quote]
And ComboFix:
[quote]ComboFix 07-06-17 - G:\DOKUMENTY\walka_z_rootkitem\ComboFix.exe
"daniel" - 2007-06-17 18:01:51 - Dodatek Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-05-17 to 2007-06-17 )))))))))))))))))))))))))))))))


2007-06-17 18:01 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-17 16:43 d-------- C:\VundoFix Backups
2007-06-15 21:59 dr------- C:\DOCUME~1\LOCALS~1\Moje dokumenty
2007-06-05 12:42 d-------- C:\DOCUME~1\daniel\DANEAP~1\ACStealth4
2007-06-01 20:42 d-------- C:\WINDOWS\pss
2007-05-25 10:20 d-------- C:\DOCUME~1\daniel\DANEAP~1\SecondLife


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-16 22:31:07 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\The Bat! Pwd
2007-06-15 22:28:29 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\Notepad++
2007-06-15 18:52:06 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\foobar2000
2007-06-13 12:56:31 58,420 ----a-w C:\WINDOWS\system32\fakokeqb_dll
2007-06-13 12:48:14 903,965 --sha-w C:\WINDOWS\system32\wyadd_bak2
2007-06-08 14:32:10 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\gtk-2.0
2007-06-08 10:22:59 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-06 22:12:24 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\GanymedeNet
2007-06-05 22:09:59 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\Skype
2007-06-01 17:02:24 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\TrueCrypt
2007-06-01 11:30:14 -------- d-----w C:\Program Files\Creative
2007-05-17 13:04:46 69,270 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-05-17 13:04:46 441,214 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-05-06 14:29:31 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\Real
2007-05-06 14:29:31 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\Media Player Classic
2007-05-06 14:29:15 -------- d-----w C:\Program Files\Media Player Classic
2007-05-04 20:10:03 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\Corel
2007-05-04 15:51:23 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\Ahead
2007-05-04 15:49:36 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:23:30 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-22 19:36:53 -------- d-----w C:\DOCUME~1\daniel\DANEAP~1\Talkback
2007-04-18 16:14:32 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 20:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 20:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 20:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 20:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 20:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 20:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 20:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 20:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 20:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 20:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 17:10:58 3,296 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-15 17:10:53 88 --sh--r C:\WINDOWS\system32\BCDCDC3C58.sys
2007-04-15 16:37:21 4 ----a-w C:\WINDOWS\system32\proc1395793746.bin
2007-04-15 16:37:21 3,898 ----a-w C:\WINDOWS\mozver.dat
2007-03-17 13:45:36 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="E:\programy\spf\smc.exe" [2004-10-15 20:40]
"avast!"="E:\programy\Avast\ashDisp.exe" [2007-04-30 17:42]
"SoundMan"="SOUNDMAN.EXE" [2006-06-21 06:42 C:\WINDOWS\soundman.exe]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 18:12]
"nwiz"="nwiz.exe" [2005-07-20 15:07 C:\WINDOWS\system32\nwiz.exe]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2004-08-25 07:35]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 17:15]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-20 15:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2006-12-15 14:13]
"TrueCrypt"="E:\programy\TrueCrypt\TrueCrypt.exe" [2007-03-19 16:25]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoStartBanner"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^TB-Tray.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\TB-Tray.lnk
backup=C:\WINDOWS\pss\TB-Tray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CamTray.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-17 18:04:10
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-17 18:05:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-17 18:05

--- E O F ---[/quote]
theniel
Posted
17.06.2007 20:29:43
  • Żółty 17.06.2007 21:52:42

    Fix: [quote]O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2C127943-3BAC-4E9C-A448-01DA3A51A91C}: NameServer = 208.67.222.222,208.67.220.220[/quote]
    The second entry (O17) is the DNS addresses recommended e.g. in [url]http://www.idg.pl/news/112297/Chcesz.przyspieszyc.Internet..Zmodyfikuj.DNS..html[/url] - if you set that yourself, leave that entry alone.
    Service to remove:
    [quote]O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ienggkbc.exe (file missing)[/quote]
    At the command prompt, issue:
    [quote]sc stop DomainService
    sc delete DomainService[/quote]
    Files to delete:
    [quote]C:\WINDOWS\nircmd.exe
    C:\WINDOWS\system32\fakokeqb_dll
    C:\WINDOWS\system32\wyadd_bak2[/quote]
    Things I don't like:
    The folder C:\WINDOWS\pss - check what is in there.
    Files:
    [quote]C:\WINDOWS\system32\BCDCDC3C58.sys
    C:\WINDOWS\system32\proc1395793746.bin[/quote]
    Check their publishers (if any are listed). Alternatively, try renaming them and see whether anything happens to the system.
    The entry:
    [quote][HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "nltide3"=cmd.exe /C rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N[/quote]
    Show the contents of the file nLite.inf.
    Additionally, show the contents of the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\nm
    When done, post the logs again + that key and what sits in that inf file.
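Żółty's advice picks DomainService out of the O23 list, and the list itself shows why "(file missing)" alone is not enough to go on: HijackThis prints it for the two avast scanners as well, whose ImagePath is a quoted path followed by `/service`, while the same log shows ashMaiSv.exe and ashWebSv.exe among the running processes. The example below is added here and is not part of the original thread or of HijackThis: it parses the O23 lines and the "Running processes" list from the log, normalizes paths (case and mixed slashes, as in the MySql entry), and separates flagged services whose binary is actually running from flagged services with no vendor name whose binary is not. The sample log is an excerpt of the one posted above; the field names and the two triage functions are this example's own, the "is it running" check assumes the process list and the service ImagePath refer to the same file, and the output is a review list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt of the HijackThis log quoted above: a few lines of the
# "Running processes:" list plus every O23 (service) line, copied as posted.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
E:\programy\spf\smc.exe
E:\programy\Avast\aswUpdSv.exe
E:\programy\Avast\ashServ.exe
E:\programy\Ashampoo Magical Defrag\bin\aDefragService.exe
g:\usr\MYSQL\bin\mysqld.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
E:\programy\Mała Księgowość Rzeczpospolitej\SerwerU.exe
E:\programy\Avast\ashMaiSv.exe
E:\programy\Avast\ashWebSv.exe

O23 - Service: AshampooDefragService - - E:\programy\Ashampoo Magical Defrag\bin\aDefragService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - E:\programy\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - E:\programy\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - E:\programy\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - E:\programy\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ienggkbc.exe (file missing)
O23 - Service: MySql - Unknown owner - g:\usr/MYSQL/bin/mysqld.exe
O23 - Service: DDE sieci (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: DSDM DDE sieci (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Serwer Małej Księgowości "Rzeczpospolitej" (SerwerMK) - Usługi Informatyczne Andrzej Ciupiński - E:\programy\Mała Księgowość Rzeczpospolitej\SerwerU.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\programy\spf\smc.exe
""".strip()

O23_PREFIX = "O23 - Service: "
FILE_MISSING = "(file missing)"


@dataclass
class ServiceEntry:
    display_name: str
    owner: str             # vendor string HijackThis read from the binary; "" or "Unknown owner" if none
    path: str              # executable path with any arguments stripped
    flagged_missing: bool  # HijackThis appended "(file missing)"
    running: bool          # the same path appears in the Running processes list


def normalize(path: str) -> str:
    # Case-fold and unify slashes so "g:\usr/MYSQL/bin/mysqld.exe" in the O23
    # line matches "g:\usr\MYSQL\bin\mysqld.exe" in the process list.
    return path.strip().strip('"').replace("/", "\\").lower()


def binary_path(target: str) -> str:
    # HijackThis prints a quoted ImagePath as   path" /args   (the opening quote
    # is dropped), so text after a stray quote is arguments, not path.  For an
    # unquoted path, drop anything from the first " /" switch onward.
    target = target.strip().lstrip('"')
    if '"' in target:
        return target.split('"', 1)[0].strip()
    return re.split(r"\s+/", target, maxsplit=1)[0].strip()


def parse_log(text: str) -> List[ServiceEntry]:
    running = set()
    in_procs = False
    entries: List[ServiceEntry] = []
    for line in text.splitlines():
        if line.strip() == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line.strip():
                running.add(normalize(line))
            else:
                in_procs = False  # the list ends at the first blank line
            continue
        if not line.startswith(O23_PREFIX):
            continue
        rest = line[len(O23_PREFIX):]
        # display - owner - target; an empty owner shows up as "name - - path",
        # so split on " -" followed by whitespace rather than on " - ".
        parts = [p.strip() for p in re.split(r"\s-(?=\s)", rest, maxsplit=2)]
        if len(parts) != 3:
            continue  # malformed line: skip rather than guess
        display, owner, target = parts
        missing = target.endswith(FILE_MISSING)
        if missing:
            target = target[: -len(FILE_MISSING)]
        path = binary_path(target)
        entries.append(ServiceEntry(display, owner, path, missing,
                                    normalize(path) in running))
    return entries


def needs_review(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Flagged by HijackThis, binary not running, and no vendor name to go on."""
    return [e for e in entries
            if e.flagged_missing and not e.running and e.owner in ("", "Unknown owner")]


def false_alarms(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Flagged 'file missing' although the binary is in the process list: a quoting artifact."""
    return [e for e in entries if e.flagged_missing and e.running]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for e in needs_review(parsed):
        print("review:", e.display_name, "->", e.path)
    for e in false_alarms(parsed):
        print("flag is a quoting artifact:", e.display_name, "->", e.path)
```

On the posted excerpt `needs_review()` returns DomainService and the two NetDDE services, and `false_alarms()` returns the two avast scanners; the three on the review list still need the usual follow-up (publisher, file on disk, what the service does), which is exactly what Żółty asks for.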

Post the logs - HijackThis, SilentRunners and ComboFix. Because it does look like there is junk sitting in your system. Before making the logs, use this [url]http://www.atribune.org/content/view/24/2/[/url] - run it as many times as it takes until it finds nothing. The rest we will try to cut out by hand, based on the remaining logs. By the way - don't flood - use the edit option instead of posting post after post.
Żółty
Posted
17.06.2007 17:17:44
The most recently saved libraries in system32/ are named ddayw.dll and rqrstss.dll - does that ring a bell for anyone? I'd be grateful for help.
theniel
Posted
17.06.2007 16:35:05
GMER logs with setting 1:
[quote]GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-17 14:18:21
Windows 5.1.2600 Dodatek Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwCreateThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwMapViewOfSection
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwShutdownSystem
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\system32\DRIVERS\update.sys

---- Devices - GMER 1.0.12 ----

Device \Driver\aswTdi \Device\AswUdpFilter IRP_MJ_CREATE [F5E76220] wpsdrvnt.sys
Device \Driver\aswTdi \Device\AswUdpFilter IRP_MJ_CLOSE [F5E76480] wpsdrvnt.sys
Device \Driver\aswTdi \Device\AswUdpFilter IRP_MJ_DEVICE_CONTROL [F5E765A0] wpsdrvnt.sys
Device \Driver\aswTdi \Device\AswUdpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [F5E765D0] wpsdrvnt.sys
Device \Driver\aswTdi \Device\ASWTDI IRP_MJ_CREATE [F5E76220] wpsdrvnt.sys
Device \Driver\aswTdi \Device\ASWTDI IRP_MJ_CLOSE [F5E76480] wpsdrvnt.sys
Device \Driver\aswTdi \Device\ASWTDI IRP_MJ_DEVICE_CONTROL [F5E765A0] wpsdrvnt.sys
Device \Driver\aswTdi \Device\ASWTDI IRP_MJ_INTERNAL_DEVICE_CONTROL [F5E765D0] wpsdrvnt.sys
Device \Driver\aswTdi \Device\AswTcpFilter IRP_MJ_CREATE [F5E76220] wpsdrvnt.sys
Device \Driver\aswTdi \Device\AswTcpFilter IRP_MJ_CLOSE [F5E76480] wpsdrvnt.sys
Device \Driver\aswTdi \Device\AswTcpFilter IRP_MJ_DEVICE_CONTROL [F5E765A0] wpsdrvnt.sys
Device \Driver\aswTdi \Device\AswTcpFilter IRP_MJ_INTERNAL_DEVICE_CONTROL [F5E765D0] wpsdrvnt.sys

---- EOF - GMER 1.0.12 ----[/quote]
and with setting 2:
[quote]GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-06-17 14:20:18
Windows 5.1.2600 Dodatek Service Pack 2


---- Services - GMER 1.0.12 ----

Service .NET CLR Data
Service .NET CLR Networking
Service .NETFramework
Service [SYSTEM] Aavmker4
Service [DISABLED] Abiosdsk
Service [DISABLED] abp480n5
Service C:\WINDOWS\system32\DRIVERS\ACPI.sys [BOOT] ACPI
Service [DISABLED] ACPIEC
Service [DISABLED] adpu160m
Service C:\WINDOWS\system32\drivers\aec.sys [MANUAL] aec
Service C:\WINDOWS\System32\drivers\afd.sys [SYSTEM] AFD
Service [DISABLED] Aha154x
Service [DISABLED] aic78u2
Service [DISABLED] aic78xx
Service C:\WINDOWS\system32\drivers\ALCXWDM.SYS [MANUAL] ALCXWDM
Service C:\WINDOWS\system32\svchost.exe [AUTO] Alerter
Service C:\WINDOWS\System32\alg.exe [MANUAL] ALG
Service [DISABLED] AliIde
Service C:\WINDOWS\system32\DRIVERS\Amfilter.sys [SYSTEM] Amfilter
Service C:\WINDOWS\system32\DRIVERS\Amps2prt.sys [MANUAL] Amps2prt
Service [DISABLED] amsint
Service C:\WINDOWS\system32\DRIVERS\Amusbprt.sys [MANUAL] Amusbprt
Service C:\WINDOWS\system32\svchost.exe [MANUAL] AppMgmt
Service [DISABLED] asc
Service [DISABLED] asc3350p
Service [DISABLED] asc3550
Service E:\programy\Ashampoo Magical Defrag\bin\aDefragService.exe [AUTO] AshampooDefragService
Service ASP.NET
Service ASP.NET_1.1.4322
Service ASPI32
Service C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [MANUAL] aspnet_state
Service [AUTO] aswMon2
Service [MANUAL] aswRdr
Service [SYSTEM] aswTdi
Service E:\programy\Avast\aswUpdSv.exe [AUTO] aswUpdSv
Service C:\WINDOWS\system32\DRIVERS\asyncmac.sys [MANUAL] AsyncMac
Service [DISABLED] atapi
Service [DISABLED] Atdisk
Service C:\WINDOWS\system32\DRIVERS\atmarpc.sys [MANUAL] Atmarpc
Service C:\WINDOWS\System32\svchost.exe [AUTO] AudioSrv
Service C:\WINDOWS\system32\DRIVERS\audstub.sys [MANUAL] audstub
Service E:\programy\Avast\ashServ.exe [AUTO] avast! Antivirus
Service E:\programy\Avast\ashMaiSv.exe [MANUAL] avast! Mail Scanner
Service E:\programy\Avast\ashWebSv.exe [MANUAL] avast! Web Scanner
Service C:\WINDOWS\System32\DRIVERS\avgarkt.sys [BOOT] AVG Anti-Rootkit
Service C:\WINDOWS\System32\DRIVERS\AvgArCln.sys [SYSTEM] AvgArCln
Service BattC
Service [SYSTEM] Beep
Service C:\WINDOWS\system32\svchost.exe [MANUAL] BITS
Service C:\WINDOWS\system32\DRIVERS\blueletaudio.sys [MANUAL] BlueletAudio
Service E:\programy\BlueSoleil\BTNtService.exe [DISABLED] BlueSoleil Hid Service
Service C:\WINDOWS\system32\svchost.exe [AUTO] Browser
Service C:\WINDOWS\system32\DRIVERS\btnetdrv.sys [MANUAL] BT
Service C:\WINDOWS\System32\Drivers\btcusb.sys [MANUAL] Btcsrusb
Service C:\WINDOWS\system32\DRIVERS\vbtenum.sys [MANUAL] BTHidEnum
Service C:\WINDOWS\System32\Drivers\BTHidMgr.sys [BOOT] BTHidMgr
Service [DISABLED] cbidf2k
Service C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [MANUAL] CCDECODE
Service [DISABLED] cd20xrnt
Service [SYSTEM] Cdaudio
Service [DISABLED] Cdfs
Service C:\WINDOWS\system32\DRIVERS\cdrom.sys [SYSTEM] Cdrom
Service [SYSTEM] Changer
Service C:\WINDOWS\system32\cisvc.exe [MANUAL] CiSvc
Service C:\WINDOWS\system32\clipsrv.exe [AUTO] ClipSrv
Service [DISABLED] CmdIde
Service C:\WINDOWS\system32\dllhost.exe [MANUAL] COMSysApp
Service ContentFilter
Service ContentIndex
Service [DISABLED] Cpqarray
Service C:\WINDOWS\system32\svchost.exe [AUTO] CryptSvc
Service [DISABLED] dac2w2k
Service [DISABLED] dac960nt
Service C:\WINDOWS\system32\svchost.exe [AUTO] DcomLaunch
Service C:\WINDOWS\system32\svchost.exe [AUTO] Dhcp
Service C:\WINDOWS\system32\DRIVERS\disk.sys [BOOT] Disk
Service C:\WINDOWS\System32\dmadmin.exe [MANUAL] dmadmin
Service C:\WINDOWS\System32\drivers\dmboot.sys [DISABLED] dmboot
Service C:\WINDOWS\System32\drivers\dmio.sys [DISABLED] dmio
Service C:\WINDOWS\System32\drivers\dmload.sys [DISABLED] dmload
Service C:\WINDOWS\System32\svchost.exe [MANUAL] dmserver
Service C:\WINDOWS\system32\drivers\DMusic.sys [MANUAL] DMusic
Service C:\WINDOWS\system32\svchost.exe [AUTO] Dnscache
Service C:\WINDOWS\system32\ienggkbc.exe [AUTO] DomainService
Service [DISABLED] dpti2o
Service C:\WINDOWS\system32\drivers\drmkaud.sys [MANUAL] drmkaud
Service EPAR
Service C:\WINDOWS\System32\svchost.exe [AUTO] ERSvc
Service C:\WINDOWS\system32\services.exe [AUTO] Eventlog
Service C:\WINDOWS\system32\svchost.exe [MANUAL] EventSystem
Service [DISABLED] Fastfat
Service C:\WINDOWS\System32\svchost.exe [MANUAL] FastUserSwitchingCompatibility
Service C:\WINDOWS\system32\DRIVERS\fdc.sys [MANUAL] Fdc
Service [SYSTEM] Fips
Service C:\WINDOWS\system32\DRIVERS\flpydisk.sys [MANUAL] Flpydisk
Service C:\WINDOWS\system32\DRIVERS\fltMgr.sys [BOOT] FltMgr
Service [SYSTEM] Fs_Rec
Service C:\WINDOWS\system32\DRIVERS\ftdisk.sys [BOOT] Ftdisk
Service C:\WINDOWS\System32\DRIVERS\gmer.sys [MANUAL] gmer
Service C:\WINDOWS\system32\DRIVERS\msgpc.sys [MANUAL] Gpc
Service [MANUAL] GVCplDrv
Service C:\WINDOWS\System32\svchost.exe [AUTO] helpsvc
Service C:\WINDOWS\System32\svchost.exe [AUTO] HidServ
Service C:\WINDOWS\system32\DRIVERS\hidusb.sys [MANUAL] hidusb
Service [DISABLED] hpn
Service C:\WINDOWS\System32\Drivers\HTTP.sys [MANUAL] HTTP
Service C:\WINDOWS\System32\svchost.exe [MANUAL] HTTPFilter
Service [SYSTEM] i2omgmt
Service [DISABLED] i2omp
Service C:\WINDOWS\system32\DRIVERS\i8042prt.sys [SYSTEM] i8042prt
Service C:\WINDOWS\system32\DRIVERS\imapi.sys [SYSTEM] Imapi
Service C:\WINDOWS\system32\imapi.exe [MANUAL] ImapiService
Service inetaccs
Service [DISABLED] ini910u
Service Inport
Service [DISABLED] IntelIde
Service C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys [MANUAL] Ip6Fw
Service C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys [MANUAL] IpFilterDriver
Service C:\WINDOWS\system32\DRIVERS\ipinip.sys [MANUAL] IpInIp
Service C:\WINDOWS\system32\DRIVERS\ipnat.sys [MANUAL] IpNat
Service C:\WINDOWS\system32\DRIVERS\ipsec.sys [SYSTEM] IPSec
Service C:\WINDOWS\system32\DRIVERS\irenum.sys [MANUAL] IRENUM
Service ISAPISearch
Service C:\WINDOWS\system32\DRIVERS\isapnp.sys [BOOT] isapnp
Service C:\WINDOWS\system32\DRIVERS\k750bus.sys [MANUAL] k750bus
Service C:\WINDOWS\system32\DRIVERS\k750mdfl.sys [MANUAL] k750mdfl
Service C:\WINDOWS\system32\DRIVERS\k750mdm.sys [MANUAL] k750mdm
Service C:\WINDOWS\system32\DRIVERS\k750mgmt.sys [MANUAL] k750mgmt
Service C:\WINDOWS\system32\DRIVERS\k750obex.sys [MANUAL] k750obex
Service C:\WINDOWS\system32\DRIVERS\kbdclass.sys [SYSTEM] Kbdclass
Service C:\WINDOWS\system32\DRIVERS\kbdhid.sys [SYSTEM] kbdhid
Service C:\WINDOWS\system32\drivers\kmixer.sys [MANUAL] kmixer
Service [BOOT] KSecDD
Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanserver
Service C:\WINDOWS\system32\svchost.exe [AUTO] lanmanworkstation
Service [SYSTEM] lbrtfdc
Service ldap
Service LicenseService
Service C:\WINDOWS\system32\svchost.exe [AUTO] LmHosts
Service C:\WINDOWS\system32\svchost.exe [AUTO] Messenger
Service [MANUAL] Modem
Service C:\WINDOWS\system32\DRIVERS\mouclass.sys [SYSTEM] Mouclass
Service C:\WINDOWS\system32\DRIVERS\mouhid.sys [MANUAL] mouhid
Service [BOOT] MountMgr
Service [DISABLED] mraid35x
Service C:\WINDOWS\system32\DRIVERS\mrxdav.sys [MANUAL] MRxDAV
Service C:\WINDOWS\system32\DRIVERS\mrxsmb.sys [SYSTEM] MRxSmb
Service C:\WINDOWS\system32\msdtc.exe [MANUAL] MSDTC
Service [SYSTEM] Msfs
Service C:\WINDOWS\system32\msiexec.exe [MANUAL] MSIServer
Service C:\WINDOWS\system32\drivers\MSKSSRV.sys [MANUAL] MSKSSRV
Service C:\WINDOWS\system32\drivers\MSPCLOCK.sys [MANUAL] MSPCLOCK
Service C:\WINDOWS\system32\drivers\MSPQM.sys [MANUAL] MSPQM
Service C:\WINDOWS\system32\DRIVERS\mssmbios.sys [MANUAL] mssmbios
Service C:\WINDOWS\system32\drivers\MSTEE.sys [MANUAL] MSTEE
Service [BOOT] Mup
Service g:\usr\MYSQL\bin\mysqld.exe [AUTO] MySql
Service C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [MANUAL] NABTSFEC
Service [BOOT] NDIS
Service C:\WINDOWS\system32\DRIVERS\NdisIP.sys [MANUAL] NdisIP
Service C:\WINDOWS\system32\DRIVERS\ndistapi.sys [MANUAL] NdisTapi
Service C:\WINDOWS\system32\DRIVERS\ndisuio.sys [MANUAL] Ndisuio
Service C:\WINDOWS\system32\DRIVERS\ndiswan.sys [MANUAL] NdisWan
Service [MANUAL] NDProxy
Service C:\WINDOWS\system32\DRIVERS\netbios.sys [SYSTEM] NetBIOS Service C:\WINDOWS\system32\DRIVERS\netbt.sys [SYSTEM] NetBT Service C:\WINDOWS\system32\netdde.exe [AUTO] NetDDE Service C:\WINDOWS\system32\netdde.exe [AUTO] NetDDEdsdm Service C:\WINDOWS\system32\lsass.exe [MANUAL] Netlogon Service C:\WINDOWS\System32\svchost.exe [MANUAL] Netman Service C:\WINDOWS\system32\svchost.exe [MANUAL] Nla Service nm Service [SYSTEM] Npfs Service [DISABLED] Ntfs Service C:\WINDOWS\system32\lsass.exe [MANUAL] NtLmSsp Service C:\WINDOWS\system32\svchost.exe [MANUAL] NtmsSvc Service [SYSTEM] Null Service C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [MANUAL] nv Service C:\WINDOWS\system32\DRIVERS\nvatabus.sys [BOOT] nvatabus Service C:\WINDOWS\system32\drivers\nvax.sys [MANUAL] nvax Service C:\WINDOWS\system32\DRIVERS\nvcchflt.sys [BOOT] nvcchflt Service C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [MANUAL] NVENETFD Service C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [MANUAL] nvnetbus Service C:\WINDOWS\system32\drivers\nvapu.sys [MANUAL] nvnforce Service C:\WINDOWS\system32\DRIVERS\nvraid.sys [BOOT] nvraid Service C:\WINDOWS\system32\nvsvc32.exe [AUTO] NVSvc Service C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys [MANUAL] NwlnkFlt Service C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys [MANUAL] NwlnkFwd Service C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [MANUAL] ose Service Outlook Service C:\WINDOWS\system32\DRIVERS\parport.sys [MANUAL] Parport Service [BOOT] PartMgr Service [AUTO] ParVdm Service C:\WINDOWS\system32\DRIVERS\pci.sys [BOOT] PCI Service [SYSTEM] PCIDump Service [DISABLED] PCIIde Service [DISABLED] Pcmcia Service [MANUAL] PDCOMP Service [MANUAL] PDFRAME Service [MANUAL] PDRELI Service [MANUAL] PDRFRAME Service [DISABLED] perc2 Service [DISABLED] perc2hib Service PerfDisk Service PerfNet Service PerfOS Service PerfProc Service C:\WINDOWS\system32\services.exe [AUTO] PlugPlay Service C:\WINDOWS\system32\lsass.exe [AUTO] PolicyAgent Service 
C:\WINDOWS\system32\DRIVERS\raspptp.sys [MANUAL] PptpMiniport Service C:\WINDOWS\system32\DRIVERS\processr.sys [SYSTEM] Processor Service C:\WINDOWS\system32\lsass.exe [AUTO] ProtectedStorage Service C:\Program Files\Common Files\Protexis\License Service\PSIService.exe [AUTO] ProtexisLicensing Service C:\WINDOWS\system32\DRIVERS\psched.sys [MANUAL] PSched Service C:\WINDOWS\system32\DRIVERS\ptilink.sys [MANUAL] Ptilink Service [DISABLED] ql1080 Service [DISABLED] Ql10wnt Service [DISABLED] ql12160 Service [DISABLED] ql1240 Service [DISABLED] ql1280 Service C:\WINDOWS\system32\DRIVERS\rasacd.sys [SYSTEM] RasAcd Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasAuto Service C:\WINDOWS\system32\DRIVERS\rasl2tp.sys [MANUAL] Rasl2tp Service C:\WINDOWS\system32\svchost.exe [MANUAL] RasMan Service C:\WINDOWS\system32\DRIVERS\raspppoe.sys [MANUAL] RasPppoe Service C:\WINDOWS\system32\DRIVERS\raspti.sys [MANUAL] Raspti Service C:\WINDOWS\system32\DRIVERS\rdbss.sys [SYSTEM] Rdbss Service C:\WINDOWS\System32\DRIVERS\RDPCDD.sys [SYSTEM] RDPCDD Service RDPDD Service RDPNP Service [MANUAL] RDPWD Service C:\WINDOWS\system32\sessmgr.exe [MANUAL] RDSessMgr Service C:\WINDOWS\system32\DRIVERS\redbook.sys [SYSTEM] redbook Service C:\WINDOWS\system32\svchost.exe [AUTO] RemoteAccess Service C:\WINDOWS\System32\Drivers\RootMdm.sys [MANUAL] ROOTMODEM Service C:\WINDOWS\system32\locator.exe [MANUAL] RpcLocator Service C:\WINDOWS\system32\svchost.exe [AUTO] RpcSs Service C:\WINDOWS\system32\rsvp.exe [MANUAL] RSVP Service C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys [MANUAL] RTL8023xp Service C:\WINDOWS\system32\lsass.exe [AUTO] SamSs Service C:\WINDOWS\System32\SCardSvr.exe [MANUAL] SCardSvr Service C:\WINDOWS\System32\svchost.exe [AUTO] Schedule Service C:\WINDOWS\system32\DRIVERS\secdrv.sys [MANUAL] Secdrv Service C:\WINDOWS\System32\svchost.exe [AUTO] seclogon Service C:\WINDOWS\system32\svchost.exe [AUTO] SENS Service C:\WINDOWS\system32\DRIVERS\serenum.sys [MANUAL] serenum Service 
C:\WINDOWS\system32\DRIVERS\serial.sys [SYSTEM] Serial Service E:\programy\Ma?a [AUTO] SerwerMK Service [SYSTEM] Sfloppy Service C:\WINDOWS\system32\svchost.exe [AUTO] SharedAccess Service C:\WINDOWS\System32\svchost.exe [AUTO] ShellHWDetection Service Si3132r5 Service [DISABLED] Simbad Service C:\WINDOWS\system32\DRIVERS\SLIP.sys [MANUAL] SLIP Service E:\programy\spf\smc.exe [AUTO] SmcService Service [DISABLED] Sparrow Service system32\DRIVERS\splitcam.sys [MANUAL] SPLITCAM Service C:\WINDOWS\system32\drivers\splitter.sys [MANUAL] splitter Service C:\WINDOWS\system32\spoolsv.exe [AUTO] Spooler Service C:\WINDOWS\system32\DRIVERS\sr.sys [BOOT] sr Service C:\WINDOWS\system32\svchost.exe [AUTO] srservice Service C:\WINDOWS\system32\DRIVERS\srv.sys [MANUAL] Srv Service C:\WINDOWS\system32\svchost.exe [MANUAL] SSDPSRV Service C:\WINDOWS\system32\svchost.exe [AUTO] stisvc Service C:\WINDOWS\system32\DRIVERS\StreamIP.sys [MANUAL] streamip Service G:\DOKUMENTY\walka_z_rootkitem\svv-2.3-bin\svv.sys [MANUAL] SVV Service C:\WINDOWS\system32\DRIVERS\swenum.sys [MANUAL] swenum Service C:\WINDOWS\system32\drivers\swmidi.sys [MANUAL] swmidi Service C:\WINDOWS\system32\dllhost.exe [MANUAL] SwPrv Service [DISABLED] symc810 Service [DISABLED] symc8xx Service [DISABLED] sym_hi Service [DISABLED] sym_u3 Service C:\WINDOWS\system32\drivers\sysaudio.sys [MANUAL] sysaudio Service C:\WINDOWS\system32\smlogsvc.exe [MANUAL] SysmonLog Service C:\WINDOWS\System32\svchost.exe [MANUAL] TapiSrv Service C:\WINDOWS\system32\DRIVERS\tcpip.sys [SYSTEM] Tcpip Service [MANUAL] TDPIPE Service [MANUAL] TDTCP Service C:\WINDOWS\SYSTEM32\Drivers\Teefer.sys [BOOT] Teefer Service C:\WINDOWS\system32\DRIVERS\termdd.sys [SYSTEM] TermDD Service C:\WINDOWS\System32\svchost.exe [MANUAL] TermService Service C:\WINDOWS\System32\svchost.exe [AUTO] Themes Service [DISABLED] TosIde Service C:\WINDOWS\system32\svchost.exe [AUTO] TrkWks Service C:\WINDOWS\System32\drivers\truecrypt.sys [SYSTEM] truecrypt Service TSDDD 
Service [DISABLED] Udfs Service [DISABLED] ultra Service C:\WINDOWS\system32\DRIVERS\update.sys [MANUAL] Update Service C:\WINDOWS\system32\svchost.exe [MANUAL] upnphost Service C:\WINDOWS\System32\ups.exe [MANUAL] UPS Service C:\WINDOWS\system32\drivers\usbaudio.sys [MANUAL] usbaudio Service C:\WINDOWS\system32\DRIVERS\usbccgp.sys [MANUAL] usbccgp Service C:\WINDOWS\system32\DRIVERS\usbehci.sys [MANUAL] usbehci Service C:\WINDOWS\system32\DRIVERS\usbhub.sys [MANUAL] usbhub Service C:\WINDOWS\system32\DRIVERS\usbohci.sys [MANUAL] usbohci Service C:\WINDOWS\system32\DRIVERS\usbprint.sys [MANUAL] usbprint Service C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [MANUAL] USBSTOR Service C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [MANUAL] V0260VID Service C:\WINDOWS\system32\DRIVERS\VComm.sys [MANUAL] VComm Service C:\WINDOWS\System32\Drivers\VcommMgr.sys [MANUAL] VcommMgr Service C:\WINDOWS\System32\drivers\vga.sys [SYSTEM] VgaSave Service [DISABLED] ViaIde Service C:\WINDOWS\system32\Drivers\vmm.sys [SYSTEM] vmm Service [BOOT] VolSnap Service C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys [MANUAL] VPCNetS2 Service [DISABLED] vsdatant Service C:\WINDOWS\System32\vssvc.exe [MANUAL] VSS Service C:\WINDOWS\system32\DRIVERS\VX3000.sys [MANUAL] VX3000 Service C:\WINDOWS\system32\DRIVERS\VX6000Xp.sys [MANUAL] VX6000 Service C:\WINDOWS\System32\svchost.exe [AUTO] W32Time Service W3SVC Service C:\WINDOWS\system32\DRIVERS\wanarp.sys [MANUAL] Wanarp Service [MANUAL] WDICA Service C:\WINDOWS\system32\drivers\wdmaud.sys [MANUAL] wdmaud Service C:\WINDOWS\system32\svchost.exe [AUTO] WebClient Service C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [AUTO] wg3n Service C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [AUTO] wg4n Service C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [AUTO] wg5n Service C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [AUTO] wg6n Service C:\WINDOWS\system32\svchost.exe [AUTO] winmgmt Service [MANUAL] Winsock Service WinSock2 Service WinTrust Service C:\WINDOWS\System32\svchost.exe [MANUAL] WmdmPmSN Service 
WmiApRpl Service C:\WINDOWS\system32\wbem\wmiapsrv.exe [MANUAL] WmiApSrv Service C:\Program Files\Windows Media Player\WMPNetwk.exe [MANUAL] WMPNetworkSvc Service C:\WINDOWS\system32\drivers\wpsdrvnt.sys [SYSTEM] wpsdrvnt Service [SYSTEM] WS2IFSL Service C:\WINDOWS\System32\svchost.exe [AUTO] wscsvc Service C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [MANUAL] WSTCODEC Service C:\WINDOWS\system32\svchost.exe [AUTO] wuauserv Service C:\WINDOWS\system32\DRIVERS\WudfPf.sys [MANUAL] WudfPf Service C:\WINDOWS\system32\DRIVERS\wudfrd.sys [MANUAL] WudfRd Service C:\WINDOWS\system32\svchost.exe [MANUAL] WudfSvc Service C:\WINDOWS\System32\svchost.exe [AUTO] WZCSVC Service C:\WINDOWS\System32\svchost.exe [MANUAL] xmlprov Service {28250C21-F4D8-4097-B77F-F8187A6005F0} Service {2C127943-3BAC-4E9C-A448-01DA3A51A91C} Service {6F6F12B9-B3E8-4241-9A3A-FD5272F2DF2E} Service {E09EF8A0-3D74-488F-A565-17B7340F314D} ---- EOF - GMER 1.0.12 ---- [/quote]
I know something is sitting in here, because an IE window with an ad pops up from time to time :/ I should add that I only use Opera, and IE opens for reasons unknown to me... I renamed the file ienggkbc.exe to ienggkbc_exe; I have no idea what it is for (but I have added it to the list of suspects ;) ). I did this as a test, and unfortunately it did not help: IE still opens by itself sometimes...
theniel
Added
17.06.2007 16:24:20
[quote]HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe 2007-06-13 14:50 47 bytes Data mismatch between Windows API and raw hive data. HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe[/quote]
The registry value changed during the scan; you must have clicked something, but it is better to check. Post logs from [b]gmer[/b].
[b]Gmer[/b] http://www.gmer.net/index.php?lang=pl with these settings:
1. Rootkit => Scan => without ticking Show all => when it finishes, Copy => Ctrl + V, paste into the post
2. Rootkit => only Show all + Services ticked => Scan => Copy => Ctrl + V, paste into the post
Wiewia
Added
16.06.2007 13:08:03
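The two logs in this thread point at the same thing from different angles: GMER lists C:\WINDOWS\system32\ienggkbc.exe as an AUTO-start service called DomainService, and RootkitRevealer reports a Windows API / raw hive mismatch on the Windows Firewall AuthorizedApplications entry for the same executable. The script below is an added example (not code from GMER, RootkitRevealer, or the posters) that parses both formats and cross-references them, so the service whose binary was also whitelisted in the firewall is flagged automatically. The sample lines are constructed to mirror the formats quoted above (the benign entries are made up for contrast), and the "machine-generated name" check (a long run of consonants in the file name) is an assumed heuristic, not a rule from either tool.

```python
"""Triage a GMER 'Services' dump against RootkitRevealer output.

Added example for this thread; not code from GMER, RootkitRevealer or the
original poster. A service is flagged when (a) its image path also appears
in a RootkitRevealer discrepancy on the Windows Firewall AuthorizedApplications
list and/or (b) its file name looks machine-generated (long consonant run;
an assumed heuristic, not a rule from either tool).
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample input modelled on the formats posted in the thread.
# The ienggkbc.exe entries mirror the posted logs; the other lines are
# made-up benign entries for contrast.
GMER_SERVICES = r"""
Service C:\WINDOWS\system32\svchost.exe [AUTO] Dnscache
Service C:\WINDOWS\system32\ienggkbc.exe [AUTO] DomainService
Service [DISABLED] dpti2o
Service C:\WINDOWS\system32\DRIVERS\gmer.sys [MANUAL] gmer
Service E:\programy\Avast\ashServ.exe [AUTO] avast! Antivirus
Service ASP.NET
"""

RKR_OUTPUT = r"""
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe 2007-06-13 14:50 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\ienggkbc.exe 2007-06-13 14:50 47 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Example\Stamp 2007-06-13 14:51 4 bytes Data mismatch between Windows API and raw hive data.
"""

# GMER: "Service <image> [START] <name>". The image is absent for some
# entries; lines with no [START] token (e.g. "Service ASP.NET") are skipped.
SERVICE_RE = re.compile(
    r"^Service\s+(?:(?P<image>\S.*?)\s+)?\[(?P<start>[A-Z]+)\]\s+(?P<name>.+?)\s*$"
)
# RootkitRevealer: "<key> YYYY-MM-DD HH:MM <size> bytes <description>"
RKR_RE = re.compile(
    r"^(?P<key>.+?)\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+(?P<size>\d+)\s+bytes\s+(?P<desc>.+?)\s*$"
)
FIREWALL_LIST = "\\AuthorizedApplications\\List\\"


class Service(NamedTuple):
    image: Optional[str]
    start: str
    name: str


def parse_gmer_services(text: str) -> List[Service]:
    """Parse the GMER 'Services' listing, one entry per line."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            services.append(Service(m["image"], m["start"], m["name"]))
    return services


def firewall_whitelist_discrepancies(text: str) -> Dict[str, str]:
    """Map lower-cased exe path -> discrepancy text for every RootkitRevealer
    line that sits under the Windows Firewall AuthorizedApplications list."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = RKR_RE.match(line.strip())
        if not m:
            continue
        pos = m["key"].find(FIREWALL_LIST)
        if pos != -1:
            exe = m["key"][pos + len(FIREWALL_LIST):]
            found[exe.lower()] = m["desc"]
    return found


def longest_consonant_run(stem: str) -> int:
    """Length of the longest run of consonants (y counted as a vowel)."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(gmer_text: str, rkr_text: str, max_run: int = 5) -> Dict[str, List[str]]:
    """Return {image path: [reasons]} for services worth a closer look."""
    whitelisted = firewall_whitelist_discrepancies(rkr_text)
    findings: Dict[str, List[str]] = {}
    for svc in parse_gmer_services(gmer_text):
        if not svc.image:
            continue
        reasons = []
        if svc.image.lower() in whitelisted:
            reasons.append(
                f"service '{svc.name}' [{svc.start}] has a firewall whitelist entry "
                f"flagged by RootkitRevealer: {whitelisted[svc.image.lower()]}"
            )
        stem = svc.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if longest_consonant_run(stem) >= max_run:  # assumed heuristic threshold
            reasons.append(f"file name '{stem}' looks machine-generated")
        if reasons:
            findings[svc.image] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in triage(GMER_SERVICES, RKR_OUTPUT).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

Feed it the real logs by reading the two files instead of the constructed strings; the GMER parser expects one `Service ...` entry per line as the tool writes it, not the flattened form the forum software produced above. A hit on the firewall cross-check is the strong signal; the name heuristic alone only orders the list for manual review.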
theniel
Added:
16.06.2007 00:06:43
Comments:
5