Don't download cracks from suspicious sources
#1
I've picked up a "friend" that keeps informing me my system is infected. It is so helpful that it offers to remove those viruses! Not for free, of course....

Can someone help me kick it out on its ear?

Quote: Logfile of HijackThis v1.99.1
Scan saved at 23:06:48, on 2006-11-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Icecast2 Win32\icecastService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iVideoCodec\pmsngr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PowerDVD\PDVDServ.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Konnekt\konnekt.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\iVideoCodec\pmmon.exe
C:\Program Files\iVideoCodec\isamini.exe
C:\Program Files\iVideoCodec\isamonitor.exe
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
C:\DOCUME~1\Michal\USTAWI~1\Temp\_tc\HijackThis.exe

O2 - BHO: (no name) - {274c0420-ebe0-4f1d-b473-edd1aa9b85dd} - C:\Program Files\iVideoCodec\isaddon.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Konnekt] "C:\Program Files\Konnekt\konnekt.exe" /autostart
O4 - HKCU\..\Run: [VirtualDiskAutomount] rundll32 "C:\totalcmd\plugins\wfx\VirtualDisk\VirtualDisk.wfx",MountAfterReboot
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32 (file missing)
O23 - Service: NBService - Nero AG - D:\Ahead Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
#2
First of all:
Quote: C:\DOCUME~1\Michal\USTAWI~1\Temp\_tc\HijackThis.exe

Don't run HijackThis from the temporary folder - create a new folder for it on the disk

As for the problem and the log, use the tool ->

[link]

(in safe mode, with option 2)

After the treatment, a new HijackThis log + a log from

[link]

+ a report from SmitFraudFix
#3
Thanks for the help :wink:
I cleaned the registry with SmitFraudFix, but that isaddon with "file missing" was still in HijackThis, so I removed it. And to be safe I ran AVG Anti-Spyware 7.5 (the Ewido one); it found the DLLs and removed them.

Everything is fine now; I'm posting the logs just to be sure...

HijackThis first!
Quote: Logfile of HijackThis v1.99.1
Scan saved at 12:45:47, on 2006-11-08
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Icecast2 Win32\icecastService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\PowerDVD\PDVDServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\WhatPulse\WhatPulse.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\Mozilla Firefox 2 Beta 2\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\NOTEPAD.EXE
c:\Hijack\HijackThis.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] D:\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32 (file missing)
O23 - Service: NBService - Nero AG - D:\Ahead Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


Now Silent Runners
Quote: "Silent Runners.vbs", revision 49,

[link]

Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AtiTrayTools" = ""C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]
"WhatPulse" = "C:\Program Files\WhatPulse\WhatPulse.exe" ["WhatPulse.org"]
"AnyDVD" = "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]
"C:\Program Files\NetMeter\NetMeter.exe" = "C:\Program Files\NetMeter\NetMeter.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"LogonStudio" = ""C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM" ["Stardock and Luca Saggese"]
"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
"RemoteControl" = "D:\PowerDVD\PDVDServ.exe" ["Cyberlink Corp."]
"BootSkin Startup Jobs" = ""C:\PROGRA~1\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs" [empty string]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
     \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{36518101-49AC-42CB-8E4C-40C1F328A565}" = "Rad2 Extension"
  -> {HKLM...CLSID} = "RadPropExt2 Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Rad.dll" [empty string]
"{5380C14E-C0A1-4D66-87DB-5995E6FF4623}" = "Rad Extension"
  -> {HKLM...CLSID} = "RadPropExt Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\Rad.dll" [empty string]
"{75B8D633-9021-442C-9EA4-FF4BE72CE20F}" = "NRad2 Extension"
  -> {HKLM...CLSID} = "NRadExt2 Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\NRad.dll" ["ChrisW"]
"{C6844A1E-2C59-415A-84B3-C6A458372779}" = "RadType Extension"
  -> {HKLM...CLSID} = "RadTypeExt Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\RadType.dll" [empty string]
"{D00900BC-23F7-4FD6-BFA2-8232112C5C49}" = "NRad Extension"
  -> {HKLM...CLSID} = "NRadExt Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\NRad.dll" ["ChrisW"]
"{D2FD83AE-994A-4D4B-9097-2C9E11ED85F0}" = "RadClkr Extension"
  -> {HKLM...CLSID} = "RadClkRExt Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\RadClkR.dll" [empty string]
"{7700EB62-DB7C-47AF-A092-04376CA1D24C}" = "RadMnu Extension"
  -> {HKLM...CLSID} = "RadMnuExt Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\RadMnu.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\SHDOCVW.DLL" [MS]
"{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}" = "Notepad++ Shell Extension"
  -> {HKLM...CLSID} = "Notepad++ Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}" = "jetAudio"
  -> {HKLM...CLSID} = "JetFlExt"
     \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{35B2861B-2B26-4691-9FF0-09083722C736}" = "RadExe Extension"
  -> {HKLM...CLSID} = "RadExeExt Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\RadExe.dll" [empty string]
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
  -> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
  -> {HKLM...CLSID} = "Notepad++ Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
  -> {HKLM...CLSID} = "CContextScan Object"
     \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
  -> {HKLM...CLSID} = "JetFlExt"
     \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
NppShellExt\(Default) = "{1CE8B2C9-EAEF-43fc-8218-F092E4F94A47}"
  -> {HKLM...CLSID} = "Notepad++ Shell Extension"
     \InProcServer32\(Default) = "C:\Program Files\Notepad++\nppshellext.dll" ["Notepad++ team"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
jetAudio\(Default) = "{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"
  -> {HKLM...CLSID} = "JetFlExt"
     \InProcServer32\(Default) = "C:\Program Files\JetAudio\JetFlExt.dll" ["JetAudio, Inc."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
     \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMBalloonTip" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"CDRAutoRun" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoLowDiskSpaceChecks" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"MemCheckBoxInRunDlg" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoAutoTrayNotify" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveTrack" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoStartBanner" = (REG_BINARY) hex:01 00 00 00
{Remove "Click here to begin" from Start button}

"NoWelcomeScreen" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoRecentDocsNetHood" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoDesktopCleanupWizard" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoRemoteRecursiveEvents" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoStrCmpLogical" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

"NoClose" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions\

"NoUpdateCheck" = (REG_DWORD) hex:0x00000001
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"RunStartupScriptSync" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SynchronousMachineGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"SynchronousUserGroupPolicy" = (REG_DWORD) hex:0x00000000
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
Icecast Media Server, Icecast, ""C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32"" [null data]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 124 seconds, including 8 seconds for message boxes)


And the SmitFraudFix one
Quote: SmitFraudFix v2.119

Scan done at 12:49:40,66, 2006-11-08
Run from c:\Hijack\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600]- Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michal


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michal\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Michal\Ulubione


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
#4
Quote: »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32

The pe386 rootkit - use the tool

[link]
#5
Quote: ************************* Rustock.b-fix -- By ejvindh *************************
2006-11-09 15:28:27,20


No Rustock.b-rootkits found


******************************* End of Logfile ********************************

:shock:
#6
Just in case - a log from

[link]

, because I'm not convinced [Rootkit tab, without the "show all" option enabled]
#7
I checked with GMER - everything is ok

[link]

Quote: GMER 1.0.10.10122 -

[link]

Rootkit 2006-11-09 21:00:01
Windows 5.1.2600 Dodatek Service Pack 2


---- System - GMER 1.0.10 ----

SSDT sptd.sys ZwCreateKey
SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey
SSDT sptd.sys ZwOpenKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT sptd.sys ZwQueryKey
SSDT sptd.sys ZwQueryValueKey
SSDT sptd.sys ZwSetValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 828F81D8
Device \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE 825521D8
Device \Driver\00000109 \Device\00000051 IRP_MJ_SYSTEM_CONTROL [F7383DB6] sptd.sys
Device \Driver\00000109 \Device\00000051 IRP_MJ_DEVICE_CHANGE [F739973C] sptd.sys
Device \Driver\00000109 \Device\00000051 IRP_MJ_PNP_POWER [F739277E] sptd.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE 829671D8
Device \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE 829671D8
Device \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE 829671D8
Device \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE 829671D8
Device \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE 825521D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE 828FA1D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 IRP_MJ_CREATE 828FA1D8
Device \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE 8257C1D8
Device \Driver\Cdrom \Device\CdRom1 IRP_MJ_CREATE 8257C1D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_CREATE 828F91D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 IRP_MJ_SHUTDOWN [F779044A] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_CREATE 828F91D8
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F779044A] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_CREATE 828F91D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN [F779044A] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_CREATE 828F91D8
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F779044A] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_CREATE 828F91D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222] AnyDVD.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f IRP_MJ_SHUTDOWN [F779044A] AnyDVD.sys
Device \Driver\Cdrom \Device\CdRom2 IRP_MJ_CREATE 8257C1D8
Device \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE 823DE990
Device \Driver\NetBT \Device\NetbiosSmb IRP_MJ_CREATE 823DE990
Device \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE 825521D8
Device \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE 825521D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP_POWER 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP 823C51D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP_POWER 823C51D8
Device \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE 828FA1D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6B896EC0-01C4-46A5-B816-A1A213B1B22E} IRP_MJ_CREATE 823DE990
Device \Driver\agydapd9 \Device\Scsi\agydapd91Port2Path0Target0Lun0 IRP_MJ_CREATE 8253A1D8
Device \Driver\agydapd9 \Device\Scsi\agydapd91Port2Path0Target0Lun0 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222] AnyDVD.sys
Device \Driver\agydapd9 \Device\Scsi\agydapd91Port2Path0Target0Lun0 IRP_MJ_SHUTDOWN [F779044A] AnyDVD.sys
Device \Driver\agydapd9 \Device\Scsi\agydapd91 IRP_MJ_CREATE 8253A1D8
Device \Driver\agydapd9 \Device\Scsi\agydapd91 IRP_MJ_INTERNAL_DEVICE_CONTROL [F7790222] AnyDVD.sys
Device \Driver\agydapd9 \Device\Scsi\agydapd91 IRP_MJ_SHUTDOWN [F779044A] AnyDVD.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE 8236B990
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE 8238E990
#8
The log is incomplete, but I suspect nothing harmful should show up in it.