xentaxa, posted 12 October 2009

Probably a rootkit, help needed

Hello everyone, I have a problem with my system. The symptoms are excessive use of resources (CPU and memory) and a strangely behaving disk (constantly active); overall the system slows down terribly, programs start very slowly, Explorer hangs, and so on. Here is the GMER log; if anyone knows what to do about it, I would be very grateful for help.

GMER 1.0.15.15125 - http://www.gmer.net
Rootkit scan 2009-10-11 16:16:52
Windows 6.1.7600
Running: vicuwbyk.exe; Driver: C:\Users\Sise\AppData\Local\Temp\kxldypow.sys

---- System - GMER 1.0.15 ----

SSDT 858E6B70 ZwAlertResumeThread
SSDT 858E6C50 ZwAlertThread
SSDT 858E4570 ZwAllocateVirtualMemory
SSDT 8579EBB8 ZwAlpcConnectPort
SSDT 858E6318 ZwAssignProcessToJobObject
SSDT 858E68C0 ZwCreateMutant
SSDT 858F1008 ZwCreateSymbolicLinkObject
SSDT 858E06E0 ZwCreateThread
SSDT 858E6128 ZwCreateThreadEx
SSDT 858E63F8 ZwDebugActiveProcess
SSDT 858E4740 ZwDuplicateObject
SSDT 858DF370 ZwFreeVirtualMemory
SSDT 858E69B0 ZwImpersonateAnonymousToken
SSDT 858E6A90 ZwImpersonateThread
SSDT 8583CC18 ZwLoadDriver
SSDT 858DF270 ZwMapViewOfSection
SSDT 858E67E0 ZwOpenEvent
SSDT 858E0588 ZwOpenProcess
SSDT 858E4660 ZwOpenProcessToken
SSDT 858E6620 ZwOpenSection
SSDT 858E0498 ZwOpenThread
SSDT 858E6228 ZwProtectVirtualMemory
SSDT 858E6D30 ZwResumeThread
SSDT 858E6FD0 ZwSetContextThread
SSDT 858DF0A0 ZwSetInformationProcess
SSDT 858E64D8 ZwSetSystemInformation
SSDT 858E6700 ZwSuspendProcess
SSDT 858E6E10 ZwSuspendThread
SSDT 858DB4A8 ZwTerminateProcess
SSDT 858E6EF0 ZwTerminateThread
SSDT 858DF190 ZwUnmapViewOfSection
SSDT 858E4480 ZwWriteVirtualMemory

INT 0x30 \SystemRoot\system32\halacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82823CA4
INT 0x38 \SystemRoot\system32\halacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82814C6C

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 8286F8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8288F3B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 139B 82896628 8 Bytes [70, 6B, 8E, 85, 50, 6C, 8E, ...] {JO 0x6d; MOV ES, [EBP-0x7a7193b0]}
.text ntoskrnl.exe!KeRemoveQueueEx + 13B3 82896640 4 Bytes [70, 45, 8E, 85]
.text ntoskrnl.exe!KeRemoveQueueEx + 13BF 8289664C 4 Bytes [B8, EB, 79, 85]
.text ntoskrnl.exe!KeRemoveQueueEx + 1413 828966A0 4 Bytes [18, 63, 8E, 85]
.text ntoskrnl.exe!KeRemoveQueueEx + 148F 8289671C 4 Bytes [C0, 68, 8E, 85] {SHR BYTE [EAX-0x72], 0x85}
.text ...
? System32\Drivers\spkc.sys System nie może odnaleźć określonej ścieżki. !
.text USBPORT.SYS!DllUnload 91B86CA0 5 Bytes JMP 864651D8
.text aorewt0c.SYS 929C4000 22 Bytes [70, 46, 81, 82, 94, 49, 81, ...]
.text aorewt0c.SYS 929C4017 85 Bytes [00, DE, D7, 30, 89, E6, D5, ...]
.text aorewt0c.SYS 929C406D 29 Bytes [C0, 86, 82, 50, E1, 88, 82, ...]
.text aorewt0c.SYS 929C408B 19 Bytes [82, 9C, E3, 88, 82, CC, 33, ...]
.text aorewt0c.SYS 929C409F 34 Bytes [82, C0, AC, 86, 82, E8, D0, ...]
.text ...
.text peauth.sys 946A3C9D 28 Bytes [C4, 3E, 22, 5A, BF, 6B, 38, ...]
.text peauth.sys 946A3CC1 28 Bytes [C4, 3E, 22, 5A, BF, 6B, 38, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [89233C4C] \SystemRoot\System32\Drivers\spkc.sys
IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [89233CA0] \SystemRoot\System32\Drivers\spkc.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [89203042] \SystemRoot\System32\Drivers\spkc.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [892036D6] \SystemRoot\System32\Drivers\spkc.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [89203800] \SystemRoot\System32\Drivers\spkc.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8920313E] \SystemRoot\System32\Drivers\spkc.sys
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortNotification] 000003E3
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortQuerySystemTime] 8B24568B
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortReadPortUchar] 50522046
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortStallExecution] FFEC9FE8
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortWritePortUchar] 08C483FF
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortWritePortUlong] 0874FF85
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortGetPhysicalAddress] FF53006A
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 08C483D7
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortGetScatterGatherList] 81107D8B
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortGetParentBusType] 0003E5FF
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortRequestCallback] 0F840F00
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 81000001
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0003E3FF
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortCompleteRequest] EC840F00
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortCopyMemory] 8B000000
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortEtwTraceLog] 0001F88E
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] FC8E0B00
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 0F000001
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 0000DA84
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortReadPortBufferUshort] ECD8E800
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortInitialize] 8E8BFFFF
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortGetDeviceBase] 000001F8
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[ataport.SYS!AtaPortDeviceStateChange] 01E08E01
IAT \SystemRoot\System32\Drivers\aorewt0c.SYS[NTOSKRNL.exe!KeTickCount] 74000000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\rundll32.exe[3524] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757C5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3524] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [757C5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3524] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [757C5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3524] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [757C5D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 848761F8
Device \FileSystem\udfs \UdfsCdRom 870F81F8
Device \FileSystem\udfs \UdfsDisk 870F81F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{21623726-D6AF-42FD-ADA6-CB2E62FF1245} 858681F8
Device \Driver\volmgr \Device\VolMgrControl 848721F8
Device \Driver\usbuhci \Device\USBPDO-0 864661F8
Device \Driver\usbuhci \Device\USBPDO-1 864661F8
Device \Driver\usbuhci \Device\USBPDO-2 864661F8
Device \Driver\usbuhci \Device\USBPDO-3 864661F8
Device \Driver\usbehci \Device\USBPDO-4 86469500
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\volmgr \Device\HarddiskVolume1 848721F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 848721F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 857961F8
Device \Driver\volmgr \Device\HarddiskVolume3 848721F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom1 857961F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 848741F8
Device \Driver\atapi \Device\Ide\IdePort0 848741F8
Device \Driver\atapi \Device\Ide\IdePort1 848741F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 848741F8
Device \Driver\volmgr \Device\HarddiskVolume4 848721F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{D5BB0262-F96D-46F7-AC56-976C9819C42F} 858681F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 858681F8
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\ACPI_HAL \Device\0000005d halacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 864661F8
Device \Driver\sptd \Device\3553689984 spkc.sys
Device \Driver\PCI_PNP7104 \Device\0000006c spkc.sys
Device \Driver\usbuhci \Device\USBFDO-1 864661F8
Device \Driver\usbuhci \Device\USBFDO-2 864661F8
Device \Driver\usbuhci \Device\USBFDO-3 864661F8
Device \Driver\usbehci \Device\USBFDO-4 86469500
Device \Driver\NetBT \Device\NetBT_Tcpip_{3865C289-586A-4ADC-99F8-5079E377AC4F} 858681F8
Device \Driver\aorewt0c \Device\Scsi\aorewt0c1Port2Path0Target0Lun0 867181F8
Device \Driver\aorewt0c \Device\Scsi\aorewt0c1 867181F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00037a2944d2
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0x78 0xFF 0x03 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x9B 0xE1 0x08 0x9C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9E 0xD7 0x52 0xD7 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00037a2944d2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xAD 0x78 0xFF 0x03 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x9B 0xE1 0x08 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x9E 0xD7 0x52 0xD7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- EOF - GMER 1.0.15 ----

And this is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:09:10, on 2009-10-11
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\OO Software\CleverCache\ooccctrl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: IEPluginBHO - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Users\Sise\AppData\Roaming\Nowe Gadu-Gadu\_userdata\ggbho.1.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\coIEPlg.dll
O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
O4 - HKLM\..\Run: [ooccctrl.exe] C:\Program Files\OO Software\CleverCache\ooccctrl.exe /tasktray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Dołącz do istniejącego pliku PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Dołącz obiekt docelowy łącza do istniejącego pliku PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Konwertuj do Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Konwertuj obiekt docelowy łącza na plik Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Ściągnij przez IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Ściągnij wszystkie linki przez IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Ściągnij zawartość wideo FLV przez IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O9 - Extra button: Wpis w blogu - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Wpis w blogu w Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\Skype4COM.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: EBDBN - Unknown owner - C:\Users\Sise\AppData\Local\Temp\EBDBN.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Usługa Google Update (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: GWCXHNOT - Unknown owner - C:\Users\Sise\AppData\Local\Temp\GWCXHNOT.exe (file missing)
O23 - Service: Usługa iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: JJLQTGCF - Unknown owner - C:\Users\Sise\AppData\Local\Temp\JJLQTGCF.exe (file missing)
O23 - Service: LEVJFYAQTBT - Unknown owner - C:\Users\Sise\AppData\Local\Temp\LEVJFYAQTBT.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\17.0.0.136\ccSvcHst.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\Program Files\OO Software\Defrag\oodag.exe
O23 - Service: O&O CleverCache Agent (OOCleverCacheAgent) - O&O Software GmbH - C:\Program Files\OO Software\CleverCache\ooccag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: UQX - Unknown owner - C:\Users\Sise\AppData\Local\Temp\UQX.exe (file missing)

--
End of file - 9338 bytes
Guest, comment, 12 October 2009

Post a ComboFix log: http://www.forumpc.pl/index.php?showtopic=120614&st=0&p=837303&fromsearch=1&#entry837303 .
xentaxa (author), comment, 12 October 2009

[quote name='KamilJB' date='12 październik 2009 - 07:01 ' timestamp='1255327300' post='878843']
Post a ComboFix log: http://www.forumpc.pl/index.php?showtopic=120614&st=0&p=837303&fromsearch=1&#entry837303 .
[/quote]

Unfortunately ComboFix does not work on Windows 7; I have already tried several times.
Guest, comment, 12 October 2009

Post an OTL log: http://www.forumpc.pl/index.php?showtopic=104338&st=0&p=728645&fromsearch=1&#entry728645 .
xentaxa (author), comment, 12 October 2009

[quote name='KamilJB' date='12 październik 2009 - 14:14 ' timestamp='1255353250' post='878978']
Post an OTL log: http://www.forumpc.pl/index.php?showtopic=104338&st=0&p=728645&fromsearch=1&#entry728645 .
[/quote]

Here you go, this is the OTL log: