rootkit?

**Posty:** 95 · przez **Pl4tin3** 04 Lip 2008, 23:27

Witam,

Ostatnio komputer się zawiesza, wyskakuję BSOD z informacja o sterowniku usbport.sys albo imapi.sys. Skanowałem KAV 2009 - czysto. Przeinstalowywałem sterowniki USB i dalej jest to samo. Nie wiem co robić. Daje logi z HijackThis i GMER'a. Poza tym, miałem włamanie na pocztę, hasło trudne do zgadnięcia wiec myślę że, jest to jakiś haker co umieścił rootkit i teraz się ze mną bawi.

GMER

Kod: Zaznacz wszystko: GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2008-07-04 23:20:09 Windows 5.1.2600 Service Pack 2 ---- System - GMER 1.0.14 ---- SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwAdjustPrivilegesToken [0xF011FAB2] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwClose [0xF011FF84] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwConnectPort [0xF012171E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateFile [0xF012116A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateKey [0xF011F4EE] SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF7312A20] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateSymbolicLinkObject [0xF0122E52] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwCreateThread [0xF011FDAE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteKey [0xF011F82A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeleteValueKey [0xF011F9C8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDeviceIoControlFile [0xF0121438] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwDuplicateObject [0xF012327C] SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF73132A8] SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF731E910] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwFsControlFile [0xF012132C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwLoadDriver [0xF01229C4] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenFile [0xF0120FC6] SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF731E794] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenProcess [0xF011FBD6] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwOpenSection [0xF0122E7C] SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF73132C8] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryMultipleValueKey [0xF011F8EA] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueryValueKey [0xF011F72A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwQueueApcThread [0xF0122BFA] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwReplaceKey [0xF011F1BE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRequestWaitReplyPort [0xF0121EB0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwRestoreKey [0xF011F320] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwResumeThread [0xF012315A] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSaveKey [0xF011F010] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSecureConnectPort [0xF01215EE] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetContextThread [0xF011FEAC] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSecurityObject [0xF0122A8C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetSystemInformation [0xF0122EA6] SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF731E0B0] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSetValueKey [0xF011F60C] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendProcess [0xF0122F54] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSuspendThread [0xF0123038] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwSystemDebugControl [0xF0122936] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwTerminateProcess [0xF011FC7E] SSDT \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) ZwWriteVirtualMemory [0xF011FCF0] INT 0x63 ? 86CECBF8 INT 0x73 ? 86F69BF8 INT 0x73 ? 86F69BF8 INT 0x73 ? 86FDABF8 INT 0x73 ? 86CECBF8 INT 0x73 ? 86F69BF8 INT 0x83 ? 86CECBF8 INT 0x94 ? 86CECBF8 INT 0xB4 ? 86CECBF8 Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) FsRtlCheckLockForReadAccess Code \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) IoIsOperationSynchronous ---- Kernel code sections - GMER 1.0.14 ---- .text ntkrnlpa.exe!FsRtlCheckLockForReadAccess 804EAE40 5 Bytes JMP F01334E0 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) .text ntkrnlpa.exe!IoIsOperationSynchronous 804EF634 5 Bytes JMP F013389A \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter fre_wnet_x86/Kaspersky Lab) .text ntkrnlpa.exe!ZwCallbackReturn + 2E6E 80503A6E 6 Bytes [ 12, F0, 10, F0, 11, F0 ] .text ntkrnlpa.exe!ZwCallbackReturn + 2F28 80503B28 5 Bytes [ 54, 2F, 12, F0, 38 ] .text ntkrnlpa.exe!ZwCallbackReturn + 2F2E 80503B2E 6 Bytes [ 12, F0, 36, 29, 12, F0 ] ? spuk.sys The system cannot find the file specified. ! .text USBPORT.SYS!DllUnload F6A6B62C 5 Bytes JMP 86CEC1D8 ---- User code sections - GMER 1.0.14 ---- ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[376] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[376] USER32.dll!VRipOutput + FFFA5010 77D42A78 4 Bytes [ 70, 11, 41, 35 ] ? C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1880] C:\WINDOWS\system32\kernel32.dll time/date stamp mismatch; .text C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe[1880] USER32.dll!VRipOutput + FFFA5010 77D42A78 4 Bytes [ 70, 11, 41, 35 ] .text C:\Program Files\Tibia\Tibia.exe[3884] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes [ 47, E4, 60, 87 ] .text C:\Program Files\Tibia\Tibia.exe[3884] USER32.dll!GetMessageA 77D6EA45 6 Bytes JMP 5F040F5A .text C:\Program Files\Tibia\Tibia.exe[3884] WS2_32.dll!connect 71AB406A 6 Bytes JMP 5F0D0F5A .text C:\Program Files\Tibia\Tibia.exe[3884] WS2_32.dll!send 71AB428A 6 Bytes JMP 5F0A0F5A ---- Kernel IAT/EAT - GMER 1.0.14 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7351040] spuk.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F735113C] spuk.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73510BE] spuk.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73517FC] spuk.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73516D2] spuk.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7361048] spuk.sys IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 864C9DC0 IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 864C9DC0 ---- User IAT/EAT - GMER 1.0.14 ---- IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 01120D60 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 01120A50 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01119540 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 0111AA80 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0111DBF0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 0111B7D0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 0111ADB0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0111CF30 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0111FF30 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0111FF70 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 011210B0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0111FB20 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0111DB50 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 0111C2F0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 0111B480 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 0111BD70 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 01121630 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0111D280 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0111D9B0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0111E5E0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0111E0C0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0111E560 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0111F080 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0111E750 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 0111B130 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 0111C1A0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 01120050 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0111E200 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0111DAF0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0111D6B0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0111DD00 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 011210D0 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0111E000 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 01121370 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 01121310 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 01121560 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 01121600 IAT C:\Program Files\TibiaBot NG\loader.exe[3520] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 01121430 ---- Devices - GMER 1.0.14 ---- Device \FileSystem\Ntfs \Ntfs 86F671F8 AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\usbuhci \Device\USBPDO-0 86CEB1F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 86FD81F8 Device \Driver\dmio \Device\DmControl\DmConfig 86FD81F8 Device \Driver\dmio \Device\DmControl\DmPnP 86FD81F8 Device \Driver\dmio \Device\DmControl\DmInfo 86FD81F8 Device \Driver\usbuhci \Device\USBPDO-1 86CEB1F8 Device \Driver\usbehci \Device\USBPDO-2 86CDD500 Device \Driver\usbuhci \Device\USBPDO-3 86CEB1F8 Device \Driver\usbuhci \Device\USBPDO-4 86CEB1F8 AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\usbuhci \Device\USBPDO-5 86CEB1F8 Device \Driver\usbehci \Device\USBPDO-6 86CDD500 Device \Driver\Ftdisk \Device\HarddiskVolume1 86F6A1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 86F6A1F8 Device \Driver\Cdrom \Device\CdRom0 86BA0318 Device \FileSystem\Rdbss \Device\FsWrap 869DB310 Device \Driver\atapi \Device\Ide\IdePort0 86F691F8 Device \Driver\atapi \Device\Ide\IdePort1 86F691F8 Device \Driver\atapi \Device\Ide\IdePort2 86F691F8 Device \Driver\atapi \Device\Ide\IdePort3 86F691F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 864863D8 Device \Driver\NetBT \Device\NetBT_Tcpip_{1975B402-0703-43DD-A370-FCCA23519F54} 864863D8 Device \FileSystem\Srv \Device\LanmanServer 86DB3278 AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys (Kaspersky Unified Driver/Kaspersky Lab) Device \Driver\usbuhci \Device\USBFDO-0 86CEB1F8 Device \Driver\usbuhci \Device\USBFDO-1 86CEB1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 864A91F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 869D4DF0 Device \Driver\usbehci \Device\USBFDO-2 86CDD500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 864A91F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 869D4DF0 Device \Driver\usbuhci \Device\USBFDO-3 86CEB1F8 Device \FileSystem\Npfs \Device\NamedPipe 86A9FC28 Device \Driver\usbuhci \Device\USBFDO-4 86CEB1F8 Device \Driver\Ftdisk \Device\FtControl 86F6A1F8 Device \FileSystem\Msfs \Device\Mailslot 86AD8980 Device \Driver\usbuhci \Device\USBFDO-5 86CEB1F8 Device \Driver\usbehci \Device\USBFDO-6 86CDD500 Device \Driver\NetBT \Device\NetBT_Tcpip_{AFCA640A-15BF-4F85-B678-F01041D8A306} 864863D8 Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 86B9EAE8 Device \Driver\JRAID \Device\Scsi\JRAID1 86B9EAE8 Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target1Lun0 86B9EAE8 Device \Driver\d347prt \Device\Scsi\d347prt1 86F681F8 Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 869D43B0 Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 869D43B0 Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 869D43B0 Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 869D43B0 Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 869D43B0 Device \FileSystem\Cdfs \Cdfs 86371500 ---- Threads - GMER 1.0.14 ---- Thread 4:640 865057D0 Thread 4:644 865057D0 Thread 4:648 864D6EB0 Thread 4:652 864D6EB0 Thread 4:656 864D6EB0 Thread 4:2616 86076E60 ---- Registry - GMER 1.0.14 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x90 0x48 0xCF 0xDF ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x90 0x48 0xCF 0xDF ... ---- EOF - GMER 1.0.14 ----

HIJACKTHIS

Kod: Zaznacz wszystko: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 23:24:52, on 2008-07-04 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\RTHDCPL.EXE C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Winamp\winampa.exe C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe C:\Program Files\Gadu-Gadu\gg.exe C:\Program Files\Logitech\SetPoint\SetPoint.exe C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE c:\program files\freecall.com\freecall\freecall.exe C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Ventrilo\Ventrilo.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\DOCUME~1\Pawel\LOCALS~1\Temp\Rar$EX00.250\gmer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray O4 - HKCU\..\Run: [FreeCall] "c:\program files\freecall.com\freecall\freecall.exe" -nosplash -minimized O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe O8 - Extra context menu item: Dodaj do listy blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O17 - HKLM\System\CCS\Services\Tcpip\..\{1975B402-0703-43DD-A370-FCCA23519F54}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS2\Services\Tcpip\..\{1975B402-0703-43DD-A370-FCCA23519F54}: NameServer = 194.204.159.1 217.98.63.164 O17 - HKLM\System\CS3\Services\Tcpip\..\{1975B402-0703-43DD-A370-FCCA23519F54}: NameServer = 194.204.159.1 217.98.63.164 O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Kaspersky Internet Security (avp) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe -- End of file - 5067 bytes

Z góry dziękuję za pomoc.

**Posty:** 7956 · przez **Magik** 04 Lip 2008, 23:39

Witam

log z HijackThis wzorowo czysty
wrzuc jeszcze log z combofix'a i

Zastosuj SDFix . Po pobraniu uruchom go a rozpakuje się do C:\SDFix. Uruchom komputer w trybie awaryjnym (F8 przy stracie systemu). Będąc w awaryjnym uruchom plik RunThis.bat z folderu SDFixa. Zatwierdź czyszczenie przez Y. Poczekaj aż ukończy i komputer zresetuje

Potem wejdz do folderu C:\SDFix wrzuc zawartość pliku Report.txt

przelec kompa AVG Anti-rootkit

**Posty:** 3854 · przez **Dzi@dek** 04 Lip 2008, 23:53

Pl4tin3 napisał(a):Ostatnio komputer się zawiesza, wyskakuję BSOD z informacja o sterowniku usbport.sys albo imapi.sys.

Podaj info z BSOD
Problem nie dotyczy wirusów tylko sprzętu bądź sterowników. Czy coś ostatnio instalowałeś ( programy , sprzęt :?:

)

**Posty:** 95 · przez **Pl4tin3** 05 Lip 2008, 00:07

Jak tylko mi wyskoczy BSOD, to postaram się zrobić mu zdjęcie.

Log z ComboFix

Kod: Zaznacz wszystko: ComboFix 08-07-04.1 - Pawel 2008-07-04 23:42:12.2 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.531 [GMT 2:00] Running from: D:\ComboFix.exe [color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color] . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\setup.ini . ((((((((((((((((((((((((( Files Created from 2008-06-04 to 2008-07-04 ))))))))))))))))))))))))))))))) . 2008-07-04 23:14 . 2008-07-04 23:14 250 --a------ C:\WINDOWS\gmer.ini 2008-07-04 20:45 . 2008-07-04 20:45 <DIR> d-------- C:\Program Files\LittleFighter2 2008-07-02 17:26 . 2008-07-02 17:26 <DIR> d-------- C:\Automap 2008-07-02 16:33 . 2003-08-04 13:22 94,208 --a------ C:\WINDOWS\system32\W32n50.dll 2008-07-02 16:33 . 2003-08-04 13:22 16,128 --------- C:\WINDOWS\system32\PCANDIS5.SYS 2008-06-29 11:27 . 2008-06-29 11:27 <DIR> d-------- C:\players 2008-06-29 10:43 . 2008-06-29 10:45 <DIR> d--h----- C:\WINDOWS\$hf_mig$ 2008-06-29 07:16 . 2008-06-29 07:16 <DIR> d-------- C:\Program Files\SpeedTouch 2008-06-29 06:54 . 2008-06-29 06:55 <DIR> d-------- C:\Program Files\Debugging Tools for Windows (x86) 2008-06-28 18:23 . 2008-06-28 18:23 <DIR> d-------- C:\Program Files\Google 2008-06-28 15:28 . 2008-06-28 15:28 <DIR> d-------- C:\Program Files\QuickTime 2008-06-28 15:28 . 2008-06-28 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-06-28 15:27 . 2008-06-28 15:27 <DIR> d-------- C:\Program Files\Apple Software Update 2008-06-28 15:27 . 2008-06-28 15:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple 2008-06-28 04:47 . 2008-06-28 04:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files 2008-06-27 21:45 . 2004-08-23 13:50 32,768 --a------ C:\WINDOWS\system32\WooDial2000.dll 2008-06-27 21:44 . 2008-07-02 16:50 <DIR> d-------- C:\Program Files\Neostrada TP 2008-06-26 14:27 . 2008-06-26 14:27 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-06-24 23:08 . 2004-08-04 00:56 116,224 --a--c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll 2008-06-24 23:08 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe 2008-06-24 23:08 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll 2008-06-24 23:08 . 2001-08-17 22:36 17,408 --a--c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll 2008-06-24 23:06 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys 2008-06-24 23:05 . 2001-08-17 22:36 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll 2008-06-24 23:04 . 2004-08-03 22:59 2,056,832 --a--c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe 2008-06-24 23:03 . 2004-08-04 00:56 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll 2008-06-24 23:02 . 2001-08-17 13:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys 2008-06-24 23:01 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll 2008-06-24 23:00 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys 2008-06-24 22:59 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys 2008-06-24 22:58 . 2004-08-04 00:56 1,888,992 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll 2008-06-24 22:57 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys 2008-06-24 22:56 . 2004-08-03 23:20 2,180,992 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-06-24 22:56 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll 2008-06-17 18:12 . 2008-06-17 18:12 <DIR> d-------- C:\kupciak 2008-06-16 22:32 . 2008-06-16 22:32 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-06-16 15:34 . 2008-06-16 15:34 827 --a------ C:\WINDOWS\GTA-SA_Trn_Settings.ini 2008-06-15 16:47 . 2008-06-15 16:47 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\Ahead 2008-06-15 16:46 . 2008-06-15 16:46 <DIR> d-------- C:\Program Files\Common Files\Ahead 2008-06-15 16:46 . 2008-06-15 16:46 <DIR> d-------- C:\Program Files\Ahead 2008-06-15 16:46 . 2001-07-06 14:41 569,344 --a------ C:\WINDOWS\system32\imagr5.dll 2008-06-15 16:46 . 2001-07-06 12:44 544,768 --a------ C:\WINDOWS\system32\imagx5.dll 2008-06-15 16:46 . 2001-07-06 18:24 283,920 --a------ C:\WINDOWS\system32\ImagXpr5.dll 2008-06-15 16:46 . 2001-07-09 11:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe 2008-06-15 16:46 . 2003-03-29 16:45 89,184 --a------ C:\WINDOWS\system32\drivers\imagedrv.sys 2008-06-15 16:46 . 2003-07-22 16:29 57,344 --a------ C:\WINDOWS\system32\ImageDrive.cpl 2008-06-15 16:46 . 2001-06-26 08:15 38,912 --a------ C:\WINDOWS\system32\picn20.dll 2008-06-14 14:44 . 2008-06-14 14:44 <DIR> d-------- C:\Program Files\Rockstar Games 2008-06-14 14:40 . 2008-06-14 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime 2008-06-14 14:34 . 2008-06-14 14:34 <DIR> d-------- C:\Program Files\ToniArts 2008-06-14 14:25 . 2008-06-14 14:25 <DIR> d-------- C:\Program Files\ffdshow 2008-06-14 14:25 . 2007-04-24 17:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll 2008-06-14 14:25 . 2008-03-28 19:41 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll 2008-06-14 14:25 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest 2008-06-14 01:02 . 2008-06-14 01:02 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\DAEMON Tools 2008-06-14 01:02 . 2008-06-14 01:02 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys 2008-06-14 00:07 . 2008-06-14 00:07 98,304 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2008-06-13 23:35 . 2004-08-22 16:31 155,136 --a------ C:\WINDOWS\system32\drivers\d347bus.sys 2008-06-13 23:35 . 2004-08-22 16:31 5,248 --a------ C:\WINDOWS\system32\drivers\d347prt.sys 2008-06-13 23:34 . 2008-06-13 23:34 <DIR> d-------- C:\WINDOWS\Downloaded Installations 2008-06-13 20:59 . 2008-06-13 20:59 <DIR> d-------- C:\Program Files\PlayFirst 2008-06-13 20:59 . 2008-06-13 20:59 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\PlayFirst 2008-06-13 11:29 . 2008-06-13 11:29 <DIR> d-------- C:\Program Files\uTorrent 2008-06-13 11:29 . 2008-06-16 16:06 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\uTorrent 2008-06-10 19:24 . 2008-06-10 19:24 <DIR> d-------- C:\Program Files\Teamspeak2_RC2 2008-06-10 19:24 . 2008-06-10 19:24 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\teamspeak2 2008-06-10 19:24 . 2008-06-10 19:24 34,064 --a------ C:\WINDOWS\system32\lhacm.acm 2008-06-07 22:16 . 2008-06-07 23:36 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\BESTplayer 2008-06-07 22:13 . 2008-06-07 22:13 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\Media Player Classic 2008-06-07 22:08 . 2008-06-07 22:08 <DIR> d-------- C:\Program Files\Real Alternative 2008-06-06 23:47 . 2008-07-01 19:05 <DIR> d-------- C:\Program Files\mIRC 2008-06-06 23:47 . 2008-07-01 19:17 <DIR> d-------- C:\Documents and Settings\Pawel\Application Data\mIRC 2008-06-05 13:47 . 2008-06-05 13:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2008-06-05 13:47 . 2008-07-04 18:37 136,888 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys 2008-06-05 13:47 . 2008-07-04 18:36 111,928 --a------ C:\WINDOWS\system32\PnkBstrB.exe 2008-06-05 13:47 . 2008-06-29 12:06 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe 2008-06-05 13:47 . 2008-06-29 11:53 22,328 --a------ C:\Documents and Settings\Pawel\Application Data\PnkBstrK.sys 2008-06-05 13:47 . 2008-06-29 11:52 281 --a------ C:\WINDOWS\game.ini 2008-06-05 13:24 . 2008-06-05 13:24 <DIR> d-------- C:\Program Files\Activision 2008-06-05 13:10 . 2008-06-05 13:10 <DIR> d--hs---- C:\WINDOWS\ftpcache 2008-06-05 12:15 . 2008-06-05 12:15 <DIR> d-------- C:\Program Files\Lavasoft 2008-06-05 12:15 . 2008-06-05 12:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-04 13:01 . 2008-06-04 13:01 <DIR> d-------- C:\Program Files\Trend Micro . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-07-04 21:50 77,780 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx 2008-07-04 21:50 5,571,360 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat 2008-07-04 21:50 262,176 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat 2008-07-04 21:50 22,268 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx 2008-07-04 21:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab 2008-07-04 21:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-07-04 14:48 --------- d-----w C:\Program Files\Tibia 2008-07-04 11:09 --------- d-----w C:\Program Files\TibiaBot NG 2008-06-29 09:16 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-28 02:48 --------- d-----w C:\Program Files\Kaspersky Lab 2008-06-27 21:41 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-06-27 20:32 --------- d-----w C:\Documents and Settings\Pawel\Application Data\Tibia 2008-06-24 21:03 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS 2008-06-05 10:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-05 08:30 --------- d-----w C:\Documents and Settings\Pawel\Application Data\PowerChallenge 2008-06-03 10:26 --------- d-----w C:\Documents and Settings\Pawel\Application Data\FreeCall 2008-06-03 10:24 --------- d-----w C:\Program Files\FreeCall.com 2008-05-31 11:30 --------- d-----w C:\Program Files\Java 2008-05-31 11:27 --------- d-----w C:\Program Files\Common Files\Java 2008-05-29 23:37 --------- d-----w C:\Documents and Settings\Pawel\Application Data\Winamp 2008-05-29 23:30 --------- d-----w C:\Program Files\Winamp 2008-05-29 18:38 --------- d-----w C:\Program Files\Ventrilo 2008-05-29 18:38 --------- d-----w C:\Documents and Settings\Pawel\Application Data\Ventrilo 2008-05-29 17:20 --------- d-----w C:\Documents and Settings\Pawel\Application Data\Gadu-Gadu 2008-05-29 17:05 --------- d-----w C:\Program Files\Common Files\LogiShared 2008-05-29 17:05 --------- d-----w C:\Documents and Settings\Pawel\Application Data\Logitech 2008-05-29 17:05 --------- d-----w C:\Documents and Settings\Pawel\Application Data\Leadertech 2008-05-29 17:04 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf 2008-05-29 17:04 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf 2008-05-29 17:04 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf 2008-05-29 17:03 --------- d-----w C:\Program Files\Logitech 2008-05-29 17:03 --------- d-----w C:\Program Files\Common Files\Logitech 2008-05-29 17:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech 2008-05-29 17:02 --------- d-----w C:\Documents and Settings\Pawel\Application Data\InstallShield 2008-05-29 17:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd 2008-05-29 16:59 96,966 ----a-w C:\WINDOWS\system32\drivers\klin.dat 2008-05-29 16:59 88,774 ----a-w C:\WINDOWS\system32\drivers\klick.dat 2008-05-29 16:59 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys 2008-05-29 16:42 --------- d-----w C:\Program Files\Gadu-Gadu 2008-05-29 16:29 --------- d-----w C:\Program Files\GIGABYTE 2008-05-29 16:28 --------- d-----w C:\Program Files\Realtek 2008-05-29 16:26 --------- d-----w C:\Program Files\Intel 2008-05-29 16:18 --------- d-----w C:\Program Files\microsoft frontpage 2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe 2008-04-30 15:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE 2008-04-25 16:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}] 2008-04-25 18:22 62728 --a------ C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-03-20 12:04 2127296] "FreeCall"="C:\program files\freecall.com\freecall\freecall.exe" [2007-04-17 14:28 7247408] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 20:49 36352] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696] "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 18:21 201992] "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 10:56 16261632 C:\WINDOWS\RTHDCPL.exe] "SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe] "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe] "nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe] "AdslTaskBar"="stmctrl.dll" [2006-06-02 15:01 151552 C:\WINDOWS\system32\stmctrl.dll] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-05-29 19:03:33 692224] [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\kav\\kis7.0\\english\\setup.exe"= "C:\\Program Files\\FreeCall.com\\FreeCall\\FreeCall.exe"= "C:\\WINDOWS\\system32\\PnkBstrA.exe"= "C:\\WINDOWS\\system32\\PnkBstrB.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "D:\\Gry\\Call Of Duty 4\\iw3mp.exe"= R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29] R3 KLFLTDEV;Kaspersky Lab KLFltDev;C:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 19:02] R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07] R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2003-08-12 18:51] R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\system32\DRIVERS\torususb.sys [2006-05-25 19:28] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba0b2b42-2da9-11dd-8f85-806d6172696f}] \Shell\AutoRun\command - E:\Run.exe . Contents of the 'Scheduled Tasks' folder "2008-07-01 18:13:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe . - - - - ORPHANS REMOVED - - - - HKLM-Run-DAEMON Tools-1033 - C:\Program Files\D-Tools\daemon.exe ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-04 23:51:43 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe C:\WINDOWS\system32\wdfmgr.exe . ************************************************************************** . Completion time: 2008-07-04 23:53:06 - machine was rebooted [Pawel] ComboFix-quarantined-files.txt 2008-07-04 21:53:02 Pre-Run: 11,813,965,824 bytes free Post-Run: 12,832,886,784 bytes free 226

**Posty:** 7956 · przez **Magik** 05 Lip 2008, 00:15

Pl4tin3 napisał(a):Jak tylko mi wyskoczy BSOD, to postaram się zrobić mu zdjęcie.

no to czekamy, bo poza tym

wklej do notatnika

Kod: Zaznacz wszystko: Windows Registry Editor Version 5.00 [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba0b2b42-2da9-11dd-8f85-806d6172696f}] \Shell\AutoRun\command - E:\Run.exe

zapisz jako fix.reg i odpal

rootkit?

rootkit?

Kto jest na forum