Services.exe - Nie Wirus!

[mmauriced]

Mam problem, który z teego co zobaczyłem po wpisaniu w googlach jest dosć powszechny, ale u każdego jest on utozsamiany z wirusem. U mnie nie jest to wirus, bo po wpisaniu w "szukaj" w starcie komp znajduje mi tylko jeden plik o nazwie services.exe. Problem polega na tym, że włąsnie od jakiegos czasu po uruchomieniu komputera wyswietla się ramka z błędem services.exe. Jeżeli nacisne "Nie wysyłaj" to pokaże się ramka z czerwonym krzyżykiem, że komputer za minute się wyłączy. Jeżeli pozostawia to w spokoju, to komputer dalej działa. o dziwo błąd ten wyskakuje zupełnie losowo. Raz tak, raz nie, ale zawsze bezposrednio po właczeniu komputera.

Mam jeszcze jeden problem. Za każdym razem jak właczam komputer jeszcze przed włączeniem Windowsa pokazuje sie opcja wyboru systemu

 

1 . Windows XP Home Edition

2. Instalator systemu Windows

 

Na nacisniecie którejs z tych opcji mam 5 sek. Jesli nie zdąże, to komputer ponownie sie restartuje. Jesli nacisnę pierwszą zakładke przed czasem to Windows włącza się normalnie.

Co zrobić, by z powrotem włączał sie liniowo bez obowiązku towarzyszenia komputerowi podczas jego właczania?

 

Nie są to jakies poważne błedy, ale przyznam się że mnie denerwują, i poniekąd ciekawią.

prosiłbym zatem bardzo o pomoc.

[Kolobos]

Na poczatek zainstaluj aktualizacje z www.windowsupdate.com oraz zamknij porty przy pomocy wwdc.exe.

Uzyj tez combofix, wklej log na http://wklej.org i podaj link na forum.

[mmauriced]

zrobione

 

http://wklej.org/id/a140ae8f0d

[Kolobos]

Wywal Windows Defender.

Slusznie, to nie byl wirus. Tylko rootkit oraz trojany.

 

Daj jeszcze log z hijackthis.

 

Utworz na pulpicie plik CFScript.txt, wklej do niego:

 

Driver::

yqfprhqr

 

Folder::

C:\WINDOWS\update\

 

Rgistry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{367c57c2-047e-11dc-8c39-000fea5417b8}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\update]

 

Zapisz i przeciagnij go na ikone combofix, po uzyciu daj nowy log z combofix.

[Mario2k]

Niejako sie podloncze pod temat , wlasnie looknolem w menadzera zadan

i tez mam wlaczona usluge Services.exe

na Bank tydzien temu jej nie mialem ??

[Kolobos]

:arrow: Mario2k

Musiales miec, bez niego nie uruchomisz żadnej uslugi.

[mmauriced]

zrobione:

 

drugi log z combofix:

 

http://wklej.org/id/c2adcbac79

 

i hijackthis

 

http://wklej.org/id/ddc497590d

[mmauriced]

zaraz zrobie

 

ale co do mojego drugiego problemu to mam pytanie i może rozwiązenie

wchodze do Panel sterowania/system/zaawansowane/uruchamianie i odzyskiwanie/ustawienia/edytuj

 

i wyskakuje boot.ini o tresci:

 

 

[boot Loader]

Timeout=5

Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[Operating Systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

C:\$WIN_NT$.~BT\BOOTSECT.DAT="Instalator systemu Windows"

 

i teraz pytanie. Które dokładnie linijki moge usunać z tego wpisu, aby włączanie kompa była na powrót liniowe? I czy w ogóle moge tu coś przestawiać?

 

 

ok logi zrobione:

 

raport w Smitfraudfix

po wciśnięciu 2

http://www.wklej.org/id/c8e62bb229

 

po wciśnieciu 5

 

http://www.wklej.org/id/314cf501e7

 

combofix

 

http://www.wklej.org/id/1d23ab8c3d

 

i hijackthis

 

http://www.wklej.org/id/9adb8541a1

[mmauriced]

log z fixwareout

 

http://www.wklej.org/id/ca6411c81e

 

log z hijackthis

 

http://www.wklej.org/id/6bc1bd7311

[Kolobos]

Usun w hijackthis:

R3 - URLSearchHook: tosearch Toolbar - {a6c55440-7bbd-47b1-97d5-de36584fdcde} - C:\Program Files\tosearch\tbtose.dll

R3 - URLSearchHook: (no name) - {8A4E1972-8F42-4B50-AA71-29DCA9F336BC} - (no file)

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - (no file)

O2 - BHO: tosearch Toolbar - {a6c55440-7bbd-47b1-97d5-de36584fdcde} - C:\Program Files\tosearch\tbtose.dll

O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll__PointstoneDisabled (file missing)

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O3 - Toolbar: tosearch Toolbar - {a6c55440-7bbd-47b1-97d5-de36584fdcde} - C:\Program Files\tosearch\tbtose.dll

O3 - Toolbar: (no name) - {25F97EB4-1C02-45BA-BA0C-E67AACE64D4A} - (no file)

O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://plugin.driveragent.com/files/driveragent.cab

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205

O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.118 85.255.112.205

[mmauriced]

zrobione

 

a co z tym liniowym uruchamianiem, o którym pisałem w poście dziewiątym?

[Je m appelle Ferdinand]

[boot Loader]

Timeout=5

Default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[Operating Systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

C:\$WIN_NT$.~BT\BOOTSECT.DAT="Instalator systemu Windows"

 

Usuń pogrubioną linijkę

 

EDIT:

I chyba możesz przestawić timeout na 0

Edytowane 25 Lutego 2008 przez kretfr

[mmauriced]

Póki co ten błąd się już nie uruchamia.

Tak więc dziekuje bardzo użytkownikom XaD_ , Kolobos i kretfr

za udzielone rady

Mysle, że temat mozna zamknąć, choć prosiłbym poczekać jeszcze z 3 dni, bo może akurat sie znów pojawi ten komunikat.

[Milan1899]

witam, mam podobny problem co tworca tematu. Otoz od kilku dni, praktycznie z dnia na dzien, plik services.exe zaczal wariowac. Uzycie pamieci rosnie do 440 000 K, a uzycie procesora do 100%. Spada i wzrasta spowrotem, i tak w kolko. W tle nie ma odpalonych zadnych programow. Przyznam, ze jest mi to bardzo nie na reke, bo w css mam pokaz slajdow, a mecze czekaja.

Nie jest to raczej wirus, bo wyszukuje mi 2 pliki services.exe. Systemowy i service packa.

 

Kompletnie nie wiem co zrobic, z tej dziedziny po prostu jestem kiepski :D

 

 

pozdr i z gory dzieki za pomoc.

Edytowane 29 Marca 2008 przez Milan1899

[Milan1899]

Hijack

» Naciśnij, żeby pokazać/ukryć tekst oznaczony jako spoiler... «

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 09:59:20, on 2008-03-30

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\windows\system32\nvsvc32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\windows\System32\svchost.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\windows\Explorer.EXE

C:\windows\system32\wscntfy.exe

C:\Program Files\VDOTool\TBPanel.exe

C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

C:\windows\system32\devldr32.exe

C:\windows\system32\RUNDLL32.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\windows\system32\ctfmon.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Steam\Steam.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Tlen.pl\tlen.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A

O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\windows\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

 

--

End of file - 5105 bytes

 

 

Combofix

» Naciśnij, żeby pokazać/ukryć tekst oznaczony jako spoiler... «

ComboFix 08-03-29.3 - artur 2008-03-30 10:02:56.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.951 [GMT 2:00]

Running from: C:\Downloads\ComboFix.exe

* Created a new restore point

* Resident AV is active

 

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Program Files\myglobalsearch

C:\Program Files\myglobalsearch\bar\History\search

 

.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))

.

 

2008-03-30 09:59 . 2008-03-30 09:59 <DIR> d-------- C:\Program Files\Trend Micro

2008-03-27 22:23 . 2008-03-27 22:23 <DIR> d-------- C:\Program Files\Grupa IMAGE

2008-03-26 20:57 . 2008-03-26 20:57 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Samsung

2008-03-26 20:56 . 2006-05-03 23:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll

2008-03-26 20:55 . 2008-03-26 20:55 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers

2008-03-26 20:55 . 2008-03-26 20:55 <DIR> d-------- C:\Program Files\Samsung

2008-03-26 20:55 . 2007-05-02 12:12 109,704 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys

2008-03-26 20:55 . 2007-05-02 12:12 83,592 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys

2008-03-26 20:55 . 2007-05-02 12:12 15,112 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys

2008-03-26 20:55 . 2007-05-02 12:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys

2008-03-26 20:55 . 2007-05-02 12:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys

2008-03-26 20:55 . 2007-05-02 12:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys

2008-03-26 20:55 . 2007-05-02 12:12 12,424 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys

2008-03-26 20:55 . 2006-07-24 17:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys

2008-03-26 20:55 . 2005-08-28 21:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico

2008-03-25 17:43 . 2008-03-26 21:22 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-03-25 17:43 . 2008-03-25 17:43 1,409 --a------ C:\WINDOWS\QTFont.for

2008-03-22 16:32 . 2008-03-22 16:32 <DIR> d-------- C:\Program Files\EA GAMES

2008-03-16 21:26 . 2008-03-16 21:32 <DIR> d-------- C:\Program Files\GameSpy Arcade

2008-03-08 23:00 . 2006-10-26 20:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

2008-03-08 22:57 . 2008-03-08 22:57 <DIR> d-------- C:\Program Files\MSBuild

2008-03-08 22:57 . 2008-03-08 22:57 <DIR> d-------- C:\Program Files\Microsoft Works

2008-03-08 22:56 . 2008-03-08 22:56 <DIR> d-------- C:\Program Files\Microsoft.NET

2008-03-08 22:54 . 2008-03-08 22:54 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8

2008-03-08 22:53 . 2008-03-08 22:53 <DIR> d-------- C:\WINDOWS\SHELLNEW

2008-03-08 22:52 . 2008-03-08 22:52 <DIR> dr-h----- C:\MSOCache

2008-03-06 16:17 . 2008-03-06 16:17 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-03-06 14:37 . 2008-03-15 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help

2008-03-03 13:54 . 2008-03-03 13:54 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Apple Computer

2008-03-02 11:56 . 2008-03-02 11:56 <DIR> d-------- C:\Program Files\QuickTime

2008-03-02 11:56 . 2008-03-02 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple Computer

2008-03-02 11:55 . 2008-03-02 11:55 <DIR> d-------- C:\Program Files\Apple Software Update

2008-03-02 11:55 . 2008-03-02 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Apple

2008-03-01 15:42 . 2006-11-30 16:14 97,088 -ra------ C:\WINDOWS\system32\drivers\se45mdm.sys

2008-03-01 15:42 . 2006-11-30 16:14 90,800 -ra------ C:\WINDOWS\system32\drivers\se45unic.sys

2008-03-01 15:42 . 2006-11-30 16:14 88,624 -ra------ C:\WINDOWS\system32\drivers\se45mgmt.sys

2008-03-01 15:42 . 2006-11-30 16:14 86,432 -ra------ C:\WINDOWS\system32\drivers\se45obex.sys

2008-03-01 15:42 . 2006-11-30 16:14 18,704 -ra------ C:\WINDOWS\system32\drivers\se45nd5.sys

2008-03-01 15:42 . 2006-11-30 16:14 9,360 -ra------ C:\WINDOWS\system32\drivers\se45mdfl.sys

2008-03-01 15:42 . 2006-11-30 16:13 6,240 -ra------ C:\WINDOWS\system32\drivers\se45cmnt.sys

2008-03-01 15:42 . 2006-11-30 16:13 6,240 -ra------ C:\WINDOWS\system32\drivers\se45cm.sys

2008-03-01 15:42 . 2006-11-30 16:14 4,128 -ra------ C:\WINDOWS\system32\drivers\se45cr.sys

2008-03-01 15:40 . 2006-11-30 16:13 61,536 -ra------ C:\WINDOWS\system32\drivers\se45bus.sys

2008-03-01 15:40 . 2006-11-30 16:14 5,872 -ra------ C:\WINDOWS\system32\drivers\se45whnt.sys

2008-03-01 15:40 . 2006-11-30 16:14 5,872 -ra------ C:\WINDOWS\system32\drivers\se45wh.sys

2008-03-01 15:37 . 2008-03-01 15:37 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Sony Ericsson

2008-03-01 15:33 . 2008-03-01 15:33 <DIR> d-------- C:\Program Files\Sony Ericsson

2008-03-01 15:33 . 2008-03-01 15:33 <DIR> d-------- C:\Program Files\Common Files\Sony Ericsson Shared

2008-03-01 15:33 . 2008-03-01 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Teleca

2008-03-01 15:33 . 2008-03-01 15:33 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sony Ericsson

2008-03-01 13:46 . 2008-03-01 13:46 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\BSplayer Pro

2008-03-01 13:46 . 2008-03-01 13:47 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\BSplayer

2008-03-01 02:53 . 2008-03-01 02:53 38 --a------ C:\WINDOWS\avisplitter.INI

2008-02-25 19:03 . 2008-02-25 19:03 <DIR> d-------- C:\Program Files\Skype

2008-02-25 19:03 . 2008-02-25 19:03 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-02-25 19:03 . 2008-03-29 11:40 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Skype

2008-02-24 21:48 . 2008-02-27 21:57 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Move Networks

2008-02-24 21:33 . 2008-02-24 21:33 <DIR> d-------- C:\Program Files\TVAnts

2008-02-22 20:46 . 2008-02-22 20:46 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Microsoft Games

2008-02-22 20:00 . 2008-02-22 20:00 <DIR> d-------- C:\Program Files\Microsoft Games

2008-02-22 16:21 . 2008-02-22 16:43 <DIR> d-------- C:\Program Files\RACE 07 Offline

2008-02-22 13:48 . 2006-12-15 04:09 49,265 --a------ C:\WINDOWS\system32\jpicpl32.cpl

2008-02-19 18:51 . 1999-09-23 00:18 2,259,067 --a------ C:\WINDOWS\system32\default.ecw

2008-02-19 18:51 . 2002-07-19 11:56 270,336 --a------ C:\WINDOWS\system32\sfms32.dll

2008-02-19 18:51 . 2002-07-19 12:07 53,248 --a------ C:\WINDOWS\system32\AC3API.DLL

2008-02-19 18:49 . 2001-10-26 18:29 51,200 --a------ C:\WINDOWS\system32\sfman32.dll

2008-02-19 18:37 . 2002-07-19 11:43 65,536 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll

2008-02-19 18:37 . 2002-07-19 11:43 65,536 --a------ C:\WINDOWS\system32\a3d.dll

2008-02-19 10:28 . 2008-02-19 10:28 <DIR> d-------- C:\Program Files\Gadu-Gadu

2008-02-19 10:20 . 2008-02-19 10:20 <DIR> d-------- C:\Program Files\K-Lite Codec Pack

2008-02-19 10:20 . 2007-11-30 00:30 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll

2008-02-19 10:20 . 2007-12-24 14:49 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll

2008-02-19 10:20 . 2007-07-10 18:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest

2008-02-19 10:10 . 2008-02-19 10:10 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Media Player Classic

2008-02-16 21:34 . 2004-08-04 00:00 149,376 --a------ C:\WINDOWS\system32\drivers\tffsport.sys

2008-02-16 21:34 . 2004-08-04 00:00 149,376 --a--c--- C:\WINDOWS\system32\dllcache\tffsport.sys

2008-02-16 17:08 . 2008-03-01 15:33 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared

2008-02-16 17:08 . 2008-02-16 17:11 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\Teleca

2008-02-16 17:06 . 2008-03-01 15:34 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE

2008-02-16 16:57 . 2008-02-16 16:57 96,224 --a------ C:\WINDOWS\system32\drivers\w800mdm.sys

2008-02-16 16:57 . 2008-02-16 16:57 87,792 --a------ C:\WINDOWS\system32\drivers\w800mgmt.sys

2008-02-16 16:57 . 2008-02-16 16:57 85,664 --a------ C:\WINDOWS\system32\drivers\w800obex.sys

2008-02-16 16:57 . 2008-02-16 16:57 60,768 --a------ C:\WINDOWS\system32\drivers\w800bus.sys

2008-02-16 16:57 . 2008-02-16 16:57 9,264 --a------ C:\WINDOWS\system32\drivers\w800mdfl.sys

2008-02-16 16:57 . 2008-02-16 16:57 6,144 --a------ C:\WINDOWS\system32\drivers\w800cmnt.sys

2008-02-16 16:57 . 2008-02-16 16:57 6,144 --a------ C:\WINDOWS\system32\drivers\w800cm.sys

2008-02-16 16:57 . 2008-02-16 16:57 5,744 --a------ C:\WINDOWS\system32\drivers\w800whnt.sys

2008-02-16 16:57 . 2008-02-16 16:57 5,744 --a------ C:\WINDOWS\system32\drivers\w800wh.sys

2008-02-16 16:56 . 2008-02-16 16:56 <DIR> d-------- C:\WINDOWS\Downloaded Installations

2008-02-11 14:22 . 2008-02-11 14:22 <DIR> d---s---- C:\Documents and Settings\artur\UserData

2008-02-11 14:20 . 2008-02-11 14:20 <DIR> d-------- C:\Documents and Settings\artur\Dane aplikacji\HP

2008-02-11 14:20 . 2008-02-11 14:20 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\HP

2008-02-11 14:16 . 2008-02-11 14:16 <DIR> d-------- C:\Program Files\Common Files\Sonic Shared

2008-02-11 14:16 . 2008-02-11 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Sonic

2008-02-11 14:12 . 2008-02-11 14:15 <DIR> d-------- C:\Program Files\Common Files\HP

2008-02-11 14:09 . 2008-02-11 14:09 <DIR> d-------- C:\Program Files\Hewlett-Packard

2008-02-11 14:09 . 2008-02-11 14:09 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard

2008-02-11 14:08 . 2006-01-04 11:12 77,824 -ra------ C:\WINDOWS\system32\HPZIDS01.dll

2008-02-11 14:08 . 2006-04-13 02:04 49,664 -ra------ C:\WINDOWS\system32\drivers\HPZid412.sys

2008-02-11 14:08 . 2006-04-13 02:04 16,496 -ra------ C:\WINDOWS\system32\drivers\HPZipr12.sys

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-30 08:11 19,733,536 --sha-w C:\windows\system32\drivers\fidbox.dat

2008-03-30 08:11 1,483,296 --sha-w C:\windows\system32\drivers\fidbox2.dat

2008-03-30 08:10 --------- d-----w C:\Program Files\Kaspersky Lab

2008-03-30 07:44 --------- d-----w C:\Program Files\Steam

2008-03-29 20:36 266,708 --sha-w C:\windows\system32\drivers\fidbox.idx

2008-03-29 20:36 140,816 --sha-w C:\windows\system32\drivers\fidbox2.idx

2008-03-29 20:27 --------- d-----w C:\Documents and Settings\artur\Dane aplikacji\Tlen.pl

2008-03-29 09:39 --------- d-----w C:\Documents and Settings\artur\Dane aplikacji\skypePM

2008-03-26 18:55 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-03-23 11:57 22,328 ----a-w C:\windows\system32\drivers\PnkBstrK.sys

2008-03-10 18:17 --------- d-----w C:\Program Files\Ubisoft

2008-02-28 14:39 --------- d-----w C:\Documents and Settings\artur\Dane aplikacji\Bioshock

2008-02-25 17:03 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Skype

2008-02-24 10:12 --------- d-----w C:\Program Files\Common Files\InstallShield

2008-02-23 23:04 --------- d-----w C:\Program Files\Sierra Entertainment

2008-02-22 11:48 --------- d-----w C:\Program Files\Java

2008-02-19 17:11 --------- d-----w C:\Documents and Settings\artur\Dane aplikacji\Xfire

2008-02-19 16:52 --------- d-----w C:\Program Files\Creative

2008-02-16 18:44 --------- d-----w C:\Program Files\JetAudio

2008-02-14 14:33 --------- d-----w C:\Program Files\Xfire

2008-01-28 18:50 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\nView_Profiles

2008-01-28 18:44 --------- d-----w C:\Program Files\Nvidia Omega Drivers

2008-01-26 21:45 472,576 ----a-w C:\windows\Nvidia Omega Drivers v2.169.21 Uninstall.exe

2008-01-20 11:47 22,328 ----a-w C:\Documents and Settings\artur\Dane aplikacji\PnkBstrK.sys

2008-01-06 19:02 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat

2007-12-27 20:10 60,416 ----a-w C:\windows\ALCFDRTM.EXE

2006-02-19 02:28 12,288 ----a-w C:\windows\Fonts\RandFont.dll

.

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\windows\system32\ctfmon.exe" [2004-08-04 01:44 15360]

"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2007-12-14 15:18 482760]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Gainward"="C:\Program Files\VDOTool\TBPanel.exe" [2007-11-01 14:25 2165272]

"kav"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" [2006-03-24 20:09 139367]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 07:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 07:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 07:41 81920]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-11-24 02:06 487424]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47 31016]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:44 15360]

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^HP Photosmart Premier - Szybkie uruchomienie.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\HP Photosmart Premier - Szybkie uruchomienie.lnk

backup=C:\WINDOWS\pss\HP Photosmart Premier - Szybkie uruchomienie.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

--a------ 2006-02-19 03:41 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]

C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

-ra------ 2006-11-24 02:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

C:\WINDOWS\UpdReg.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

 

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

 

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\WINDOWS\\system32\\PnkBstrA.exe"=

"C:\\WINDOWS\\system32\\PnkBstrB.exe"=

"C:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"=

"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=

"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"=

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

 

R0 JAHCI;JAHCI;C:\windows\system32\DRIVERS\JAHCI.sys [2005-05-12 15:12]

R0 tffsport;M-Systems DiskOnChip 2000;C:\windows\system32\DRIVERS\tffsport.sys [2004-08-04 00:00]

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780};{DEF85C80-216A-43ab-AF70-1665EDBE2780};C:\windows\TEMP\2E.tmp []

S3 kxwdmdrv;kX WDM Driver Service;C:\windows\system32\drivers\kx.sys []

 

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-30 10:11:45

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{DEF85C80-216A-43ab-AF70-1665EDBE2780}]

"ImagePath"="\??\C:\windows\TEMP\2E.tmp"

.

Completion time: 2008-03-30 10:18:44

ComboFix-quarantined-files.txt 2008-03-30 08:18:38

Pre-Run: 8,797,900,800 bajtów wolnych

Post-Run: 8,696,958,976 bajtów wolnych

.

2008-01-08 16:04:44 --- E O F ---

Edytowane 30 Marca 2008 przez Milan1899

[Kolobos]

:arrow: Milan1899

Wyglada na rootkita w mbr, zrob skan przy pomocy:

http://www.freedrweb.com/cureit/

Po przeskanowaniu sprawdz czy znalazl cos w mbr i czy wyleczyl.

Najlepiej wklej wynik na forum.

Daj tez log z SDFix zrobiony w trybie awaryjnym.

Nie zaszkodzi tez log z: http://www2.gmer.net/mbr/mbr.exe

[Milan1899]

Dr. Web:

 

 

SDFix:

» Naciśnij, żeby pokazać/ukryć tekst oznaczony jako spoiler... «

SDFix: Version 1.164

 

Run by artur on 2008-03-30 at 12:56

 

Microsoft Windows XP [Wersja 5.1.2600]

Running From: C:\SDFix

 

Checking Services :

 

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting

 

 

Checking Files :

 

Trojan Files Found:

 

C:\windows\Temp\bca4e2da.$$$ - Deleted

C:\windows\Temp\fa56d7ec.$$$ - Deleted

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-30 13:02:53

Windows 5.1.2600 Dodatek Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden services & system hive ...

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000001

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000000

"khjeh"=hex:1a,74,69,a3,5b,31,83,cf,c2,20,a4,b3,5b,a3,94,da,53,75,53,94,36,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,ac,20,dc,7a,9d,71,af,e7,8c,f9,49,cc,70,01,d4,48,e2,..

"khjeh"=hex:e2,23,e0,17,8e,7b,93,57,17,ba,65,62,63,81,76,f9,11,44,ed,e5,86,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:4b,2f,70,69,62,ab,49,dd,fc,31,6c,27,b6,96,ad,ce,ed,e1,5c,a4,cc,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools Lite\"

"h0"=dword:00000000

"khjeh"=hex:1a,74,69,a3,5b,31,83,cf,c2,20,a4,b3,5b,a3,94,da,53,75,53,94,36,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,ac,20,dc,7a,9d,71,af,e7,8c,f9,49,cc,70,01,d4,48,e2,..

"khjeh"=hex:e2,23,e0,17,8e,7b,93,57,17,ba,65,62,63,81,76,f9,11,44,ed,e5,86,..

 

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:4b,2f,70,69,62,ab,49,dd,fc,31,6c,27,b6,96,ad,ce,ed,e1,5c,a4,cc,..

 

scanning hidden registry entries ...

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]

"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

Files associated with the MBR Rootkit found, use GMER to scan for Rootkits!

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"

"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

"C:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe"="C:\\Program Files\\Sierra Entertainment\\FEAR Perseus Mandate\\FEARXP2.exe:*:Enabled:FEARXP2"

"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe:*:Enabled:Pro Evolution Soccer 2008"

"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"

"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"

"C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe"="C:\\Program Files\\Microsoft Games\\Gears of War\\Binaries\\WarGame-G4WLive.exe:*:Enabled:Gears of War"

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe:*:Enabled:World in Conflict"

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe:*:Enabled:World in Conflict - Online Only"

"C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="C:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe:*:Enabled:World in Conflict - Dedicated Server"

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

 

Remaining Files :

 

 

File Backups: - C:\SDFix\backups\backups.zip

 

Files with Hidden Attributes :

 

Sat 16 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Wed 2 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Wed 27 Feb 2008 19,456 ...H. --- "C:\Documents and Settings\artur\Dane aplikacji\Microsoft\Word\~WRL0003.tmp"

Wed 27 Feb 2008 19,456 ...H. --- "C:\Documents and Settings\artur\Dane aplikacji\Microsoft\Word\~WRL0005.tmp"

Mon 3 Mar 2008 8,073 ...HR --- "C:\Documents and Settings\artur\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

 

Finished!

 

 

Uzycie procka nie spadlo, services.exe nadal wariuje, ale juz chyba juz wiem gdzie tkwi problem dokaldnie, tyle ze sam sobie nie poradze z moja znikoma wiedza :D A wiec, zrobilem loga mbr i wyszlo:

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

MBR rootkit infection detected !

MBR INT 0x13 hook detected !

malicious code @ sector 0x1d1c4581 size 0x1ca !

copy of MBR has been found in sector 62 !

 

Gdzies napisala pewna osoba, ze "Jeśli pojawi się tam "hook detected", to zastartuj do trybu awaryjnego z obsługą linii komend i wpisz polecenie C:\mbr.exe -f. Reset komputera, robisz nowy log przez mbr.exe. Jeśli wynikiem będzie "OK" = spraswa rozwiązana.".

Teraz pytanie, jak odpalic ten tryb awaryjny z obsluga linii komend i gdzie to wpisac? I nie chodzi mi o wcisniecie F8.

 

pozdr i licze na lopatologiczna pomoc ;)

Edytowane 30 Marca 2008 przez Milan1899

[Milan1899]

device: opened successfully

user: MBR read successfully

kernel: MBR read successfully

user & kernel MBR OK

 

 

Wyglada na to, ze wirus pokonany, mam nadzieje, ze na tym moje klopoty sie skoncza.

Dziekuje bardzo wam za pomoc :)