Logs - Long period without antivirus


  • Closed  This topic is closed
36 replies in this topic

#21 Maciej13
    SecurityMaster
  • 261 posts

Posted 19 06 2007 - 21:26

Close the vulnerable ports with the Windows Worms Doors Cleaner tool. All the markers must be green! Restart the computer after using it.

Download the tool The Avenger.

Run the program in Safe Mode and tick the option Input script manually. Then click the "magnifying glass" on the right-hand side of the program window, and into the box that opens paste this text:

Drivers to unload:

Winkbpk

Files to delete:

C:\WINDOWS\System32\Winkbpk.exe
C:\Program Files\Jpu5.exe
C:\Program Files\Ghm10.exe
C:\Program Files\Djd1.exe
C:\Program Files\Yyn10.exe
C:\Program Files\Ulu1.exe
C:\Program Files\Hw5.exe
C:\Program Files\Mcp1.exe
C:\Program Files\Jdh10.exe
C:\Program Files\Nf1.exe
C:\Program Files\Uix10.exe
C:\Program Files\Bu1.exe
C:\Program Files\Gxa1.exe
C:\Program Files\RwB.exe
C:\Program Files\Lbs1.exe
C:\Program Files\Szu4.exe
C:\Program Files\Efw1.exe
C:\Program Files\QhqE.exe
C:\Program Files\SlF.exe
C:\Program Files\Fzm1.exe
C:\Program Files\OqsE.exe
C:\Program Files\Rz1.exe
C:\Program Files\Vlg1.exe
C:\Program Files\Tny1.exe
C:\Program Files\DymF.exe
C:\Program Files\Yv1.exe
C:\Program Files\Dwu6.exe
C:\Program Files\Jo1.exe
C:\Program Files\Jot8.exe
C:\Program Files\Ev1.exe
C:\Program Files\Znh4.exe
C:\Program Files\Gx1.exe
C:\Program Files\NpoE.exe
C:\Program Files\Tl1.exe
C:\Program Files\Hre7.exe
C:\Program Files\Te1.exe
C:\Program Files\Fmo1.exe
C:\Program Files\Wrh1.exe
C:\Program Files\RkC.exe
C:\Program Files\Qfq1.exe
C:\WINDOWS\system32\bszip.dll
C:\onoes.exe
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\cmd.com
C:\Program Files\Fy13.exe
C:\Program Files\Om1.exe
C:\Program Files\Pa3.exe
C:\Program Files\Lln1.exe

Folders to delete:

C:\Program Files\outlook

Registry values to delete: 

"HKLM\Software\Microsoft\Windows\CurrentVersion\Run" | "outlook"

Click the Done button, then the "green light". Answer OK to the message that appears.

O23 - Service: Winkbpk - Unknown owner - C:\WINDOWS\System32\Winkbpk.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/

Fix these entries in HijackThis!

Post new logs when you are done!

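The entries Maciej13 asks to fix above follow a few recognisable patterns: an unattributed service whose name is simply the name of its own System32 binary, an autorun called "outlook" that does not live anywhere near Microsoft Office, an IE button whose target file is gone, and a start page redirected to a BearShare domain. The Avenger script also deletes a set of `.com` files in System32 (cmd.com, regedit.com, tasklist.com, ...) that shadow standard tools. The following Python script is an added example, not part of the thread: it applies those patterns to HijackThis lines copied from the logs in this thread and checks a list of paths for the `.com` shadows. The start-page allowlist and the impersonation table are assumptions for illustration, not something the page states.

```python
import re
from urllib.parse import urlparse

# Sample HijackThis lines copied from the logs in this thread: the four the
# helper asked to fix (R0, O4 outlook, O9 related.htm, O23 Winkbpk) mixed with
# benign Java and ATI entries from the same scan as controls.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkbpk - Unknown owner - C:\WINDOWS\System32\Winkbpk.exe
"""

# Assumptions, not from the page: hosts the owner would accept as a start page,
# and product binaries that only belong under a particular vendor directory.
START_PAGE_ALLOW = {"www.google.pl", "www.google.com", "about:blank"}
IMPERSONATED = {"outlook.exe": "microsoft office"}

# Windows tools whose ".com" twins the Avenger script above deletes. cmd.exe's
# default PATHEXT lists .COM before .EXE, so a bare "cmd" or "regedit" typed at
# a prompt or in the Run box executes the planted .com instead of the real tool.
SYSTEM_TOOLS = {"cmd", "regedit", "tasklist", "taskkill", "netstat", "ping", "tracert"}

O23_RE = re.compile(r"O23 - Service: (.+?) - (.+?) - (.+)$")
O4_RE = re.compile(r'\[(.+?)\]\s+"?([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)


def triage_hijackthis(text):
    """Return (tag, reason, line) for each HijackThis line worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0]
        if tag == "R0" and "Start Page" in line:
            url = line.split("=", 1)[1].strip()
            host = urlparse(url).hostname or url
            if host not in START_PAGE_ALLOW:
                findings.append((tag, f"start page redirected to {host}", line))
        elif tag == "O4":
            m = O4_RE.search(line)
            if m:
                exe = m.group(2)
                base = exe.rsplit("\\", 1)[-1].lower()
                expected = IMPERSONATED.get(base)
                if expected and expected not in exe.lower():
                    findings.append((tag, f"{base} autorun outside a '{expected}' directory", line))
        elif tag == "O9" and line.endswith("(file missing)"):
            findings.append((tag, "orphaned IE button/menu item, target file gone", line))
        elif tag == "O23":
            m = O23_RE.match(line)
            if m:
                name, owner, path = m.groups()
                stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
                # "Unknown owner" alone would also cover ati2sgag.exe; the extra
                # test "service name == binary name" is what singles out Winkbpk.
                if (owner == "Unknown owner" and "\\system32\\" in path.lower()
                        and name.lower() == stem.lower()):
                    findings.append((tag, f"unattributed service '{name}' named after its own System32 binary", line))
    return findings


def shadowed_system_tools(paths):
    """Pick out .com files in System32 that shadow a standard command-line tool."""
    hits = []
    for p in paths:
        folder, _, name = p.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        if ext.lower() == "com" and stem.lower() in SYSTEM_TOOLS and folder.lower().endswith("\\system32"):
            hits.append(p)
    return hits


if __name__ == "__main__":
    for tag, reason, line in triage_hijackthis(SAMPLE_HJT):
        print(f"[{tag}] {reason}\n    {line}")
    avenger_files = [r"C:\WINDOWS\system32\cmd.com", r"C:\WINDOWS\system32\regedit.com",
                     r"C:\WINDOWS\system32\bszip.dll", r"C:\onoes.exe"]
    print("shadowed tools:", shadowed_system_tools(avenger_files))
```

The O23 rule deliberately does not fire on "Unknown owner" alone: ati2sgag.exe in the same log is also unattributed and is left alone by the helper. The name-equals-binary test is a heuristic that fits the names in this thread; on another machine it needs an allowlist of known services next to it.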

#22 diablllooo
    Beginner
  • 18 posts

Posted 20 06 2007 - 16:01

Logfile of HijackThis v1.99.1
Scan saved at 15:59:00, on 2007-06-20
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Winkmvp.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRARcbu.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.422\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkmvp - Unknown owner - C:\WINDOWS\System32\Winkmvp.exe




"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"







Only up to this point, because after that some error pops up.


#23 Maciej13
    SecurityMaster
  • 261 posts

Posted 20 06 2007 - 17:49

And ComboFix?

#24 diablllooo
    Beginner
  • 18 posts

Posted 20 06 2007 - 20:33

ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-20 20:03:46 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-20 19:57 10,240 --a------ C:\Program Files\Kkr1.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-20 13:46 10,240 --a------ C:\Program Files\UrF.exe
2007-06-20 09:04 10,240 --a------ C:\Program Files\Ic10.exe
2007-06-20 09:03 10,240 --a------ C:\Program Files\Gll1.exe
2007-06-19 23:19 10,240 --a------ C:\Program Files\Xex2.exe
2007-06-19 22:52 10,240 --a------ C:\Program Files\Jf8.exe
2007-06-19 22:51 10,240 --a------ C:\Program Files\Jvi1.exe
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache
2007-05-22 18:25 <DIR> d-------- C:\Program Files\EA SPORTS
2007-05-22 18:23 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2007-05-22 18:23 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2007-05-22 18:22 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
2007-05-22 18:22 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-05-22 18:22 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-05-22 18:22 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-05-22 18:22 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
2007-05-22 18:22 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
2007-05-22 18:22 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-05-22 18:22 667,648 --a------ C:\WINDOWS\system32\dinput8.dll
2007-05-22 18:22 64,512 --a------ C:\WINDOWS\system32\amstream.dll
2007-05-22 18:22 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
2007-05-22 18:22 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-22 18:22 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-05-22 18:22 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-05-22 18:22 491,520 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-05-22 18:22 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-05-22 18:22 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2007-05-22 18:22 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-05-22 18:22 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-05-22 18:22 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2007-05-22 18:22 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-05-22 18:22 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2007-05-22 18:22 381,952 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-05-22 18:22 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2007-05-22 18:22 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
2007-05-22 18:22 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
2007-05-22 18:22 324,096 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-05-22 18:22 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2007-05-22 18:22 27,136 --a------ C:\WINDOWS\system32\dmband.dll
2007-05-22 18:22 257,024 --a------ C:\WINDOWS\system32\qcap.dll
2007-05-22 18:22 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
2007-05-22 18:22 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
2007-05-22 18:22 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2007-05-22 18:22 18,944 --a------ C:\WINDOWS\system32\encapi.dll
2007-05-22 18:22 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-05-22 18:22 18,432 --a------ C:\WINDOWS\system32\dswave.dll
2007-05-22 18:22 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2007-05-22 18:22 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-05-22 18:22 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-05-22 18:22 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-05-22 18:22 132,608 --a------ C:\WINDOWS\system32\devenum.dll
2007-05-22 18:22 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-05-22 18:22 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
2007-05-22 18:22 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2007-05-22 18:22 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
2007-05-22 18:22 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2007-05-22 18:22 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-05-22 18:22 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-05-22 18:22 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
2007-05-22 18:22 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-05-22 18:22 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2007-05-22 18:22 1,798,144 --a------ C:\WINDOWS\system32\qedit.dll
2007-05-22 18:22 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-05-22 18:22 1,703,936 --a------ C:\WINDOWS\system32\d3d9.dll
2007-05-22 18:22 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-05-22 18:22 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2007-05-22 18:22 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-05-22 18:21 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2007-05-22 18:21 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-05-22 18:21 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-05-22 18:21 77,824 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-05-22 18:21 723,968 --a------ C:\WINDOWS\system32\dpnet.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 13:47:12 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-06-03 16:51:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-04-12 10:31:21 95,368 --sha-r C:\WINDOWS\system32\Winkmvp.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-20 20:04:09
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-20 20:04:35
C:\ComboFix2.txt ... 2007-06-19 17:29

--- E O F ---
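Two things in the ComboFix report above stand out. In the "Files Created" section a run of 10,240-byte executables with throwaway names (Kkr1.exe, UrF.exe, Ic10.exe, ...) lands directly in C:\Program Files, several per day; in the Find3M section the service binary Winkmvp.exe carries the system and hidden attributes ("--sha-r"). And the unattributed service itself was called Winkbpk in the first HijackThis log, Winkmvp here, and Winkov in the log that follows, so it comes back under a fresh name after each deletion. The following Python script is an added example, not from the thread: it parses ComboFix lines like the ones above and reports those three indicators. The "random-looking name" pattern is a heuristic tuned to the names in this thread and is an assumption, not a rule the page states.

```python
import os
import re
from collections import defaultdict

# Constructed excerpt of the ComboFix report above (real lines from the post,
# trimmed to the ones that matter): the seven 10,240-byte executables dropped
# straight into C:\Program Files over two days, three benign entries from the
# same listing, and the Find3M line for the running service binary.
SAMPLE_COMBOFIX = r"""
2007-06-20 19:57 10,240 --a------ C:\Program Files\Kkr1.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-20 13:46 10,240 --a------ C:\Program Files\UrF.exe
2007-06-20 09:04 10,240 --a------ C:\Program Files\Ic10.exe
2007-06-20 09:03 10,240 --a------ C:\Program Files\Gll1.exe
2007-06-19 23:19 10,240 --a------ C:\Program Files\Xex2.exe
2007-06-19 22:52 10,240 --a------ C:\Program Files\Jf8.exe
2007-06-19 22:51 10,240 --a------ C:\Program Files\Jvi1.exe
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-04-12 10:31:21 95,368 --sha-r C:\WINDOWS\system32\Winkmvp.exe
"""

# "<date> <time> <size or <DIR>> <attributes> <path>", path may contain spaces.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d(?::\d\d)?)\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$"
)
# Short letter run plus optional digits: Kkr1, UrF, Ic10, Jf8 ... (heuristic
# tuned to the names in this thread; a real allowlist would sit beside it).
RANDOM_STEM = re.compile(r"[A-Za-z]{1,4}\d{0,2}")


def parse_combofix(text):
    """Turn ComboFix 'Files Created' / 'Find3M' lines into dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        folder, _, name = path.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        entries.append({
            "ts": ts,
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": attrs,
            "path": path, "folder": folder,
            "stem": stem, "ext": ext.lower(),
        })
    return entries


def dropper_clusters(entries, min_count=3):
    """Group same-size .exe files with throwaway names by folder.

    Several identical-size executables with meaningless names appearing in
    one folder within hours of each other is the signature of a dropper
    re-writing itself, not of anything the user installed."""
    groups = defaultdict(list)
    for e in entries:
        if e["ext"] == "exe" and e["size"] and RANDOM_STEM.fullmatch(e["stem"]):
            groups[(e["folder"], e["size"])].append(e["path"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_count}


def hidden_system_binaries(entries):
    """Executables under System32 carrying both the system and hidden attributes.

    Legitimate service binaries do not hide themselves from Explorer; the
    '--sha-r' on Winkmvp.exe in the Find3M report is what makes it stand out."""
    return [e["path"] for e in entries
            if e["ext"] == "exe" and "\\system32\\" in e["path"].lower()
            and "s" in e["attrs"] and "h" in e["attrs"]]


def service_name_drift(names, min_prefix=3):
    """Return the shared prefix when an unattributed service keeps returning
    under a new name (Winkbpk -> Winkmvp -> Winkov across this thread's logs),
    or None when the name is stable. A recurring prefix after each cleanup
    means the component that installs the service was never removed."""
    if len(set(names)) < 2:
        return None
    prefix = os.path.commonprefix(list(names))
    return prefix if len(prefix) >= min_prefix else None


if __name__ == "__main__":
    entries = parse_combofix(SAMPLE_COMBOFIX)
    for (folder, size), paths in dropper_clusters(entries).items():
        print(f"{len(paths)} x {size} bytes in {folder}:", *paths, sep="\n  ")
    print("hidden System32 binaries:", hidden_system_binaries(entries))
    print("service name drift:", service_name_drift(["Winkbpk", "Winkmvp", "Winkov"]))
```

The point of the drift check is the caveat a responder wants here: deleting the current Wink*.exe and its service by name, as the Avenger scripts in this thread do, removes a symptom. When the next log shows the same prefix with a new suffix, whatever writes the 10,240-byte files is still running and has to be found first.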

#25 Maciej13
    SecurityMaster
  • 261 posts

Posted 21 06 2007 - 12:11

Paste this into The Avenger and delete:

Drivers to unload:

Winkmvp

Files to delete:

C:\WINDOWS\system32\Winkmvp.exe
C:\Program Files\Kkr1.exe
C:\Program Files\UrF.exe
C:\Program Files\Ic10.exe
C:\Program Files\Gll1.exe
C:\Program Files\Xex2.exe
C:\Program Files\Jf8.exe
C:\Program Files\Jvi1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
O23 - Service: Winkmvp - Unknown owner - C:\WINDOWS\System32\Winkmvp.exe

Fix in HJT.

"some error"

Care to lift the veil of secrecy a little?

Post new logs when you are done.

#26 diablllooo
    Beginner
  • 18 posts

Posted 21 06 2007 - 21:45

Logfile of HijackThis v1.99.1
Scan saved at 21:35, on 2007-06-21
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Winkov.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.922\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkov - Unknown owner - C:\WINDOWS\System32\Winkov.exe







"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"






ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-21 21:41:36 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-21 to 2007-06-21 )))))))))))))))))))))))))))))))


2007-06-21 20:46 10,240 --a------ C:\Program Files\Fkq1.exe
2007-06-21 18:38 10,240 --a------ C:\Program Files\JftF.exe
2007-06-21 18:34 10,240 --a------ C:\Program Files\Fj1.exe
2007-06-21 17:56 10,240 --a------ C:\Program Files\DyeC.exe
2007-06-21 17:55 10,240 --a------ C:\Program Files\Vzz1.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache
2007-05-22 18:25 <DIR> d-------- C:\Program Files\EA SPORTS
2007-05-22 18:23 292,864 --a------ C:\WINDOWS\system32\ddraw.dll
2007-05-22 18:23 24,064 --a------ C:\WINDOWS\system32\ddrawex.dll
2007-05-22 18:22 98,816 --a------ C:\WINDOWS\system32\dmstyle.dll
2007-05-22 18:22 974,848 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-05-22 18:22 83,968 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2007-05-22 18:22 80,896 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-05-22 18:22 76,800 --a------ C:\WINDOWS\system32\dmscript.dll
2007-05-22 18:22 733,184 --a------ C:\WINDOWS\system32\qedwipes.dll
2007-05-22 18:22 7,424 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2007-05-22 18:22 667,648 --a------ C:\WINDOWS\system32\dinput8.dll
2007-05-22 18:22 64,512 --a------ C:\WINDOWS\system32\amstream.dll
2007-05-22 18:22 58,368 --a------ C:\WINDOWS\system32\dmcompos.dll
2007-05-22 18:22 52,096 --a------ C:\WINDOWS\system32\drivers\msdv.sys
2007-05-22 18:22 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2007-05-22 18:22 5,248 --a------ C:\WINDOWS\system32\drivers\mspclock.sys
2007-05-22 18:22 491,520 --a------ C:\WINDOWS\system32\dsdmoprp.dll
2007-05-22 18:22 48,512 --a------ C:\WINDOWS\system32\drivers\stream.sys
2007-05-22 18:22 470,528 --a------ C:\WINDOWS\system32\qdvd.dll
2007-05-22 18:22 47,104 --a------ C:\WINDOWS\system32\wstdecod.dll
2007-05-22 18:22 46,592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-05-22 18:22 4,608 --a------ C:\WINDOWS\system32\drivers\mspqm.sys
2007-05-22 18:22 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2007-05-22 18:22 4,096 --a------ C:\WINDOWS\system32\drivers\swenum.sys
2007-05-22 18:22 381,952 --a------ C:\WINDOWS\system32\dpvoice.dll
2007-05-22 18:22 354,816 --a------ C:\WINDOWS\system32\psisdecd.dll
2007-05-22 18:22 34,304 --a------ C:\WINDOWS\system32\mciqtz32.dll
2007-05-22 18:22 33,280 --a------ C:\WINDOWS\system32\dmloader.dll
2007-05-22 18:22 324,096 --a------ C:\WINDOWS\system32\mswebdvd.dll
2007-05-22 18:22 316,928 --a------ C:\WINDOWS\system32\qdv.dll
2007-05-22 18:22 27,136 --a------ C:\WINDOWS\system32\dmband.dll
2007-05-22 18:22 257,024 --a------ C:\WINDOWS\system32\qcap.dll
2007-05-22 18:22 19,968 --a------ C:\WINDOWS\system32\dpvacm.dll
2007-05-22 18:22 186,880 --a------ C:\WINDOWS\system32\dsdmo.dll
2007-05-22 18:22 181,248 --a------ C:\WINDOWS\system32\dmime.dll
2007-05-22 18:22 18,944 --a------ C:\WINDOWS\system32\encapi.dll
2007-05-22 18:22 18,688 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2007-05-22 18:22 18,432 --a------ C:\WINDOWS\system32\dswave.dll
2007-05-22 18:22 16,896 --a------ C:\WINDOWS\system32\msyuv.dll
2007-05-22 18:22 16,384 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2007-05-22 18:22 15,104 --a------ C:\WINDOWS\system32\drivers\mpe.sys
2007-05-22 18:22 14,976 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2007-05-22 18:22 132,608 --a------ C:\WINDOWS\system32\devenum.dll
2007-05-22 18:22 130,304 --a------ C:\WINDOWS\system32\drivers\ks.sys
2007-05-22 18:22 13,312 --a------ C:\WINDOWS\system32\msdmo.dll
2007-05-22 18:22 122,880 --a------ C:\WINDOWS\system32\dmusic.dll
2007-05-22 18:22 112,128 --a------ C:\WINDOWS\system32\dpvvox.dll
2007-05-22 18:22 11,392 --a------ C:\WINDOWS\system32\drivers\bdasup.sys
2007-05-22 18:22 100,864 --a------ C:\WINDOWS\system32\dmsynth.dll
2007-05-22 18:22 10,880 --a------ C:\WINDOWS\system32\drivers\slip.sys
2007-05-22 18:22 10,496 --a------ C:\WINDOWS\system32\drivers\dxapi.sys
2007-05-22 18:22 10,112 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2007-05-22 18:22 1,962,496 --a------ C:\WINDOWS\system32\quartz.dll
2007-05-22 18:22 1,798,144 --a------ C:\WINDOWS\system32\qedit.dll
2007-05-22 18:22 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2007-05-22 18:22 1,703,936 --a------ C:\WINDOWS\system32\d3d9.dll
2007-05-22 18:22 1,230,336 --a------ C:\WINDOWS\system32\msvidctl.dll
2007-05-22 18:22 1,201,152 --a------ C:\WINDOWS\system32\d3d8.dll
2007-05-22 18:22 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-05-22 18:21 8,192 --a------ C:\WINDOWS\system32\d3d8thk.dll
2007-05-22 18:21 797,184 --a------ C:\WINDOWS\system32\d3dim700.dll
2007-05-22 18:21 79,360 --a------ C:\WINDOWS\system32\dpwsockx.dll
2007-05-22 18:21 77,824 --a------ C:\WINDOWS\system32\dpmodemx.dll
2007-05-22 18:21 723,968 --a------ C:\WINDOWS\system32\dpnet.dll
2007-05-22 18:21 68,096 --a------ C:\WINDOWS\system32\dpnhupnp.dll
2007-05-22 18:21 648,704 --a------ C:\WINDOWS\system32\dinput.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-21 18:58:06 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-06-03 16:51:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-18 20:54:46 93,602 --sha-r C:\WINDOWS\system32\Winkov.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 21:42:49
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 21:43:14
C:\ComboFix2.txt ... 2007-06-20 20:04
C:\ComboFix3.txt ... 2007-06-19 17:29

--- E O F ---


#27 Maciej13

    SecurityMaster

  • 261 posts

Posted 21 06 2007 - 23:17

Again, delete with The Avenger:

Drivers to unload:

Winkov

Files to delete:

C:\WINDOWS\System32\Winkov.exe
C:\Program Files\Fkq1.exe
C:\Program Files\JftF.exe
C:\Program Files\Fj1.exe
C:\Program Files\DyeC.exe
C:\Program Files\Vzz1.exe

O23 - Service: Winkov - Unknown owner - C:\WINDOWS\System32\Winkov.exe

Fix in HJT.

New logs...

#28 diablllooo

    Beginner

  • 18 posts

Posted 23 06 2007 - 09:33

ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-23 9:27:09 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


2007-06-23 09:26 10,240 --a------ C:\Program Files\Yq1.exe
2007-06-23 09:10 10,240 --a------ C:\Program Files\Bp1.exe
2007-06-23 07:42 10,240 --a------ C:\Program Files\VykF.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 07:26:35 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-06-03 16:51:45 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 16:25:10 -------- d-----w C:\Program Files\EA SPORTS
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-21 19:06:29 -------- d-----w C:\Program Files\Ahead
2007-05-21 19:06:20 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-21 09:02:29 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\U3
2007-05-21 08:56:18 92,134 --sha-r C:\WINDOWS\system32\Winkhx.exe
2006-08-18 08:11:33 94,549 --sha-r C:\WINDOWS\system32\Winkav.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]

*Newly Created Service* - WINKAV

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 09:28:25
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-23 9:28:42
C:\ComboFix2.txt ... 2007-06-21 21:43



Logfile of HijackThis v1.99.1
Scan saved at 09:33:11, on 2007-06-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\Winkav.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRARcbu.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.718\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkav - Unknown owner - C:\WINDOWS\System32\Winkav.exe



"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"

#29 Maciej13

    SecurityMaster

  • 261 posts

Posted 23 06 2007 - 13:43

Again, delete with The Avenger:

Drivers to unload:

Winkav

Files to delete:

C:\WINDOWS\system32\Winkhx.exe
C:\WINDOWS\System32\Winkav.exe
C:\Program Files\Yq1.exe
C:\Program Files\Bp1.exe
C:\Program Files\VykF.exe

New logs.

#30 diablllooo

    Beginner

  • 18 posts

Posted 23 06 2007 - 17:55

Logfile of HijackThis v1.99.1
Scan saved at 17:51:43, on 2007-06-23
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Winkoe.exe
C:\Program Files\Kl1.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\Messenger\msmsgsgmw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Jp4.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\WinRAR\WinRARcbu.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Karol\USTAWI~1\Temp\Rar$EX00.500\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Winkoe - Unknown owner - C:\WINDOWS\System32\Winkoe.exe




ComboFix 07-06-18.2 - C:\Documents and Settings\Karol\Pulpit\ComboFix.exe
"Karol" - 2007-06-23 17:52:47 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


2007-06-23 17:50 10,240 --a------ C:\Program Files\Kl1.exe
2007-06-23 17:50 10,240 --a------ C:\Program Files\Jp4.exe
2007-06-23 12:47 10,240 --a------ C:\Program Files\Dt10.exe
2007-06-23 12:16 10,240 --a------ C:\Program Files\Qot1.exe
2007-06-23 12:14 <DIR> d-------- C:\Program Files\BitTorrent
2007-06-23 11:35 <DIR> d-------- C:\Program Files\LimeWire
2007-06-23 11:20 <DIR> d-------- C:\Program Files\Infogrames
2007-06-23 11:18 <DIR> d-------- C:\temp\asterixdemo
2007-06-23 11:18 <DIR> d-------- C:\temp
2007-06-23 11:05 10,240 --a------ C:\Program Files\Ye1.exe
2007-06-20 15:17 <DIR> d-------- C:\Program Files\7-Zip
2007-06-19 17:21 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 22:41 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-18 22:41 <DIR> dr-h----- C:\DOCUME~1\ADMINI~1\Dane aplikacji
2007-06-18 22:41 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Start
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Ustawienia lokalne
2007-06-18 22:41 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Szablony
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ulubione
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Pulpit
2007-06-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Moje dokumenty
2007-06-18 22:36 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-17 18:07 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-06-17 18:07 <DIR> d-------- C:\Program Files\EA GAMES
2007-06-17 15:13 <DIR> d-------- C:\Program Files\Volleyball Manager
2007-06-06 08:06 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-06 08:06 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-06 08:05 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-06 08:05 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2007-06-06 08:05 348,160 --a------ C:\WINDOWS\system32\MSVCR71.dll
2007-06-06 08:05 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-06-06 08:03 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-05 22:20 4 --a------ C:\WINDOWS\system32\proc625010911.bin
2007-06-05 22:20 <DIR> d-------- C:\DOCUME~1\Karol\DANEAP~1\GanymedeNet
2007-06-03 18:51 <DIR> d-------- C:\Program Files\GSC Game World
2007-06-01 12:40 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-01 08:14 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-01 08:08 <DIR> d-------- C:\Program Files\BearShare
2007-06-01 08:08 <DIR> d-------- C:\My Downloads
2007-05-23 19:19 <DIR> d-------- C:\WINDOWS\Cache


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 09:20:18 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-23 07:26:35 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\Skype
2007-06-19 17:49:33 67,078 ----a-w C:\WINDOWS\system32\perfc015.dat
2007-06-19 17:49:33 435,978 ----a-w C:\WINDOWS\system32\perfh015.dat
2007-06-13 19:27:40 2,320 ----a-w C:\WINDOWS\mozver.dat
2007-05-23 17:08:54 -------- d-----w C:\Program Files\Gadu-Gadu
2007-05-22 16:25:10 -------- d-----w C:\Program Files\EA SPORTS
2007-05-22 15:59:24 -------- d-----w C:\Program Files\Messenger
2007-05-21 19:06:29 -------- d-----w C:\Program Files\Ahead
2007-05-21 19:06:20 -------- d-----w C:\Program Files\Common Files\Ahead
2007-05-21 09:02:29 -------- d-----w C:\DOCUME~1\Karol\DANEAP~1\U3
1617-10-26 20:34:13 89,144 --sha-r C:\WINDOWS\system32\Winkoe.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll [2003-11-04 00:17]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll [2006-11-09 16:21]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"SoundMan"="SOUNDMAN.EXE" []
"BearShare"="C:\Program Files\BearShare\BearShare.exe" [2006-08-01 17:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 08:14]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2006-11-14 11:12]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-23 17:54:05
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-23 17:54:31
C:\ComboFix2.txt ... 2007-06-23 09:28
C:\ComboFix3.txt ... 2007-06-21 21:43

--- E O F ---




"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay" [null data]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SoundMan" = "SOUNDMAN.EXE" [file not found]
"BearShare" = ""C:\Program Files\BearShare\BearShare.exe" /pause" ["Free Peers, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{32714800-2E5F-11d0-8B85-00AA0044F941}" = "&Do osób..."
-> {HKLM...CLSID} = "&Do osób..."
\InProcServer32\(Default) = "C:\Program Files\Outlook Express\wabfind.dll" [file not found]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "%APPDATA%\Mozilla\Firefox\Tapeta pulpitu.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Karol\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
#31 Maciej13
SecurityMaster, 261 posts
Posted 23 06 2007 - 19:43

The pests are still getting in. Did you close the open ports with the Windows Worms Doors Cleaner tool?

#32 diablllooo
Beginner, 18 posts
Posted 23 06 2007 - 19:51

For one of them it is not possible to get the icon next to it to turn green.

http://img255.imageshack.us/my.php?image=aaaox8.png

I found a post where a guy has a problem similar to mine, but they didn't manage to help him there.

http://forum.idg.pl/lofiversion/index.php/t26630.html

#33 Maciej13
SecurityMaster, 261 posts
Posted 23 06 2007 - 22:03

Hmmm, WWDC looks fine.

Run SmitFraudFix with option 2 and then post the log from that application.

#34 diablllooo
Beginner, 18 posts
Posted 23 06 2007 - 22:47

SmitFraudFix v2.195

Scan done at 22:45:30,74, 2007-06-23
Run from C:\Documents and Settings\Karol\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Ralink RT2500 Wireless LAN Card - Sterownik miniport Harmonogramu pakietów
DNS Server Search Order: 192.168.8.1
DNS Server Search Order: 194.204.152.34

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1F562149-36F1-4206-81FC-614613D5647D}: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1F562149-36F1-4206-81FC-614613D5647D}: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1F562149-36F1-4206-81FC-614613D5647D}: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.8.1 194.204.152.34
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.8.1 194.204.152.34


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

#35 Maciej13
SecurityMaster, 261 posts
Posted 24 06 2007 - 11:24

Download GMER.

1. Rootkit => Scan (Szukaj) => without ticking Show All => Ctrl + V to paste into the post.

#36 diablllooo
Beginner, 18 posts
Posted 24 06 2007 - 11:45

GMER 1.0.12.12244 - http://www.gmer.net

Rootkit scan 2007-06-24 11:44:02

Windows 5.1.2600 





---- System - GMER 1.0.12 ----



SSDT	sptd.sys																								 ZwCreateKey

SSDT	sptd.sys																								 ZwEnumerateKey

SSDT	sptd.sys																								 ZwEnumerateValueKey

SSDT	sptd.sys																								 ZwOpenKey

SSDT	sptd.sys																								 ZwQueryKey

SSDT	sptd.sys																								 ZwQueryValueKey

SSDT	sptd.sys																								 ZwSetValueKey



---- Kernel code sections - GMER 1.0.12 ----



.text   ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 130														  804F2098 4 Bytes  [ D0, D0, 42, F8 ]

.text   ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 1A8														  804F2110 4 Bytes  [ B2, 2F, 43, F8 ]

.text   ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 1B0														  804F2118 4 Bytes  [ 40, 33, 43, F8 ]

.text   ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 268														  804F21D0 4 Bytes  [ B0, D0, 42, F8 ]

.text   ntoskrnl.exe!FsRtlLegalAnsiCharacterArray + 30C														  804F2274 4 Bytes  [ 18, 34, 43, F8 ]

.text   ...																									  

?	   C:\WINDOWS\system32\drivers\sptd.sys																	 Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.

.text   USBPORT.SYS!DllUnload																					F804EDBC 5 Bytes  JMP 81D581C8 



---- Devices - GMER 1.0.12 ----



Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE																	 81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE																	  81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_READ																	   81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE																	  81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION														  81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION															81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA																   81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA																	 81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS															  81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION												   81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION													 81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL														  81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL														81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL															 81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN																   81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL															   81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP																	81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY															 81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY															   81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA																81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA																  81F691E8

Device  \FileSystem\Ntfs \Ntfs IRP_MJ_PNP																		81F691E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D} IRP_MJ_CREATE				   81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D} IRP_MJ_CLOSE					81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D} IRP_MJ_DEVICE_CONTROL		   81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D} IRP_MJ_INTERNAL_DEVICE_CONTROL  81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D} IRP_MJ_CLEANUP				  81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{1F562149-36F1-4206-81FC-614613D5647D} IRP_MJ_PNP					  81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C} IRP_MJ_CREATE				   81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C} IRP_MJ_CLOSE					81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C} IRP_MJ_DEVICE_CONTROL		   81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C} IRP_MJ_INTERNAL_DEVICE_CONTROL  81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C} IRP_MJ_CLEANUP				  81B641E8

Device  \Driver\NetBT \Device\NetBT_Tcpip_{8EBB19A8-9505-4C23-AA68-3B891CE5DA7C} IRP_MJ_PNP					  81B641E8

Device  \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CREATE														   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_CLOSE															81E061E8

Device  \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_DEVICE_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL										  81E061E8

Device  \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_POWER															81E061E8

Device  \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_SYSTEM_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-0 IRP_MJ_PNP															  81E061E8

Device  \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CREATE														   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_CLOSE															81E061E8

Device  \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_DEVICE_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL										  81E061E8

Device  \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_POWER															81E061E8

Device  \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_SYSTEM_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-1 IRP_MJ_PNP															  81E061E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CREATE												  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_CLOSE												   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_READ													81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_WRITE												   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_FLUSH_BUFFERS										   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_DEVICE_CONTROL										  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_INTERNAL_DEVICE_CONTROL								 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SHUTDOWN												81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_POWER												   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_SYSTEM_CONTROL										  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmIoDaemon IRP_MJ_PNP													 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CREATE													81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_CLOSE													 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_READ													  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_WRITE													 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_FLUSH_BUFFERS											 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_DEVICE_CONTROL											81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_INTERNAL_DEVICE_CONTROL								   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SHUTDOWN												  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_POWER													 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_SYSTEM_CONTROL											81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmConfig IRP_MJ_PNP													   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CREATE													   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_CLOSE														81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_READ														 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_WRITE														81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_FLUSH_BUFFERS												81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_DEVICE_CONTROL											   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_INTERNAL_DEVICE_CONTROL									  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SHUTDOWN													 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_POWER														81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_SYSTEM_CONTROL											   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmPnP IRP_MJ_PNP														  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CREATE													  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_CLOSE													   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_READ														81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_WRITE													   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_FLUSH_BUFFERS											   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_DEVICE_CONTROL											  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_INTERNAL_DEVICE_CONTROL									 81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SHUTDOWN													81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_POWER													   81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_SYSTEM_CONTROL											  81FDC1E8

Device  \Driver\dmio \Device\DmControl\DmInfo IRP_MJ_PNP														 81FDC1E8

Device  \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CREATE														   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_CLOSE															81E061E8

Device  \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_DEVICE_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL										  81E061E8

Device  \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_POWER															81E061E8

Device  \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_SYSTEM_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBPDO-2 IRP_MJ_PNP															  81E061E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CREATE													 81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_READ													   81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_WRITE													  81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_FLUSH_BUFFERS											  81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_DEVICE_CONTROL											 81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_INTERNAL_DEVICE_CONTROL									81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SHUTDOWN												   81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_CLEANUP													81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_POWER													  81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_SYSTEM_CONTROL											 81F6B1E8

Device  \Driver\Ftdisk \Device\HarddiskVolume1 IRP_MJ_PNP														81F6B1E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CREATE															   81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_CLOSE																81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_READ																 81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_WRITE																81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_FLUSH_BUFFERS														81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_DEVICE_CONTROL													   81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_INTERNAL_DEVICE_CONTROL											  81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SHUTDOWN															 81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_POWER																81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_SYSTEM_CONTROL													   81E071E8

Device  \Driver\Cdrom \Device\CdRom0 IRP_MJ_PNP																  81E071E8

Device  \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CREATE													81B641E8

Device  \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLOSE													 81B641E8

Device  \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_DEVICE_CONTROL											81B641E8

Device  \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_INTERNAL_DEVICE_CONTROL								   81B641E8

Device  \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_CLEANUP												   81B641E8

Device  \Driver\NetBT \Device\NetBt_Wins_Export IRP_MJ_PNP													   81B641E8

Device  \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CREATE														   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_CLOSE															81E061E8

Device  \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_DEVICE_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_INTERNAL_DEVICE_CONTROL										  81E061E8

Device  \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_POWER															81E061E8

Device  \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_SYSTEM_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-0 IRP_MJ_PNP															  81E061E8

Device  \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CREATE														   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_CLOSE															81E061E8

Device  \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_DEVICE_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_INTERNAL_DEVICE_CONTROL										  81E061E8

Device  \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_POWER															81E061E8

Device  \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_SYSTEM_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-1 IRP_MJ_PNP															  81E061E8

Device  \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CREATE														   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_CLOSE															81E061E8

Device  \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_DEVICE_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_INTERNAL_DEVICE_CONTROL										  81E061E8

Device  \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_POWER															81E061E8

Device  \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_SYSTEM_CONTROL												   81E061E8

Device  \Driver\usbuhci \Device\USBFDO-2 IRP_MJ_PNP															  81E061E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE										  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_NAMED_PIPE							   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLOSE										   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_READ											817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_WRITE										   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_INFORMATION							   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_INFORMATION								 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_EA										817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_EA										  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FLUSH_BUFFERS								   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_VOLUME_INFORMATION						817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_VOLUME_INFORMATION						  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DIRECTORY_CONTROL							   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_FILE_SYSTEM_CONTROL							 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CONTROL								  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_INTERNAL_DEVICE_CONTROL						 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SHUTDOWN										817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_LOCK_CONTROL									817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CLEANUP										 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_CREATE_MAILSLOT								 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_SECURITY								  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_SECURITY									817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_POWER										   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SYSTEM_CONTROL								  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_DEVICE_CHANGE								   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_QUERY_QUOTA									 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_SET_QUOTA									   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver IRP_MJ_PNP											 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE												817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_NAMED_PIPE									 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLOSE												 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_READ												  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_WRITE												 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_INFORMATION									 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_INFORMATION									   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_EA											  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_EA												817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FLUSH_BUFFERS										 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_VOLUME_INFORMATION							  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_VOLUME_INFORMATION								817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DIRECTORY_CONTROL									 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_FILE_SYSTEM_CONTROL								   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CONTROL										817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_INTERNAL_DEVICE_CONTROL							   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SHUTDOWN											  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_LOCK_CONTROL										  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CLEANUP											   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_CREATE_MAILSLOT									   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_SECURITY										817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_SECURITY										  817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_POWER												 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SYSTEM_CONTROL										817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_DEVICE_CHANGE										 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_QUERY_QUOTA										   817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_SET_QUOTA											 817D31E8

Device  \FileSystem\MRxSmb \Device\LanmanRedirector IRP_MJ_PNP												   817D31E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_CREATE														   81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_READ															 81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_WRITE															81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_FLUSH_BUFFERS													81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_DEVICE_CONTROL												   81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_INTERNAL_DEVICE_CONTROL										  81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_SHUTDOWN														 81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_CLEANUP														  81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_POWER															81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_SYSTEM_CONTROL												   81F6B1E8

Device  \Driver\Ftdisk \Device\FtControl IRP_MJ_PNP															  81F6B1E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE																	 81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE																	  81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_READ																	   81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION														  81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION															81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION												   81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL														  81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL														81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL															 81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN																   81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL															   81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP																	81B741E8

Device  \FileSystem\Cdfs \Cdfs IRP_MJ_PNP																		81B741E8



---- EOF - GMER 1.0.12 ----

#37 Maciej13
SecurityMaster, 261 posts
Posted 25 06 2007 - 10:31

I don't see anything in the log. I just wonder where this junk keeps coming from. :D Scan the computer with the online scanners - /index.php?showt...&hl=skanery and then post the scan reports.
