winsock32.exe crapware :)
Hello.
Recently I ran some piece of junk on my computer, honestly believing it had good intentions.
After restarting the computer it turned out I had a mass of strange creatures; they were so intrusive that the computer was unusable, and they changed and disabled everything that could have helped me get rid of them.
Fortunately I found a small program called combofix which cured Windows of the vermin, or at least so it seems to me.
As far as I could tell, the cause of the whole mess was a trojan called virtumonde (horrible junk - I don't recommend it ;))
OK, now to the point: the computer seems to work as it did before, but I noticed a strange thing, probably something combofix couldn't handle, and I'm afraid of another attack because of it.
Every time the explorer.exe process starts, whether at Windows startup or when restarting it manually via Task Manager, a popup titled "personalized settings" appears for a moment in the top-left corner of the screen; I managed to capture the window's contents with prt scr (the window closes almost immediately) and it is c:\windows\system32::winsock32.exe
Of course the winsock32 file is no longer there (probably combofix's doing), but the popup itself is worrying.
I've searched practically the whole internet and can't find a solution.
I'll just add that I've scanned with probably every possible scanner and antivirus, and they don't solve/find the cause of this problem.
Has anyone come across this pest before, and does anyone know a cure? How can I check what explorer.exe launches after it starts?
Thanks a lot for reading this rambling ;)
Regards
Replies: 7
Make yourself a user account without administrative privileges and see whether you can still poke around in Windows\System32 with impunity ;)
If you're working on an account with admin privileges, why are you surprised that everything you catch can roam freely over both the file system and the registry keys? FAT won't protect you from that.
That ftpcache seems to be empty, although it is hidden; probably a leftover from some software... I think
As for NPF.sys, I have no idea what it might be; I tried googling but found nothing definite about it.
My system is a bit cluttered; I keep installing loads of programs to pick the best one (many people probably do that)
From what I read about these streams, in my case the winsock32.exe file was never located in the system32 folder but was "attached" to it; but why, and how was it launched via explorer.exe?
Interesting topic, and maybe there is something else in there ....
And now another question comes to mind: if malware writers start using ADS more often, I guess we'll have to go back to good old FAT
Here -> http://www.grzegorz.net/articles/index.php?id=ntfsstreams you have something on alternate data streams.
Also look into the Windows\ftpcache directory, because it looks somewhat suspicious - normally it isn't there ....
And also this entry:
S3 NPF;WinPcap Packet Driver (NPF);C:\WINDOWS\system32\drivers\NPF.sys [2008-05-03 04:29]
Did you install this thing yourself ??
Hmm
It found one stream, the right one; I removed it (after closing the explorer.exe process which was locking it)
I deleted the registry key.
I ran combofix.
And the problem is gone :)
Zółty - you're a golden lad ;)
Heartfelt thanks and regards.
Although now I'm wondering what these streams are and what they're for; I need to do a bit of reading up.
Just in case, a new combofix log
[code]
ComboFix 08-08-10.04 - Grzes 2008-08-11 17:23:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1033.18.562 [GMT 2:00]
Running from: D:\Documents\Grzes\Desktop\ComboFix.exe
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
((((((((((((((((((((((((( Files Created from 2008-07-11 to 2008-08-11 )))))))))))))))))))))))))))))))
.
2008-08-11 16:57 . 2008-08-11 16:57 d-------- C:\VundoFix Backups
2008-08-10 15:27 . 2008-08-10 15:27 d-------- D:\Program Files\Trend Micro
2008-08-10 15:10 . 2008-08-10 15:10 31,056 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 31,056 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-08-10 15:10 . 2008-08-10 15:10 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-08-10 14:30 . 2008-08-10 14:30 d-------- D:\Program Files\SUPERAntiSpyware
2008-08-10 14:30 . 2008-08-10 14:30 d-------- D:\Documents\Grzes\Application Data\SUPERAntiSpyware.com
2008-08-10 14:30 . 2008-08-10 14:30 d-------- D:\Documents\All Users\Application Data\SUPERAntiSpyware.com
2008-08-10 11:54 . 2008-08-10 11:54 d-------- D:\Program Files\Avira
2008-08-10 11:54 . 2008-08-10 11:54 d-------- D:\Documents\All Users\Application Data\Avira
2008-08-10 08:41 . 2008-08-10 08:41 d-------- D:\Documents\All Users\Application Data\SlySoft
2008-08-09 16:25 . 2008-08-09 16:25 140 --a------ C:\WINDOWS\wininit.ini
2008-08-09 15:38 . 2008-08-09 15:39 d-------- D:\Program Files\Ssd
2008-08-09 15:38 . 2008-08-09 15:39 d-------- D:\Documents\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 15:34 . 2008-08-09 15:34 d-------- D:\Program Files\Avira GmbH
2008-08-09 15:21 . 2008-08-09 15:21 d-------- D:\Program Files\Lavasoft
2008-08-09 15:21 . 2008-08-09 15:21 d-------- D:\Documents\All Users\Application Data\Lavasoft
2008-08-09 14:03 . 2008-08-09 14:03 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-09 12:09 . 2008-08-09 12:09 d-------- D:\Documents\Grzes\Application Data\ImgBurn
2008-08-09 12:08 . 2008-08-09 12:08 d-------- D:\Program Files\ImgBurn
2008-08-09 11:49 . 2008-08-09 11:49 d-------- D:\Program Files\Hex Editor Neo
2008-08-09 11:46 . 2008-08-09 11:46 d-------- D:\Program Files\Cygnus
2008-08-09 10:07 . 2008-08-09 10:10 d-------- D:\Program Files\IsoBuster
2008-08-09 09:20 . 2008-08-09 09:20 d-------- D:\Program Files\Alcohol Soft
2008-08-08 15:04 . 2008-08-08 15:03 27,958 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.bmp
2008-08-08 15:04 . 2008-08-08 15:04 3,441 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat
2008-08-08 15:03 . 2008-08-08 15:03 27,958 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.bmp
2008-08-08 15:03 . 2008-08-08 15:03 2,265 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
2008-08-08 15:02 . 2008-08-08 19:37 d-------- D:\Program Files\dBpowerAMP
2008-08-08 15:02 . 2008-08-08 15:04 167,424 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-08-08 15:02 . 2008-08-08 15:02 36,593 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-08-08 15:02 . 2008-08-08 15:02 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2008-08-07 15:47 . 2008-08-07 15:50 1,054 --a------ C:\WINDOWS\UAMedytor.ini
2008-08-07 15:21 . 2008-08-07 15:21 d-------- D:\Program Files\AbleMP3
2008-08-07 09:44 . 2008-08-07 09:44 d-------- D:\Program Files\Garmin
2008-08-06 13:16 . 2008-08-06 13:16 d-------- D:\Program Files\DAEMON Tools Lite
2008-08-06 12:22 . 2008-08-06 12:22 d-------- D:\Documents\Grzes\Application Data\InstallShield
2008-08-05 08:21 . 2008-08-05 08:21 d-------- D:\Program Files\SlySoft
2008-08-04 15:43 . 2008-08-04 15:44 d-------- D:\Program Files\ActvMap V 4.7
2008-08-03 09:02 . 2008-08-03 10:35 d-------- C:\tt7
2008-08-02 15:01 . 2008-08-02 15:01 d-------- D:\Documents\Grzes\Application Data\Nokia Multimedia Player
2008-07-26 15:36 . 2008-07-26 15:36 d-------- D:\Program Files\MSXML 4.0
2008-07-26 08:25 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-26 08:25 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-26 08:25 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-26 08:25 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-26 08:25 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-26 08:25 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-26 08:25 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-26 08:23 . 2008-07-26 08:23 d-------- C:\WINDOWS\Logs
2008-07-25 15:52 . 2008-07-25 15:52 d--hs---- C:\WINDOWS\ftpcache
2008-07-21 22:38 . 2008-07-21 22:38 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2008-07-21 22:37 . 2008-07-21 22:37 d-------- D:\Program Files\My Common Files\SWF Studio
2008-07-17 13:34 . 2008-07-18 14:33 d-------- D:\Program Files\mIRC
2008-07-17 13:34 . 2008-07-17 13:34 d-------- D:\Documents\Grzes\Application Data\mIRC
2008-07-16 14:06 . 2008-07-16 14:09 d-------- D:\Program Files\QBot
2008-07-15 19:04 . 2008-07-15 19:04 d-------- D:\Program Files\DVD Shrink
2008-07-15 19:04 . 2008-07-15 19:07 d-------- D:\Documents\All Users\Application Data\DVD Shrink
2008-07-15 18:56 . 2008-07-15 18:56 d-------- D:\Documents\Grzes\Application Data\DivX
2008-07-15 16:54 . 2008-07-15 16:54 d-------- D:\Program Files\Exif Tag Remover
2008-07-15 16:54 . 2004-03-09 00:00 609,824 --a------ C:\WINDOWS\system32\COMCTL32.ocx
2008-07-15 16:54 . 1999-05-07 01:00 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-07-14 17:47 . 2008-07-14 17:47 d-------- D:\Program Files\DivX
2008-07-14 17:47 . 2008-06-11 02:07 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-07-14 17:47 . 2008-06-11 02:07 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-07-14 17:47 . 2008-06-11 02:07 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-07-14 13:15 . 2008-08-04 18:51 d-------- D:\Program Files\Invision
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 12:29 --------- d-----w D:\Program Files\My Common Files\Wise Installation Wizard
2008-08-09 13:34 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-08-08 12:05 --------- d-----w D:\Program Files\emule
2008-08-06 11:18 --------- d-----w D:\Program Files\Google
2008-08-06 10:20 --------- d-----w D:\Program Files\Microsoft Visual Studio 8
2008-08-06 10:18 --------- d-----w D:\Documents\All Users\Application Data\Microsoft Help
2008-08-06 10:14 --------- d-----w D:\Program Files\Samsung
2008-07-09 08:04 --------- d-----w D:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-08 09:40 --------- d-----w D:\Program Files\PhotoTrack
2008-07-05 08:03 --------- d-----w D:\Documents\Grzes\Application Data\Dev-Cpp
2008-07-04 06:59 --------- d-----w D:\Program Files\Opera
2008-06-27 15:27 --------- d-----w D:\Program Files\Winamp
2008-06-27 15:27 --------- d-----w D:\Documents\Grzes\Application Data\Winamp
2008-06-26 12:04 --------- d-----w D:\Documents\Grzes\Application Data\Gadu-Gadu
2008-06-25 09:42 --------- d-----w D:\Program Files\Datum Software
2008-06-25 06:37 --------- d-----w D:\Program Files\Blender Foundation
2008-06-25 06:37 --------- d-----w D:\Documents\Grzes\Application Data\Blender Foundation
2008-06-24 10:59 --------- d-----w D:\Program Files\totalcmd
2008-06-24 10:43 --------- d-----w D:\Program Files\iLiberty
2008-06-23 09:59 --------- d-----w D:\Documents\Grzes\Application Data\Apple Computer
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 09:10 --------- d-----w D:\Program Files\SSinger
2008-06-11 09:04 --------- d-----w D:\Program Files\SISSigner
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-29 16:26 99,328 ----a-w C:\WINDOWS\system32\winscard.dll
2008-05-24 16:51 160,221 ----a-w C:\WINDOWS\MOV Booster Pack Uninstaller.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 15:39 1289000]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\My Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-08-03 12:51 1422632]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"MSConfig"="C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 02:12 169984]
"CTHelper"="CTHELPER.EXE" [2006-08-11 16:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 16:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 12:06 13801]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"StartMenuLogoff"= 0 (0x0)
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\D:^Documents^Grzes^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=D:\Documents\Grzes\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 00:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-03-20 18:46 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 D:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\My Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 D:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 06:25 144784 D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 10:33 1506544 D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"ScsiAccess"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodata Limited License Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\emule\\emule.exe"=
"D:\\Program Files\\Opera\\Opera.exe"=
"D:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Program Files\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=
"D:\\Program Files\\Midnight Club II\\mc2.exe"=
"D:\\Program Files\\Valve\\Steam\\SteamApps\\amayan\\counter-strike source\\hl2.exe"=
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Garmin\\UMP-pcPL\\rsync.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Invision\\mirc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2005-03-17 10:00]
R3 Egatebus;Egatebus;C:\WINDOWS\system32\drivers\egatebus.sys [2006-05-19 10:22]
R3 Egaterdr;Egaterdr;C:\WINDOWS\system32\drivers\egaterdr.sys [2006-05-19 10:22]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-03-06 23:41]
S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-07-27 17:37]
S3 NPF;WinPcap Packet Driver (NPF);C:\WINDOWS\system32\drivers\NPF.sys [2008-05-03 04:29]
S3 wampapache;wampapache;D:\Program Files\wamp\bin\apache\apache2.2.6\bin\httpd.exe [2007-09-05 10:59]
S3 wampmysqld;wampmysqld;D:\Program Files\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2008-03-06 23:41]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2008-03-06 23:41]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2008-03-06 23:41]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2008-03-06 23:41]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0c30289-5af8-11dd-bc8c-0007e984a00b}]
\Shell\AutoRun\command - Q:\InstallTomTomHOME.exe
*Newly Created Service* - NTMSSVC
*Newly Created Service* - SYSMONLOG
.
Contents of the 'Scheduled Tasks' folder
2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = about:blank
R0 -: HKCU-Main,Default_Search_URL = hxxp://www.google.com/ie
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - D:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-11 17:26:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-08-11 17:27:19
ComboFix-quarantined-files.txt 2008-08-11 15:27:16
Pre-Run: 25,085,526,016 bytes free
Post-Run: 25,070,735,360 bytes free
253 --- E O F --- 2008-07-09 08:07:50
[/code]
Download -> http://download.bleepingcomputer.com/Merijn/adsspy.zip
Tick the "Scan only this folder" option, point it at the c:\windows\system32 folder and click "scan the system for ..."
If winsock32.exe is found, put a tick next to that stream and click "Remove selected streams"
If there are any other alternate data streams in that folder, I'd like to see what those streams are.
Then delete the key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9281A4FC-C581-3449-5FA6-456C6F7B9079} and make sure there is no winsock32.exe file in the c:\windows\system32\ directory (run Combofix - let it make a log - Combofix should delete it by itself)
Show the logs once more when you've done that.
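As an added example (not code from this thread, from ADS Spy or from ComboFix), a PowerShell check covering the two places the advice above points at: Active Setup StubPath values that use alternate-data-stream syntax such as C:\WINDOWS\system32:winsock32.exe, and the named streams attached to the system32 folder and its files. It assumes Windows PowerShell 3.0 or later for Get-Item -Stream and 5.1 for Get-Content -Encoding Byte; the default folder parameter is an assumption.

```powershell
# Added example, not the thread's or any tool's code. Looks for the persistence
# pattern from this thread: an Active Setup StubPath such as
# C:\WINDOWS\system32:winsock32.exe, i.e. an executable hidden in an NTFS
# alternate data stream (ADS) attached to the system32 folder, and lists any
# other ADS found on that folder and its files. Assumes Windows PowerShell 3.0+
# (Get-Item -Stream) and 5.1 for Get-Content -Encoding Byte.
param(
    [string]$Folder = "$env:SystemRoot\System32"
)

# True when a path names an alternate data stream: a colon is left over after
# the drive-letter colon is removed, as in C:\WINDOWS\system32:winsock32.exe
function Test-AdsPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $rest = $Path.Trim('"') -replace '^[A-Za-z]:', ''
    return $rest.Contains(':')
}

# Extracts the executable part of a StubPath value so that argument switches
# such as "/i:U" in the default "regsvr32.exe /s /n /i:U shell32.dll" entries
# are not mistaken for a stream separator (heuristic: quoted path, or the text
# before the first " /" or " -" switch).
function Get-StubTarget {
    param([string]$StubPath)
    $s = $StubPath.Trim()
    if ($s.StartsWith('"')) {
        $end = $s.IndexOf('"', 1)
        if ($end -gt 1) { return $s.Substring(1, $end - 1) }
    }
    return ($s -split '\s[/-]', 2)[0]
}

# Active Setup runs each component's StubPath once per user profile at logon,
# which is why the stream was started whenever explorer.exe came up.
# Reports every StubPath whose target uses ADS syntax.
function Get-AdsActiveSetupEntries {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $stub = (Get-ItemProperty -LiteralPath $key.PSPath -Name StubPath `
                        -ErrorAction SilentlyContinue).StubPath
            if ($stub -and (Test-AdsPath (Get-StubTarget $stub))) {
                [pscustomobject]@{ Key = $key.PSChildName; StubPath = $stub }
            }
        }
    }
}

# Lists named streams on the folder itself and on its direct children, skipping
# Zone.Identifier (the mark-of-the-web stream browsers add to downloads) and
# noting which streams begin with the 'MZ' signature of a PE executable.
function Get-AlternateStreams {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        foreach ($s in $streams) {
            $head = Get-Content -LiteralPath $item.FullName -Stream $s.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            [pscustomobject]@{
                Host        = $item.FullName
                Stream      = $s.Stream
                Bytes       = $s.Length
                LooksLikePE = $isPe
            }
        }
    }
}

Write-Host "Active Setup StubPath values pointing into an alternate data stream:"
Get-AdsActiveSetupEntries | Format-Table -AutoSize

Write-Host "Alternate data streams on $Folder and its files:"
Get-AlternateStreams -Path $Folder | Format-Table -AutoSize

# Once a stream is confirmed malicious it can be deleted with
#   Remove-Item -LiteralPath <host path> -Stream <stream name>
# As the thread notes, a running explorer.exe may hold the stream open, so end
# that process first; then remove the Active Setup key the StubPath lived in.
```

Any stream flagged LooksLikePE on a folder, or any StubPath reported by the first function, is the same pattern as the winsock32.exe case and is worth submitting to a scanner before removal.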
Thanks.
In the SilentRunners logs you can see a registry key that refers to this file; attempting to delete it does nothing.
Here are the logs:
SilentRunners
[code]
"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"H/PC Connection Agent" = ""D:\Program Files\Microsoft ActiveSync\wcescomm.exe"" [MS]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""D:\Program Files\My Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020" ["Nero AG"]
"Nokia.PCSync" = ""D:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog" ["Time Information Services Ltd."]
"PC Suite Tray" = ""D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray" ["Nokia"]
"DAEMON Tools Lite" = ""D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun" ["DT Soft Ltd"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTHelper" = "CTHELPER.EXE" ["Creative Technology Ltd"]
"CTxfiHlp" = "CTXFIHLP.EXE" ["Creative Technology Ltd"]
"avgnt" = ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min" ["Avira GmbH"]
"MSConfig" = "C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto" [MS]
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components{9281A4FC-C581-3449-5FA6-456C6F7B9079}\(Default) = (no title provided)
\StubPath = "C:\WINDOWS\system32:winsock32.exe" [** WMI GetObject error **]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "D:\Program Files\My Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "hticons.dll" [file not found]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{49BF5420-FA7F-11cf-8011-00A0C90A8F78}" = "Mobile Device"
-> {HKLM...CLSID} = "Mobile Device"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~3\Wcesview.dll" [MS]
"{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}" = "Nokia Phone Browser"
-> {HKLM...CLSID} = "Nokia Phone Browser"
\InProcServer32\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\phonebrowser.dll" ["Nokia"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
-> {HKLM...CLSID} = "Groove GFS Browser Helper"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
-> {HKLM...CLSID} = "Groove Folder Synchronization"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
-> {HKLM...CLSID} = "Groove XML Icon Handler"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~4\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~4\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~4\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MYCOMM~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
\InProcServer32\(Default) = "D:\PROGRA~1\MYCOMM~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"
-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"
\InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
-> {HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "D:\Program Files\My Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
-> {HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "D:\Program Files\My Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "D:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{51A64D28-F937-4045-A420-065CEFBD8A76}" = "ARAR Context Menu Shell Extension"
-> {HKLM...CLSID} = "ARARCtxMenu Class"
\InProcServer32\(Default) = "D:\Program Files\ARAR\ARARSHL.dll" [empty string]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "D:\Program Files\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "D:\Program Files\dBpowerAMP\dMCShell.dll" [empty string]
"{AE1514A4-5D7D-4D1B-BC7F-320E6962B0DD}" = "Edit with Hex Editor Neo"
-> {HKLM...CLSID} = "DropTarget Class"
\InProcServer32\(Default) = "D:\Program Files\Hex Editor Neo\FileDocument.dll" ["HHD Software Ltd."]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
-> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
<> "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
-> {HKLM...CLSID} = "SABShellExecuteHook Class"
\InProcServer32\(Default) = "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshserviceobj.dll" [MS]
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager<> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify<> !SASWinLogon\DLLName = "D:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]
HKLM\SOFTWARE\Classes\PROTOCOLS\Filter<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
\InProcServer32\(Default) = "D:\PROGRA~1\MYCOMM~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
-> {HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "D:\Program Files\My Common Files\Nero\Lib\NeroDigitalExt.dll" ["Nero AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\My Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
{FED7043D-346A-414D-ACD7-550D052499A7}\(Default) = "dBpowerAMP Column Handler"
-> {HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "D:\Program Files\dBpowerAMP\dBShell.dll" [empty string]
HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlersCover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"
-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"
\InProcServer32\(Default) = "D:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlersWinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlersShell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
-> {HKLM...CLSID} = "Shell Extension for Malware scanning"
\InProcServer32\(Default) = "D:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll" ["Avira GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlersXXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
\InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
Default executables:
--------------------
<> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoResolveSearch" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoSMHelp" = (REG_DWORD) dword:0x00000000
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}
"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoSMHelp" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoRemoteRecursiveEvents" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop"Wallpaper" = "D:\Documents\Grzes\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Windows Portable Device AutoPlay Handlers
-----------------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers
AdobePremiereProCS3CameraArrival"Provider" = "Adobe Premiere Pro"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""D:\Program Files\Adobe\Adobe Premiere Pro CS3\Adobe Premiere Pro.exe""
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
AlcoholAutoPlayV2.BurnDisc"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""D:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]
AlcoholAutoPlayV2.ReadDisc"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""D:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]
BridgeCS3ImportMediaOnArrival"Provider" = "Adobe Bridge CS3"
"InvokeProgID" = "Adobe.adobebridge"
"InvokeVerb" = "launch"
HKLM\SOFTWARE\Classes\Adobe.adobebridge\shell\launch\command\(Default) = "D:\Program Files\Adobe\Adobe Bridge CS3\bridgeproxy.exe -v %1" ["Adobe Systems, Inc."]
dMCAudioCDInput"Provider" = "dMC Audio CD Input"
"InvokeProgID" = "dMC.AudioCD.Autorun"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\dMC.AudioCD.Autorun\shell\open\command\(Default) = ""D:\Program Files\dBpowerAMP\CDGrab.exe"" ["Illustrate"]
ImgBurnBluRayBurningOnArrival_BuildImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BuildImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnBluRayBurningOnArrival_BurnImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleBluRayBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleBluRayBurningOnArrival_BurnImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnCDBurningOnArrival_BuildImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BuildImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnCDBurningOnArrival_BurnImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleCDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleCDBurningOnArrival_BurnImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnDVDBurningOnArrival_BuildImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BuildImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnDVDBurningOnArrival_BurnImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleDVDBurningOnArrival_BurnImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnHDDVDBurningOnArrival_BuildImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BuildImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BuildImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE BUILD /BUILDMODE DEVICE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnHDDVDBurningOnArrival_BurnImage"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "HandleHDDVDBurningOnArrival_BurnImage"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\HandleHDDVDBurningOnArrival_BurnImage\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE WRITE /DEST "%1"" ["LIGHTNING UK!"]
ImgBurnPlayBluRayOnArrival_ReadDisc"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayBluRayOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayBluRayOnArrival_ReadDisc\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
ImgBurnPlayCDAudioOnArrival_ReadDisc"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayCDAudioOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayCDAudioOnArrival_ReadDisc\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
ImgBurnPlayDVDMovieOnArrival_ReadDisc"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayDVDMovieOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayDVDMovieOnArrival_ReadDisc\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
ImgBurnPlayHDDVDOnArrival_ReadDisc"Provider" = "ImgBurn"
"InvokeProgID" = "ImgBurn.AutoPlay.1"
"InvokeVerb" = "PlayHDDVDOnArrival_ReadDisc"
HKLM\SOFTWARE\Classes\ImgBurn.AutoPlay.1\shell\PlayHDDVDOnArrival_ReadDisc\Command\(Default) = ""D:\Program Files\ImgBurn\ImgBurn.exe" /MODE READ /SRC "%1"" ["LIGHTNING UK!"]
iTunesBurnCDOnArrival"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]
iTunesImportSongsOnArrival"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]
iTunesPlaySongsOnArrival"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]
iTunesShowSongsOnArrival"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""D:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]
MPCPlayCDAudioOnArrival"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayCDAudio"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayCDAudio\command\(Default) = ""D:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /cd" ["Gabest"]
MPCPlayDVDMovieOnArrival"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayDVDMovie"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayDVDMovie\command\(Default) = ""D:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1 /dvd" ["Gabest"]
MPCPlayMusicFilesOnArrival"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayMusicFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayMusicFiles\command\(Default) = ""D:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]
MPCPlayVideoFilesOnArrival"Provider" = "Media Player Classic"
"InvokeProgID" = "MediaPlayerClassic.Autorun"
"InvokeVerb" = "PlayVideoFiles"
HKLM\SOFTWARE\Classes\MediaPlayerClassic.Autorun\shell\PlayVideoFiles\command\(Default) = ""D:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe" %1" ["Gabest"]
MSWPDShellNamespaceHandler"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
-> {HKLM...CLSID} = "WPDShextAutoplay"
\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]
NeroAutoPlay8AudioToNeroDigital"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]
NeroAutoPlay8CDAudio"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]
NeroAutoPlay8CopyCD"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]
NeroAutoPlay8DataDisc_CD"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]
NeroAutoPlay8DataDisc_DVD"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]
NeroAutoPlay8LaunchNeroStartSmart"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]
NeroAutoPlay8PlayAudioCD"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayAudioCD_PlayMusicFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayAudioCD_PlayMusicFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]
NeroAutoPlay8PlayDVD"Provider" = "Nero ShowTime"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "PlayDVD_PlayVideoFilesOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\PlayDVD_PlayVideoFilesOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero ShowTime\ShowTime.exe /Play %L" ["Nero AG"]
NeroAutoPlay8RipCD"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]
NeroAutoPlay8TranscodeVideo"Provider" = "Nero Recode"
"InvokeProgID" = "Nero.AutoPlay8"
"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"
HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "D:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]
NeroAutoPlay8VideoCapture"Provider" = "Nero Vision"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = ""D:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
NMMPlayCDAudioOnArrival"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMPlayCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMPlayCD\command\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /playCD "%L"" ["Nokia"]
NMMRipCDAudioOnArrival"Provider" = "Nokia Music Manager"
"InvokeProgID" = "NokiaMusicManager"
"InvokeVerb" = "NMMRipCD"
HKLM\SOFTWARE\Classes\NokiaMusicManager\shell\NMMRipCD\command\(Default) = "D:\Program Files\Nokia\Nokia PC Suite 6\MusicManager.exe /ripCD "%L"" ["Nokia"]
Picasa2ImportPicturesOnArrival"Provider" = "Picasa2"
"InvokeProgID" = "picasa2.autoplay"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\picasa2.autoplay\shell\import\command\(Default) = "D:\Program Files\Picasa2\Picasa2.exe "%1"" ["Google Inc."]
WinampMTPHandler"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Program Files\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
-> {HKLM...CLSID} = "ShellExecute HW Event Handler"
\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]
WinampPlayMediaOnArrival"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""D:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
-> {HKLM...CLSID} = (no title provided)
\LocalServer32\(Default) = ""D:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]
Enabled Scheduled Tasks:
------------------------
"AppleSoftwareUpdate" -> launches: "D:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "D:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Computer, Inc."]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Explorer Bars
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars
HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll" [MS]
HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "D:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]
{2670000A-7350-4F3C-8081-5663EE0C6C49}"ButtonText" = "Send to OneNote"
"MenuText" = "S&end to OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll" [MS]
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {HKLM...CLSID} = "Create Mobile Favorite"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~3\INetRepl.dll" [MS]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}"ButtonText" = "Research"
{E2E2DD38-D088-4134-82B7-F2BA38496583}"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Apple Mobile Device, Apple Mobile Device, ""D:\Program Files\My Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Avira AntiVir Personal - Free Antivirus Guard, AntiVirService, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Personal - Free Antivirus Scheduler, AntiVirScheduler, ""D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe"" ["Avira GmbH"]
StarWind AE Service, StarWindServiceAE, "D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}
Print Monitors:
---------------
HKLM\SYSTEM\CurrentControlSet\Control\Print\MonitorsSend To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]
SUGG1 Langmon\Driver = "SUGG1LMK.DLL" ["Samsung Electronics."]
---------- (launch time: 2008-08-11 16:32:50)
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 65 seconds, including 4 seconds for message boxes)
[/code]
HijackThis (shows nothing)
[code]
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:37, on 8/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\My Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\Program Files\My Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\My Common Files\Nokia\MPAPI\MPAPI3s.exe
D:\Program Files\Opera\opera.exe
C:\WINDOWS\explorer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\My Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\My Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Nokia.PCSync] "D:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [PC Suite Tray] "D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204296012515
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1215349539640
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - D:\Program Files\My Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\My Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: wampapache - Apache Software Foundation - D:\Program Files\wamp\bin\apache\apache2.2.6\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - D:\Program Files\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe
--
End of file - 8314 bytes
[/code]
and here is the ComboFix log from right after the malware attack
[code]
ComboFix 08-08-09.06 - Grzes 2008-08-10 15:06:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1033.18.517 [GMT 2:00]
Running from: D:\Documents\Grzes\Desktop\ComboFix.exe
Command switches used :: D:\Documents\Grzes\Desktop\CFScript.txt
* Created a new restore point
[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
FILE ::
C:\WINDOWS\BMc378c1c8.xml
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\efcBspPf.dll
C:\WINDOWS\system32\tskmygsl.dll
C:\WINDOWS\system32\tuvSjiHb.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\system32\winsock32.exe
D:\Documents\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
D:\Documents\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
----- BITS: Possible infected sites -----
http://www.hhdsoftware.com
.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.
2008-08-10 15:10 . 2008-08-10 15:10 31,056 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 31,056 --a------ C:\WINDOWS\system32\BMXState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 11,564 --a------ C:\WINDOWS\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-20021102}.rfx
2008-08-10 15:10 . 2008-08-10 15:10 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-08-10 15:10 . 2008-08-10 15:10 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-08-10 14:30 . 2008-08-10 14:30 d-------- D:\Program Files\SUPERAntiSpyware
2008-08-10 14:30 . 2008-08-10 14:30 d-------- D:\Documents\Grzes\Application Data\SUPERAntiSpyware.com
2008-08-10 14:30 . 2008-08-10 14:30 d-------- D:\Documents\All Users\Application Data\SUPERAntiSpyware.com
2008-08-10 11:54 . 2008-08-10 11:54 d-------- D:\Program Files\Avira
2008-08-10 11:54 . 2008-08-10 11:54 d-------- D:\Documents\All Users\Application Data\Avira
2008-08-10 08:41 . 2008-08-10 08:41 d-------- D:\Documents\All Users\Application Data\SlySoft
2008-08-09 16:25 . 2008-08-09 16:25 140 --a------ C:\WINDOWS\wininit.ini
2008-08-09 15:38 . 2008-08-09 15:39 d-------- D:\Program Files\Ssd
2008-08-09 15:38 . 2008-08-09 15:39 d-------- D:\Documents\All Users\Application Data\Spybot - Search & Destroy
2008-08-09 15:34 . 2008-08-09 15:34 d-------- D:\Program Files\Avira GmbH
2008-08-09 15:21 . 2008-08-09 15:21 d-------- D:\Program Files\Lavasoft
2008-08-09 15:21 . 2008-08-09 15:21 d-------- D:\Documents\All Users\Application Data\Lavasoft
2008-08-09 14:03 . 2008-08-09 14:03 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-09 12:09 . 2008-08-09 12:09 d-------- D:\Documents\Grzes\Application Data\ImgBurn
2008-08-09 12:08 . 2008-08-09 12:08 d-------- D:\Program Files\ImgBurn
2008-08-09 11:49 . 2008-08-09 11:49 d-------- D:\Program Files\Hex Editor Neo
2008-08-09 11:46 . 2008-08-09 11:46 d-------- D:\Program Files\Cygnus
2008-08-09 10:07 . 2008-08-09 10:10 d-------- D:\Program Files\IsoBuster
2008-08-09 09:20 . 2008-08-09 09:20 d-------- D:\Program Files\Alcohol Soft
2008-08-08 15:04 . 2008-08-08 15:03 27,958 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.bmp
2008-08-08 15:04 . 2008-08-08 15:04 3,441 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat
2008-08-08 15:03 . 2008-08-08 15:03 27,958 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.bmp
2008-08-08 15:03 . 2008-08-08 15:03 2,265 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
2008-08-08 15:02 . 2008-08-08 19:37 d-------- D:\Program Files\dBpowerAMP
2008-08-08 15:02 . 2008-08-08 15:04 167,424 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2008-08-08 15:02 . 2008-08-08 15:02 36,593 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-08-08 15:02 . 2008-08-08 15:02 33,846 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.bmp
2008-08-07 15:47 . 2008-08-07 15:50 1,054 --a------ C:\WINDOWS\UAMedytor.ini
2008-08-07 15:21 . 2008-08-07 15:21 d-------- D:\Program Files\AbleMP3
2008-08-07 09:44 . 2008-08-07 09:44 d-------- D:\Program Files\Garmin
2008-08-06 13:16 . 2008-08-06 13:16 d-------- D:\Program Files\DAEMON Tools Lite
2008-08-06 12:22 . 2008-08-06 12:22 d-------- D:\Documents\Grzes\Application Data\InstallShield
2008-08-05 08:21 . 2008-08-05 08:21 d-------- D:\Program Files\SlySoft
2008-08-05 08:21 . 2008-08-05 08:22 24 ---hs---- C:\WINDOWS\S4AB4F68D.tmp
2008-08-04 15:43 . 2008-08-04 15:44 d-------- D:\Program Files\ActvMap V 4.7
2008-08-03 09:02 . 2008-08-03 10:35 d-------- C:\tt7
2008-08-02 15:01 . 2008-08-02 15:01 d-------- D:\Documents\Grzes\Application Data\Nokia Multimedia Player
2008-08-01 09:31 . 2008-08-01 09:31 89,674 --a------ C:\WINDOWS\WinVerCheck.exe
2008-07-26 15:36 . 2008-07-26 15:36 d-------- D:\Program Files\MSXML 4.0
2008-07-26 08:25 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-26 08:25 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-26 08:25 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-26 08:25 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-26 08:25 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-26 08:25 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-26 08:25 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-26 08:23 . 2008-07-26 08:23 d-------- C:\WINDOWS\Logs
2008-07-25 15:52 . 2008-07-25 15:52 d--hs---- C:\WINDOWS\ftpcache
2008-07-21 22:38 . 2008-07-21 22:38 45,056 --a------ C:\WINDOWS\NCUNINST.EXE
2008-07-21 22:37 . 2008-07-21 22:37 d-------- D:\Program Files\My Common Files\SWF Studio
2008-07-17 13:34 . 2008-07-18 14:33 d-------- D:\Program Files\mIRC
2008-07-17 13:34 . 2008-07-17 13:34 d-------- D:\Documents\Grzes\Application Data\mIRC
2008-07-16 14:06 . 2008-07-16 14:09 d-------- D:\Program Files\QBot
2008-07-15 19:04 . 2008-07-15 19:04 d-------- D:\Program Files\DVD Shrink
2008-07-15 19:04 . 2008-07-15 19:07 d-------- D:\Documents\All Users\Application Data\DVD Shrink
2008-07-15 18:56 . 2008-07-15 18:56 d-------- D:\Documents\Grzes\Application Data\DivX
2008-07-15 16:54 . 2008-07-15 16:54 d-------- D:\Program Files\Exif Tag Remover
2008-07-15 16:54 . 2004-03-09 00:00 609,824 --a------ C:\WINDOWS\system32\COMCTL32.ocx
2008-07-15 16:54 . 1999-05-07 01:00 140,288 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-07-14 17:47 . 2008-07-14 17:47 d-------- D:\Program Files\DivX
2008-07-14 17:47 . 2008-06-11 02:07 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-07-14 17:47 . 2008-06-11 02:07 120,056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2008-07-14 17:47 . 2008-06-11 02:07 118,520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2008-07-14 13:15 . 2008-08-04 18:51 d-------- D:\Program Files\Invision
2008-07-10 13:43 . 2008-07-10 13:43 d--h----- C:\WINDOWS\PIF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 12:29 --------- d-----w D:\Program Files\My Common Files\Wise Installation Wizard
2008-08-09 13:34 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-08-08 12:05 --------- d-----w D:\Program Files\emule
2008-08-06 11:18 --------- d-----w D:\Program Files\Google
2008-08-06 10:20 --------- d-----w D:\Program Files\Microsoft Visual Studio 8
2008-08-06 10:18 --------- d-----w D:\Documents\All Users\Application Data\Microsoft Help
2008-08-06 10:14 --------- d-----w D:\Program Files\Samsung
2008-07-09 08:04 --------- d-----w D:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-08 09:40 --------- d-----w D:\Program Files\PhotoTrack
2008-07-05 08:03 --------- d-----w D:\Documents\Grzes\Application Data\Dev-Cpp
2008-07-04 06:59 --------- d-----w D:\Program Files\Opera
2008-06-27 15:27 --------- d-----w D:\Program Files\Winamp
2008-06-27 15:27 --------- d-----w D:\Documents\Grzes\Application Data\Winamp
2008-06-26 12:04 --------- d-----w D:\Documents\Grzes\Application Data\Gadu-Gadu
2008-06-25 09:42 --------- d-----w D:\Program Files\Datum Software
2008-06-25 06:37 --------- d-----w D:\Program Files\Blender Foundation
2008-06-25 06:37 --------- d-----w D:\Documents\Grzes\Application Data\Blender Foundation
2008-06-24 10:59 --------- d-----w D:\Program Files\totalcmd
2008-06-24 10:43 --------- d-----w D:\Program Files\iLiberty
2008-06-23 09:59 --------- d-----w D:\Documents\Grzes\Application Data\Apple Computer
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-18 17:52 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 09:10 --------- d-----w D:\Program Files\SSinger
2008-06-11 09:04 --------- d-----w D:\Program Files\SISSigner
2008-06-11 00:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-06-11 00:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-06-11 00:04 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-06-11 00:04 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-29 16:26 99,328 ----a-w C:\WINDOWS\system32\winscard.dll
2008-05-24 16:51 160,221 ----a-w C:\WINDOWS\MOV Booster Pack Uninstaller.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-16 09:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
"H/PC Connection Agent"="D:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 15:39 1289000]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\My Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-08-03 12:51 1422632]
"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"PC Suite Tray"="D:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2008-04-16 12:53 1079808]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-07-24 17:02 490952]
"SUPERAntiSpyware"="D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"CTHelper"="CTHELPER.EXE" [2006-08-11 16:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 16:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="C:\WINDOWS\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 12:06 13801]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"StartMenuLogoff"= 0 (0x0)
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "D:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\startupfolder\D:^Documents^Grzes^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=D:\Documents\Grzes\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-12 00:16 39792 D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-03-20 18:46 217544 D:\Program Files\Alcohol Soft\Alcohol 120\AxCmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 D:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-08-08 09:25 1828136 D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 D:\Program Files\My Common Files\Nero\Lib\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 D:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 06:25 144784 D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"ScsiAccess"=2 (0x2)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gusvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Autodata Limited License Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"D:\\Program Files\\emule\\emule.exe"=
"D:\\Program Files\\Opera\\Opera.exe"=
"D:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"D:\Program Files\Microsoft ActiveSync\rapimgr.exe"= D:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"D:\Program Files\Microsoft ActiveSync\wcescomm.exe"= D:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"D:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= D:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"D:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"D:\\Program Files\\wamp\\bin\\apache\\apache2.2.6\\bin\\httpd.exe"=
"D:\\Program Files\\Midnight Club II\\mc2.exe"=
"D:\\Program Files\\Valve\\Steam\\SteamApps\\amayan\\counter-strike source\\hl2.exe"=
"D:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"D:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"D:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Garmin\\UMP-pcPL\\rsync.exe"=
"D:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Program Files\\Invision\\mirc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
R0 iteraid;ITERAID_Service_Install;C:\WINDOWS\system32\DRIVERS\iteraid.sys [2005-03-17 10:00]
R3 Egatebus;Egatebus;C:\WINDOWS\system32\drivers\egatebus.sys [2006-05-19 10:22]
R3 Egaterdr;Egaterdr;C:\WINDOWS\system32\drivers\egaterdr.sys [2006-05-19 10:22]
S2 SSPORT;SSPORT;C:\WINDOWS\system32\Drivers\SSPORT.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-03-06 23:41]
S3 iadusb;MT882;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2006-07-27 17:37]
S3 NPF;WinPcap Packet Driver (NPF);C:\WINDOWS\system32\drivers\NPF.sys [2008-05-03 04:29]
S3 wampapache;wampapache;D:\Program Files\wamp\bin\apache\apache2.2.6\bin\httpd.exe [2007-09-05 10:59]
S3 wampmysqld;wampmysqld;D:\Program Files\wamp\bin\mysql\mysql5.0.45\bin\mysqld-nt.exe wampmysqld []
S3 zebrbus;Sony Ericsson Composite Device driver;C:\WINDOWS\system32\DRIVERS\zebrbus.sys [2008-03-06 23:41]
S3 zebrmdfl;Sony Ericsson Modem Filter;C:\WINDOWS\system32\DRIVERS\zebrmdfl.sys [2008-03-06 23:41]
S3 zebrmdm;Sony Ericsson Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdm.sys [2008-03-06 23:41]
S3 zebrmdmc;Sony Ericsson mRouter Port (WDM);C:\WINDOWS\system32\DRIVERS\zebrmdmc.sys [2008-03-06 23:41]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0c30289-5af8-11dd-bc8c-0007e984a00b}]
\Shell\AutoRun\command - Q:\InstallTomTomHOME.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9281A4FC-C581-3449-5FA6-456C6F7B9079}]
C:\WINDOWS\system32:winsock32.exe
.
Contents of the 'Scheduled Tasks' folder
2008-08-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 15:11:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32:winsock32.exe 481282 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\scardsvr.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
D:\Program Files\My Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\My Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2008-08-10 15:15:21 - machine was rebooted [Grzes]
ComboFix-quarantined-files.txt 2008-08-10 13:15:16
ComboFix2.txt 2008-08-09 15:29:22
Pre-Run: 25,119,227,904 bytes free
Post-Run: 25,103,278,080 bytes free
283 --- E O F --- 2008-07-09 08:07:50
[/code]
Post the logs - from ComboFix, HijackThis and Silent Runners.
I'm moving the thread to the Security section.