Kaspersky 6 disabled + rootkit alert
1. Kaspersky was disabled [or rather blocked], although its avp.exe processes [2 of them, which is normal] were running the whole time. After I killed them they started again; the same thing happened in safe mode after Kaspersky was turned on. Because I could not uninstall the program, I ran the installer over it and Kaspersky came back to life, but every so often it raises alerts about an outgoing connection initiated by a rootkit. Because of this I ran HJT and removed 4 registry entries related to visited websites.
Below I attach the logs from HJT, SR, Combofix and Rootkit Revealer. Please analyze them and point out anything that may need to be removed. To preempt any questions about entries containing the phrases ASIX, Beckhoff, TwinCAT: they are legitimate. Thanks in advance for your help.
HJT
[code]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19, on 2007-10-02
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\TwinCAT\EventLogger\TcEventLogger.exe
C:\WINDOWS\Explorer.EXE
C:\TwinCAT\TCATSysSrv.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\wincmd\WINCMD32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Blokuj wszystkie obrazy z tego serwera - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Dodaj do blokowanych banerów - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ie_banner_deny.htm
O8 - Extra context menu item: Dodaj do listy blokowanych reklam - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Otwórz w nowym Avant Browser - C:\Program Files\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Otwórz wszystkie adresy z tej strony... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Podświetl - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Szukaj - C:\Program Files\Avant Browser\Search.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7114CAB2-FAEB-4B6A-B2A5-F9E84EF9B2C2}: NameServer = 80.249.0.18,80.249.5.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{725AF909-8CA0-4E56-9524-7E27A2A8698B}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DDE serwer danych bieżących systemu ASIX (AsixCTDDE) - Askom sp. z o.o. - C:\ASIX\SERVIC~1.EXE
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TcEventLogger - Unknown owner - C:\TwinCAT\EventLogger\TcEventLogger.exe
O23 - Service: TwinCAT System Service - BECKHOFF - C:\TwinCAT\TCATSysSrv.exe
--
End of file - 5644 bytes
[/code]
Combofix
[code]ComboFix 07-10-02.2 - automatyka 2007-10-02 13:23:29.2 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.282 [GMT 2:00]
Running from: D:\Wojtek_siec\1\Combofix\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.
2007-10-02 13:01 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-02 10:33 d-------- C:\Program Files\Trend Micro
2007-10-01 07:19 d-------- C:\Temp
2007-09-18 11:06 d-------- C:\Documents and Settings\automatyka\Dane aplikacji\Thunderbird
2007-09-13 12:34 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-09-13 12:34 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-09-13 12:33 2,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-09-13 12:33 1,494,560 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-13 12:33 d-------- C:\Program Files\Kaspersky Lab
2007-09-13 12:33 d-------- C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-02 12:32 3404 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-10-02 12:32 23156 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2005-08-01 14:08 16 --a------ C:\Documents and Settings\automatyka\piei01.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-02_13.08.12.10 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 163,328 2007-03-13 08:57:12 C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WheelMouse"="C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [2001-10-16 16:07]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2001-06-18 14:30]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 12:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 03:10]
"BigDog303"="C:\WINDOWS\VM303_STI.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" [2007-07-19 16:44]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll
R2 DriverX;DriverX;C:\WINDOWS\system32\drivers\DriverX.sys
R2 Kmm4xNT;Kmm4xNT;C:\WINDOWS\system32\drivers\Kmm4xNT.sys
R2 TcCam;TwinCAT CAM Server;\??\C:\TwinCAT\Driver\TcCam.sys
R2 TcEventLogger;TcEventLogger;C:\TwinCAT\EventLogger\TcEventLogger.exe
R2 TcIo;TwinCAT IO Server;\??\C:\TwinCAT\Driver\TcIo.sys
R2 TcPlc;TwinCAT IEC1131 Server;\??\C:\TwinCAT\Driver\TcPlc.sys
R2 TcRouter;TwinCAT Router Server;\??\C:\TwinCAT\Driver\TcRouter.sys
R2 TcRTime;TwinCAT Realtime Server;\??\C:\TwinCAT\Driver\TcRTime.sys
R2 TwinCAT System Service;TwinCAT System Service;C:\TwinCAT\TCATSysSrv.exe
R2 WIBUKEY;WIBU-KEY Kernel Driver;C:\WINDOWS\system32\DRIVERS\Wibukey.sys
R3 Amps2prt;A4Tech PS/2 Port Mouse Driver;C:\WINDOWS\system32\DRIVERS\Amps2prt.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 AsixCTDDE;DDE serwer danych bieżących systemu ASIX;C:\ASIX\SERVIC~1.EXE
S3 ZSMC303;A4 TECH PC Camera H;C:\WINDOWS\system32\Drivers\usbVM303.sys
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 13:28:33
Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-02 13:30:56
C:\ComboFix-quarantined-files.txt ... 2007-10-02 13:30
.
--- E O F ---
[/code]
Silent Runners
[code]"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" ["A4Tech Co.,Ltd."]
"iKeyWorks" = "C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" ["A4Tech Co.,Ltd."]
"NeroCheck" = "C:\WINDOWS\system32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"BigDog303" = "C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)" [file not found]
"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Active Setup\Installed Components<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}\(Default) = "IE7 Uninstall Stub"
\StubPath = "C:\WINDOWS\system32\ieudinit.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PDFCreator Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020000-0000-1011-8004-0000C06B5161}" = "WIBU-SYSTEMS Shell Extension"
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
-> {HKLM...CLSID} = "Statystyki ochrony WWW"
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows<> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0FO\adialhk.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify<> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers{00020000-0000-1011-8004-0000C06B5161}\(Default) = (no title provided)
-> {HKLM...CLSID} = "WIBU-SYSTEMS Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\WIBU-SYSTEMS\System\WibuShellExt.dll" ["WIBU-SYSTEMS AG"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlersKaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ShellEx.dll" ["Kaspersky Lab"]
TzShell\(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
-> {HKLM...CLSID} = "TzShell"
\InProcServer32\(Default) = "C:\PROGRA~1\TUGZip\TzShell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZONERMenu\(Default) = "{BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL" [file not found]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlersWinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZONERMenu\(Default) = "{BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL" [file not found]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlersKaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\ShellEx.dll" ["Kaspersky Lab"]
TzShell\(Default) = "{B38FE8E9-5DFC-4D58-8459-1E3AC5165E34}"
-> {HKLM...CLSID} = "TzShell"
\InProcServer32\(Default) = "C:\PROGRA~1\TUGZip\TzShell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZONERMenu\(Default) = "{BCAFD618-3FAE-4EFE-BF4E-4C43A7E1320B}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Zoner\Photo Studio 8\Program\SHELLEXT8.DLL" [file not found]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"
-> {HKLM...CLSID} = "PDFCreator Toolbar"
\InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}" = "PDFCreator Toolbar"
-> {HKLM...CLSID} = "PDFCreator Toolbar"
\InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\SCIEPlgn.dll" ["Kaspersky Lab"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_09"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll" ["Sun Microsystems, Inc."]
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}"ButtonText" = "Statystyki ochrony WWW"
{E2E2DD38-D088-4134-82B7-F2BA38496583}"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
{FB5F1910-F110-11D2-BB9E-00C04F795683}"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Kaspersky Anti-Virus 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe" -r" ["Kaspersky Lab"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\system32\HPZipm12.exe" ["HP"]
TcEventLogger, TcEventLogger, "C:\TwinCAT\EventLogger\TcEventLogger.exe" [empty string]
TwinCAT System Service, TwinCAT System Service, "C:\TwinCAT\TCATSysSrv.exe" ["BECKHOFF"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\MonitorsHPLJ1018LM\Driver = "ZLhp1018.DLL" ["Zenographics, Inc."]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]
---------- (launch time: 2007-10-02 13:13:48)
<>: Suspicious data at a malware launch point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 188 seconds.
---------- (total run time: 274 seconds)
[/code]
Rootkit Revealer
[code]HKLM\SECURITY\Policy\Secrets\SAC* 2005-06-21 14:04 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2005-06-21 14:04 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SCM:{16779ED9-0265-11D4-9634-0020AF2F2B2C}* 2006-11-20 12:09 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\2b4.E44B6E0C01C804D7.history 2007-10-02 11:37 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\2b4.E460E33601C804D7.history 2007-10-02 11:37 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\430.488A321E01C804D2.history 2007-10-02 10:57 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\4e0.7248B9F801C804D8.history 2007-10-02 11:41 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\4e0.725E2F2201C804D8.history 2007-10-02 11:41 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\9d8.489FA74801C804D2.history 2007-10-02 10:57 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\b34.11F1998201C804D1.history\00000000.bak 2007-10-02 10:58 3.65 MB Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\c44.09496A7401C804D8.history 2007-10-02 11:38 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\c44.095EDF9E01C804D8.history 2007-10-02 11:38 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\db8.9DBCD69C01C804D7.history 2007-10-02 11:35 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\de0.485820BC01C804D2.history 2007-10-02 10:57 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\e88.BAB60A5201C804D7.history 2007-10-02 11:36 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\ef0.59ADB52401C804D8.history 2007-10-02 11:41 0 bytes Hidden from Windows API.
C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab\AVP6\PdmHist\ef0.59D63D1E01C804D8.history 2007-10-02 11:41 0 bytes Hidden from Windows API.
C:\Documents and Settings\automatyka\Dane aplikacji\Microsoft\Office\Niedawny\IL7OL0RY.LNK 2007-08-29 12:47 985 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Dane aplikacji\Microsoft\Office\Niedawny\M_Bus_protocol_087R2121_2561.LNK 2007-09-14 12:33 764 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Dane aplikacji\Microsoft\Office\Niedawny\RW wrzesie 2007-10-02 11:41 291 bytes Hidden from Windows API.
C:\Documents and Settings\automatyka\Dane aplikacji\Microsoft\Office\Niedawny\Stacja dyskietek 3,5 (A).LNK 2007-10-02 11:41 179 bytes Hidden from Windows API.
C:\Documents and Settings\automatyka\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\parent.lock 2007-10-02 10:58 0 bytes Hidden from Windows API.
C:\Documents and Settings\automatyka\Recent\DSC02288.lnk 2007-06-28 13:17 386 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Recent\Krosowanie przewodów.lnk 2007-09-20 08:15 472 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Recent\Moje obrazy.lnk 2007-09-17 11:13 362 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Recent\RW wrzesie 2007-10-02 11:42 229 bytes Hidden from Windows API.
C:\Documents and Settings\automatyka\Recent\Stacja dyskietek 3,5 (A).lnk 2007-10-02 11:42 129 bytes Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\01A2A320d01 2007-10-02 11:07 32.44 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\06CC909Fd01 2007-10-02 11:21 17.60 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\092B9514d01 2007-10-02 11:04 46.57 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\0E787DF6d01 2007-10-02 10:59 91.67 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\10067EBFd01 2007-10-02 11:07 42.90 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\1059D392d01 2007-10-02 11:12 40.21 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\109BE68Fd01 2007-10-02 10:59 19.39 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\13458E01d01 2007-10-02 11:20 17.42 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\176F21B7d01 2007-10-02 11:18 21.50 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\1F953ADCd01 2007-10-02 11:01 64.89 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\238C1CA4d01 2007-10-02 11:19 21.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\23A6D143d01 2007-10-02 11:21 63.41 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\24690E73d01 2007-10-02 11:45 56.37 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\26C40BAFd01 2007-10-02 11:13 49.06 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\2CE9363Cd01 2007-10-02 11:09 19.18 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\2CE9363Dd01 2007-10-02 11:08 20.05 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\2EE15ACDd01 2007-10-02 10:59 20.84 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\322838FFd01 2007-10-02 11:17 25.18 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\325EE4F2d01 2007-10-02 11:17 22.92 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\3DFAA21Dd01 2007-10-02 11:46 17.65 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\41729205d01 2007-10-02 11:19 21.03 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\459B2AC2d01 2007-10-02 11:00 24.31 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\45CB7AC2d01 2007-10-02 11:00 24.12 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\4842BEC4d01 2007-10-02 11:23 16.79 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\4A26D0E3d01 2007-10-02 11:21 33.24 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\4D71013Bd01 2007-10-02 11:14 19.72 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\4EA9A294d01 2007-10-02 11:05 42.91 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\4F5C61ACd01 2007-10-02 10:59 16.73 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\508FA0C3d01 2007-10-02 10:59 35.08 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\531E29A8d01 2007-10-02 10:59 20.91 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\564BEC3Ed01 2007-10-02 11:14 27.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\58005015d01 2007-10-02 11:17 16.75 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\593FDB60d01 2007-10-02 11:07 17.94 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\5E136EBEd01 2007-10-02 11:45 60.66 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\5FFDE755d01 2007-10-02 10:59 16.73 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\60573D60d01 2007-10-02 11:04 17.63 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\60A38B59d01 2007-10-02 11:07 86.40 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\71ED5980d01 2007-10-02 10:58 23.70 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\76D802FCd01 2007-10-02 11:05 23.15 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\7A3A9B64d01 2007-10-02 11:07 18.81 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\810A804Cd01 2007-10-02 11:45 19.24 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\856BB2BCd01 2007-10-02 11:02 62.84 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\856F46E0d01 2007-10-02 11:03 73.70 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\88AF1D3Ed01 2007-10-02 11:13 23.57 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\8D0715A7d01 2007-10-02 10:59 17.76 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\8DD5E9EBd01 2007-10-02 10:59 20.25 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\8F302017d01 2007-10-02 11:01 32.14 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\908BA25Ed01 2007-10-02 11:01 29.20 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\908F5602d01 2007-10-02 11:01 30.20 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\96CB221Ed01 2007-10-02 10:59 18.66 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\9A9E2707d01 2007-10-02 10:59 18.66 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\A0DC024Ad01 2007-10-02 11:10 16.36 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\A0DC046Dd01 2007-10-02 11:10 18.72 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\A3FA231Dd01 2007-10-02 10:59 17.05 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\A6912ACEd01 2007-10-02 11:01 42.82 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\A934598Ad01 2007-10-02 11:14 17.98 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\A99ECE49d01 2007-10-02 11:04 55.67 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\B08B3AC2d01 2007-10-02 10:59 19.64 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\B6AD2141d01 2007-10-02 11:07 26.79 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\BA593291d01 2007-10-02 10:59 36.79 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\C19DD2C1d01 2007-10-02 11:23 19.96 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\C2FD245Cd01 2007-10-02 10:59 17.15 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\C4A02017d01 2007-10-02 10:59 37.77 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\C61AF3EDd01 2007-10-02 11:04 57.48 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\C70EB203d01 2007-10-02 11:14 18.76 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\D04727D4d01 2007-10-02 10:59 16.73 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\D443C928d01 2007-10-02 11:19 18.93 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\D548670Fd01 2007-10-02 10:59 35.95 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\DA1DBC02d01 2007-10-02 11:04 57.48 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\DF4F1B9Dd01 2007-10-02 11:07 18.27 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\E1BE2913d01 2007-10-02 10:59 21.32 KB Hidden from Windows API.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\E4544C36d01 2007-10-02 11:20 40.49 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\ECA16062d01 2007-10-02 11:23 28.38 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\automatyka\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\v3tk69up.default\Cache\FCCC0923d01 2007-10-02 10:58 18.48 KB Hidden from Windows API.
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf 2007-10-02 10:57 15.65 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~29f372e5f.htp 2007-10-02 10:59 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~29f373907.htp 2007-10-02 10:59 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2d5129bdd.htp 2007-10-02 11:03 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2d512a6c5.htp 2007-10-02 11:03 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2de6d509a.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2de6d5b19.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2dfb1e2cd.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2dfb1edaf.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2e1973ee1.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2e19749df.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2e19d9cfb.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2e19da7d8.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2e1a05894.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~2e1a063d7.htp 2007-10-02 11:04 8.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Temp\cch~4ed8ebd2a.htp 2007-10-02 11:45 8.00 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~4ed8ec974.htp 2007-10-02 11:45 8.00 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~4ed9fe220.htp 2007-10-02 11:45 8.00 KB Hidden from Windows API.
C:\WINDOWS\Temp\cch~4ed9fed35.htp 2007-10-02 11:45 8.00 KB Hidden from Windows API.
[/code]
Replies: 0