Hawk2, posted 2 October 2008

Hi. I downloaded an archive containing the Virtumonde trojan, which I found out about quickly. I disconnected from the network, ran Spybot and cleaned everything, but Virtumonde stayed. On my second computer I downloaded ComboFix, FixVundo, VirtumundoBeGone and VundoFix. After using these programs Virtumonde disappeared, but on every system startup something still downloads from and uploads to the internet, and wwdc says svchost looks replaced :/ so from the Recovery Console I restored the original svchost from the Windows CD, but after rebooting it threw this message at me, several times:

And on top of that wwdc still says svchost looks replaced. Should I reinstall SP3? My CD is SP2. Either way something is still downloading and uploading to the internet, but only for the first few minutes, then it stops. Here are the HJT and Silent Runners logs:

"HJT"

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:17, on 2008-10-03
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Internet\FASTRE~1\IQWebFTPServerEngine.exe
D:\Progs\DiskeeperLite\DKService.exe
D:\Program Files\Internet\FileZilla Server\FileZilla Server.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\Progs\UPSilon 2000\RupsMon.exe
C:\WINDOWS\system32\svchost.exe
D:\Progs\UPSilon 2000\USBMate.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
D:\Progs\Keyboard Driver\OEMDriver.exe
D:\Progs\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\kxmixer.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Użytki\Spybot - Search & Destroy\TeaTimer.exe
D:\Progs\UPSilon 2000\Monw32.exe
D:\Progs\toolbox278\toolbox.exe
C:\WINDOWS\system32\wscntfy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Użytki\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - D:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - D:\Progs\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [KBDriver] D:\Progs\Keyboard Driver\OEMDriver.exe
O4 - HKLM\..\Run: [LWBMOUSE] D:\Progs\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL;ctaud2k.sys
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [kX Mixer] C:\WINDOWS\system32\kxmixer.exe --startup
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Program Files\Użytki\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ToolBox.lnk = D:\Progs\toolbox278\toolbox.exe
O4 - Global Startup: Rupsmon Daemon.lnk = D:\Progs\UPSilon 2000\Monw32.exe
O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://D:\Progs\FREEDO~1\dlfvideo.htm
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://D:\Progs\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://D:\Progs\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://D:\Progs\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://D:\Progs\FREEDO~1\dlall.htm
O8 - Extra context menu item: Pobierz z Free Download Manager - file://D:\Progs\FREEDO~1\dllink.htm
O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://D:\Progs\FREEDO~1\dlselected.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://D:\Progs\Free Download Manager\dlselected.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Kolekcja wycinków HP - {58ECB495-38F0-49cb-A538-10282ABF65E7} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Zaznaczanie HP Smart - {700259D7-1666-479a-93B1-3250410481E8} - D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} (MksSkanerOnline Class) - http://www.mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{552C5321-BF6E-4D4D-8EF8-7AE767193E69}: NameServer = 10.0.0.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{552C5321-BF6E-4D4D-8EF8-7AE767193E69}: NameServer = 10.0.0.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{552C5321-BF6E-4D4D-8EF8-7AE767193E69}: NameServer = 10.0.0.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{552C5321-BF6E-4D4D-8EF8-7AE767193E69}: NameServer = 10.0.0.2
O17 - HKLM\System\CS4\Services\Tcpip\..\{552C5321-BF6E-4D4D-8EF8-7AE767193E69}: NameServer = 10.0.0.2
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Progs\DiskeeperLite\DKService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - D:\Program Files\Internet\FileZilla Server\FileZilla Server.exe
O23 - Service: Menedżer Google Desktop 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Fastream IQ Web/FTP Server (NFService) - Fastream Technologies - D:\PROGRA~1\Internet\FASTRE~1\IQWebFTPServerEngine.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rupsmon - Mega System Technologies, Inc. - D:\Progs\UPSilon 2000\RupsMon.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - D:\Progs\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - D:\Progs\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: USBMate - Mega Corp. - D:\Progs\UPSilon 2000\USBMate.exe

--
End of file - 8786 bytes

"Silent Runners"

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "D:\Program Files\Użytki\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KBDriver" = "D:\Progs\Keyboard Driver\OEMDriver.exe" [empty string]
"LWBMOUSE" = "D:\Progs\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [empty string]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"AsioReg" = "REGSVR32.EXE /S CTASIO.DLL;ctaud2k.sys" [MS]
"snpstd3" = "C:\WINDOWS\vsnpstd3.exe" [empty string]
"kX Mixer" = "C:\WINDOWS\system32\kxmixer.exe --startup" ["Eugene Gavrilov"]
"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{053F9267-DC04-4294-A72C-58F732D338C0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "HP Print Clips"
     \InProcServer32\(Default) = "D:\Program Files\HP\Smart Web Printing\hpswp_framework.dll" ["Hewlett-Packard Co."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FDMIECookiesBHO Class"
     \InProcServer32\(Default) = "D:\Progs\Free Download Manager\iefdm2.dll" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
     \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{9FCB3717-B87B-421E-BB30-61769539EA23}" = "ZipItFreeContextMenu"
  -> {HKLM...CLSID} = "ZipItFree Shell DLL Windows Integration"
     \InProcServer32\(Default) = "D:\Progs\ZipItFree\ZFreeEx.dll" ["MicroSmarts LLC."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Progs\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
     \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
     \InProcServer32\(Default) = ""D:\Program Files\OpenOffice.org 2.4\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
GPGee\(Default) = "{A0820A59-3343-450B-A902-B481029CD9E8}"
  -> {HKLM...CLSID} = "GNU Privacy Guard Explorer Extension"
     \InProcServer32\(Default) = "D:\PROGRA~1\GNU\GnuPG\GPGee.dll" ["Kurt Fitzner <kfitzner@excelcia.org>"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Progs\WinRAR\rarext.dll" [null data]
ZipItFreeContextMenu\(Default) = "{9FCB3717-B87B-421E-BB30-61769539EA23}"
  -> {HKLM...CLSID} = "ZipItFree Shell DLL Windows Integration"
     \InProcServer32\(Default) = "D:\Progs\ZipItFree\ZFreeEx.dll" ["MicroSmarts LLC."]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
GPGee\(Default) = "{A0820A59-3343-450B-A902-B481029CD9E8}"
  -> {HKLM...CLSID} = "GNU Privacy Guard Explorer Extension"
     \InProcServer32\(Default) = "D:\PROGRA~1\GNU\GnuPG\GPGee.dll" ["Kurt Fitzner <kfitzner@excelcia.org>"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Progs\WinRAR\rarext.dll" [null data]
ZipItFree\(Default) = "{9FCB3717-B87B-421E-BB30-61769539EA23}"
  -> {HKLM...CLSID} = "ZipItFree Shell DLL Windows Integration"
     \InProcServer32\(Default) = "D:\Progs\ZipItFree\ZFreeEx.dll" ["MicroSmarts LLC."]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
     \InProcServer32\(Default) = "D:\Progs\WinRAR\rarext.dll" [null data]
ZipItFree\(Default) = "{9FCB3717-B87B-421E-BB30-61769539EA23}"
  -> {HKLM...CLSID} = "ZipItFree Shell DLL Windows Integration"
     \InProcServer32\(Default) = "D:\Progs\ZipItFree\ZFreeEx.dll" ["MicroSmarts LLC."]

Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoDrives" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{Prevent access to registry editing tools}

HKCU\Software\Policies\Microsoft\Windows\System\
"DisableCMD" = (REG_DWORD) dword:0x00000000
{Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}
"DisableRegistryTools" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLegacyLogonScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideLogoffScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"RunLogonScriptSync" = (REG_DWORD) dword:0x00000001
{unrecognized setting}
"RunStartupScriptSync" = (REG_DWORD) dword:0x00000000
{unrecognized setting}
"HideStartupScripts" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Hawk2\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

HPAutoplayPSE\
"Provider" = "HP Photosmart Essential 2.01"
"InvokeProgID" = "HpqPSApl.Autoplay"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\HpqPSApl.Autoplay\shell\Play\DropTarget\CLSID = "{A6873065-D632-4615-A3A9-C5F05EE109C1}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = "D:\Program Files\HP\Digital Imaging\bin\HpqPsApl.exe" ["Hewlett-Packard"]

MSPlayCDAudioOnArrival\
"Provider" = "ALLPlayer"
"InvokeProgID" = "AllPlayerFile"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\AllPlayerFile\shell\play\command\(Default) = ""D:\Progs\MarBit\ALLPlayer\ALLPlayer.exe" "%1"" ["MarBit"]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
     \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Progs\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
     \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""D:\Progs\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
     \LocalServer32\(Default) = ""D:\Progs\Winamp\winamp.exe"" ["Nullsoft"]

Startup items in "Hawk2" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Hawk2\Menu Start\Programy\Autostart
"ToolBox" -> shortcut to: "D:\Progs\toolbox278\toolbox.exe" ["CyLog Software"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Rupsmon Daemon" -> shortcut to: "D:\Progs\UPSilon 2000\Monw32.exe" ["Mega System Technologies, Inc."]

Enabled Scheduled Tasks:
------------------------

"GoogleUpdateTaskUser" -> launches: "C:\Documents and Settings\Hawk2\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe /c" ["Google Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 14
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
     \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{58ECB495-38F0-49CB-A538-10282ABF65E7}\
"ButtonText" = "Kolekcja wycinków HP"
"CLSIDExtension" = "{E763472E-A716-4CD9-89BD-DBDA6122F741}"
  -> {HKLM...CLSID} = "ClipBookBtn Class"
     \InProcServer32\(Default) = "D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll" ["Hewlett-Packard Co."]

{700259D7-1666-479A-93B1-3250410481E8}\
"ButtonText" = "Zaznaczanie HP Smart"
"CLSIDExtension" = "{A93C41D8-01F8-4F8B-B14C-DE20B117E636}"
  -> {HKLM...CLSID} = "EnhSelectionBtn Class"
     \InProcServer32\(Default) = "D:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll" ["Hewlett-Packard Co."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ad-Aware 2007 Service, aawservice, ""D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"" ["Lavasoft"]
Diskeeper, Diskeeper, "D:\Progs\DiskeeperLite\DKService.exe" ["Executive Software International, Inc."]
Fastream IQ Web/FTP Server, NFService, "D:\PROGRA~1\Internet\FASTRE~1\IQWebFTPServerEngine.exe" ["Fastream Technologies"]
FileZilla Server FTP server, FileZilla Server, "D:\Program Files\Internet\FileZilla Server\FileZilla Server.exe" ["FileZilla Project"]
hpqcxs08, hpqcxs08, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"D:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll" ["Hewlett-Packard Co."]}
Net Driver HPZ12, Net Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZinw12.dll" ["Hewlett-Packard"]}
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\svchost.exe -k HPZ12" {"C:\WINDOWS\system32\HPZipm12.dll" ["Hewlett-Packard"]}
Rupsmon, Rupsmon, "D:\Progs\UPSilon 2000\RupsMon.exe" ["Mega System Technologies, Inc."]
USBMate, USBMate, "D:\Progs\UPSilon 2000\USBMate.exe" ["Mega Corp."]
Usługa HP CUE DeviceDiscovery, hpqddsvc, "C:\WINDOWS\system32\svchost.exe -k hpdevmgmt" {"D:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll" ["Hewlett-Packard Co."]}
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]

Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
LIDIL hpzll5ha\Driver = "hpzll5ha.dll" ["Hewlett-Packard Company"]

---------- (launch time: 2008-10-03 00:21:10)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives took 70 seconds.
---------- (total run time: 97 seconds)

I hope someone can help me 8O
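As an added example (my code, not the poster's and not part of HijackThis), the script below parses HJT entries of the kinds that appear in the log above (O2, O4, O17, O23) into records and applies a few defender-side review rules: launch points whose file is gone, services with no publisher, binaries placed directly in the Windows directory instead of System32, and O17 name servers outside private address space. The sample lines are copied from the posted log; the rules, the regexes and the severity labels are my own assumptions, and a hit means "look at this by hand", not "this is malware" (a webcam driver helper or a leftover uninstall entry trips the same rules as a real problem).

```python
"""Small triage helper for HijackThis (HJT) log entries.

Assumed line shapes are the ones seen in the posted log; the review rules
are heuristics chosen for this example, not HijackThis's own logic.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the HJT log posted above.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{552C5321-BF6E-4D4D-8EF8-7AE767193E69}: NameServer = 10.0.0.2
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\system32\CTsvcCDA.EXE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str            # HJT section code, e.g. "O4" or "O23"
    name: str               # Run value name, BHO name, service display name, ...
    target: str             # executable/DLL path, or the name-server list for O17
    owner: str = ""         # O23 publisher, O2 CLSID, O4 registry hive
    file_missing: bool = False
    raw: str = ""


@dataclass
class Finding:
    severity: str           # "info" (housekeeping) or "review" (check by hand)
    reason: str
    entry: Entry


ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path with a binary extension inside a command line, so that
# "RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup" yields the DLL rather than rundll32.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr)\b", re.IGNORECASE)
# A binary sitting directly under the Windows directory (not in system32).
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+\.(?:exe|dll)$", re.IGNORECASE)


def first_path(cmd: str) -> str:
    """Return the binary a Run command actually loads (best effort)."""
    m = PATH_RE.search(cmd)
    if m:
        return m.group(0)
    parts = cmd.split()
    return parts[0] if parts else ""


def parse_hjt(text: str) -> List[Entry]:
    """Turn HJT 'Oxx - ...' lines into Entry records; other lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank lines
        sec, body = m.group("sec"), m.group("body")
        missing = body.endswith("(file missing)")
        if missing:
            body = body[: -len("(file missing)")].rstrip()
        e = Entry(section=sec, name=body, target="", file_missing=missing, raw=line)
        if sec == "O2" and (m2 := O2_RE.match(body)):
            e.name, e.owner, e.target = m2["name"], m2["clsid"], m2["path"]
        elif sec == "O4" and (m4 := O4_RE.match(body)):
            e.name, e.owner, e.target = m4["name"], m4["hive"], first_path(m4["cmd"])
        elif sec == "O17" and (m17 := O17_RE.search(body)):
            e.name, e.target = "NameServer", m17["servers"]
        elif sec == "O23" and (m23 := O23_RE.match(body)):
            e.name, e.owner, e.target = m23["name"], m23["owner"], m23["path"]
        entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply review heuristics; each hit is a prompt to look, not a verdict."""
    findings: List[Finding] = []
    for e in entries:
        if e.file_missing:
            findings.append(Finding("info", "launch point refers to a file that no longer exists (orphaned entry)", e))
        if e.section == "O23" and e.owner.lower() == "unknown owner":
            findings.append(Finding("review", "service binary carries no publisher information", e))
        if e.section in ("O2", "O4", "O23") and WINDOWS_ROOT_RE.match(e.target):
            findings.append(Finding("review", "binary sits directly in the Windows directory rather than System32", e))
        if e.section == "O17":
            for server in re.split(r"[,\s]+", e.target.strip()):
                if not server:
                    continue
                try:
                    if not ipaddress.ip_address(server).is_private:
                        findings.append(Finding("review", f"DNS server {server} is outside private address space", e))
                except ValueError:
                    findings.append(Finding("review", f"DNS server value {server!r} is not an IP address", e))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"[{f.severity}] {f.entry.section} {f.entry.name}: {f.reason}")
```

Run against the sample it reports three items: the snpstd3 Run entry (binary in the Windows root), and the Creative CD-ROM service twice (file missing, no publisher); the O17 entries pointing at 10.0.0.2 are not flagged because that is a private address, which is what you expect for a home router acting as resolver. On a real log the next step for each "review" hit is to check the file's digital signature and hash against a known-good copy, which is also the right way to settle the "svchost looks replaced" question rather than relying on a single tool's opinion.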
Hawk2, posted 3 October 2008

Never mind 8O the user profile was corrupted and, as a result, the whole system fell apart on me :) and I had to reinstall 8O