Thread: RootKit?
5th November 2007 16:37 #1
Registered User
Join Date: Jun 2006
Location: Sofia
Posts: 43
RootKit?
[Post text not recovered in extraction; only these fragments survive: service (NVidia), Windows restart, NOD32, ZoneAlarm, connect, PC Tools Spyware Doctor, RootKit, Windows, Firewall. The scan output the poster attached follows.]
Code:
C:\Documents and Settings\dmuser\Desktop\svv-2.3-bin>svv check
Important module ntoskrnl.exe not found
ntdll.dll (7c900000 - 7c9b0000)... suspected! (verdict = 5).
kernel32.dll (7c800000 - 7c8f5000)... suspected! (verdict = 5).
USER32.dll (7e410000 - 7e4a0000)... suspected! (verdict = 5).
SYSTEM INFECTION LEVEL: 5
 0 - BLUE
 1 - GREEN
 2 - YELLOW
 3 - ORANGE
 4 - RED
--> 5 - DEEPRED
SUSPECTED modifications detected. System is probably infected!

Code:
C:\Documents and Settings\dmuser\Desktop\modGREPER-0.3-bin>modgreper.exe -h
modGREPER 0.3, written by Joanna Rutkowska (2005)
http://invisiblethings.org
searching phase 1 completed.
searching phase 2 completed.
? f72d1000 - f73bb000 : sptd.sys
? f70ed000 - f7101000 : srescan.sys
? f7ab0000 - f7ab1000 : \??\C:\WINDOWS\system32\Drivers\mchInjDrv.sys
? eb310000 - eb370000 : \SystemRoot\System32\vsdatant.sys
? eb1ea000 - eb203000 : \SystemRoot\System32\Drivers\dump_nvata.sys
? f0ebf000 - f0ec1000 : \SystemRoot\System32\Drivers\dump_WMILIB.SYS
? b3f31000 - b3f5b000 : \SystemRoot\System32\Drivers\IsDrv120.sys
? f24aa000 - f24ac000 : \??\C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
? f0449000 - f044b000 : \??\C:\WINDOWS\system32\682.tmp
THERE ARE 9 SUSPECTED MODULE(S)!!!
Code:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
"AlcoholAutomount" = ""C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount" ["Alcohol Soft Development Team"]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"FFTI" = "C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles\3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles/3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SDTray" = ""C:\Program Files\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"SmartDefrag" = ""C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp" [null data]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
  -> {HKLM...CLSID} = "FGCatchUrl"
                   \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Helper"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                   \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll" ["Google Inc."]
{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}\(Default) = "Google Gears Helper"
  -> {HKLM...CLSID} = "Google Gears Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll" ["Google Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "FlashGet GetFlash Class"
                   \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\msohev.dll" [file not found]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "My Sharing Folders"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
  -> {HKLM...CLSID} = "iTunes"
                   \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{5d1cb710-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
"{5d1cb711-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
"{5d1cb712-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
"{5d1cb713-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
"{5d1cb714-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
"{5d1cb715-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
"{5d1cb716-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
{5d1cb710-1c4b-11d4-bed5-005004b1f42f}\(Default) = "Tortoise CVS"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
EditPlus\(Default) = "{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"
  -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
                   \InProcServer32\(Default) = "C:\Program Files\EditPlus 2\eppshell.dll" [null data]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [file not found]
InfoNotaryShell Class\(Default) = "{47D24136-4681-4EC0-9DFF-3C5743E3C977}"
  -> {HKLM...CLSID} = "InfoNotaryShell Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\INFONO~1\INSigner\EDMSHE~1.DLL" ["InfoNotary Ltd."]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
TortoiseCVS\(Default) = "{5d1cb710-1c4b-11d4-bed5-005004b1f42f}"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
  -> {HKLM...CLSID} = "MCLiteShellExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [file not found]
TortoiseCVS\(Default) = "{5d1cb710-1c4b-11d4-bed5-005004b1f42f}"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
  -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
TortoiseCVS\(Default) = "{5d1cb710-1c4b-11d4-bed5-005004b1f42f}"
  -> {HKLM...CLSID} = "TortoiseCVS"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\dmuser\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Startup items in "dmuser" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\dmuser\Start Menu\Programs\Startup
"OpenOffice.org 2.2" -> shortcut to: "C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe" [null data]
"Secunia PSI (BETA)" -> shortcut to: "C:\Program Files\Secunia\PSI (BETA)\PSI.exe" ["Secunia"]
"Yahoo! Widget Engine" -> shortcut to: "C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe" ["Yahoo! Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Google Updater" -> shortcut to: "C:\Program Files\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
"HiPath SIcurity Card API" -> shortcut to: "C:\Program Files\Siemens\Card API\bin\siecacst.exe" ["Siemens AG"]
"Last.fm Helper" -> shortcut to: "C:\Program Files\Last.fm\LastFMHelper.exe" ["Last.fm"]
"Launchy" -> shortcut to: "C:\Program Files\Launchy\Launchy.exe" ["Code Jelly"]
"Privoxy" -> shortcut to: "C:\Program Files\Privoxy\privoxy.exe" [file not found]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"GoogleUpdateTask" -> launches: "C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe" ["Google Inc."]
"InfoNotary e-Doc Signer Updates" -> launches: "C:\Program Files\InfoNotary\INSigner\Updater.exe /checknow" ["Caphyon LTD"]
"InfoNotary Smart Card Manager Updates" -> launches: "C:\Program Files\InfoNotary\SCManager\Updater.exe /checknow" ["Caphyon LTD"]
"SmartDefrag" -> launches: "C:\Program Files\IObit\IObit SmartDefrag\schedule.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
  -> {HKLM...CLSID} = "&Google"
                   \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{CAF171B1-077D-4D35-A792-23773191E5B6}\(Default) = "LeapTag"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\LeapTag\Weblook.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\

{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]

{09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5}\
"MenuText" = "&Google Gears Settings"
"CLSIDExtension" = "{0B4350D1-055F-47A3-B112-5F2F2B0D6F08}"
  -> {HKLM...CLSID} = "Google Gears ToolsMenuItem"
                   \InProcServer32\(Default) = "C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll" ["Google Inc."]

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" [file not found]

{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "FlashGet"
"Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
      1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apache2.2, Apache2.2, ""C:\xampp\apache\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
GemSAFE Card Server, GemSAFE Card Server, "C:\Program Files\Gemplus\GemSafe Libraries Admin\BIN\GCardSrvNT.exe" ["Gemplus"]
Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
mysql, mysql, "C:\xampp\mysql\bin\mysqld-nt.exe --defaults-file=C:\xampp\mysql\bin\my.cnf mysql" [null data]
NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\svcntaux.exe" ["PC Tools"]
PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\swdsvc.exe" ["PC Tools"]
StarWind AE Service, StarWindServiceAE, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
UpdaterService, UpdaterService, "C:\Program Files\Updater\XYNTService.exe" [null data]
VMware Authorization Service, VMAuthdService, "C:\Program Files\VMware\VMware Workstation\vmware-authd.exe" ["VMware, Inc."]
VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\system32\vmnetdhcp.exe" ["VMware, Inc."]
VMware NAT Service, VMware NAT Service, "C:\WINDOWS\system32\vmnat.exe" ["VMware, Inc."]
VMware Virtual Mount Manager Extended, vmount2, ""C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe"" ["VMware, Inc."]
YUPBPPAUILD, YUPBPPAUILD, "C:\DOCUME~1\dmuser\LOCALS~1\Temp\YUPBPPAUILD.exe" ["Sysinternals - www.sysinternals.com"]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = <<!>> "vmkbd2" [file not found]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Master Monitor\Driver = "hpbmmon.dll" ["Hewlett-Packard"]
HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]


---------- (launch time: 2007-11-05 16:15:56)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 1172 seconds.

---------- (total run time: 1300 seconds)
Code:
Logfile of HijackThis v1.99.1
Scan saved at 15:16:58, on 05.11.2007 .
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Gemplus\GemSafe Libraries Admin\BIN\GCardSrvNT.exe
C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\xampp\mysql\bin\mysqld-nt.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Siemens\Card API\bin\siecacst.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Secunia\PSI (BETA)\PSI.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\Updater\XYNTService.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\avgarkt.exe
C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\jEAh20.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\TrueCrypt\TrueCrypt.exe
C:\Program Files\QIP\qip.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\dmuser\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.bg/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.microsoft.com/regsys...6028&lcid=1033
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles\3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles/3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Secunia PSI (BETA).lnk = C:\Program Files\Secunia\PSI (BETA)\PSI.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HiPath SIcurity Card API.lnk = ?
O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://www.adobe.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188289270337
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://ebb.ubb.bg/CAPICOM/capicom.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///C:/2/controls/sdkinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5004497F-A821-4EBA-B72B-4896581C0630}: NameServer = 82.103.104.130
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~2\RNetPin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe" -s "C:\Program Files\Freenet\wrapper.conf (file missing)
O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries Admin\BIN\GCardSrvNT.exe
O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VMware Agent Service (ufad-ws60) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml (file missing)
O23 - Service: UpdaterService - Unknown owner - C:\Program Files\Updater\XYNTService.exe
O23 - Service: VMware Authorization Service (VMAuthdService) -
VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Last edited by ju_lian; 5th November 2007 at 19:00.
-
5th November 2007 17:05 #2
-
5th November 2007 18:57 #3Registered User
Join Date: Jun:2006
Location: Sofia
Posts: 43
!
. tools.
?
ju
-
5th November 2007 19:46 #4
-
5th November 2007 22:35 #5Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
, , .
, Spyware Doctor, ZA , windows- firewall ZA.
, .
, .
, antirootkit AVG antirootkit, BlackLight Sophos Antirootkit, .
? ? ? ?
-
6th November 2007 09:55 #6Registered User
Join Date: Jun:2006
Location: Sofia
Posts: 43
Rootkit.
C:\WINDOWS\system32\Drivers\mchInjDrv.sys
\SystemRoot\System32\Drivers\IsDrv120.sys
, windows- , rootkit-
ju
-
6th November 2007 10:28 #7Prolemuris
Join Date: Oct:2006
Location: Varna
Posts: 4,296
? f0449000 - f044b000 : \??\C:\WINDOWS\system32\682.tmp
-
6th November 2007 16:09 #8l.kanelovGuest
Log- , - Rootkit. Ntdll.dll- Windows, , . . . Live Kernel Debugger, WinDbg (Debugging Tools for Windows) , debugger-.
, Rootkit GMER (Freeware), ilk. GMER Rootkits. . . . RootkitRevealer, - GMER.
Last edited by l.kanelov; 6th November 2007 at 17:06.
-
6th November 2007 22:20 #9Registered User
Join Date: Dec:2005
Location: yvr
Posts: 5,167
/ , , , , .
- IceSword, ?
, , . , , , .
, , , , .
, , , Gmer , .
Gmer , . Catchme - .
http://www.microsoft.com/emea/spotli..._Cleaning.aspx
, .
-
8th November 2007 15:42 #10Registered User
Join Date: Jun:2006
Location: Sofia
Posts: 43
Gmer, 10x
. ,