  1. #1
    Registered User
    Join Date: Jun 2006
    Location: Sofia
    Posts: 43

    Do I have a RootKit?

    Hello

    For some time now my computer has been behaving strangely and I am convinced that it is infected, but I can't find any proof.

    First, one day some service related to the video drivers (NVidia) started crashing in the morning when I turn the machine on; I reinstalled and tried all kinds of versions, but it still crashes sometimes. Also, sometimes while Windows is loading the computer goes to sleep and I have to restart it.

    I tried NOD32 and ZoneAlarm, but I don't find anything strange. No virus, and nothing trying to connect outward. I tried PC Tools Spyware Doctor and again nothing. Today I decided to try various anti-rootkit programs, but I don't understand them well enough.

    I forgot to say the most important thing. Some programs stop loading when Windows starts. For example my firewall and my antivirus; once I notice, I reinstall them. A few days later I notice that again they haven't started.

    Maybe my Windows just has some problem with loading, or maybe it's something more serious.

    I'm sending you several results from different programs; hopefully you can tell me whether there is something there or whether my Windows has just gotten messed up.

    Code:
    C:\Documents and Settings\dmuser\Desktop\svv-2.3-bin>svv check
    Important module ntoskrnl.exe not found
    ntdll.dll            (7c900000 - 7c9b0000)... suspected! (verdict = 5).
    kernel32.dll         (7c800000 - 7c8f5000)... suspected! (verdict = 5).
    USER32.dll           (7e410000 - 7e4a0000)... suspected! (verdict = 5).
    
    SYSTEM INFECTION LEVEL: 5
        0 - BLUE
        1 - GREEN
        2 - YELLOW
        3 - ORANGE
        4 - RED
    --> 5 - DEEPRED
    SUSPECTED modifications detected. System is probably infected!
    Code:
    C:\Documents and Settings\dmuser\Desktop\modGREPER-0.3-bin>modgreper.exe -h
    modGREPER 0.3, written by Joanna Rutkowska (2005)
    http://invisiblethings.org
    searching phase 1 completed.
    searching phase 2 completed.
    
    ? f72d1000 - f73bb000 : sptd.sys
    ? f70ed000 - f7101000 : srescan.sys
    ? f7ab0000 - f7ab1000 : \??\C:\WINDOWS\system32\Drivers\mchInjDrv.sys
    ? eb310000 - eb370000 : \SystemRoot\System32\vsdatant.sys
    ? eb1ea000 - eb203000 : \SystemRoot\System32\Drivers\dump_nvata.sys
    ? f0ebf000 - f0ec1000 : \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    ? b3f31000 - b3f5b000 : \SystemRoot\System32\Drivers\IsDrv120.sys
    ? f24aa000 - f24ac000 : \??\C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS
    ? f0449000 - f044b000 : \??\C:\WINDOWS\system32\682.tmp
    
    THERE ARE 9 SUSPECTED MODULE(S)!!!
    Code:
    "Silent Runners.vbs", revision 52, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"
    
    
    Startup items buried in registry:
    ---------------------------------
    
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
    "swg" = "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" ["Google Inc."]
    "AlcoholAutomount" = ""C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount" ["Alcohol Soft Development Team"]
    
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
    "FFTI" = "C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles\3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles/3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"" [file not found]
    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SDTray" = ""C:\Program Files\Spyware Doctor\SDTrayApp.exe"" ["PC Tools"]
    "NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
    "SmartDefrag" = ""C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp" [null data]
    "ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
      -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                       \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
    {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = "flashget urlcatch"
      -> {HKLM...CLSID} = "FGCatchUrl"
                       \InProcServer32\(Default) = "C:\Program Files\FlashGet\jccatch.dll" ["www.flashget.com"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
      -> {HKLM...CLSID} = "SSVHelper Class"
                       \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
      -> {HKLM...CLSID} = "Google Toolbar Helper"
                       \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}\(Default) = (no title provided)
      -> {HKLM...CLSID} = "Google Toolbar Notifier BHO"
                       \InProcServer32\(Default) = "C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll" ["Google Inc."]
    {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}\(Default) = "Google Gears Helper"
      -> {HKLM...CLSID} = "Google Gears Helper"
                       \InProcServer32\(Default) = "C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll" ["Google Inc."]
    {F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
      -> {HKLM...CLSID} = "FlashGet GetFlash Class"
                       \InProcServer32\(Default) = "C:\Program Files\FlashGet\getflash.dll" ["www.flashget.com"]
    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
      -> {HKLM...CLSID} = "UnlockerShellExtension"
                       \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
    "{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
      -> {HKLM...CLSID} = "ZLAVShExt Class"
                       \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
    "{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
      -> {HKLM...CLSID} = "DesktopContext Class"
                       \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
      -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                       \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
    "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
      -> {HKLM...CLSID} = "Desktop Explorer"
                       \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
      -> {HKLM...CLSID} = (no title provided)
                       \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
      -> {HKLM...CLSID} = "nView Desktop Context Menu"
                       \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
    "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
      -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
      -> {HKLM...CLSID} = "WinRAR"
                       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
      -> {HKLM...CLSID} = (no title provided)
                       \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
      -> {HKLM...CLSID} = (no title provided)
                       \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
      -> {HKLM...CLSID} = (no title provided)
                       \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
      -> {HKLM...CLSID} = (no title provided)
                       \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
      -> {HKLM...CLSID} = (no title provided)
                       \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\msohev.dll" [file not found]
    "{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
      -> {HKLM...CLSID} = "My Sharing Folders"
                       \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
      -> {HKLM...CLSID} = "iTunes"
                       \InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
    "{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
      -> {HKLM...CLSID} = "7-Zip Shell Extension"
                       \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
    "{5d1cb710-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    "{5d1cb711-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    "{5d1cb712-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    "{5d1cb713-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    "{5d1cb714-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    "{5d1cb715-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    "{5d1cb716-1c4b-11d4-bed5-005004b1f42f}" = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    "WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
      -> {HKLM...CLSID} = "WPDShServiceObj Class"
                       \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
    
    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    {5d1cb710-1c4b-11d4-bed5-005004b1f42f}\(Default) = "Tortoise CVS"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    {C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
      -> {HKLM...CLSID} = (no title provided)
                       \InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.2\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
      -> {HKLM...CLSID} = "PDF Shell Extension"
                       \InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
    
    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
      -> {HKLM...CLSID} = "7-Zip Shell Extension"
                       \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
    EditPlus\(Default) = "{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"
      -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
                       \InProcServer32\(Default) = "C:\Program Files\EditPlus 2\eppshell.dll" [null data]
    ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
      -> {HKLM...CLSID} = "MCLiteShellExt Class"
                       \InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [file not found]
    InfoNotaryShell Class\(Default) = "{47D24136-4681-4EC0-9DFF-3C5743E3C977}"
      -> {HKLM...CLSID} = "InfoNotaryShell Class"
                       \InProcServer32\(Default) = "C:\PROGRA~1\INFONO~1\INSigner\EDMSHE~1.DLL" ["InfoNotary Ltd."]
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
      -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    TortoiseCVS\(Default) = "{5d1cb710-1c4b-11d4-bed5-005004b1f42f}"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {HKLM...CLSID} = "WinRAR"
                       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
      -> {HKLM...CLSID} = "ZLAVShExt Class"
                       \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
    
    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
      -> {HKLM...CLSID} = "7-Zip Shell Extension"
                       \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
    ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
      -> {HKLM...CLSID} = "MCLiteShellExt Class"
                       \InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [file not found]
    TortoiseCVS\(Default) = "{5d1cb710-1c4b-11d4-bed5-005004b1f42f}"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {HKLM...CLSID} = "WinRAR"
                       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    
    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
      -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
                       \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    TortoiseCVS\(Default) = "{5d1cb710-1c4b-11d4-bed5-005004b1f42f}"
      -> {HKLM...CLSID} = "TortoiseCVS"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseCVS\TrtseShl.dll" ["www.tortoisecvs.org"]
    TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
      -> {HKLM...CLSID} = "TortoiseSVN"
                       \InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
    UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
      -> {HKLM...CLSID} = "UnlockerShellExtension"
                       \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
      -> {HKLM...CLSID} = "WinRAR"
                       \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
      -> {HKLM...CLSID} = "ZLAVShExt Class"
                       \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]
    
    HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
    UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
      -> {HKLM...CLSID} = "UnlockerShellExtension"
                       \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
    
    
    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------
    
    Note: detected settings may not have any effect.
    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
    
    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}
    
    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}
    
    
    Active Desktop and Wallpaper:
    -----------------------------
    
    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    
    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
    
    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\Documents and Settings\dmuser\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
    
    
    Startup items in "dmuser" & "All Users" startup folders:
    --------------------------------------------------------
    
    C:\Documents and Settings\dmuser\Start Menu\Programs\Startup
    "OpenOffice.org 2.2" -> shortcut to: "C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe" [null data]
    "Secunia PSI (BETA)" -> shortcut to: "C:\Program Files\Secunia\PSI (BETA)\PSI.exe" ["Secunia"]
    "Yahoo! Widget Engine" -> shortcut to: "C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe" ["Yahoo! Inc."]
    
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "Google Updater" -> shortcut to: "C:\Program Files\Google\Google Updater\GoogleUpdater.exe -systray -startup" ["Google"]
    "HiPath SIcurity Card API" -> shortcut to: "C:\Program Files\Siemens\Card API\bin\siecacst.exe" ["Siemens AG"]
    "Last.fm Helper" -> shortcut to: "C:\Program Files\Last.fm\LastFMHelper.exe" ["Last.fm"]
    "Launchy" -> shortcut to: "C:\Program Files\Launchy\Launchy.exe" ["Code Jelly"]
    "Privoxy" -> shortcut to: "C:\Program Files\Privoxy\privoxy.exe" [file not found]
    
    
    Enabled Scheduled Tasks:
    ------------------------
    
    "AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
    "GoogleUpdateTask" -> launches: "C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe" ["Google Inc."]
    "InfoNotary e-Doc Signer Updates" -> launches: "C:\Program Files\InfoNotary\INSigner\Updater.exe /checknow" ["Caphyon LTD"]
    "InfoNotary Smart Card Manager Updates" -> launches: "C:\Program Files\InfoNotary\SCManager\Updater.exe /checknow" ["Caphyon LTD"]
    "SmartDefrag" -> launches: "C:\Program Files\IObit\IObit SmartDefrag\schedule.exe" [null data]
    
    
    Winsock2 Service Provider DLLs:
    -------------------------------
    
    Namespace Service Providers
    
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    
    Transport Service Providers
    
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
    %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 31
    %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10
    
    
    Toolbars, Explorer Bars, Extensions:
    ------------------------------------
    
    Toolbars
    
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
      -> {HKLM...CLSID} = "&Google"
                       \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    
    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
      -> {HKLM...CLSID} = "&Google"
                       \InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
    
    Explorer Bars
    
    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    
    HKLM\Software\Classes\CLSID\{CAF171B1-077D-4D35-A792-23773191E5B6}\(Default) = "LeapTag"
    Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
    InProcServer32\(Default) = "C:\Program Files\LeapTag\Weblook.dll" [file not found]
    
    Extensions (Tools menu items, main toolbar menu buttons)
    
    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}"
      -> {HKCU...CLSID} = "Java Plug-in 1.6.0_03"
                       \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll" ["Sun Microsystems, Inc."]
      -> {HKLM...CLSID} = "Java Plug-in 1.6.0_03"
                       \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll" ["Sun Microsystems, Inc."]
    
    {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5}\
    "MenuText" = "&Google Gears Settings"
    "CLSIDExtension" = "{0B4350D1-055F-47A3-B112-5F2F2B0D6F08}"
      -> {HKLM...CLSID} = "Google Gears ToolsMenuItem"
                       \InProcServer32\(Default) = "C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll" ["Google Inc."]
    
    {B863453A-26C3-4E1F-A54D-A2CD196348E9}\
    "ButtonText" = "ICQ Lite"
    "MenuText" = "ICQ Lite"
    "Exec" = "C:\Program Files\ICQLite\ICQLite.exe" [file not found]
    
    {D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
    "ButtonText" = "FlashGet"
    "MenuText" = "FlashGet"
    "Exec" = "C:\Program Files\FlashGet\FlashGet.exe" ["FlashGet.com"]
    
    {E2E2DD38-D088-4134-82B7-F2BA38496583}\
    "MenuText" = "@xpsp3res.dll,-20001"
    "Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]
    
    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger"
    "MenuText" = "Windows Messenger"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
    
    
    HOSTS file
    ----------
    
    C:\WINDOWS\System32\drivers\etc\HOSTS
    
    maps: 2 domain names to IP addresses,
          1 of the IP addresses is *not* localhost!
    
    
    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------
    
    Apache2.2, Apache2.2, ""C:\xampp\apache\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
    Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple, Inc."]
    GemSAFE Card Server, GemSAFE Card Server, "C:\Program Files\Gemplus\GemSafe Libraries Admin\BIN\GCardSrvNT.exe" ["Gemplus"]
    Google Updater Service, gusvc, ""C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"" ["Google"]
    Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
    mysql, mysql, "C:\xampp\mysql\bin\mysqld-nt.exe --defaults-file=C:\xampp\mysql\bin\my.cnf mysql" [null data]
    NOD32 Kernel Service, NOD32krn, ""C:\Program Files\Eset\nod32krn.exe"" ["Eset "]
    NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
    PC Tools Auxiliary Service, sdAuxService, "C:\Program Files\Spyware Doctor\svcntaux.exe" ["PC Tools"]
    PC Tools Security Service, sdCoreService, "C:\Program Files\Spyware Doctor\swdsvc.exe" ["PC Tools"]
    StarWind AE Service, StarWindServiceAE, "C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe" ["Rocket Division Software"]
    TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    UpdaterService, UpdaterService, "C:\Program Files\Updater\XYNTService.exe" [null data]
    VMware Authorization Service, VMAuthdService, "C:\Program Files\VMware\VMware Workstation\vmware-authd.exe" ["VMware, Inc."]
    VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\system32\vmnetdhcp.exe" ["VMware, Inc."]
    VMware NAT Service, VMware NAT Service, "C:\WINDOWS\system32\vmnat.exe" ["VMware, Inc."]
    VMware Virtual Mount Manager Extended, vmount2, ""C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe"" ["VMware, Inc."]
    YUPBPPAUILD, YUPBPPAUILD, "C:\DOCUME~1\dmuser\LOCALS~1\Temp\YUPBPPAUILD.exe" ["Sysinternals - www.sysinternals.com"]
    
    
    Keyboard Driver Filters:
    ------------------------
    
    HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
    "UpperFilters" = <<!>> "vmkbd2" [file not found]
    
    
    Print Monitors:
    ---------------
    
    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    HP Master Monitor\Driver = "hpbmmon.dll" ["Hewlett-Packard"]
    HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
    
    
    ---------- (launch time: 2007-11-05 16:15:56)
    <<!>>: Suspicious data at a malware launch point.
    
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
      launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
      took 1172 seconds.
    ---------- (total run time: 1300 seconds)
    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 15:16:58, on 05.11.2007 г.
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\xampp\apache\bin\apache.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Gemplus\GemSafe Libraries Admin\BIN\GCardSrvNT.exe
    C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\xampp\mysql\bin\mysqld-nt.exe
    C:\xampp\apache\bin\apache.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Siemens\Card API\bin\siecacst.exe
    C:\Program Files\Last.fm\LastFMHelper.exe
    C:\Program Files\Launchy\Launchy.exe
    C:\Program Files\Secunia\PSI (BETA)\PSI.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\Program Files\Updater\XYNTService.exe
    C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
    C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\avgarkt.exe
    C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\jEAh20.exe
    C:\totalcmd\TOTALCMD.EXE
    C:\Program Files\ESET\nod32kui.exe
    C:\Program Files\TrueCrypt\TrueCrypt.exe
    C:\Program Files\QIP\qip.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Documents and Settings\dmuser\Desktop\hijackthis\HijackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.bg/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.microsoft.com/regsys...6028&lcid=1033
    O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SmartDefrag] "C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles\3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\dmuser\Application Data\Mozilla\Firefox\Profiles/3meeve2p.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
    O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
    O4 - Startup: Secunia PSI (BETA).lnk = C:\Program Files\Secunia\PSI (BETA)\PSI.exe
    O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HiPath SIcurity Card API.lnk = ?
    O4 - Global Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
    O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
    O4 - Global Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
    O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://www.adobe.com
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1188289270337
    O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
    O16 - DPF: {A996E48C-D3DC-4244-89F7-AFA33EC60679} (Settings Class) - https://ebb.ubb.bg/CAPICOM/capicom.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - file:///C:/2/controls/sdkinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5004497F-A821-4EBA-B72B-4896581C0630}: NameServer = 82.103.104.130
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOADFO~2\RNetPin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\xampp\filezillaftp\filezillaserver.exe
    O23 - Service: Freenet 0.7 darknet-8888 (freenet-darknet-8888) - Unknown owner - C:\Program Files\Freenet\bin\wrapper-windows-x86-32.exe" -s "C:\Program Files\Freenet\wrapper.conf (file missing)
    O23 - Service: GemSAFE Card Server - Gemplus - C:\Program Files\Gemplus\GemSafe Libraries Admin\BIN\GCardSrvNT.exe
    O23 - Service: Google Update Service (gupdate) - Unknown owner - C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe" /svc (file missing)
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: VMware Agent Service (ufad-ws60) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml (file missing)
    O23 - Service: UpdaterService - Unknown owner - C:\Program Files\Updater\XYNTService.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    Last edited by ju_lian; 5th November 2007 at 19:00.
    абвгдежзийклмнопрстуфхцчшщъьюя
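As an added example (not from the original post and not part of HijackThis), a small Python triage pass over a handful of O2/O9/O23 lines taken from the log above: it flags services with no readable publisher and entries whose target is missing, and separates out the "(file missing)" lines where a stray quote shows HijackThis split a quoted ImagePath that carries arguments (apache.exe and GoogleUpdate.exe both appear in the running-process list, so those binaries are present).

```python
import re

# Lines hand-picked from the HijackThis log posted above; nothing is added to them.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe (file missing)
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: UpdaterService - Unknown owner - C:\Program Files\Updater\XYNTService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# O23 layout: "O23 - Service: <display name> - <publisher> - <image path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

NO_PUBLISHER = "no publisher in file version info"
MISSING = "binary not found on disk"
QUOTED_ARTIFACT = "'(file missing)' is likely a parsing artifact of a quoted ImagePath"


def triage_services(log_text):
    """Return [(service name, [reasons])] for O23 entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = O23_RE.match(raw.strip())
        if not m:
            continue
        name, owner, path = (m.group(k).strip() for k in ("name", "owner", "path"))
        reasons = []
        if owner == "Unknown owner":          # HijackThis could not read a publisher
            reasons.append(NO_PUBLISHER)
        if path.endswith("(file missing)"):
            if '"' in path:
                # A lone quote before the arguments means the quoted ImagePath was
                # split at the wrong place; verify the path on disk before acting.
                reasons.append(QUOTED_ARTIFACT)
            else:
                reasons.append(MISSING)
        if reasons:
            findings.append((name, reasons))
    return findings


def dangling_entries(log_text):
    """Non-service entries whose target no longer exists: '(no file)' / '(file missing)'."""
    out = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("O23") and line.endswith(("(no file)", "(file missing)")):
            out.append(line)
    return out


if __name__ == "__main__":
    for name, reasons in triage_services(HJT_SAMPLE):
        print(f"{name}: {'; '.join(reasons)}")
    for entry in dangling_entries(HJT_SAMPLE):
        print("dangling:", entry)
```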

  2. #2
    Professional immigrant (tonich)
    Join Date: Sep:2005
    Location: Life No. 2
    Posts: 10,802
    Use the CODE function - #!


    There is a "pinned" thread about viruses, did you see it?

  3. #3
    Registered User
    Join Date: Jun:2006
    Location: Sofia
    Posts: 43

    Yes, I saw it!

    Yes, I saw it. That's where I found out about these tools.
    Do I have to go through the whole procedure before asking for advice?

    ju

  4. #4
    Professional immigrant (tonich)
    Join Date: Sep:2005
    Location: Life No. 2
    Posts: 10,802
    Yes - Ilko has described it in great detail. Follow the procedure!

  5. #5
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    I don't see anything interesting in the logs, other than that you have a pile of installed programs, any one of which could be causing the problem.
    I would clear out the unnecessary ones, starting with Spyware Doctor; if ZA is the version with antivirus, remove either it or NOD; leave the Windows firewall on if you remove ZA.
    Then remove the other programs you don't use.
    If it starts working normally, you can then add them back one by one; that way you'll find out which one is playing tricks.
    You can still scan for junk; for anti-rootkit use AVG Anti-Rootkit, BlackLight and Sophos Anti-Rootkit, scanning with each of them separately.

    Have you overclocked? Are we sure everything is fine with the hardware? Have you scanned the disk for bad sectors? And the memory?

  6. #6
    Registered User
    Join Date: Jun:2006
    Location: Sofia
    Posts: 43
    It seems to me that this is a Rootkit. My suspicions come from

    C:\WINDOWS\system32\Drivers\mchInjDrv.sys

    and from

    \SystemRoot\System32\Drivers\IsDrv120.sys

    Today we'll see how I can scan the hard drive without using the Windows installed on it, so that the rootkit can't hide.

    ju

  7. #7
    Prolemuris
    Join Date: Oct:2006
    Location: Varna
    Posts: 4,296
    ? f0449000 - f044b000 : \??\C:\WINDOWS\system32\682.tmp

    This also looks quite suspicious

  8. #8
    l.kanelov
    Guest
    These log files are useless if you are infected with a more serious Rootkit. They often infect Windows' Ntdll.dll, which all diagnostic tools use to display information about the current processes in the system, and that is how they hide. I.e. in such a case you don't see the real state of the running processes. The only way to check what is really running at the moment is to use a live kernel debugger, such as WinDbg (Debugging Tools for Windows), and then compare the processes shown by the standard tools with those shown by the debugger.
    If you suspect a Rootkit, I would recommend scanning with the tool GMER (freeware), as a supplement to ilko's post. On its very first start GMER scans memory for active Rootkits. Threats are usually shown in red. Afterwards you can also run a full system check. It's good to scan with more than one tool. Another alternative is RootkitRevealer, but it works on a rather different principle from GMER.
    Last edited by l.kanelov; 6th November 2007 at 17:06.

  9. #9
    Registered User
    Join Date: Dec:2005
    Location: yvr
    Posts: 5,167
    Quote Originally Posted by ju_lian
    It seems to me that this is a Rootkit. My suspicions come from

    C:\WINDOWS\system32\Drivers\mchInjDrv.sys

    and from

    \SystemRoot\System32\Drivers\IsDrv120.sys

    Today we'll see how I can scan the hard drive without using the Windows installed on it, so that the rootkit can't hide.

    ju
    The first one is often used by legitimate antivirus/anti-spyware programs as well, to load their own drivers; viruses can also use it for that purpose, but there is nothing else pointing to that.
    As for the second one, it's probably the IceSword driver; have you scanned with it?

    Quote Originally Posted by vbdasc
    ? f0449000 - f044b000 : \??\C:\WINDOWS\system32\682.tmp

    This also looks quite suspicious
    As far as I saw, he ran several anti-rootkit programs scanning at the same time; their drivers get detected as rootkits by the others, which is why I told him to scan with one at a time. The file itself is suspicious, but generally rootkit programs are used to hide something else, and that would have shown up, or will show up when he scans with other programs.

    Quote Originally Posted by l.kanelov
    These log files are useless if you are infected with a more serious Rootkit. They often infect Windows' Ntdll.dll, which all diagnostic tools use to display information about the current processes in the system, and that is how they hide. I.e. in such a case you don't see the real state of the running processes. The only way to check what is really running at the moment is to use a live kernel debugger, such as WinDbg (Debugging Tools for Windows), and then compare the processes shown by the standard tools with those shown by the debugger.
    If you suspect a Rootkit, I would recommend scanning with the tool GMER (freeware), as a supplement to ilko's post. On its very first start GMER scans memory for active Rootkits. Threats are usually shown in red. Afterwards you can also run a full system check. It's good to scan with more than one tool. Another alternative is RootkitRevealer, but it works on a rather different principle from GMER.
    A small clarification: rootkits don't infect files directly; they usually load as drivers and patch the kernel's routines in memory so as to hide or do whatever they want.
    You scan with different programs because different rootkits use different techniques; besides that, there are quite advanced ones which, when they see Gmer started for example, remove their code so that everything looks fine.
    Gmer is a great program, but it takes some knowledge to interpret the results correctly. Catchme is by the same author and is more convenient for beginners.

    http://www.microsoft.com/emea/spotli..._Cleaning.aspx
    Here it's explained brilliantly by the master himself; you can go straight to the part about rootkits.
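The cross-view check that l.kanelov describes and the reply above qualifies (compare what the kernel knows about running processes with what the user-mode tools show), as an added Python example that is not from the thread: it parses a WinDbg `!process 0 0` listing, where PIDs appear as hexadecimal `Cid` values, and a `tasklist` listing, and reports the processes the kernel has that user mode does not show. Both listings are constructed samples; the hidden `hidden.exe` and all addresses are made up to illustrate the mismatch.

```python
import re

# Constructed sample in the shape of WinDbg "!process 0 0" output (values invented).
WINDBG_SAMPLE = """\
PROCESS 89c0a830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00039000  ObjectTable: e1001e40  HandleCount: 263.
    Image: System

PROCESS 89a4b020  SessionId: none  Cid: 0250    Peb: 7ffde000  ParentCid: 0004
    DirBase: 0a1c0020  ObjectTable: e14f9c48  HandleCount:  19.
    Image: smss.exe

PROCESS 899f2da0  SessionId: 0  Cid: 02a0    Peb: 7ffdf000  ParentCid: 0250
    DirBase: 0a1c0040  ObjectTable: e17ac8a8  HandleCount: 369.
    Image: csrss.exe

PROCESS 8985c7e8  SessionId: 0  Cid: 0404    Peb: 7ffd9000  ParentCid: 02c8
    DirBase: 0a1c0080  ObjectTable: e1a5d4f0  HandleCount:  41.
    Image: hidden.exe
"""

# Constructed "tasklist" output for the same hypothetical machine: the fourth
# process is absent because the user-mode view has been filtered.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
smss.exe                       592 Console                    0        388 K
csrss.exe                      672 Console                    0      3,940 K
"""


def parse_windbg_processes(text):
    """Return {pid: image} from '!process 0 0' output. Cid is hexadecimal."""
    procs, pid = {}, None
    for line in text.splitlines():
        m = re.match(r"PROCESS\s+[0-9a-fA-F]+\s+SessionId:\s*\S+\s+Cid:\s*([0-9a-fA-F]+)", line)
        if m:
            pid = int(m.group(1), 16)
            continue
        m = re.match(r"\s+Image:\s*(\S+)", line)
        if m and pid is not None:
            procs[pid] = m.group(1)
            pid = None
    return procs


def parse_tasklist(text):
    """Return {pid: image} from 'tasklist' output. PID is decimal; skip the header rows."""
    procs = {}
    for line in text.splitlines()[2:]:
        m = re.match(r"(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$", line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def hidden_processes(kernel_view, user_view):
    """Cross-view diff: PIDs present in the kernel view but absent from the user-mode view."""
    return {pid: img for pid, img in kernel_view.items() if pid not in user_view}


if __name__ == "__main__":
    k, u = parse_windbg_processes(WINDBG_SAMPLE), parse_tasklist(TASKLIST_SAMPLE)
    for pid, img in hidden_processes(k, u).items():
        print(f"hidden from user mode: pid {pid} ({img})")
```

The Idle process (PID 0) shows up only in `tasklist`, so the diff is taken in one direction only: kernel view minus user view.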

  10. #10
    Registered User
    Join Date: Jun:2006
    Location: Sofia
    Posts: 43
    I'll try Gmer too, 10x

    I'll write again. Otherwise, yes, back then I was scanning with several programs at the same time.

Copyright © 1999-2011 Hardware BG. The content of this page may be subject to copyright.