Witam.
Podczas ostatniego skanowania Avira wykryła jakiś hidden object, poniżej wycinek z loga:
Starting search for hidden objects.
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces{E22D3D30-3F82-4BCD-919C-BA41F276EDEE}\ntecontextlist
[iNFO] The registry entry is invisible.
‘29031’ objects were checked, ‘1’ hidden objects were found.
Zauważyłem też, że w menedżerze zadań mam dwa procesy explorer. Czy może to mieć jakiś związek z potencjalnym rootkitem? Proszę o sprawdzenie logów i z góry dziękuję za pomoc.
Log z HiJack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:33:09, on 2008-07-03
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM…\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM…\Run: [nwiz] nwiz.exe /install
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [COMODO Firewall Pro] “C:\Program Files\COMODO\Firewall\cfp.exe” -h
O4 - HKLM…\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”
O4 - HKLM…\Run: [WheelMouse] C:\Program Files\A4Tech\Mouse\Amoumain.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”
O4 - HKLM…\Run: [avgnt] “C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min
O4 - HKCU…\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip…{E22D3D30-3F82-4BCD-919C-BA41F276EDEE}: NameServer = 194.204.159.1 217.98.63.164
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
–
End of file - 4468 bytes
Log z Silent Runners:
“Silent Runners.vbs”, revision 58, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“SpybotSD TeaTimer” = “C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe” [“Safer Networking Limited”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]
“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]
“NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS]
“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]
“COMODO Firewall Pro” = ““C:\Program Files\COMODO\Firewall\cfp.exe” -h” [“COMODO”]
“WinampAgent” = ““C:\Program Files\Winamp\winampa.exe”” [file not found]
“WheelMouse” = “C:\Program Files\A4Tech\Mouse\Amoumain.exe” [“A4Tech Co., Ltd.”]
“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“avgnt” = ““C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM…CLSID} = “AcroIEHlprObj Class”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]
{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)
-> {HKLM…CLSID} = “Spybot-S&D IE Protection”
\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”
-> {HKLM…CLSID} = “DesktopContext Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”
-> {HKLM…CLSID} = “NVIDIA CPL Extension”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”
-> {HKLM…CLSID} = “Desktop Explorer”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”
-> {HKLM…CLSID} = “nView Desktop Context Menu”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning”
-> {HKLM…CLSID} = “Shell Extension for Malware scanning”
\InProcServer32(Default) = “C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{6DEA92E9-8682-4b6a-97DE-354772FE5727}” = “Autodesk DWF Preview”
-> {HKLM…CLSID} = “ACDWFTHMBPRXY”
\InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcDwfThmbPrxy16.dll” [“Autodesk”]
“{36A21736-36C2-4C11-8ACB-D4136F2B57BD}” = “AutoCAD Digital Signatures Icon Overlay Handler”
-> {HKLM…CLSID} = “AcSignIcon”
\InProcServer32(Default) = “C:\WINDOWS\system32\AcSignIcon.dll” [“Autodesk”]
“{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}” = “Autodesk Drawing Preview”
-> {HKLM…CLSID} = “ACTHUMBNAIL”
\InProcServer32(Default) = “C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll” [“Autodesk”]
“{AD392E40-428C-459F-961E-9B147782D099}” = “UltraISO”
-> {HKLM…CLSID} = “UIContextMenu Class”
\InProcServer32(Default) = “C:\Program Files\UltraISO\isoshell.dll” [“EZB Systems, Inc.”]
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<> “BootExecute” = “autocheck autochk *”|“lsdelete” [null data]
HKLM\SOFTWARE\Classes*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”
-> {HKLM…CLSID} = “Shell Extension for Malware scanning”
\InProcServer32(Default) = “C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
UltraISO(Default) = “{AD392E40-428C-459F-961E-9B147782D099}”
-> {HKLM…CLSID} = “UIContextMenu Class”
\InProcServer32(Default) = “C:\Program Files\UltraISO\isoshell.dll” [“EZB Systems, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”
-> {HKLM…CLSID} = “Shell Extension for Malware scanning”
\InProcServer32(Default) = “C:\Program Files\Avira\AntiVir PersonalEdition Classic\shlext.dll” [“Avira GmbH”]
UltraISO(Default) = “{AD392E40-428C-459F-961E-9B147782D099}”
-> {HKLM…CLSID} = “UIContextMenu Class”
\InProcServer32(Default) = “C:\Program Files\UltraISO\isoshell.dll” [“EZB Systems, Inc.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
Default executables:
<> HKCU\Software\Classes.scr(Default) = “AutoCADScriptFile”
<> HKCU\Software\Classes\AutoCADScriptFile\shell\open\command(Default) = "“C:\WINDOWS\system32\notepad.exe” “%1"” [MS]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Windows Portable Device AutoPlay Handlers
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\
FunMultiMediaHandler\
“Provider” = “MultiMedia Manager”
“ProgID” = “FUNBOX.Autoplay”
HKLM\SOFTWARE\Classes\FUNBOX.Autoplay\CLSID(Default) = “{DF866F1F-10DF-4694-94A9-7F526FC8800A}”
-> {HKLM…CLSID} = “FUNBOX Autoplay Sample 2”
\LocalServer32(Default) = “C:\Program Files\Samsung\Samsung PC Studio 3\Share_autoplay.exe” [“TODO: <** **>” (unwritable string)]
WinampMTPHandler\
“Provider” = “Winamp”
“ProgID” = “Shell.HWEventHandlerShellExecute”
“InitCmdLine” = “C:\Program Files\Winamp\winamp.exe”
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID(Default) = “{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}”
-> {HKLM…CLSID} = “ShellExecute HW Event Handler”
\LocalServer32(Default) = “rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}” [MS]
WinampPlayMediaOnArrival\
“Provider” = “Winamp”
“InvokeProgID” = “Winamp.File”
“InvokeVerb” = “Play”
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command(Default) = "“C:\Program Files\Winamp\winamp.exe” “%1"” [“Nullsoft”]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = “{46986115-84D6-459c-8F95-52DD653E532E}”
-> {HKLM…CLSID} = (no title provided)
\LocalServer32(Default) = ““C:\Program Files\Winamp\winamp.exe”” [“Nullsoft”]
Startup items in “Boss” & “All Users” startup folders:
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
“AutoCAD Startup Accelerator” -> shortcut to: “C:\Program Files\Common Files\Autodesk Shared\acstart16.exe” [null data]
“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.6.0_05”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.6.0_05”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll” [“Sun Microsystems, Inc.”]
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
“MenuText” = “Spybot - Search & Destroy Configuration”
“CLSIDExtension” = “{53707962-6F74-2D53-2644-206D7942484F}”
-> {HKLM…CLSID} = “Spybot-S&D IE Protection”
\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ad-Aware 2007 Service, aawservice, ““C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe”” [“Lavasoft”]
AntiVir PersonalEdition Classic Guard, AntiVirService, ““C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe”” [“Avira GmbH”]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, ““C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe”” [“Avira GmbH”]
COMODO Firewall Pro Helper Service, cmdAgent, ““C:\Program Files\COMODO\Firewall\cmdagent.exe”” [“COMODO”]
NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]
Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\system32\wdfmgr.exe” [MS]
---------- (launch time: 2008-07-03 17:48:26)
<>: Suspicious data at a malware launch point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- The search for DESKTOP.INI DLL launch points on all local fixed drives
took 80 seconds.
---------- (total run time: 182 seconds)