mam problem z jednym robalem.
infekuje plik …\system32\wdmfmc32.dll (o tym wiem) i nie wiem co z tym zrobic
mks go wykrywa od razu przy starcie, przy usunieciu go wlaczaja sie wszystkie programy (z explorerem wlacznie), potem alert wyskakuje co jakis czas a po usuwaniu wraca
killnolem go juz killboxem (z rebootem i bez) ale bezskutecznie.
sciagnalem Prevx1 - wykrywa go, robi cleenupa, rebootuje… i nic, po restarcie to samo.
wie ktos jak sie tego ustrojstwa pozbyc?
pelny log z hjt:
StartupList report, 2006-06-04, 18:31:19
StartupList version: 1.52.2
Started from : D:\Documents and Settings\bartek\Pulpit\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\MKS\Bin\mks_menu.exe
D:\Program Files\MKS\Bin\ABregmon.exe
D:\Program Files\VIAudioi\SBADeck\ADeck.exe
E:\Program Files\DAEMON Tools\daemon.exe
D:\WINDOWS\System32\ctfmon.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\MKS\Bin\NetMonSV.exe
D:\Program Files\MKS\Bin\mksmonsv.exe
E:\Program Files\Opera\Opera.exe
D:\WINDOWS\System32\wuauclt.exe
D:\Program Files\MKS\Bin\mks_scan.exe
D:\Documents and Settings\bartek\Pulpit\HijackThis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[D]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[D]
Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
ATI CATALYST System Tray.lnk = D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
ATIPTA = D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
(Default) =
MKS_MENU = D:\Program Files\MKS\Bin\mks_menu.exe
ABREGMON = D:\Program Files\MKS\Bin\ABregmon.exe
AudioDeck = D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
NeroFilterCheck = D:\WINDOWS\system32\NeroCheck.exe
DAEMON Tools = "e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
PrevxOne = D:\Program Files\Prevx1\PXConsole.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = D:\WINDOWS\System32\ctfmon.exe
MSMSGS = "D:\Program Files\Messenger\msmsgs.exe" /background
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
[OptionalComponents]
*No values found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = D:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection D:\WINDOWS\INF\wmp.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = D:\WINDOWS\System32\Rundll32.exe D:\WINDOWS\System32\mscories.dll,Install
[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *
StubPath = rundll32 iesetup.dll,IEAccessUserInst
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from D:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=
--------------------------------------------------
Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
D:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
D:\WINDOWS\Explorer\Explorer.exe: not present
D:\WINDOWS\System\Explorer.exe: not present
D:\WINDOWS\System32\Explorer.exe: not present
D:\WINDOWS\Command\Explorer.exe: not present
D:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in D:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Edytor rejestru'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - e:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
Malicious Scripts Scanner - D:\Documents and Settings\All Users\Dane aplikacji\Prevx\pxbho.dll - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: D:\WINDOWS\System32\mswsock.dll
NameSpace #2: D:\WINDOWS\System32\winrnr.dll
NameSpace #3: D:\WINDOWS\System32\mswsock.dll
Protocol #1: D:\WINDOWS\system32\mswsock.dll
Protocol #2: D:\WINDOWS\system32\mswsock.dll
Protocol #3: D:\WINDOWS\system32\mswsock.dll
Protocol #4: D:\WINDOWS\system32\rsvpsp.dll
Protocol #5: D:\WINDOWS\system32\rsvpsp.dll
Protocol #6: D:\WINDOWS\system32\mswsock.dll
Protocol #7: D:\WINDOWS\system32\mswsock.dll
Protocol #8: D:\WINDOWS\system32\mswsock.dll
Protocol #9: D:\WINDOWS\system32\mswsock.dll
Protocol #10: D:\WINDOWS\system32\mswsock.dll
Protocol #11: D:\WINDOWS\system32\mswsock.dll
Protocol #12: D:\WINDOWS\system32\mswsock.dll
Protocol #13: D:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
ArcaBit NetMonitor: D:\Program Files\MKS\Bin\NetMonSV.exe (autostart)
ABTDI: \??\D:\Program Files\MKS\Bin\ABTDI.sys (system)
Sterownik Microsoft ACPI: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
Środowisko obsługi sieci AFD: \SystemRoot\System32\drivers\afd.sys (autostart)
Urządzenie alarmowe: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Usługa bramy warstwy aplikacji: %SystemRoot%\System32\alg.exe (manual start)
Zarządzanie aplikacjami: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
Sterownik multimediów asynchronicznych RAS: System32\DRIVERS\asyncmac.sys (manual start)
Standardowy kontroler dysku twardego IDE/ESDI: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: D:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
Protokół klienta ARP ATM: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sterownik Audio Stub: System32\DRIVERS\audstub.sys (manual start)
Usługa inteligentnego transferu w tle: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Przeglądarka komputera: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sterownik stacji dysków CD-ROM: System32\DRIVERS\cdrom.sys (system)
Usługa indeksowania: D:\WINDOWS\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Aplikacja systemowa modelu COM+: D:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Usługi kryptograficzne: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Klient DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sterownik dysku: System32\DRIVERS\disk.sys (system)
Usługa administracyjna Menedżera dysków logicznych: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Sterownik Menedżera dysków logicznych: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Menedżer dysków logicznych: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Syntezator Microsoft Kernel DLS: system32\drivers\DMusic.sys (manual start)
Klient DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
Usługa raportowania błędów: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Dziennik zdarzeń: %SystemRoot%\system32\services.exe (autostart)
System zdarzeń COM+: D:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Zgodność szybkiego przełączania użytkowników: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Sterownik kontrolera stacji dyskietek: System32\DRIVERS\fdc.sys (manual start)
Sterownik stacji dyskietek: System32\DRIVERS\flpydisk.sys (manual start)
Sterownik Menedżera woluminów: System32\DRIVERS\ftdisk.sys (system)
Licznik portów gier: System32\DRIVERS\gameenum.sys (manual start)
Rodzajowy klasyfikator pakietu: System32\DRIVERS\msgpc.sys (manual start)
Pomoc i obsługa techniczna: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Dostęp do urządzeń interfejsu HID: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Sterownik portu klawiatury i8042 i myszy PS/2: System32\DRIVERS\i8042prt.sys (system)
Usługa COM nagrywania dysków CD IMAPI: D:\WINDOWS\System32\imapi.exe (manual start)
Sterownik filtru ruchu IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Sterownik IP w tunelu IP: System32\DRIVERS\ipinip.sys (manual start)
Translator adresów sieciowych IP: System32\DRIVERS\ipnat.sys (manual start)
Sterownik IPSEC: System32\DRIVERS\ipsec.sys (system)
Usługa wyliczania IR: System32\DRIVERS\irenum.sys (manual start)
Sterownik PnP magistrali ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Sterownik klasy klawiatury: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Serwer: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Stacja robocza: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Pomoc TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Posłaniec: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
MkS_Mon Kernel Engine: \??\D:\Program Files\MKS\Bin\MksMonEn.sys (manual start)
MkS_Mon Kernel Events: \??\D:\Program Files\MKS\Bin\MksMonEv.sys (manual start)
MkS_Mon Kernel Filter Driver: \??\D:\Program Files\MKS\Bin\MksMonFd.sys (manual start)
MkSUpdateInt: D:\Program Files\MKS\bin\MkSUpdateInt.exe (manual start)
MkS_Vir Monitor: D:\Program Files\MKS\Bin\mksmonsv.exe (autostart)
MkS_Scan: D:\Program Files\MKS\Bin\mks_scan.exe (manual start)
NetMeeting Remote Desktop Sharing: D:\WINDOWS\System32\mnmsrvc.exe (manual start)
Sterownik klasy myszy: System32\DRIVERS\mouclass.sys (system)
Readresator klienta WebDav: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: D:\WINDOWS\System32\msdtc.exe (manual start)
Instalator Windows: D:\WINDOWS\System32\msiexec.exe /V (manual start)
Serwer proxy usługi Microsoft Streaming: system32\drivers\MSKSSRV.sys (manual start)
Serwer proxy zegara Microsoft Streaming: system32\drivers\MSPCLOCK.sys (manual start)
Serwer proxy menedżera jakości Microsoft Streaming: system32\drivers\MSPQM.sys (manual start)
Sterownik usługi Dostęp zdalny NDIS TAPI: System32\DRIVERS\ndistapi.sys (manual start)
Protokół We/Wy trybu użytkownika NDIS: System32\DRIVERS\ndisuio.sys (manual start)
Sterownik usługi Dostęp zdalny NDIS WAN: System32\DRIVERS\ndiswan.sys (manual start)
Interfejs NetBIOS: System32\DRIVERS\netbios.sys (system)
NetBios przez TCP/IP: System32\DRIVERS\netbt.sys (system)
DDE sieci: %SystemRoot%\system32\netdde.exe (manual start)
DSDM DDE sieci: %SystemRoot%\system32\netdde.exe (manual start)
Logowanie do sieci: %SystemRoot%\System32\lsass.exe (manual start)
Połączenia sieciowe: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
RCA USB Digital Cable Modem Driver: System32\DRIVERS\netrcacm.sys (manual start)
Rozpoznawanie lokalizacji w sieci (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Usługa NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Magazyn wymienny: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Sterownik filtru ruchu IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Sterownik usług przesyłania dalej ruchu IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
Sterownik portu równoległego: System32\DRIVERS\parport.sys (manual start)
Sterownik magistrali PCI: System32\DRIVERS\pci.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Usługi IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Prevx Agent: "D:\Program Files\Prevx1\PXAgent.exe" -f (autostart)
PREVX Kernel Mode Agent: system32\drivers\pxfsf.sys (system)
PREVX Emulator Driver: system32\drivers\pxemu.sys (manual start)
PREVX Tdi filter: system32\drivers\pxtdi.sys (system)
Sterownik procesora: System32\DRIVERS\processr.sys (system)
Magazyn chroniony: %SystemRoot%\system32\lsass.exe (autostart)
Harmonogram pakietów QoS: System32\DRIVERS\psched.sys (manual start)
Sterownik bezpośredniego połączenia kablowego: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
PREVX Rootkitscan driver: \??\D:\WINDOWS\system32\drivers\pxrd.sys (manual start)
Sterownik automatycznego połączenia dostępu zdalnego: System32\DRIVERS\rasacd.sys (system)
Menedżer autopołączenia dostępu zdalnego: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Menedżer połączeń usługi Dostęp zdalny: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Sterownik usługi Dostęp zdalny PPPOE: System32\DRIVERS\raspppoe.sys (manual start)
Bezpośrednie połączenie kablowe: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Sterownik przekierowania urządzenia serwera terminali: System32\DRIVERS\rdpdr.sys (manual start)
Menedżer sesji pomocy pulpitu zdalnego: D:\WINDOWS\system32\sessmgr.exe (manual start)
Sterownik filtru odtwarzania audio cyfrowych dysków CD: System32\DRIVERS\redbook.sys (system)
Routing i dostęp zdalny: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Rejestr zdalny: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Lokalizator usługi zdalnego wywołania procedury (RPC): %SystemRoot%\System32\locator.exe (manual start)
Zdalne wywoływanie procedur (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Sterownik NT karty Realtek RTL8139(A/B/C)-based PCI Fast Ethernet: System32\DRIVERS\RTL8139.SYS (manual start)
Menedżer kont zabezpieczeń: %SystemRoot%\system32\lsass.exe (autostart)
Pomocnik karty inteligentnej: %SystemRoot%\System32\SCardSvr.exe (manual start)
Karta inteligentna: %SystemRoot%\System32\SCardSvr.exe (manual start)
Harmonogram zadań: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Logowanie pomocnicze: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Zawiadomienie o zdarzeniu systemowym: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Sterownik filtru Serenum: System32\DRIVERS\serenum.sys (manual start)
Sterownik portu szeregowego: System32\DRIVERS\serial.sys (system)
Zapora połączenia internetowego / Udostępnianie połączenia internetowego: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Wykrywanie sprzętu powłoki: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Bufor wydruku: %SystemRoot%\system32\spoolsv.exe (autostart)
Sterownik filtru Przywracania systemu: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
Usługa przywracania systemu: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Usługa odnajdywania SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (manual start)
Sterownik magistrali programowej: System32\DRIVERS\swenum.sys (manual start)
Syntezator tablicy dźwięków WAVE Microsoft Kernel GS: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: D:\WINDOWS\System32\dllhost.exe /Processid:{FA1B09DE-6973-4D44-8827-97918E190206} (manual start)
Urządzenie audio Microsoft Kernel System: system32\drivers\sysaudio.sys (manual start)
Dzienniki wydajności i alerty: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telefonia: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Sterownik protokołu TCP/IP: System32\DRIVERS\tcpip.sys (system)
Sterownik urządzenia terminalu: System32\DRIVERS\termdd.sys (system)
Usługi terminalowe: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Kompozycje: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: D:\WINDOWS\System32\tlntsvr.exe (manual start)
Klient śledzenia łączy rozproszonych: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: D:\WINDOWS\System32\wdfmgr.exe (autostart)
Sterownik Microcode Update: System32\DRIVERS\update.sys (manual start)
Menedżer przekazywania: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Host uniwersalnego urządzenia Plug and Play: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Zasilacz awaryjny (UPS): %SystemRoot%\System32\ups.exe (manual start)
Koncentrator z obsługą USB2: System32\DRIVERS\usbhub.sys (manual start)
Sterownik Miniport uniwersalnego kontrolera hosta USB Microsoft: System32\DRIVERS\usbuhci.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
Filtr magistrali AGP VIA: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Vinyl AC'97 Audio Controller (WDM): system32\drivers\vinyl97.sys (manual start)
Kopiowanie woluminów w tle: %SystemRoot%\System32\vssvc.exe (manual start)
Usługa Czas systemu Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Sterownik usługi Dostęp zdalny IP ARP: System32\DRIVERS\wanarp.sys (manual start)
Sterownik zgodności audio Microsoft WINMM WDM: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Instrumentacja zarządzania Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Rozszerzenia sterownika Instrumentacji zarządzania Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Karta wydajności WMI: D:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Aktualizacje automatyczne: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Konfiguracja zerowej sieci bezprzewodowej: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
CDBurn: D:\WINDOWS\system32\SHELL32.dll
WebCheck: D:\WINDOWS\System32\webcheck.dll
SysTray: D:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
End of report, 30 236 bytes
Report generated in 0,361 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
log z sr
"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\System32\ctfmon.exe" [MS]
"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"(Default)" = (empty string)
"MKS_MENU" = "D:\Program Files\MKS\Bin\mks_menu.exe" ["MKS Sp. z o.o."]
"ABREGMON" = "D:\Program Files\MKS\Bin\ABregmon.exe" ["ArcaBit"]
"AudioDeck" = "D:\Program Files\VIAudioi\SBADeck\ADeck.exe 1 " ["VIA Technologies, Inc."]
"NeroFilterCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"DAEMON Tools" = ""e:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]
"PrevxOne" = "D:\Program Files\Prevx1\PXConsole.exe" ["Prevx"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "e:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{55EA1964-F5E4-4D6A-B9B2-125B37655FCB}\(Default) = "Malicious Scripts Scanner"
-> {HKLM...CLSID} = "URLDetector Class"
\InProcServer32\(Default) = "D:\Documents and Settings\All Users\Dane aplikacji\Prevx\pxbho.dll" ["Prevx Ltd."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "D:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "E:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"
-> {HKLM...CLSID} = "MkS_Vir Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\MKS\Bin\MkSShell.dll" [null data]
MyPhoneExplorer\(Default) = "{C63D6E57-FE9E-43D7-B7ED-900DEB695D3E}"
-> {HKLM...CLSID} = "MyPhoneExplorer_ShellEx.ShellExt"
\InProcServer32\(Default) = "e:\Program Files\MyPhoneExplorer\DLL\ShellMgr.dll" ["F.J. Wechselberger"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
MkS_Vir\(Default) = "{CC4245C0-D511-11D0-8918-444553540000}"
-> {HKLM...CLSID} = "MkS_Vir Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\MKS\Bin\MkSShell.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "e:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\bartek\Dane aplikacji\Opera\Opera\profile\Skin\chaosad.bmp"
Startup items in "bartek" & "All Users" startup folders:
--------------------------------------------------------
D:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"ATI CATALYST System Tray" -> shortcut to: "D:\Program Files\ATI Technologies\ATI.ACE\CLI.exe SystemTray" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ArcaBit NetMonitor, ABNetMon, "D:\Program Files\MKS\Bin\NetMonSV.exe" ["ArcaBit sp. z o.o."]
Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
MkS_Scan, MkS_Scan, "D:\Program Files\MKS\Bin\mks_scan.exe" [empty string]
MkS_Vir Monitor, MksVirMonSvc, "D:\Program Files\MKS\Bin\mksmonsv.exe" [empty string]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\System32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 120 seconds, including 4 seconds for message boxes)