Ståle, posted 1 April 2009

I thought I had Conficker. I have Vista Business 32-bit and most likely Conficker. I can get to microsoft.com, but can't download MRST. I also have an autorun.inf that looks like the one Conficker creates. And strange files here and there that Symantec's Conficker remover couldn't open. Downloaded MRST from another PC, but can't get it to start. Symantec's and BitDefender's Conficker removal tools find nothing. NOD32 doesn't find anything either. Everything was done in Safe Mode.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:52, on 01.04.2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
H:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [WhatPulse] C:\Program Files\WhatPulse\WhatPulse.exe
O4 - HKCU\..\Run: [nodenable] C:\Program Files\eset\nodenable.exe
O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: AWC (lower priority).lnk = C:\Windows\System32\cmd.exe
O4 - Startup: TK8 EasyNote.lnk = C:\Users\Stale\AppData\Roaming\TK8 Software\TK8 EasyNote\EasyNote.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Franson GpsGate 2.0 - Unknown owner - C:\Program Files\Franson\GpsGate 2.0\GpsGateService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\stacsv.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7259 bytes

Found http://www.skullsecurity.org/blog/?p=209

root@grete:~/nmap# ./nmap --script=smb-check-vulns --script-args=unsafe=1 -p445 -d 192.168.2.199

Warning: File ./nselib/ exists, but Nmap is using /usr/local/share/nmap/nselib/ for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

Starting Nmap 4.85BETA6 ( http://nmap.org ) at 2009-04-01 16:36 CEST
--------------- Timing report ---------------
hostgroups: min 1, max 100000
rtt-timeouts: init 1000, min 100, max 10000
max-scan-delay: TCP 1000, UDP 1000
parallelism: min 0, max 0
max-retries: 10, host-timeout: 0
min-rate: 0, max-rate: 0
---------------------------------------------
Initiating ARP Ping Scan at 16:36
Scanning 192.168.2.199 [1 port]
Packet capture filter (device eth0): arp and ether dst host 00:30:05:65:F5:9D
Completed ARP Ping Scan at 16:36, 0.02s elapsed (1 total hosts)
Overall sending rates: 60.10 packets / s, 2524.34 bytes / s.
mass_rdns: Using DNS server 192.168.2.3
mass_rdns: Using DNS server 192.168.2.5
Initiating SYN Stealth Scan at 16:36
Scanning vaio-fedora (192.168.2.199) [1 port]
Packet capture filter (device eth0): dst host 192.168.2.3 and (icmp or ((tcp or udp) and (src host 192.168.2.199)))
Discovered open port 445/tcp on 192.168.2.199
Completed SYN Stealth Scan at 16:36, 0.01s elapsed (1 total ports)
Overall sending rates: 79.87 packets / s, 3514.10 bytes / s.
NSE: Initiating script scanning.
NSE: Script scanning vaio-fedora (192.168.2.199).
NSE: Initialized 1 rules
NSE: Matching rules.
NSE: Running scripts.
NSE: Runlevel: 2.000000
Initiating NSE at 16:36
Running 1 script threads:
NSE (0.302s): Starting smb-check-vulns against 192.168.2.199.
NSE: SMB: Extended login as \guest succeeded
NSE: SMB: Extended login as \guest succeeded
NSE: SMB: Extended login as \guest succeeded
NSE (0.463s): Finished smb-check-vulns against 192.168.2.199.
Completed NSE at 16:36, 0.16s elapsed
NSE: Script scanning completed.
Host vaio-fedora (192.168.2.199) is up, received arp-response (0.0013s latency).
Scanned at 2009-04-01 16:36:09 CEST for 0s
Interesting ports on vaio-fedora (192.168.2.199):
PORT    STATE SERVICE      REASON
445/tcp open  microsoft-ds syn-ack
MAC Address: 00:1F:3B:0B:F3:A1 (Intel Corporate)

Host script results:
| smb-check-vulns:
|   MS08-067: FIXED
|   Conficker: Likely CLEAN
|_  regsvc DoS: ERROR: NT_STATUS_OBJECT_NAME_NOT_FOUND

Final times for host: srtt: 1341 rttvar: 3920 to: 100000
Read from /usr/local/share/nmap: nmap-mac-prefixes nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds
Raw packets sent: 2 (86B) | Rcvd: 3 (126B)

But I can't get to eset.com, or download updates for Windows/Defender or WLM. When I ping eset.com, something translates it to 127.0.0.1.

C:\Users\Stale\Desktop>nslookup eset.com
Server:  UnKnown
Address:  192.168.2.5

Non-authoritative answer:
Name:    eset.com
Address:  72.3.254.86

But with the tools I found here: http://iv.cs.uni-bonn.de/wg/cs/application...ining-conficker and all the virus scans I've done, they find nothing. I also can't download SAS or update Ad-Aware.
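The ping-versus-nslookup discrepancy in the post is the useful diagnostic: `ping` goes through the local resolver (hosts file, DNS client cache and any hooked resolver code), while `nslookup` sends its own query straight to the configured DNS server. When the two disagree, the rewrite is happening on the machine itself, not upstream. The script below, an added example that is not part of the thread, reproduces that comparison offline: it builds the same A-record query nslookup sends, parses a reply, classifies the two answers, and scans a hosts file for vendor domains pinned to loopback. The DNS server address and the two IPs come from the post; the hosts-file sample and the constructed reply are made up for illustration, and `dns_query` is only needed if you want to run the check live.

```python
"""Offline reconstruction of the post's ping-vs-nslookup check (added example)."""
import ipaddress
import socket
import struct

DNS_SERVER = "192.168.2.5"   # the server nslookup reported in the post
QUERY_ID = 0x1234            # constructed; any 16-bit id works


def build_a_query(name: str, query_id: int = QUERY_ID) -> bytes:
    """Minimal DNS A-record query: header (RD=1, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)          # A, IN


def build_a_reply(name: str, addrs: list, query_id: int = QUERY_ID, ttl: int = 300) -> bytes:
    """Constructed reply for offline use: echoes the question, one A record per address."""
    header = struct.pack("!HHHHHH", query_id, 0x8180, 1, len(addrs), 0, 0)   # QR, RD, RA
    question = build_a_query(name, query_id)[12:]
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)                              # 0xC00C = pointer to QNAME
    return header + question + rrs


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a domain name, handling the two-byte compression pointer form."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes, expect_id: int = QUERY_ID) -> list:
    """Return the IPv4 addresses from the answer section of a DNS reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != expect_id or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def dns_query(name: str, server: str = DNS_SERVER, timeout: float = 2.0) -> list:
    """Live equivalent of the nslookup step (needs network; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        reply, _ = s.recvfrom(512)
    return parse_a_records(reply)


def classify(system_answer: str, dns_answers: list) -> str:
    """Compare the local resolver's answer (what ping used) with the DNS server's."""
    sys_ip = ipaddress.ip_address(system_answer)
    if (sys_ip.is_loopback or sys_ip.is_unspecified) and \
            not any(ipaddress.ip_address(a).is_loopback for a in dns_answers):
        return "local-redirect"       # hosts file, DNS cache or a hooked resolver
    if system_answer in dns_answers:
        return "consistent"
    return "mismatch"                 # upstream difference; not necessarily local


def suspicious_hosts_entries(hosts_text: str) -> list:
    """Flag hosts-file lines that pin a non-localhost name to loopback or 0.0.0.0."""
    flagged = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                  # malformed line; not our concern here
        for n in names:
            if (addr.is_loopback or addr.is_unspecified) and not n.startswith("localhost"):
                flagged.append((ip, n))
    return flagged


# Constructed sample hosts file; the poster's HijackThis O1 line showed only "::1 localhost",
# so in their case the redirect was not sitting in the hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       eset.com          # constructed: vendor site pinned to loopback
0.0.0.0         update.example    # constructed
"""

if __name__ == "__main__":
    reply = build_a_reply("eset.com", ["72.3.254.86"])     # the answer nslookup got
    print("DNS server says:", parse_a_records(reply))
    print("verdict:", classify("127.0.0.1", parse_a_records(reply)))   # ping's answer vs DNS
    print("hosts entries to review:", suspicious_hosts_entries(SAMPLE_HOSTS))
```

A "local-redirect" verdict with a clean hosts file points at the DNS client cache or at code hooking the resolver, which is why a hosts-only check such as HijackThis's O1 line can come back clean on an infected box.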
Bruker-158599, posted 1 April 2009 (edited)

....

Edited 30 July 2010 by riskake90
Ståle (author), posted 1 April 2009

ComboFix

ComboFix 09-03-31.03 - Stale 2009-04-01 17:40:16.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.2038.845 [GMT 2:00]
Running from: c:\users\Stale\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
 * Created a new restore point
 * Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\install.exe
c:\users\Stale\AppData\Roaming\.#
c:\users\Stale\AppData\Roaming\.#\MBX@570@1C41D48.###
c:\users\Stale\AppData\Roaming\.#\MBX@570@1C41D68.###
c:\windows\system32\drivers\gaopdxpxuifhpb.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxmqwetbee.dll
c:\windows\system32\readme-net.doc
c:\windows\system32\x64
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gaopdxserv.sys

((((((((((((((((((((((((( Files Created from 2009-03-01 to 2009-04-01 )))))))))))))))))))))))))))))))
.
2009-04-01 18:07 . 2009-04-01 18:09 239,074,150 --a------ c:\windows\MEMORY.DMP
2009-04-01 17:25 . 2009-03-09 21:06 15,688 --a------ c:\windows\System32\lsdelete.exe
2009-04-01 16:18 . 2009-04-01 16:18 <DIR> d--h-c--- c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-01 16:18 . 2009-04-01 16:18 <DIR> d--h-c--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-01 16:18 . 2009-03-09 21:06 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-04-01 16:17 . 2009-04-01 16:18 <DIR> d-------- c:\users\All Users\Lavasoft
2009-04-01 16:17 . 2009-04-01 16:18 <DIR> d-------- c:\programdata\Lavasoft
2009-04-01 16:17 . 2009-04-01 16:17 <DIR> d-------- c:\program files\Lavasoft
2009-04-01 16:05 . 2009-04-01 16:05 <DIR> d-------- c:\users\Stale\.zenmap
2009-04-01 16:04 . 2009-04-01 16:04 <DIR> d-------- c:\program files\WinPcap
2009-04-01 16:04 . 2009-04-01 16:04 <DIR> d-------- c:\program files\Nmap
2009-04-01 15:07 . 2009-04-01 15:07 <DIR> d-------- c:\program files\UlisesSoft
2009-04-01 08:13 . 2009-03-31 17:21 6,512,088 --------- C:\fseasyclean.exe
2009-04-01 08:13 . 2009-03-31 17:14 2,402,613 --------- C:\bd_rem_tool.zip
2009-04-01 08:12 . 2009-04-01 01:04 2,348,416 --------- C:\FixDwndp.exe
2009-03-30 08:21 . 2009-03-30 08:21 1,908 --a------ c:\windows\diagwrn.xml
2009-03-30 08:21 . 2009-03-30 08:21 1,908 --a------ c:\windows\diagerr.xml
2009-03-29 16:19 . 2009-03-29 16:20 <DIR> d-------- c:\program files\Microsoft IntelliPoint
2009-03-29 01:00 . 2009-03-29 01:00 <DIR> d-------- c:\users\Stale\AppData\Roaming\Red Kawa
2009-03-29 01:00 . 2009-03-29 01:00 <DIR> d-------- c:\program files\Regensoft
2009-03-29 01:00 . 2009-03-29 01:00 <DIR> d-------- c:\program files\Red Kawa
2009-03-29 01:00 . 2009-03-29 01:00 <DIR> d-------- c:\program files\AviSynth 2.5
2009-03-18 23:18 . 2009-03-18 23:24 <DIR> d-------- c:\users\Stale\AppData\Roaming\WhatPulse
2009-03-15 22:13 . 2009-03-15 22:13 240,248 --a------ c:\windows\System32\wpcap.dll
2009-03-15 22:13 . 2009-03-15 22:13 88,704 --a------ c:\windows\System32\Packet.dll
2009-03-15 22:13 . 2009-03-15 22:13 53,299 --a------ c:\windows\System32\pthreadVC.dll
2009-03-15 22:13 . 2009-03-15 22:13 34,064 --a------ c:\windows\System32\drivers\npf.sys
2009-03-11 10:45 . 2008-12-16 05:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-11 10:45 . 2008-12-16 07:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-11 10:45 . 2008-12-16 07:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-11 10:45 . 2008-12-16 07:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-11 10:44 . 2009-02-09 05:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-11 10:44 . 2008-11-27 06:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-08 15:59 . 2009-03-08 15:59 <DIR> d-------- C:\Python30
2009-03-08 13:16 . 2009-03-08 13:16 20,832 --a------ c:\users\Stale\test.exe
2009-03-07 17:22 . 2009-03-07 17:22 <DIR> d-------- c:\program files\MediaMonkey
2009-03-07 15:57 . 2009-03-07 15:57 <DIR> d-------- c:\users\Stale\AppData\Roaming\Apple Computer
2009-03-07 15:53 . 2009-03-07 15:55 <DIR> d-------- c:\users\All Users\Apple Computer
2009-03-07 15:53 . 2009-03-07 15:55 <DIR> d-------- c:\programdata\Apple Computer
2009-03-07 15:53 . 2009-03-07 15:54 <DIR> d-------- c:\program files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-01 13:23 --------- d-----w c:\program files\ESET
2009-04-01 06:18 --------- d-----w c:\programdata\Google Updater
2009-03-30 08:27 --------- d-----w c:\programdata\OrbNetworks
2009-03-30 08:27 --------- d-----w c:\program files\Winamp Remote
2009-03-29 19:04 --------- d-----w c:\program files\Last.fm
2009-03-29 14:29 --------- d-----w c:\users\Stale\AppData\Roaming\FrostWire
2009-03-29 13:28 --------- d---a-w c:\programdata\TEMP
2009-03-22 05:43 --------- d-----w c:\program files\Steam
2009-03-20 17:26 --------- d-----w c:\users\Stale\AppData\Roaming\uTorrent
2009-03-19 20:22 91,303 ----a-w c:\users\Stale\AppData\Roaming\nvModes.dat
2009-03-18 21:18 --------- d-----w c:\program files\WhatPulse
2009-03-14 19:40 --------- d-----w c:\program files\Common Files\Steam
2009-03-13 15:33 --------- d-----w c:\program files\Windows Mail
2009-03-13 11:39 --------- d-----w c:\program files\Winamp
2009-03-13 11:38 --------- d-----w c:\users\Stale\AppData\Roaming\Winamp
2009-03-13 11:22 --------- d-----w c:\program files\Opera 10 Preview
2009-03-08 14:12 140,216 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-02 20:29 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-15 15:14 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-15 15:14 --------- d-----w c:\program files\Huawei technologies
2009-02-08 20:49 --------- d-----w c:\program files\Opera
2009-02-08 17:14 --------- d-----w c:\program files\Trayit
2009-02-05 12:11 --------- d-----w c:\program files\Deer Hunter Tournament
2009-02-04 14:02 --------- d-----w c:\program files\LucasArts
2009-02-01 18:32 --------- d-----w c:\users\Stale\AppData\Roaming\Spotify
2009-02-01 18:17 --------- d-----w c:\program files\LingvoSoft
2008-11-29 17:58 45,672 ----a-w c:\users\Stale\uptime.exe
2008-10-18 18:20 22,328 ----a-w c:\users\Stale\AppData\Roaming\PnkBstrK.sys
2008-10-12 08:46 174 --sha-w c:\program files\desktop.ini
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-08-08 691656]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{32099AAC-C132-4136-9E9A-4E364A424E17}"= "c:\program files\DAEMON Tools Toolbar\DTToolbar.dll" [2008-08-08 691656]

[HKEY_CLASSES_ROOT\clsid\{32099aac-c132-4136-9e9a-4e364a424e17}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj.1]
[HKEY_CLASSES_ROOT\TypeLib\{3E288F79-03E4-4983-A48E-0D879B51FF19}]
[HKEY_CLASSES_ROOT\DTToolbar.ToolBandObj]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-06-05 23:16 2955264 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-06-05 23:16 2955264 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]
"WhatPulse"="c:\program files\WhatPulse\WhatPulse.exe" [2009-03-12 2763264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2008-02-23 118784]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-06-05 49168]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-08-06 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-06 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-06 81920]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-07-01 1447168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]

c:\users\Stale\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AWC (lower priority).lnk - c:\windows\System32\cmd.exe [2008-10-12 318976]
TK8 EasyNote.lnk - c:\users\Stale\AppData\Roaming\TK8 Software\TK8 EasyNote\EasyNote.exe [2009-01-18 439808]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-10-30 748072]
Google Calendar Sync.lnk - c:\program files\Google\Google Calendar Sync\GoogleCalendarSync.exe [2008-10-02 546288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2007-06-05 23:03 90112 c:\windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-08-14 20:05 98304 c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-10-18 19:51 4608 c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2008-02-11 20:13 166424 c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2008-02-11 20:13 133656 c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartWiHelper]
--a------ 2007-05-19 20:00 65536 c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B27403D7-FA33-4127-B9D0-D2AE3711D510}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{ABDD104E-677D-4F99-8CF6-04C227661637}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{D3B8E805-78BB-4507-B383-629FCE3C499D}c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= UDP:c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"UDP Query User{9E1A94C3-0136-40D9-8B7E-13EFBAC5AFCC}c:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"= TCP:c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe:Apache HTTP Server
"TCP Query User{C89E75BA-E328-4989-B00C-E149A6D72D23}c:\\program files\\winamp remote\\bin\\orbtray.exe"= UDP:c:\program files\winamp remote\bin\orbtray.exe:Orb
"UDP Query User{C27DDD41-2980-43A7-9F39-02191E5FCD0B}c:\\program files\\winamp remote\\bin\\orbtray.exe"= TCP:c:\program files\winamp remote\bin\orbtray.exe:Orb
"TCP Query User{D2007ACD-71D2-41FF-A181-1E146A00D6A5}c:\\program files\\soldier of fortune ii - double helix mp test\\sof2mp-test.exe"= UDP:c:\program files\soldier of fortune ii - double helix mp test\sof2mp-test.exe:SoF2MP-Test
"UDP Query User{3B7C0979-8491-43E9-9B05-CBA5AB416EA1}c:\\program files\\soldier of fortune ii - double helix mp test\\sof2mp-test.exe"= TCP:c:\program files\soldier of fortune ii - double helix mp test\sof2mp-test.exe:SoF2MP-Test
"TCP Query User{47E4DD16-319B-4063-BF13-26DDB8EDC68F}c:\\program files\\opera\\opera.exe"= UDP:c:\program files\opera\opera.exe:Opera Internet Browser
"UDP Query User{6559BFE3-E62F-48CE-99C8-8E643C7AE961}c:\\program files\\opera\\opera.exe"= TCP:c:\program files\opera\opera.exe:Opera Internet Browser
"TCP Query User{1EE237BB-0930-40D8-AE3C-2889BD2C2399}c:\\program files\\steam\\steamapps\\stale007\\half-life 2 deathmatch\\hl2.exe"= UDP:c:\program files\steam\steamapps\stale007\half-life 2 deathmatch\hl2.exe:hl2
"UDP Query User{BFB68912-8763-4B75-B96F-656B2C1E7D45}c:\\program files\\steam\\steamapps\\stale007\\half-life 2 deathmatch\\hl2.exe"= TCP:c:\program files\steam\steamapps\stale007\half-life 2 deathmatch\hl2.exe:hl2
"TCP Query User{5B999CBA-DF97-4453-BF33-8F03EA30A6CD}c:\\program files\\steam\\steamapps\\stale007\\synergy\\hl2.exe"= UDP:c:\program files\steam\steamapps\stale007\synergy\hl2.exe:hl2
"UDP Query User{5130812C-F36F-422C-9387-D118B7FCA9EB}c:\\program files\\steam\\steamapps\\stale007\\synergy\\hl2.exe"= TCP:c:\program files\steam\steamapps\stale007\synergy\hl2.exe:hl2
"{44E9A1F4-2535-498D-B35C-88431E581E35}"= UDP:c:\program files\ElcomSoft\Distributed Password Recovery\esdprs.exe:ElcomSoft Distributed Password Recovery Server
"{1B8D9DC9-B64E-4B91-BABB-50D3ECF90B80}"= TCP:c:\program files\ElcomSoft\Distributed Password Recovery\esdprs.exe:ElcomSoft Distributed Password Recovery Server
"{6AB657C8-D7C7-4E9E-A2A8-10EFBFEC5465}"= UDP:c:\program files\ElcomSoft\Distributed Password Recovery\esdpr.exe:Elcomsoft Distributed Password Recovery Console
"{E352A013-8271-4F33-9F2F-ADA25A97340A}"= TCP:c:\program files\ElcomSoft\Distributed Password Recovery\esdpr.exe:Elcomsoft Distributed Password Recovery Console
"{16596B39-6A34-4437-A2B8-9770EEA0F258}"= UDP:c:\program files\ElcomSoft\Distributed Password Recovery\esda.exe:ElcomSoft Distributed Agent
"{FF7D6F08-37E7-47C8-B2A0-0477FB5426FC}"= TCP:c:\program files\ElcomSoft\Distributed Password Recovery\esda.exe:ElcomSoft Distributed Agent
"{D504814C-D3E2-49D5-9A69-F427BA789BB3}"= UDP:12121:ElcomSoft Distributed Agents TCP Port
"{FCE9EF81-4DB1-41F6-8F5F-E6FCA418FCAB}"= Disabled:UDP:12121:ElcomSoft Distributed Agents TCP Port
"{E323552C-E633-437C-9175-067CC145470D}"= UDP:12122:ElcomSoft Distributed Password Recovery Console TCP Port
"{3E49B906-09B4-430E-8D0B-8D77C89E3C60}"= Disabled:UDP:12122:ElcomSoft Distributed Password Recovery Console TCP Port
"TCP Query User{7D185028-CCFF-4ADD-B7D5-8895D990A73B}c:\\program files\\elcomsoft\\distributed password recovery\\esdprs.exe"= UDP:c:\program files\elcomsoft\distributed password recovery\esdprs.exe:Elcomsoft Distributed Password Recovery Server
"UDP Query User{4324AA68-FC0D-4A90-A50C-514EF5E2B3B2}c:\\program files\\elcomsoft\\distributed password recovery\\esdprs.exe"= TCP:c:\program files\elcomsoft\distributed password recovery\esdprs.exe:Elcomsoft Distributed Password Recovery Server
"{C66BD6F2-B7B4-4081-8951-DF6CE7D44AA2}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{F5915DA6-3BFA-4AF1-83DF-9A83C6F961F1}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{26ED7866-8518-4C23-97D7-0C1B55FD5B63}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{CC565362-9923-4DBF-980F-3EB56028A67D}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{65EE1AF0-7B69-4DBE-A393-D83AF2DD9FFB}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare
"{6F937774-8E71-4E22-95BF-9DFE3540E802}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare
"{3123B138-E535-4974-83C6-E31EF1D3CDC4}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3sp.exe:Call of Duty® 4 - Modern Warfare Singleplayer
"{48CEF2A1-4238-4C27-BAC7-B2FA4F5BF870}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3sp.exe:Call of Duty® 4 - Modern Warfare Singleplayer
"{7693E39B-FD5C-4B6F-A322-03B1B92B8627}"= UDP:c:\program files\Adobe\Adobe Bridge\Bridge.exe:Adobe Bridge
"{9607807C-A7F7-493D-A24C-520EDC773795}"= TCP:c:\program files\Adobe\Adobe Bridge\Bridge.exe:Adobe Bridge
"{A12D116A-D3D5-4EEF-9A25-FE5F13562D88}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare
"{CBD000F9-E490-43F4-B3F5-56C3D6E28D87}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare
"{7E3049BD-4121-46E9-86C6-3DFCF3D0141D}"= UDP:28960:COD
"{0CFCB5DF-0AE3-4021-B95E-A52EE4B4585B}"= TCP:28960:COD2
"{A9B8A9AB-36D4-429B-86FD-89155D9862F3}"= TCP:20500:COD1
"{9D5BB576-1364-43A4-B080-314D2B1FBA9C}"= TCP:20510:COD3
"TCP Query User{65EBE9EF-5753-415B-89F7-E235A68382EC}c:\\program files\\ra2\\game.exe"= UDP:c:\program files\ra2\game.exe:Main executable for Red Alert 2
"UDP Query User{D5738E90-2135-439E-A313-A81D63402AC5}c:\\program files\\ra2\\game.exe"= TCP:c:\program files\ra2\game.exe:Main executable for Red Alert 2
"TCP Query User{CE70A86E-5A8E-461F-9F00-1FC1633F4EDB}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{5EC42A5A-E12C-41E6-8BF4-75FF32875CEA}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{DE766E50-EA5C-456A-8B2A-9349C3CFFE0E}c:\\program files\\electronic arts\\red alert 3\\data\\ra3_1.3.game"= UDP:c:\program files\electronic arts\red alert 3\data\ra3_1.3.game:Command & Conquer™ Red Alert™ 3
"UDP Query User{1AC6C8FE-39E8-4222-B110-C1A424A7DF0F}c:\\program files\\electronic arts\\red alert 3\\data\\ra3_1.3.game"= TCP:c:\program files\electronic arts\red alert 3\data\ra3_1.3.game:Command & Conquer™ Red Alert™ 3
"TCP Query User{9765D567-B990-4B34-B23A-F4DE8106712A}c:\\program files\\electronic arts\\eadm\\core.exe"= UDP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"UDP Query User{5E9FCABC-6B2C-451F-826E-E051CE7CFE64}c:\\program files\\electronic arts\\eadm\\core.exe"= TCP:c:\program files\electronic arts\eadm\core.exe:EA Download Manager
"TCP Query User{ABE3E02A-191C-4271-89DD-A80FAE917BB4}c:\\program files\\electronic arts\\red alert 3\\data\\ra3_1.4.game"= UDP:c:\program files\electronic arts\red alert 3\data\ra3_1.4.game:Command & Conquer™ Red Alert™ 3
"UDP Query User{1E10370A-AF01-437D-85BB-44257672A96A}c:\\program files\\electronic arts\\red alert 3\\data\\ra3_1.4.game"= TCP:c:\program files\electronic arts\red alert 3\data\ra3_1.4.game:Command & Conquer™ Red Alert™ 3
"{BE545104-E059-4E4C-93CD-E1447556F0E9}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{9A228175-4F76-4017-84CF-4825B92AD3E9}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{AAE73B77-2FCE-4FEB-B1FC-43FE56E18B85}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{B4430614-C2AD-4CD5-9836-6E79F4F3F3CE}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{6FE8C68F-2AB4-40A1-96F4-2AC1B5BFF5CD}c:\\program files\\spotify\\spotify.exe"= UDP:c:\program files\spotify\spotify.exe:Spotify
"UDP Query User{52FC7FFA-5CD2-4CD6-BEB2-2D5AD119DD0C}c:\\program files\\spotify\\spotify.exe"= TCP:c:\program files\spotify\spotify.exe:Spotify
"TCP Query User{8B574CD4-01F6-4199-A256-7AA7318FBEEF}c:\\windows\\system32\\javaw.exe"= UDP:c:\windows\system32\javaw.exe:Java Platform SE binary
"UDP Query User{423CF63A-DFC8-4A2D-B39C-BD1C4251C721}c:\\windows\\system32\\javaw.exe"= TCP:c:\windows\system32\javaw.exe:Java Platform SE binary
"{84537623-E225-4349-802B-6CE376B0289C}"= UDP:c:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"{7A666A85-173A-470D-8E2A-EF96F030048A}"= TCP:c:\program files\EA GAMES\Battlefield 2\BF2.exe:Battlefield 2
"TCP Query User{FE7A1E9E-5E95-4DCF-B1E6-622B38CE1201}c:\\program files\\steam\\steamapps\\common\\defcon\\defcon.exe"= UDP:c:\program files\steam\steamapps\common\defcon\defcon.exe:Defcon
"UDP Query User{6979A035-55DD-4964-B61D-FBF1B654E498}c:\\program files\\steam\\steamapps\\common\\defcon\\defcon.exe"= TCP:c:\program files\steam\steamapps\common\defcon\defcon.exe:Defcon
"TCP Query User{F46F2945-C8EA-466B-8F7C-44FD4946A70B}c:\\program files\\soldier of fortune ii - double helix mp test\\sof2mp-test.exe"= UDP:c:\program files\soldier of fortune ii - double helix mp test\sof2mp-test.exe:SoF2MP-Test
"UDP Query User{E44A8008-EF04-4506-8142-42460C0374F6}c:\\program files\\soldier of fortune ii - double helix mp test\\sof2mp-test.exe"= TCP:c:\program files\soldier of fortune ii - double helix mp test\sof2mp-test.exe:SoF2MP-Test
"TCP Query User{A112FC63-12E3-4765-B234-B285C71050F1}c:\\program files\\steam\\steamapps\\[email protected]\\synergy\\hl2.exe"= UDP:c:\program files\steam\steamapps\[email protected]\synergy\hl2.exe:hl2
"UDP Query User{E15356B6-0532-430A-9962-61DF98A2776E}c:\\program files\\steam\\steamapps\\[email protected]\\synergy\\hl2.exe"= TCP:c:\program files\steam\steamapps\[email protected]\synergy\hl2.exe:hl2
"TCP Query User{9B79C2D8-7B01-4276-9EE7-6B5B818DC7AD}c:\\program files\\steam\\steamapps\\[email protected]\\half-life 2 deathmatch\\hl2.exe"= UDP:c:\program files\steam\steamapps\[email protected]\half-life 2 deathmatch\hl2.exe:hl2
"UDP Query User{CC07A35C-28B9-4285-A3B2-4F18DC63B7F2}c:\\program files\\steam\\steamapps\\[email protected]\\half-life 2 deathmatch\\hl2.exe"= TCP:c:\program files\steam\steamapps\[email protected]\half-life 2 deathmatch\hl2.exe:hl2
"TCP Query User{09234F67-CAF7-4F6E-9A6E-1EBF69F0D9D2}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{B253BAFE-F244-4BE2-8755-BE137B78B842}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{19DB9FD4-596F-4ED3-9171-D2B965A8D691}c:\\program files\\opera 10 preview\\opera.exe"= UDP:c:\program files\opera 10 preview\opera.exe:Opera Internet Browser
"UDP Query User{6F2D38F8-2D7D-4BF7-ABFB-16696AB2C4E6}c:\\program files\\opera 10 preview\\opera.exe"= TCP:c:\program files\opera 10 preview\opera.exe:Opera Internet Browser
"TCP Query User{A1F90BC2-A837-4BB7-8393-833C12C0A4E2}c:\\program files\\steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"= UDP:c:\program files\steam\steamapps\[email protected]\counter-strike\hl.exe:Half-Life Launcher
"UDP Query User{CC71188C-CC9C-4E79-8D80-D2EC37BC98D6}c:\\program files\\steam\\steamapps\\[email protected]\\counter-strike\\hl.exe"= TCP:c:\program files\steam\steamapps\[email protected]\counter-strike\hl.exe:Half-Life Launcher
"TCP Query User{A2E83F04-EF07-40DE-9784-56C274DE65E9}c:\\program files\\videolan\\vlc\\vlc.exe"= UDP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{423D898B-5930-4D55-96ED-EEE670B13F32}c:\\program files\\videolan\\vlc\\vlc.exe"= TCP:c:\program files\videolan\vlc\vlc.exe:VLC media player
"TCP Query User{13836974-FB68-4B38-B06E-62DA7267706E}c:\\program files\\steam\\steamapps\\[email protected]\\the ship\\ship.exe"= UDP:c:\program files\steam\steamapps\[email protected]\the ship\ship.exe:ship
"UDP Query User{A6743BC8-CE67-48CE-95E4-7D536AE25040}c:\\program files\\steam\\steamapps\\[email protected]\\the ship\\ship.exe"= TCP:c:\program files\steam\steamapps\[email protected]\the ship\ship.exe:ship
"{4D5228CE-5E31-44ED-AF89-C722076F99A7}"= UDP:c:\program files\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{DF0203CE-1BB7-4A08-BC5E-8494A93D1BDB}"= TCP:c:\program files\Steam\steamapps\common\peggle extreme\PeggleExtreme.exe:Peggle Extreme
"{42937075-8CC8-467C-B625-10490B70243F}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{1A504D26-A083-4FD9-A787-42773F028C70}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb
"{97290D8E-BB3C-4D5D-A2B4-A6E1509C24E3}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{5DF5B4DE-637A-4D06-92A5-009B41CC5A19}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray
"{2974B9F9-2C95-4DD7-9DE9-3B18FF32CA77}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{772F70F0-5248-496B-98A1-7A2EE0A93DCB}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client
"{D5A8C095-1993-43C6-86B3-3E88A7B9248B}"= UDP:c:\users\Stale\Desktop\wlsetup-web.exe:wlsetup-web.exe
"{9C4594DD-7C66-4883-B85D-CC9FD36B12C4}"= TCP:c:\users\Stale\Desktop\wlsetup-web.exe:wlsetup-web.exe
"{0B5A5E76-1A5C-4325-AD7B-2281BF5C6F26}"= Disabled:UDP:c:\program files\ElcomSoft\Distributed Password Recovery\esda.exe:ElcomSoft Distributed Agent
"{60EFB308-B97A-4EF6-9814-1F885119F41F}"= Disabled:TCP:c:\program files\ElcomSoft\Distributed Password Recovery\esda.exe:ElcomSoft Distributed Agent
"{F557C282-DDD4-42F0-AF0F-72E82D7B6A14}"= Disabled:UDP:c:\program files\ElcomSoft\Distributed Password Recovery\esdpr.exe:Elcomsoft Distributed Password Recovery Console
"{59679446-A3D3-4A43-A970-2EA9466DFD50}"= Disabled:TCP:c:\program
files\ElcomSoft\Distributed Password Recovery\esdpr.exe:Elcomsoft Distributed Password Recovery Console "{F97E8137-B637-4666-8D0A-574A4C6FC95A}"= Disabled:UDP:c:\program files\ElcomSoft\Distributed Password Recovery\esdprs.exe:ElcomSoft Distributed Password Recovery Server "{E17A072D-99B3-4DA4-9A5E-7E2B85E67E66}"= Disabled:TCP:c:\program files\ElcomSoft\Distributed Password Recovery\esdprs.exe:ElcomSoft Distributed Password Recovery Server "{970BC649-102D-4F75-B526-81805D09B2DA}"= UDP:c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe:nodlogin.exe "{90C4786E-0D66-4857-B5F8-AC131550787D}"= TCP:c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe:nodlogin.exe [HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List] "c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3 R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-04-01 64160] R0 shpf;Sony HDD Protection Filter Driver;c:\windows\System32\drivers\shpf.sys [2008-10-12 21408] R1 bizVSerial;Franson VSerial;c:\windows\System32\drivers\bizVSerialNT.sys [2006-04-03 14949] R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [2008-07-01 34312] R1 Ext2fs;Ext2fs;c:\windows\System32\drivers\ext2fs.sys [2009-01-30 189888] R1 IfsMount;IfsMount;c:\windows\System32\drivers\ifsmount.sys [2009-01-30 60352] R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-07-01 468224] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632] R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\System32\drivers\btwl2cap.sys [2008-10-12 28464] R3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\System32\drivers\R5U870FLx86.sys [2008-10-12 75392] R3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\System32\drivers\R5U870FUx86.sys [2008-10-12 43904] R3 SFEP;Sony Firmware Extension Parser;c:\windows\System32\drivers\SFEP.sys [2008-10-12 9344] R3 
SPI;Sony Programmable I/O Control Device;c:\windows\System32\drivers\SonyPI.sys [2008-10-12 14720] R3 ti21sony;ti21sony;c:\windows\System32\drivers\ti21sony.sys [2008-10-12 812544] R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [2008-10-12 16896] S3 Franson GpsGate 2.0;Franson GpsGate 2.0;c:\program files\Franson\GpsGate 2.0\GpsGateService.exe [2008-09-12 258048] S3 npf;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [2009-03-15 34064] S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\System32\drivers\s125bus.sys [2007-04-24 83336] S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\System32\drivers\s125mdfl.sys [2007-04-24 15112] S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\System32\drivers\s125mdm.sys [2007-04-24 108680] S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s125mgmt.sys [2007-04-24 100488] S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\System32\drivers\s125obex.sys [2007-04-24 98696] S3 USBRDXP;USBRDXP;c:\windows\System32\drivers\USBRDXP.SYS [2008-12-20 37264] S3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-10-12 333088] --- Other Services/Drivers In Memory --- *Deregistered* - sptd [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc bthsvcs REG_MULTI_SZ BthServ WindowsMobile REG_MULTI_SZ wcescomm rapimgr LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{106e805f-0d65-11de-a5c8-001a80d24550}] \shell\AutoRun\command - WD_Windows_Tools\setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{41a28dd6-fb80-11dd-80c6-001a80d24550}] \shell\AutoRun\command - H:\AutoRun.exe 
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f895ab75-fb72-11dd-949c-001a80d24550}] \shell\AutoRun\command - H:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f895abaf-fb72-11dd-949c-001a80d24550}] \shell\AutoRun\command - H:\AutoRun.exe . Contents of the 'Scheduled Tasks' folder 2009-04-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 21:06] 2009-04-01 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-26 16:14] . - - - - ORPHANS REMOVED - - - - HKLM-Run-NodLogin - c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe MSConfigStartUp-NodLogin - c:\program files\ESET\ESET NOD32 Antivirus\nodlogin.exe . ------- Supplementary Scan ------- . uStart Page = about:blank IE: E&ksporter til Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm IE: Send page to &Bluetooth Device... 
- c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm FF - ProfilePath - c:\users\Stale\AppData\Roaming\Mozilla\Firefox\Profiles\ck69lspw.default\ FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin2.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin3.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin4.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin5.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin6.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\npqtplugin7.dll FF - plugin: c:\program files\Opera 10 Preview\program\plugins\NPSWF32.dll ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".no"); . ************************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-01 18:11:54 Windows 6.0.6001 Service Pack 1 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'lsass.exe'(728) c:\windows\system32\psqlpwd.dll c:\program files\Protector Suite QL\homefus2.dll c:\program files\Protector Suite QL\infra.dll - - - - - - - > 'Explorer.exe'(4736) c:\program files\Protector Suite QL\farchns.dll c:\program files\Protector Suite QL\infra.dll c:\windows\system32\btmmhook.dll . ------------------------ Other Running Processes ------------------------ . 
c:\windows\System32\audiodg.exe c:\program files\Protector Suite QL\upeksvr.exe c:\windows\System32\wlanext.exe c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe c:\windows\System32\PnkBstrA.exe c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe c:\windows\System32\stacsv.exe c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe c:\program files\Sony\VAIO Event Service\VESMgr.exe c:\windows\System32\WUDFHost.exe c:\windows\System32\drivers\XAudio.exe c:\program files\Sony\VAIO Event Service\VESMgrSub.exe c:\windows\System32\igfxext.exe c:\windows\System32\igfxsrvc.exe c:\windows\System32\wbem\unsecapp.exe c:\program files\Sony\VAIO Power Management\SPMgr.exe c:\windows\System32\conime.exe c:\program files\AWC\AWC.exe c:\program files\Protector Suite QL\psqltray.exe c:\program files\Apoint\ApMsgFwd.exe c:\program files\Apoint\Apvfb.exe c:\program files\Apoint\ApntEx.exe c:\users\Stale\AppData\Roaming\TK8 Software\TK8 EasyNote\Note.exe c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe c:\windows\System32\dllhost.exe . ************************************************************************** . Completion time: 2009-04-01 18:17:47 - machine was rebooted ComboFix-quarantined-files.txt 2009-04-01 16:17:44 Pre-Run: 33,658,544,128 bytes free Post-Run: 33,712,840,704 bytes free 390 --- E O F --- 2009-03-15 18:35:21 Har gjort det nå, og holder på søke gjennom. Lenke til kommentar
Ståle (author) wrote on 1 April 2009:
ComboFix actually fixed it. Is it possible to find out what it was?
Bruker-158599 wrote on 1 April 2009 (edited 30 July 2010 by riskake90)
snippsat wrote on 1 April 2009 (edited):
It was a rootkit, "Generic RootKit.x". The log looks fine now. You can remove ComboFix by typing combofix /u in the Run window. That command deletes the quarantined files and the backups, resets the System Restore folder, etc. Check whether your software is up to date: Secunia. Surf safely.
Edited 1 April 2009 by SNIPPSAT
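One thing the log above still shows is worth acting on after the cleanup: the MountPoints2 keys under HKCU cache an AutoRun handler per volume, and three of them point at H:\AutoRun.exe. That cache is exactly what an autorun.inf worm on a USB stick relies on to be relaunched when the drive is double-clicked or AutoPlay fires. The script below is an added example, not code from this thread, from ComboFix or from any of the posters. It lists the cached handlers for the current user, flags the ones that point at a drive root or a relative path, removes them, and then sets NoDriveTypeAutoRun so Explorer ignores autorun.inf for every drive type. It assumes Windows PowerShell with the Registry provider, that it is run as the affected user (so HKCU is the right hive) and from an elevated prompt (so the HKLM policy value can be written); the registry paths and the 0xFF mask are the standard documented ones.

```powershell
# Added example (not from the thread or from ComboFix): inspect and neutralise the
# MountPoints2 AutoRun handlers ComboFix listed, then disable AutoRun globally.
# Assumes Windows PowerShell with the Registry provider; run as the affected user
# so HKCU is the right hive, and elevated so the HKLM policy value can be written.

$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

# 1. List every cached AutoRun command. Each subkey of MountPoints2 is a volume GUID
#    (the same {...} keys ComboFix printed); the command Explorer runs on double-click
#    or AutoPlay is the default value of <guid>\shell\AutoRun\command.
$handlers = Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue | ForEach-Object {
    $cmdKey = "$($_.PSPath)\shell\AutoRun\command"
    if (Test-Path -Path $cmdKey) {
        [pscustomobject]@{
            Volume  = $_.PSChildName
            Command = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
    }
}
$handlers | Format-Table -AutoSize

# Anything that launches an executable straight from a drive root (H:\AutoRun.exe in
# the log) or uses a relative path (WD_Windows_Tools\setup.exe) deserves a look before
# the drive is ever opened again.
$handlers |
    Where-Object { $_.Command -match '^[A-Z]:\\[^\\]+\.exe$' -or $_.Command -notmatch '^[A-Z]:\\' } |
    ForEach-Object { Write-Warning "Suspicious AutoRun handler for $($_.Volume): $($_.Command)" }

# 2. Remove the cached shell\ subkeys so a re-inserted volume cannot reuse them.
Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue | ForEach-Object {
    $shellKey = "$($_.PSPath)\shell"
    if (Test-Path -Path $shellKey) { Remove-Item -Path $shellKey -Recurse -Force }
}

# 3. Tell Explorer to ignore autorun.inf on every drive type. 0xFF sets every bit of
#    the drive-type mask; the machine-wide policy wins over the per-user one.
foreach ($hive in 'HKLM', 'HKCU') {
    $policyKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path -Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}
```

Two caveats. MountPoints2 is per user, so the first two steps have to be repeated under each profile that has used the drive. And on Vista and XP of this era the NoDriveTypeAutoRun value was only honoured correctly once Microsoft's AutoRun update (KB967715) was installed, so the policy alone is not enough on an unpatched machine. If H:\ still carries an autorun.inf, open it in a hex viewer rather than by double-clicking the drive: Conficker's version is padded with junk bytes and ends in a rundll32 call on a DLL hidden under RECYCLER, which is what the original post's "autorun.inf that resembles the one Conficker creates" usually turns out to be.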