
List:       full-disclosure
Subject:    Re: [Full-Disclosure] Transamericana.org
From:       Antonio Henrique Oliveira <tat () postmark ! net>
Date:       2005-01-29 15:17:24
Message-ID: 41FBA904.3040505 () postmark ! net

Michael Rutledge wrote:
> This may be a stretch (a large stretch), but someone could have
> planted something on your Windows box that is using pings as a covert
> channel (given that person has also taken control of the webserver
> that hosts transamericana.org and can watch the connection logs).  Do
> you have a capture of the pings for someone to do a frequency analysis
> on?
> 
> Also, you may want to post a list of your currently running processes
> in hopes someone may spot something that looks wrong.
> 
> -Michael
> 
> On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
> <tat@postmark.net> wrote:
> 
>>Gregh wrote:
>>
>>>----- Original Message -----
>>>From: "Antonio Henrique Oliveira" <tat@postmark.net>
>>>To: <full-disclosure@lists.netsys.com>
>>>Sent: Saturday, January 29, 2005 9:46 PM
>>>Subject: [Full-Disclosure] Transamericana.org
>>>
>>>>Dear all,
>>>>
>>>>Please excuse me if this is a bit off-topic, but since this is the only
>>>>IT related mailing list I subscribe to (apart from Secunia's) I decided to
>>>>post here.
>>>>
>>>>For some time now (I cannot determine exactly when this started to
>>>>happen), my workstation (WinXP SP2 PT, fully patched) has been sending
>>>>out ping requests to www.transamericana.org when I log in to the machine
>>>>(right at the beginning of the login process, and only at that time).
>>>>
>>>
>>>Perchance is your DNS hosted there? Eg, your ISP's DNS servers?
>>>
>>>Greg.
>>
>>No. The Linux box runs bind for the internal (and external) networks and
>>does direct queries to the root servers, not using our ISP's DNS. The
>>internal network is configured with DHCP and the DNS server for all
>>hosts is set to the Linux box's internal address. Also, my workstation
>>(and there are 5 more) is the only one doing this.
>>
>>Regards,
>>--
>>Anto'nio Henrique A. Proenca de Oliveira
>>
The only records I have from the pings are from yesterday (when I
started logging them).
It sends three pings (not replied to) to www.transamericana.org during
the login process and then stops until I log in again (either by reboot or
logoff/login).
Attached are two files with results from "HijackThis", as per Gregh's
suggestion. They show the running processes and the list of programs
executed during login.

Regards,
-- 
Anto'nio Henrique A. Proenca de Oliveira
R. 3 - Lote 22 - Loteam. Pinhel
4805-078 Caldas das Taipas - Portugal
T +351 253 576 888 / Work +351 255 862 416
M +351 96 323 1169 / tat@postmark.net

"Although we can never go back, like an old sweet song with a strong 
refrain, memories remain" - (Someone)

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
$Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $

["hijackthis.txt" (text/plain)]

Logfile of HijackThis v1.99.0
Scan saved at 12:34:50, on 29-01-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\apcupsd\bin\apcupsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Iomega\AutoDisk\ADUserMon.exe
C:\Programas\Iomega\DriveIcons\ImgIcon.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Mozilla Thunderbird\thunderbird.exe
C:\Programas\PuTTY\pageant.exe
C:\Programas\One Guy Coding\Automachron\achron.exe
C:\Programas\OpenOffice.org1.1.4\program\soffice.exe
C:\Programas\Microsoft Office\Office\2070\msoffice.exe
C:\Programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\ah.HOMES\Definições locais\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.postmark.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.citydesk.pt
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Programas\Outlook Express\msimn.exe"
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.2:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ADUserMon] C:\Programas\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Apcupsd] "c:\apcupsd\bin\apcupsd.exe" /servicehelper
O4 - HKLM\..\Run: [Deskup] C:\Programas\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Programas\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [WATCHPNP_Xerox] watchPnp.exe Xerox
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programas\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Automachron.lnk = C:\Programas\One Guy Coding\Automachron\achron.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Programas\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Mozilla Thunderbird (Safe Mode).lnk = C:\Programas\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: Pageant.lnk = C:\Programas\PuTTY\pageant.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.citydesk.pt
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093519773919
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homes.local
O17 - HKLM\Software\..\Telephony: DomainName = homes.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homes.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homes.local
O23 - Service: Apcupsd UPS Server - Unknown - c:\apcupsd\bin\apcupsd.exe
O23 - Service: FAH@C:+Programas+FOLDING+fah502-console - Stanford University - C:\Programas\FOLDING\fah502-console.exe
O23 - Service: Iomega Activity Disk2 - Unknown -  (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server Version 4 - RealVNC Ltd. - C:\Programas\RealVNC\VNC4\WinVNC4.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Programas\Iomega\AutoDisk\ADService.exe


["startuplist.txt" (text/plain)]

StartupList report, 29-01-2005, 12:38:34
StartupList version: 1.52.2
Started from : C:\Documents and Settings\ah.HOMES\Definições locais\Temp\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\apcupsd\bin\apcupsd.exe
C:\WINDOWS\System32\cisvc.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Programas\Iomega\AutoDisk\ADUserMon.exe
C:\Programas\Iomega\DriveIcons\ImgIcon.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Mozilla Thunderbird\thunderbird.exe
C:\Programas\PuTTY\pageant.exe
C:\Programas\One Guy Coding\Automachron\achron.exe
C:\Programas\OpenOffice.org1.1.4\program\soffice.exe
C:\Programas\Microsoft Office\Office\2070\msoffice.exe
C:\Programas\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\ah.HOMES\Definições locais\Temp\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\ah.HOMES\Menu Iniciar\Programas\Arranque]
Automachron.lnk = C:\Programas\One Guy Coding\Automachron\achron.exe
OpenOffice.org 1.1.4.lnk = C:\Programas\OpenOffice.org1.1.4\program\quickstart.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque]
Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk = C:\Programas\Microsoft Office\Office\OSA9.EXE
Mozilla Thunderbird (Safe Mode).lnk = C:\Programas\Mozilla Thunderbird\thunderbird.exe
Pageant.lnk = C:\Programas\PuTTY\pageant.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AdaptecDirectCD = "C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
ADUserMon = C:\Programas\Iomega\AutoDisk\ADUserMon.exe
Apcupsd = "c:\apcupsd\bin\apcupsd.exe" /servicehelper
Deskup = C:\Programas\Iomega\DriveIcons\deskup.exe /IMGSTART
Iomega Drive Icons = C:\Programas\Iomega\DriveIcons\ImgIcon.exe
iTunesHelper = C:\Programas\iTunes\iTunesHelper.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
QuickTime Task = "C:\Programas\QuickTime\qttask.exe" -atboottime
Synchronization Manager = %SystemRoot%\system32\mobsync.exe /logon
WATCHPNP_Xerox = watchPnp.exe Xerox

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\Programas\Yahoo!\Messenger\ypager.exe -quiet

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScriptFile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Editor de registo'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093519773919


[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37578.0401967593

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

abp480n5: System32\DRIVERS\ABP480N5.SYS (system)
Intel(r) 82801 - serviço de instalação do controlador de áudio (WDM): system32\drivers\ac97intc.sys (manual start)
Controlador ACPI da Microsoft: System32\DRIVERS\ACPI.sys (system)
adpu160m: System32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
Ambiente de suporte com funcionalidades de rede AFD: \SystemRoot\System32\drivers\afd.sys (system)
Filtro de barramento Intel AGP: System32\DRIVERS\agp440.sys (system)
Filtro de barramento Compaq AGP: System32\DRIVERS\agpCPQ.sys (system)
Aha154x: System32\DRIVERS\aha154x.sys (system)
aic78u2: System32\DRIVERS\aic78u2.sys (system)
aic78xx: System32\DRIVERS\aic78xx.sys (system)
Alerta: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Serviço de gateway de camada de aplicação: %SystemRoot%\System32\alg.exe (manual start)
AliIde: System32\DRIVERS\aliide.sys (system)
Filtro de barramento ALI AGP: System32\DRIVERS\alim1541.sys (system)
Controlador de filtro de barramento AMD AGP: System32\DRIVERS\amdagp.sys (system)
amsint: System32\DRIVERS\amsint.sys (system)
Apcupsd UPS Server: "c:\apcupsd\bin\apcupsd.exe" /service (autostart)
Gestão de aplicações: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
asc: System32\DRIVERS\asc.sys (system)
asc3350p: System32\DRIVERS\asc3350p.sys (system)
asc3550: System32\DRIVERS\asc3550.sys (system)
Controlador de média assíncrono de RAS: System32\DRIVERS\asyncmac.sys (manual start)
Controlador de disco rígido IDE/ESDI padrão: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\atievxx.exe (autostart)
atimpab: System32\DRIVERS\atimpab.sys (manual start)
ATM - protocolo para cliente ARP: System32\DRIVERS\atmarpc.sys (manual start)
Áudio do Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controladores de stub de áudio: System32\DRIVERS\audstub.sys (manual start)
Serviço de transferência inteligente em fundo: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Browser de computador: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Bluetooth Audio: System32\DRIVERS\btaudio.sys (manual start)
Bluetooth Virtual Communications Driver: System32\DRIVERS\btport.sys (manual start)
Bluetooth LAN Access Server: System32\DRIVERS\btwdndis.sys (manual start)
WIDCOMM USB Bluetooth Driver: System32\Drivers\btwusb.sys (manual start)
cbidf: System32\DRIVERS\cbidf2k.sys (system)
Descodificador de captura fechada: System32\DRIVERS\CCDECODE.sys (manual start)
cd20xrnt: System32\DRIVERS\cd20xrnt.sys (system)
Controlador de CD-ROM: System32\DRIVERS\cdrom.sys (system)
Serviço de indexação: C:\WINDOWS\System32\cisvc.exe (autostart)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
CmdIde: System32\DRIVERS\cmdide.sys (system)
Aplicação de sistema COM+: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cpqarray: System32\DRIVERS\cpqarray.sys (system)
Serviços criptográficos: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
dac2w2k: System32\DRIVERS\dac2w2k.sys (system)
dac960nt: System32\DRIVERS\dac960nt.sys (system)
DCOM - Lançador de processo de servidor: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Team MFP Comm Driver: System32\Drivers\DgiVecp.sys (autostart)
Cliente DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador de disco: System32\DRIVERS\disk.sys (system)
Serviço administrativo de gestão de discos lógicos: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Controlador do gestor de disco lógico: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Gestor de discos lógicos: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft - sintetizador Kernel DSL: system32\drivers\DMusic.sys (manual start)
Cliente DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
dpti2o: System32\DRIVERS\dpti2o.sys (system)
Microsoft Kernel DRM Descrambler Filter: system32\drivers\drmkaud.sys (manual start)
Intel(R) - controlador de adaptador PRO: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Serviço de relato de erros: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Creative AudioPCI (ES1371,ES1373) (WDM): system32\drivers\es1371mp.sys (manual start)
Registo de eventos: %SystemRoot%\system32\services.exe (autostart)
Sistema de eventos do COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
FAH@C:+Programas+FOLDING+fah502-console: C:\Programas\FOLDING\fah502-console -svcstart (manual start)
Compatibilidade de 'Mudança rápida de utilizador': %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Controlador de disquete: System32\DRIVERS\fdc.sys (manual start)
D-Link DFE-530TX PCI Fast Ethernet Adapter Driver: System32\DRIVERS\dlkfet5b.sys (manual start)
Controlador de unidades de disquetes: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
SEMC DSS-20 SyncStation Serial Converter Driver: system32\drivers\ftdibus.sys (manual start)
Controlador do gestor de volume: System32\DRIVERS\ftdisk.sys (system)
Lundinova Filter Driver: system32\drivers\ftlund.sys (manual start)
SEMC DSS-20 SyncStation Driver: system32\drivers\ftser2k.sys (manual start)
Enumerador de portas de jogos: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Classificador de pacotes genérico: System32\DRIVERS\msgpc.sys (manual start)
hardlock: \??\C:\WINDOWS\System32\drivers\hardlock.sys (autostart)
Haspnt: \??\C:\WINDOWS\System32\drivers\Haspnt.sys (autostart)
Ajuda e suporte: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Acesso a dispositivos de interface humana: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
hpn: System32\DRIVERS\hpn.sys (system)
hpt3xx: System32\DRIVERS\hpt3xx.sys (system)
HTTP: System32\Drivers\HTTP.sys (manual start)
SSL de HTTP: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i2omp: System32\DRIVERS\i2omp.sys (system)
Teclado i8042 e controlador de porta de rato PS/2: System32\DRIVERS\i8042prt.sys (system)
i81x: System32\DRIVERS\i81xnt5.sys (manual start)
iAimFP0: System32\DRIVERS\wADV01nt.sys (manual start)
iAimFP1: System32\DRIVERS\wADV02NT.sys (manual start)
iAimFP2: System32\DRIVERS\wADV05NT.sys (manual start)
iAimFP3: System32\DRIVERS\wSiINTxx.sys (manual start)
iAimFP4: System32\DRIVERS\wVchNTxx.sys (manual start)
iAimTV0: System32\DRIVERS\wATV01nt.sys (manual start)
iAimTV1: System32\DRIVERS\wATV02NT.sys (manual start)
iAimTV2: System32\DRIVERS\wATV03nt.sys (manual start)
iAimTV3: System32\DRIVERS\wATV04nt.sys (manual start)
iAimTV4: System32\DRIVERS\wCh7xxNT.sys (manual start)
Controlador de filtro de gravação de CD: System32\DRIVERS\imapi.sys (system)
Serviço COM de gravação de CD de IMAPI: C:\WINDOWS\System32\imapi.exe (manual start)
ini910u: System32\DRIVERS\ini910u.sys (system)
IntelIde: System32\DRIVERS\intelide.sys (system)
Iomega Devices Disk Filter Services: System32\DRIVERS\iomdisk.sys (system)
Iomega Activity Disk2: "" (manual start)
Iomega App Services: "C:\PROGRA~1\Iomega\System32\AppServices.exe" (manual start)
Controlador de IPv6 do Firewall do Windows: system32\drivers\ip6fw.sys (manual start)
Controlador de filtração de tráfego IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Controlador de túnel IP-em-IP: System32\DRIVERS\ipinip.sys (manual start)
Tradutor de endereços de rede IP: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Programas\iPod\bin\iPodService.exe (manual start)
Controlador IPSEC: System32\DRIVERS\ipsec.sys (system)
Serviço enumerador IR: System32\DRIVERS\irenum.sys (manual start)
Controlador de barramento PnP ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Controlador de classe de teclado: System32\DRIVERS\kbdclass.sys (system)
Microsoft - misturador de áudio Kernel Wave: system32\drivers\kmixer.sys (manual start)
Servidor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Estação de trabalho: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Programa auxiliar TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
Mensageiro: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Partilha remota do ambiente de trabalho do NetMeeting: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Controlador de classe de rato: System32\DRIVERS\mouclass.sys (system)
mraid35x: System32\DRIVERS\mraid35x.sys (system)
Redireccionador de cliente WebDav: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
DTC (Coordenador de transacções distribuídas): C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Proxy da Microsoft para serviços de fluxo: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Proxy da Microsoft para gestão de qualidade de fluxo: system32\drivers\MSPQM.sys (manual start)
Controlador BIOS Microsoft System Management: System32\DRIVERS\mssmbios.sys (manual start)
Conversor da Microsoft para fluxos Tee/Sink-to-Sink: system32\drivers\MSTEE.sys (manual start)
Microsoft - controlador MPU-401 MIDI UART: system32\drivers\msmpu401.sys (manual start)
MySQL: C:\mysql\bin\mysqld-max-nt MySQL (disabled)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NAVAP: \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys (manual start)
NAVAPEL: \??\C:\Programas\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS (autostart)
NAVENG: \??\C:\PROGRA~1\FICHEI~1\SYMANT~1\VIRUSD~1\20040728.003\NAVENG.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\FICHEI~1\SYMANT~1\VIRUSD~1\20040728.003\NAVEX15.sys (manual start)
Ligação de TV/Vídeo Microsoft: System32\DRIVERS\NdisIP.sys (manual start)
Controlador TAPI NDIS de acesso remoto: System32\DRIVERS\ndistapi.sys (manual start)
Protocolo E/S de modo de utilizador NDIS: System32\DRIVERS\ndisuio.sys (manual start)
Controlador WAN NDIS de acesso remoto: System32\DRIVERS\ndiswan.sys (manual start)
Interface de NetBIOS: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Rede DDE: %SystemRoot%\system32\netdde.exe (disabled)
Rede DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Início de sessão de rede: %SystemRoot%\System32\lsass.exe (autostart)
Ligações de rede: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Identificação da localização na rede (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Armazenamento amovível: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
Controlador de filtração de tráfego IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Controlador de reencaminhamento de tráfego IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
Controlador de processador Intel PentiumIII: System32\DRIVERS\p3.sys (system)
Controlador de porta paralela: System32\DRIVERS\parport.sys (manual start)
Controlador de barramento PCI: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Video Blaster WebCam 5 (WDM): System32\DRIVERS\PD100Vid.sys (manual start)
perc2: System32\DRIVERS\perc2.sys (system)
perc2hib: System32\DRIVERS\perc2hib.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Serviços IPSEC: %SystemRoot%\System32\lsass.exe (manual start)
Controlador de filtro Legacy de porta paralela da Iomega: System32\DRIVERS\ppa3.sys (system)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Controlador do processador: System32\DRIVERS\processr.sys (system)
Armazenamento protegido: %SystemRoot%\system32\lsass.exe (autostart)
Controlador de ligações directas por porta paralela: System32\DRIVERS\ptilink.sys (manual start)
ql1080: System32\DRIVERS\ql1080.sys (system)
Ql10wnt: System32\DRIVERS\ql10wnt.sys (system)
ql12160: System32\DRIVERS\ql12160.sys (system)
ql1240: System32\DRIVERS\ql1240.sys (system)
ql1280: System32\DRIVERS\ql1280.sys (system)
Controlador de ligação automática de acesso remoto: System32\DRIVERS\rasacd.sys (system)
Gestor de ligação automática de acesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Gestor de ligação de acesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador de acesso remoto PPPOE: System32\DRIVERS\raspppoe.sys (manual start)
Paralelo directo: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Controlador de redireccionador de dispositivo de servidor de terminais: System32\DRIVERS\rdpdr.sys (manual start)
Gestor de sessões de ajuda do 'Ambiente de trabalho remoto': C:\WINDOWS\system32\sessmgr.exe (manual start)
Controlador de filtro de reprodução de áudio digital de CD: System32\DRIVERS\redbook.sys (system)
Encaminhamento e acesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Registo remoto: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Microsoft Legacy Modem Driver: System32\Drivers\RootMdm.sys (manual start)
Localizador RPC (Remote Procedure Call): %SystemRoot%\System32\locator.exe (autostart)
Chamada de procedimento remoto (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Controlador NT de placa Fast Ethernet baseada na Realtek RTL8139(A/B/C): System32\DRIVERS\RTL8139.SYS (manual start)
600 CU Still Image Device Service: system32\drivers\usbscan.sys (manual start)
Gestor de contas de segurança: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (disabled)
Programador de tarefas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Início de sessão secundário: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notificação de evento de sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Controlador de filtro Serenum: System32\DRIVERS\serenum.sys (manual start)
Controlador de porta série: System32\DRIVERS\serial.sys (system)
Firewall do Windows/Partilha de ligação à Internet (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Detecção de hadrware da shell: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Filtro de barramento SIS AGP: System32\DRIVERS\sisagp.sys (system)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Borland Socket Server: C:\Programas\Borland Socket Server\scktsrvc.exe (disabled)
Sony USB Filter Driver (SONYPVU1): System32\DRIVERS\SONYPVU1.SYS (manual start)
Sparrow: System32\DRIVERS\sparrow.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Spooler de impressão: %SystemRoot%\system32\spoolsv.exe (autostart)
Controlador do filtro de restauro do sistema: System32\DRIVERS\sr.sys (system)
Serviço de 'Restauro do sistema': %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Serviço de identificação SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Controlador de barramento por software: System32\DRIVERS\swenum.sys (manual start)
Microsoft - sintetizador Kernel GS Wavetable: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{9F4E95ED-F4D3-4059-997C-D616948B14CA} (manual start)
symc810: System32\DRIVERS\symc810.sys (system)
symc8xx: System32\DRIVERS\symc8xx.sys (system)
sym_hi: System32\DRIVERS\sym_hi.sys (system)
sym_u3: System32\DRIVERS\sym_u3.sys (system)
Microsoft - dispositivo de áudio do kernel do sistema: system32\drivers\sysaudio.sys (manual start)
Alertas e registos de desempenho: %SystemRoot%\system32\smlogsvc.exe (autostart)
Dispositivos telefónicos: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Controlador do protocolo TCP/IP: System32\DRIVERS\tcpip.sys (system)
Controlador de dispositivo de terminal: System32\DRIVERS\termdd.sys (system)
Serviços de terminal: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Temas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tiger Jet PCI 128K ISDN Adapter: System32\DRIVERS\tjisdn.sys (manual start)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
TosIde: System32\DRIVERS\toside.sys (system)
Cliente de Distributed Link Tracking: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: System32\DRIVERS\ultra.sys (system)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Controlador de actualização microcódigo: System32\DRIVERS\update.sys (manual start)
Anfitrião de dispositivos Universal Plug and Play: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Fonte de alimentação ininterrupta: %SystemRoot%\System32\ups.exe (disabled)
Concentrador activado por USB2: System32\DRIVERS\usbhub.sys (manual start)
Classe de impressoras USB Microsoft: System32\DRIVERS\usbprint.sys (manual start)
Controlador de armazenamento de massa USB: System32\DRIVERS\USBSTOR.SYS (manual start)
Controlador miniport do controlador Microsoft USB universal: System32\DRIVERS\usbuhci.sys (manual start)
VGA  - controlador de visualização.: \SystemRoot\System32\drivers\vga.sys (system)
Filtro de barramento VIA AGP: System32\DRIVERS\viaagp.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
Cópia sombra de volume: %SystemRoot%\System32\vssvc.exe (disabled)
Hora do Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Controlador ARP IP de acesso remoto: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WDM Virtual Wave Driver (WDM): system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WMI (Instrumento de gestão do Windows): %systemroot%\system32\svchost.exe -k netsvcs (autostart)
VNC Server Version 4: "C:\Programas\RealVNC\VNC4\WinVNC4.exe" -service (autostart)
Serviço do número de série de leitores de multimédia portáteis: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Extens. contr. da Windows Management Instrumentation: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Adaptador de desempenho WMI: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Centro de segurança: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Actualizações automáticas: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Configuração zero sem fios: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Serviço de fornecimento de rede: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Iomega Active Disk: "C:\Programas\Iomega\AutoDisk\ADService.exe" (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 38.332 bytes
Report generated in 0,320 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

