GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-10-15 20:34:10 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 rev. Running: m0gyv4qv.exe; Driver: C:\DOCUME~1\KYSIAC~1\USTAWI~1\Temp\kxpcyaod.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71B83A0, 0x83C195, 0xE8000020] ? C:\DOCUME~1\KYSIAC~1\USTAWI~1\Temp\kxpcyaod.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 01D99DD2 .text C:\WINDOWS\System32\svchost.exe[1272] NETAPI32.dll!NetpwPathCanonicalize 6FF4A3B1 5 Bytes JMP 01D99D72 .text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!NtQueryInformationProcess 7C90D7E0 5 Bytes JMP 00869DD2 ---- Processes - GMER 1.0.15 ---- Library C:\Documents and Settings\Kysiaczek\Pulpit\m0gyv4qv.exe (*** hidden *** ) @ C:\Documents and Settings\Kysiaczek\Pulpit\m0gyv4qv.exe [1832] 0x00400000 ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\tlntsvr.exe (*** hidden *** ) [DISABLED] TlntSvr <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg@Description Serwer Rejestru Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths Reg HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration? Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@DisplayNameFile %SystemRoot%\System32\els.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@DisplayNameID 257 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@File %SystemRoot%\System32\config\SecEvent.Evt Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@MaxSize 524288 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@PrimaryModule Security Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@Retention 604800 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@Sources Spooler?ServiceModel 4.0.0.0?Security Account Manager?SC Manager?NetDDE Object?LSA?DS?Security? Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security@RestrictGuestAccess 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 4.0.0.0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 4.0.0.0@TypesSupported 31 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 4.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 4.0.0.0@CategoryCount 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 4.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MUI\0409\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 4.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MUI\0409\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 4.0.0.0@EventSourceFlags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\programy\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x94 0x2A 0x42 0x6E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@Type 16 Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@Start 4 Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@ImagePath C:\WINDOWS\system32\tlntsvr.exe Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@DisplayName Telnet Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@DependOnService RPCSS?TCPIP?NTLMSSP? Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@DependOnGroup Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr@Description Umo?liwia u?ytkownikowi zdalnemu zalogowanie si? na tym komputerze i obs?uguje rozmaitych klient?w us?ugi Telnet TCP/IP, w tym komputery z systemami UNIX i Windows. Je?li ta us?uga zostanie zatrzymana, funkcja dost?pu u?ytkownik?w zdalnych do program?w mo?e sta? si? niedost?pna. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Library C:\WINDOWS\system32\wbem\wmiaprpl.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Open WmiOpenPerfData Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Collect WmiCollectPerfData Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Close WmiClosePerfData Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Object List 4102 4102 4108 4108 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Counter 4114 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@Last Help 4115 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Counter 4102 Reg HKLM\SYSTEM\CurrentControlSet\Services\WmiApRpl\Performance@First Help 4103 Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg@Description Serwer Rejestru Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Control\SecurePipeServers\winreg\AllowedPaths@Machine System\CurrentControlSet\Control\ProductOptions?System\CurrentControlSet\Control\Print\Printers?System\CurrentControlSet\Control\Server Applications?System\CurrentControlSet\Services\Eventlog?Software\Microsoft\OLAP Server?Software\Microsoft\Windows NT\CurrentVersion?System\CurrentControlSet\Control\ContentIndex?System\CurrentControlSet\Control\Terminal Server?System\CurrentControlSet\Control\Terminal Server\UserConfig?System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration? Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@DisplayNameFile %SystemRoot%\System32\els.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@DisplayNameID 257 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@File %SystemRoot%\System32\config\SecEvent.Evt Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@MaxSize 524288 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@PrimaryModule Security Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@Retention 604800 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@Sources Spooler?ServiceModel 4.0.0.0?Security Account Manager?SC Manager?NetDDE Object?LSA?DS?Security? Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security@RestrictGuestAccess 1 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryCount 9 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security@TypesSupported 28 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Channel 5120 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Device 4352 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Directory 4368 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Event 4384 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@File 4416 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Job 5136 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Key 4432 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Port 4464 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Process 4480 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Profile 4496 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Section 4512 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Thread 4560 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Timer 4576 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Token 4592 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@Type 4608 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 4.0.0.0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 4.0.0.0@TypesSupported 31 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 4.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 4.0.0.0@CategoryCount 3 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 4.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MUI\0409\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 4.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MUI\0409\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\ServiceModel 4.0.0.0@EventSourceFlags 1 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928 Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\programy\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x94 0x2A 0x42 0x6E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@Type 16 Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@Start 4 Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@ImagePath C:\WINDOWS\system32\tlntsvr.exe Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@DisplayName Telnet Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@DependOnService RPCSS?TCPIP?NTLMSSP? Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@DependOnGroup Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr@Description Umo?liwia u?ytkownikowi zdalnemu zalogowanie si? na tym komputerze i obs?uguje rozmaitych klient?w us?ugi Telnet TCP/IP, w tym komputery z systemami UNIX i Windows. Je?li ta us?uga zostanie zatrzymana, funkcja dost?pu u?ytkownik?w zdalnych do program?w mo?e sta? si? niedost?pna. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr\Security (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\TlntSvr\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Library C:\WINDOWS\system32\wbem\wmiaprpl.dll Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Open WmiOpenPerfData Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Collect WmiCollectPerfData Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Close WmiClosePerfData Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Object List 4102 4102 4108 4108 Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Last Counter 4114 Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@Last Help 4115 Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@First Counter 4102 Reg HKLM\SYSTEM\ControlSet002\Services\WmiApRpl\Performance@First Help 4103 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS@StateIndex 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group0 S-1-5-21-682003330-484763869-725345543-513 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group1 S-1-1-0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group2 S-1-5-32-544 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group3 S-1-5-32-545 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group4 S-1-5-4 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group5 S-1-5-11 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Group6 S-1-2-0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy\GroupMembership@Count 7 ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior ---- EOF - GMER 1.0.15 ----