Subject: Viruses? : MountPoints2 keeps "being born" in the XP registry. How to kill it?
Author: Arturas langucentras.lt
Date: 2009-06-13 12:01:32


Wanna kill the fck subj :) Help :)


BUG
Opening the C drive through My Computer throws a Rundll error: can not open
..\desktop.dll

SITUATION
Windows XP
The antivirus had earlier found trojans,
the antivirus software Antivir NOW finds nothing
The registry cleaner TuneUp Utilities 2009 leaves that MountPoints2 key
in the registry

ACTION
Damn, somehow on REBOOT MountPoints2 keeps getting re-created in the registry
Opening the C drive throws a Rundll error: can not open .\desktop.dll, which
really gets on my nerves

MORAL
after deleting the MountPoints2 keys in the registry everything is OK until... you reboot the computer
:)
Damn, so where is it hiding? By the way !!!!!!!!!!!!!!!!!!! After reinstalling Windows
XP = :) clean (fresh install?) that bug remains

INFO
HKEY_USERS\S-1-5-21-507921405-2146650191-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bea66670-82c8-11dc-a26e-806d6172696f}\Shell\open\Command
====== rundll32.exe .\desktop.dll,InstallM


A BIT MORE INFO
"Silent Runners.vbs", revision 59,
 http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RegServer" = "regserve.exe" [null data]
"PmProxy" = "C:\Program Files\Analog Devices\SoundMAX\PmProxy.exe" ["adi"]
"avgnt" = ""C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min" ["Avira GmbH"]
"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe"" [null data]
"TrueImageMonitor.exe" = "C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" ["Acronis"]
"AcronisTimounterMonitor" = "C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" ["Acronis"]
"Acronis Scheduler2 Service" = ""C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"" ["Acronis"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}\(Default) = "Skype add-on (mastermind)"
  -> {HKLM...CLSID} = "Skype add-on (mastermind)"
                   \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{45AC2688-0253-4ED8-97DE-B5370FA7D48A}" = "Shell Extension for Malware scanning"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
"{4838CD50-7E5D-4811-9B17-C47A85539F28}" = "TuneUp Disk Space Explorer Shell Extension"
  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"
  -> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{C539A15A-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Context Menu Extension"
  -> {HKLM...CLSID} = "Acronis True Image Shell Context Menu Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]
"{C539A15B-3AF9-4c92-B771-50CB78F5C751}" = "Acronis True Image Shell Extension"
  -> {HKLM...CLSID} = "Acronis True Image Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Acronis\TrueImageHome\tishell.dll" ["Acronis"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\wpdshserviceobj.dll" [MS]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
TuneUp Disk Space Explorer Shell Extension\(Default) = "{4838CD50-7E5D-4811-9B17-C47A85539F28}"
  -> {HKLM...CLSID} = "TuneUp Disk Space Explorer Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\TuneUp Utilities 2009\DseShExt-x86.dll" ["TuneUp Software"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning\(Default) = "{45AC2688-0253-4ED8-97DE-B5370FA7D48A}"
  -> {HKLM...CLSID} = "Shell Extension for Malware scanning"
                   \InProcServer32\(Default) = "C:\Program Files\Avira\AntiVir Desktop\shlext.dll" ["Avira GmbH"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) =
"C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2009\OneClickStarter.exe /schedulestart" ["TuneUp Software GmbH"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\
{++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
{++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
"ButtonText" = "Skype"
"CLSIDExtension" = "{77BF5300-1474-4EC7-9980-D32B190E9B07}"
  -> {HKLM...CLSID} = "Skype add-on (button)"
                   \InProcServer32\(Default) = "C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll" ["Skype Technologies S.A."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]:
START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[Strings]:
MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\
<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Acronis Scheduler2 Service, AcrSch2Svc, ""C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe"" ["Acronis"]
Avira AntiVir Guard, AntiVirService, ""C:\Program Files\Avira\AntiVir Desktop\avguard.exe"" ["Avira GmbH"]
Avira AntiVir Scheduler, AntiVirSchedulerService, ""C:\Program Files\Avira\AntiVir Desktop\sched.exe"" ["Avira GmbH"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
TuneUp Program Statistics Service, TuneUp.ProgramStatisticsSvc, "C:\WINDOWS\System32\TUProgSt.exe" ["TuneUp Software"]


---------- (launch time: 2009-06-12 12:00:09)
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 121 seconds, including 22 seconds for message boxes)
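Added example (not code from Arturas's post or from Silent Runners): a Python check that parses a reg-export of the MountPoints2 key and flags per-volume Shell commands that run rundll32 on a relative DLL path, the pattern shown in the INFO section above. The sample export is constructed here using the GUID from the post plus a placeholder SID and a placeholder second GUID; Explorer rebuilds these Shell\<verb>\command entries from the autorun.inf it finds on the volume each time the drive is mounted, which is why deleting the key does not survive a reboot.

```python
import re

# Constructed sample shaped like a "reg export" of the MountPoints2 key. The
# first GUID is the one from the post; the SID and second GUID are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bea66670-82c8-11dc-a26e-806d6172696f}\Shell\open\Command]
@="rundll32.exe .\\desktop.dll,InstallM"

[HKEY_USERS\S-1-5-21-0-0-0-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11111111-2222-3333-4444-555555555555}\Shell\AutoRun\command]
@="E:\\Setup.exe"
"""

# Matches ...\MountPoints2\{volume-guid}\Shell\<verb>\command] key headers.
KEY_RE = re.compile(r"MountPoints2\\(\{[0-9a-f-]+\})\\Shell\\([^\\]+)\\command\]$", re.I)
# Absolute targets: a drive letter or an expanded system-root variable.
ABS_RE = re.compile(r"^[a-z]:\\|^%systemroot%|^%windir%", re.I)

def parse_mountpoint_commands(reg_text):
    """Return {(volume_guid, verb): command} for every Shell\\<verb>\\command default value."""
    commands, current = {}, None
    for line in reg_text.splitlines():
        if line.startswith("["):
            m = KEY_RE.search(line)
            current = (m.group(1).lower(), m.group(2).lower()) if m else None
        elif current and line.startswith('@="') and line.endswith('"'):
            commands[current] = line[3:-1].replace("\\\\", "\\")  # undo .reg escaping
    return commands

def suspicious(command):
    """Explain why a per-volume shell command deserves attention, or return None."""
    parts = command.split()
    exe = parts[0].lower()
    if exe.startswith("rundll32"):
        # rundll32 resolves a relative DLL against the mounted volume's root, so
        # ".\desktop.dll,InstallM" runs whatever DLL is sitting on that drive.
        if len(parts) > 1 and not ABS_RE.match(parts[1]):
            return "rundll32 with a relative DLL path: " + parts[1]
    elif not ABS_RE.match(exe):
        return "relative executable path: " + exe
    return None

def find_hijacked_volumes(reg_text):
    findings = []
    for (guid, verb), cmd in parse_mountpoint_commands(reg_text).items():
        reason = suspicious(cmd)
        if reason:
            findings.append((guid, verb, cmd, reason))
    return findings
```

Run it against the output of `reg export` for the HKEY_USERS\<SID>\...\Explorer\MountPoints2 key; a flagged volume GUID points at the drive whose root-level autorun.inf and DLL are the actual thing to clean.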