Hello
I have this problem: roughly once every 2 weeks a virus sneaks into my computer, and each time it changes all the files on my desktop. After the change, all of these files look as if someone had changed their extension.
After a system restart they can no longer be opened.
What virus could this be, and how do I get rid of it?
Logfile of HijackThis v1.99.1
Scan saved at 15:56:33, on 2007-01-20
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Administrator\Pulpit\HijackThis + Silent Runners\HijackThis 1.99.1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = d:\Programy\Narzędzia systemowe\Nie używane\Norton Utilities 2006\Support\PCAWR\help\wwhelp\wwhimpl\common\html\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = d:\Programy\Narzędzia systemowe\Nie używane\Norton Utilities 2006\Support\PCAWR\help\wwhelp\wwhimpl\common\html\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM…\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM…\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM…\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM…\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM…\Run: [unlockerAssistant] “C:\Program Files\Unlocker\UnlockerAssistant.exe”
O4 - HKLM…\Run: [sunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”
O4 - HKLM…\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM…\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM…\Run: [nod32kui] “C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE
O4 - HKLM…\Run: [DiskeeperSystray] “C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe”
O4 - HKLM…\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM…\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM…\Run: [Norton Ghost 10.0] “C:\Program Files\Norton Ghost\Agent\GhostTray.exe”
O4 - HKCU…\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [spyware Doctor] “C:\Program Files\Spyware Doctor\swdoctor.exe” /Q
O4 - HKCU…\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU…\Run: [Gadu-Gadu] “C:\Program Files\Gadu-Gadu\gg.exe” /tray
O4 - HKCU…\Run: [freeCommander.exe] C:\Program Files\freeCommander2006\freeCommander.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Szybkie dostosowywanie programu Outpost Firewall Pro - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
and here is the second log
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“Spyware Doctor” = ““C:\Program Files\Spyware Doctor\swdoctor.exe” /Q” [“PC Tools Research Pty Ltd”]
“odk_mcd” = “(empty string)” [file not found]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}” = ““C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”” [“Nero AG”]
“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]
“freeCommander.exe” = “C:\Program Files\freeCommander2006\freeCommander.exe” [“Marek Jasinski - http://www.freeCommander.com”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”]
“Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”]
“ATIPTA” = ““C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”” [“ATI Technologies, Inc.”]
“CoolSwitch” = “C:\WINDOWS\system32\taskswitch.exe” [null data]
“UnlockerAssistant” = ““C:\Program Files\Unlocker\UnlockerAssistant.exe”” [null data]
“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“Outpost Firewall” = “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice” [“Agnitum Ltd.”]
“OutpostFeedBack” = “C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup” [“Agnitum Ltd.”]
“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]
“DiskeeperSystray” = ““C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe”” [“Diskeeper Corporation”]
“PCSuiteTrayApplication” = “C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup” [“Nokia”]
“NeroFilterCheck” = “C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [“Nero AG”]
“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]
“Norton Ghost 10.0” = ““C:\Program Files\Norton Ghost\Agent\GhostTray.exe”” [“Symantec Corporation”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{0055C089-8582-441B-A0BF-17B458C2A3A8}(Default) = “IDM Helper”
-> {HKLM…CLSID} = “IDMIEHlprObj Class”
\InProcServer32(Default) = “C:\Program Files\Internet Download Manager\IDMIECC.dll” [“Internet Download Manager Corp., Tonec Inc.”]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM…CLSID} = “AcroIEHlprObj Class”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll” [“Adobe Systems Incorporated”]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}(Default) = (no title provided)
-> {HKLM…CLSID} = “PCTools Site Guard”
\InProcServer32(Default) = “C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll” [“PC Tools”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}(Default) = (no title provided)
-> {HKLM…CLSID} = “PCTools Browser Monitor”
\InProcServer32(Default) = “C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll” [“PC Tools”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]
“{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension”
-> {HKLM…CLSID} = “UnlockerShellExtension”
\InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data]
“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”
-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]
“{416651E4-9C3C-11D9-8BDE-F66BAD1E3F3A}” = “PhoneBrowser”
-> {HKLM…CLSID} = “Nokia Phone Browser”
\InProcServer32(Default) = “C:\Program Files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll” [“Nokia”]
“{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler”
-> {HKLM…CLSID} = “NeroDigitalIconHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
“{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler”
-> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
“{52B87208-9CCF-42C9-B88E-069281105805}” = “Trojan Remover Shell Extension”
-> {HKLM…CLSID} = “Trojan Remover Shell Extension”
\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> AtiExtEvent\DLLName = “Ati2evxx.dll” [“ATI Technologies Inc.”]
HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler”
-> {HKLM…CLSID} = “NeroDigitalColumnHandler Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]
{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”
-> {HKLM…CLSID} = “PDF Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”
-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”]
NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”
-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]
Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}”
-> {HKLM…CLSID} = “Trojan Remover Shell Extension”
\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”]
WinExpert(Default) = “{19741013-C829-11D1-8233-0020AF3E97A9}”
-> {HKLM…CLSID} = “Context Menu Shell Extension”
\InProcServer32(Default) = “C:\WINDOWS\system32\context.dll” [“SuperLogix”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”
-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW(Default) = “{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}”
-> {HKLM…CLSID} = “Outpost.ASWShellExt Component”
\InProcServer32(Default) = “C:\Program Files\Agnitum\Outpost Firewall\op_shell.dll” [“Agnitum Ltd.”]
NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”
-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”
\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]
Trojan Remover(Default) = “{52B87208-9CCF-42C9-B88E-069281105805}”
-> {HKLM…CLSID} = “Trojan Remover Shell Extension”
\InProcServer32(Default) = “C:\PROGRA~1\TROJAN~1\Trshlex.dll” [“Simply Super Software”]
UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”
-> {HKLM…CLSID} = “UnlockerShellExtension”
\InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data]
WinExpert(Default) = “{19741013-C829-11D1-8233-0020AF3E97A9}”
-> {HKLM…CLSID} = “Context Menu Shell Extension”
\InProcServer32(Default) = “C:\WINDOWS\system32\context.dll” [“SuperLogix”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “C:\PROGRA~1\WinZip\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”
-> {HKLM…CLSID} = “UnlockerShellExtension”
\InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
“NoSharedDocuments” = (REG_DWORD) hex:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 17
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10
Toolbars, Explorer Bars, Extensions:
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{A1A7E22D-1587-4230-8F16-081C68D21448}\(Default) = “Szybkie dostosowywanie programu”
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = “C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll” [“Agnitum Ltd.”]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = “&Badanie”
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
“ButtonText” = “Spyware Doctor”
“CLSIDExtension” = “{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}”
-> {HKLM…CLSID} = “PCTools Browser Monitor”
\InProcServer32(Default) = “C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll” [“PC Tools”]
{44627E97-789B-40D4-B5C2-58BD171129A1}\
“ButtonText” = “Szybkie dostosowywanie programu Outpost Firewall Pro”
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Badanie”
{E2E2DD38-D088-4134-82B7-F2BA38496583}\
“MenuText” = “@xpsp3res.dll,-20001”
“Exec” = “%windir%\Network Diagnostic\xpnetdiag.exe” [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Ati HotKey Poller, Ati HotKey Poller, “C:\WINDOWS\system32\Ati2evxx.exe” [“ATI Technologies Inc.”]
Diskeeper, Diskeeper, ““C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe”” [“Diskeeper Corporation”]
GEARSecurity, GEARSecurity, “C:\WINDOWS\System32\GEARSec.exe” [“GEAR Software”]
Karta wydajności WMI, WmiApSrv, “C:\WINDOWS\system32\wbem\wmiapsrv.exe” [MS]
NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]
Norton Ghost, Norton Ghost, “C:\Program Files\Norton Ghost\Agent\VProSvc.exe” [“Symantec Corporation”]
Outpost Firewall Service, OutpostFirewall, “C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /service” [“Agnitum Ltd.”]
PC Tools Spyware Doctor, SDhelper, “C:\Program Files\Spyware Doctor\sdhelp.exe” [“PC Tools Research Pty Ltd”]
Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”]
Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”]
<>: Suspicious data at a malware launch point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- The search for DESKTOP.INI DLL launch points on all local fixed drives
took 50 seconds.
---------- (total run time: 118 seconds)