To chyba o to chodziło
"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"UpdateManager" = "C:\Program Files\Common Files\Microsoft Shared\Web Components\WUpdMan32.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"SoundMax" = ""C:\Program Files\Analog Devices\SoundMAX\SMax4.exe" /tray" ["Analog Devices, Inc."]
"RemoteControl" = ""D:\Program Files\DO FILMOW\PowerDVD\PDVDServ.exe"" ["Cyberlink Corp."]
"LanguageShortcut" = ""D:\Program Files\DO FILMOW\PowerDVD\Language\Language.exe"" [null data]
"!ewido" = ""D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "IeCatch5 Class"
\InProcServer32\(Default) = "D:\PROGRA~1\INTERN~1\FlashGet\jccatch.dll" ["FlashGet"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll" ["Sun Microsystems, Inc."]
{F156768E-81EF-470C-9057-481BA8380DBA}\(Default) = (no title provided)
-> {HKLM...CLSID} = "gFlash Class"
\InProcServer32\(Default) = "D:\PROGRA~1\INTERN~1\FlashGet\getflash.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{67C63340-679B-11D2-92EE-000021474C19}" = "IrfanView Extensions"
-> {HKLM...CLSID} = "IrfanView Extensions"
\InProcServer32\(Default) = "D:\Program Files\GRAFICZNE\IrfanView\IVEX.dll" ["BAxBEx Software"]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\NOD\nodshex.dll" [null data]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "D:\PROGRA~1\DONAPE~1\ALCOHO~1\axshlex.dll" ["Alcohol Soft Development Team"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\Office\Office10\msohev.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{70B28949-EC23-4D00-A411-AD8A1B3A8A5A}" = "awxDTools - ContextMenu ShellExtension"
-> {HKLM...CLSID} = "awxDTShlExt Class"
\InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]
"{7A5117B0-B594-4DA8-829D-D15BF11996F2}" = "awxDTools - ColumnHandler ShellExtension"
-> {HKLM...CLSID} = "awxDTColumnHandler Class"
\InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]
"{D7C3180D-83AA-464B-9154-6BD0B4E34FBD}" = "awxDTools - PropertySheetHandler ShellExtension"
-> {HKLM...CLSID} = "awxDToolsPropSheet Class"
\InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\Unlocker\UnlockerCOM.dll" [null data]
"{CA5FEE26-14C1-4B5A-86E9-233FC0EE2682}" = "IZArc DragDrop Menu"
-> {HKLM...CLSID} = "IZArc DragDrop Menu"
\InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]
"{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}" = "IZArc Shell Context Menu"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = " SF3.DLL" [file not found]
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
INFECTION WARNING! (" ntoskrnl.dll" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, ntoskrnl.dll"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7A5117B0-B594-4DA8-829D-D15BF11996F2}\(Default) = "awxDTools - ColumnHandler"
-> {HKLM...CLSID} = "awxDTColumnHandler Class"
\InProcServer32\(Default) = "D:\Program Files\DO NAPEDOW\DAEMON Tools\awxDTools.dll" ["arniWORX"]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\NOD\nodshex.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]
{67C63340-679B-11D2-92EE-000021474C19}\(Default) = "{67C63340-679B-11D2-92EE-000021474C19}"
-> {HKLM...CLSID} = "IrfanView Extensions"
\InProcServer32\(Default) = "D:\Program Files\GRAFICZNE\IrfanView\IVEX.dll" ["BAxBEx Software"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
IZArcCM\(Default) = "{8D9D4D0D-FDDD-44CB-AAB2-6161FA0757C5}"
-> {HKLM...CLSID} = "IZArc Shell Context Menu"
\InProcServer32\(Default) = "D:\PROGRA~1\ARCHIW~1\IZArc\IZArcCM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"
-> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"
\InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"
-> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\UZYTKOWE\NOD\nodshex.dll" [null data]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\Program Files\NARZEDZIOWE\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\ARCHIWIZUJACE\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Mateusz\Dane aplikacji\IrfanView\IrfanView_Wallpaper.bmp"
Startup items in "Mateusz" & "All Users" startup folders:
---------------------------------------------------------
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "D:\Program Files\UZYTKOWE\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Kaspersky Anti-Hacker" -> shortcut to: "D:\Program Files\INTERNETOWE\Kaspersky Anti-Hacker\KAVPF.exe /silence" ["Kaspersky Lab"]
"Microsoft Office" -> shortcut to: "D:\Program Files\UZYTKOWE\Office\Office10\OSA.EXE -b -l" [MS]
"nod32kui" -> shortcut to: "D:\Program Files\UZYTKOWE\NOD\nod32kui.exe" ["Eset "]
"SMax4PNP" -> shortcut to: "C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" ["Analog Devices, Inc."]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\WINDOWS\system32\imon.dll ["Eset "], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{E0E899AB-F487-11D5-8D29-0050BA6940E3}" = "FlashGet Bar"
-> {HKLM...CLSID} = "FlashGet Bar"
\InProcServer32\(Default) = "D:\PROGRA~1\INTERN~1\FlashGet\fgiebar.dll" ["Amaze Soft"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_08"
\InProcServer32\(Default) = "D:\Program Files\SYSTEMOWE\Java\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_08"
\InProcServer32\(Default) = "D:\Program Files\SYSTEMOWE\Java\bin\npjpi150_08.dll" ["Sun Microsystems, Inc."]
{C23E2132-960C-44FC-8EBD-39B37AA4DE78}\
"ButtonText" = "Send this URL to WTR - Web The Ripper 2"
"MenuText" = "WTR - Web The Ripper 2"
"Script" = "D:\Program Files\INTERNETOWE\WTR - Web The Ripper 2\wtr.ie.html" [file not found]
{D6E814A0-E0C5-11D4-8D29-0050BA6940E3}\
"ButtonText" = "FlashGet"
"MenuText" = "&FlashGet"
"Exec" = "D:\PROGRA~1\INTERN~1\FlashGet\flashget.exe" ["FlashGet.com"]
{E19ADC6E-3909-43E4-9A89-B7B676377EE3}\
"ButtonText" = "Sothink SWF Catcher"
"MenuText" = "Sothink SWF Catcher"
"Script" = "C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm" [null data]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
HOSTS file
----------
C:\WINDOWS\System32\drivers\etc\HOSTS
maps: 3 domain names to IP addresses,
2 of the IP addresses are *not* localhost!
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Cyberlink RichVideo Service(CRVS), RichVideo, ""C:\Program Files\Cyberlink\Shared files\RichVideo.exe"" [empty string]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "D:\Program Files\NARZEDZIOWE\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
NOD32 Kernel Service, NOD32krn, ""D:\Program Files\UZYTKOWE\NOD\nod32krn.exe"" ["Eset "]
SecuROM User Access Service (V7), UserAccess7, "C:\WINDOWS\system32\UAService7.exe" [null data]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
StarWind iSCSI Service, StarWindService, "D:\Program Files\DO NAPEDOW\Alcohol 52\StarWind\StarWindService.exe" ["Rocket Division Software"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]
Keyboard Driver Filters:
------------------------
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "Lkbdflt2" ["Logitech, Inc."]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Lexmark Network Port\Driver = "LEXLMPM.DLL" ["Lexmark International, Inc."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 99 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 15 seconds.
---------- (total run time: 143 seconds)