"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Free Download Manager" = "D:\programy\Free Download Manager\fdm.exe -autorun" [null data]
"Komunikator" = "D:\programy\Tlen.pl\tlen.exe" ["o2.pl Sp. z o.o."]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"avast!" = "D:\programy\ALWILS~1\Avast4\ashDisp.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "D:\programy\Real Alternative\rpshell.dll" ["RealNetworks, Inc."]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "D:\WINDOWS\system32\NVCPL.DLL" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""D:\programy\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""D:\programy\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""D:\programy\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""D:\programy\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{FEB7DAE0-E111-11D0-BFD7-444553540000}" = "ICEOWS"
-> {HKLM...CLSID} = "Folder Iceows"
\InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\programy\Unlocker\UnlockerCOM.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\programy\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {HKLM...CLSID} = "Microsoft.AntiSpyware.ShellExecuteHook.1"
\InProcServer32\(Default) = "D:\programy\Microsoft AntiSpyware\shellextension.dll" [MS]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "iniwin32.dll" [file not found]
HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "pdboot.exe autocheck autochk *" [file not found], [file not found], [MS], [file not found]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""D:\programy\OpenOffice.ux.pl 2.0\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\programy\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
ICEOWS\(Default) = "{FEB7DAE0-E111-11D0-BFD7-444553540000}"
-> {HKLM...CLSID} = "Folder Iceows"
\InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ICEOWS\(Default) = "{FEB7DAE0-E111-11D0-BFD7-444553540000}"
-> {HKLM...CLSID} = "Folder Iceows"
\InProcServer32\(Default) = "D:\WINDOWS\system32\ShellExt\IceGUI.dll" ["Raphaël MOUNIER"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {HKLM...CLSID} = "avast"
\InProcServer32\(Default) = "D:\programy\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
-> {HKLM...CLSID} = "UnlockerShellExtension"
\InProcServer32\(Default) = "D:\programy\Unlocker\UnlockerCOM.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\Łukasz\Dane aplikacji\Mozilla\Firefox\Tapeta pulpitu.bmp"
Startup items in "Łukasz" & "All Users" startup folders:
--------------------------------------------------------
D:\Documents and Settings\Łukasz\Menu Start\Programy\Autostart
INFECTION WARNING! "HideBUS.exe" [null data]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0001-ABCDEFFEDCBC}"
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_01"
\InProcServer32\(Default) = "D:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll" ["Sun Microsystems, Inc."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "D:\Program Files\Messenger\msmsgs.exe" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Apache2, Apache2, ""D:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice" ["Apache Software Foundation"]
avast! Antivirus, avast! Antivirus, ""D:\programy\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""D:\programy\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
avast! Mail Scanner, avast! Mail Scanner, ""D:\programy\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""D:\programy\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
NVIDIA Display Driver Service, NVSvc, "D:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Virtual CD v5 Security service, VC5SecS, ""D:\Program Files\HHVcdV5Sys\VC5SecS.exe"" ["H+H Software GmbH"]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]
Keyboard Driver Filters:
------------------------
HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "klengine" [null data]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt09\Driver = "hpzsnt09.dll" ["HP"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 71 seconds, including 17 seconds for message boxes)
Co ciekawe podczas skanowania przez Silent Runnera, avast wykrył wirusa w pliku klengine.sys. Wybrałem, by nie podejmował żadnej akcji, ale w razie czego mogę go usunąć. Co to za plik i czy w nim może tkwić problem?