Witam, mam mały problem z explorer.exe i po małych zmaganiach i konsultacjach przysłano mnie tutaj, więc proszę o sprawdzenie loga — to moja ostatnia szansa na uratowanie kompa przed reinstalacją. “Silent Runners.vbs”, revision 52, http://www.silentrunners.org/ Operating System: Windows Vista Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”] “ISUSPM Startup” = “c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup” [“InstallShield Software Corporation”] “Orb” = ““C:\Program Files\Winamp Remote\bin\OrbTray.exe” /background” [“Orb Networks”] HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++} “Windows Defender” = “C:\Program Files\Windows Defender\MSASCui.exe -hide” “ISUSScheduler” = ““C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start” [“InstallShield Software Corporation”] “SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”” [“Sun Microsystems, Inc.”] “AVPDWIN” = ““C:\Program Files\Panda Software\Panda Demo\pandasft.exe”” [file not found] “APVXDWIN” = ““C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE” /s” [“Panda Software International”] “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}(Default) = “Winamp Toolbar BHO” n {HKLM…CLSID} = “Winamp Toolbar BHO” \InProcServer32(Default) = “C:\Program Files\Winamp Toolbar\winamptb.dll” [“AOL LLC”] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided) n {HKLM…CLSID} = “SSVHelper Class” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll” [“Sun Microsystems, Inc.”] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ 
“{E7DE9B1A-7533-4556-9484-B26FB486475E}” = (no title provided) n {HKLM…CLSID} = “Network Map” \InProcServer32(Default) = “C:\Windows\system32\shdocvw.dll” [MS] “{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486}” = “IGD Property Sheet Handler” n {HKLM…CLSID} = “IGD Property Page” \InProcServer32(Default) = “C:\Windows\System32\icsigd.dll” [MS] “{8856f961-340a-11d0-a96b-00c04fd705a2}” = “Microsoft Web Browser” n {HKLM…CLSID} = “Microsoft Web Browser” \InProcServer32(Default) = “C:\Windows\system32\ieframe.dll” [MS] “{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}” = “MSHTML Document” n {HKLM…CLSID} = “MHTML Document” \InProcServer32(Default) = “C:\Windows\system32\mshtml.dll” [MS] “{25336920-03f9-11cf-8fd0-00aa00686f13}” = “HTML Document” n {HKLM…CLSID} = “HTML Document” \InProcServer32(Default) = “C:\Windows\system32\mshtml.dll” [MS] “{74246bfc-4c96-11d0-abef-0020af6b0b7a}” = “Device Manager” n {HKLM…CLSID} = “Device Manager” \InProcServer32(Default) = “C:\Windows\System32\devmgr.dll” [MS] “{44f3dab6-4392-4186-bb7b-6282ccb7a9f6}” = “MyDocuments menu and properties” n {HKLM…CLSID} = “MyDocuments menu and properties” \InProcServer32(Default) = “C:\Windows\system32\mydocs.dll” [MS] “{D34A6CA6-62C2-4C34-8A7C-14709C1AD938}” = “Common Places Folder” n {HKLM…CLSID} = “Common Places FS Folder” \InProcServer32(Default) = “C:\Windows\System32\shdocvw.dll” [MS] “{865e5e76-ad83-4dca-a109-50dc2113ce9a}” = “Programs Folder and Fast Items” n {HKLM…CLSID} = “Programs Folder and Fast Items” \InProcServer32(Default) = “C:\Windows\system32\shell32.dll” [MS] “{21ec2020-3aea-1069-a2dd-08002b30309d}” = “Control Panel” n {HKLM…CLSID} = “Control Panel” \InProcServer32(Default) = “shell32.dll” [MS] “{25585dc7-4da0-438d-ad04-e42c8d2d64b9}” = “Client application shell extension” n {HKLM…CLSID} = “Client application shell extension” \InProcServer32(Default) = “C:\Windows\system32\shell32.dll” [MS] “{4d5c8c2a-d075-11d0-b416-00c04fb90376}” = “Microsoft CommBand” n {HKLM…CLSID} = “Microsoft CommBand” 
\InProcServer32(Default) = “C:\Windows\system32\browseui.dll” [MS] “{92337A8C-E11D-11D0-BE48-00C04FC30DF6}” = “OlePrn.PrinterURL” n {HKLM…CLSID} = “prturl Class” \InProcServer32(Default) = “C:\Windows\system32\oleprn.dll” [MS] “{16C2C29D-0E5F-45f3-A445-03E03F587B7D}” = “group_wab_auto_file” n {HKLM…CLSID} = “.group shell context menu” \InProcServer32(Default) = “C:\Program Files\Common Files\System\wab32.dll” [MS] “{CF67796C-F57F-45F8-92FB-AD698826C602}” = “contact_wab_auto_file” n {HKLM…CLSID} = “.contact shell context menu” \InProcServer32(Default) = “C:\Program Files\Common Files\System\wab32.dll” [MS] “{90b9bce2-b6db-4fd3-8451-35917ea1081b}” = “Search Execute Command” n {HKLM…CLSID} = “CLSID_SearchExecute” \InProcServer32(Default) = “ExplorerFrame.dll” [MS] “{1a184871-359e-4f67-aad9-5b9905d62232}” = “Microsoft Windows Font File Context Menu Handler” n {HKLM…CLSID} = “Microsoft Windows Font Context Menu Handler” \InProcServer32(Default) = “fontext.dll” [MS] “{8a7cae0e-5951-49cb-bf20-ab3fa1e44b01}” = “Microsoft Windows Font Previewer” n {HKLM…CLSID} = “Microsoft Windows Font Preview Handler” \InProcServer32(Default) = “fontext.dll” [MS] “{BC65FB43-1958-4349-971A-210290480130}” = “Network Explorer Property Sheet Handler” n {HKLM…CLSID} = “Ncd Property Page” \InProcServer32(Default) = “C:\Windows\System32\NcdProp.dll” [MS] “{0a4286ea-e355-44fb-8086-af3df7645bd9}” = “Windows Media Player” n {HKLM…CLSID} = “&Windows Media Player” \InProcServer32(Default) = “C:\PROGRA~1\WI4EB4~1\wmpband.dll” [MS] “{BB6B2374-3D79-41DB-87F4-896C91846510}” = “EMDFileProperties” n {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “emdmgmt.dll” [MS] “{7A0F6AB7-ED84-46B6-B47E-02AA159A152B}” = “Sync Center Simple Conflict Presenter” n {HKLM…CLSID} = “Simple Conflict Presenter” \InProcServer32(Default) = “C:\Windows\System32\SyncCenter.dll” [MS] “{BE122A0E-4503-11DA-8BDE-F66BAD1E3F3A}” = (no title provided) n {HKLM…CLSID} = “Windows Anytime Upgrade” \InProcServer32(Default) = 
“C:\Windows\System32\shdocvw.dll” [MS] “{00f20eb5-8fd6-4d9d-b75e-36801766c8f1}” = “PhotoAcqDropTarget” n {HKLM…CLSID} = “PhotoAcqDropTarget” \InProcServer32(Default) = “C:\Program Files\Windows Photo Gallery\PhotoAcq.dll” [MS] “{91ADC906-6722-4B05-A12B-471ADDCCE132}” = “Touch Band” n {HKLM…CLSID} = “Touch Pointer” \InProcServer32(Default) = “C:\Windows\System32\TouchX.dll” [MS] “{7D4734E6-047E-41e2-AEAA-E763B4739DC4}” = “Windows Media Player Play as Playlist Context Menu Handler” n {HKLM…CLSID} = “WMP Play Folder As Playlist Launcher” \InProcServer32(Default) = “C:\Windows\system32\wmpshell.dll” [MS] “{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A}” = “GameUX.RichGameMediaThumbnail” n {HKLM…CLSID} = “RichGameMediaThumbnail Class” \InProcServer32(Default) = “C:\Windows\System32\gameux.dll” [MS] “{15D633E2-AD00-465b-9EC7-F56B7CDF8E27}” = “Tablet PC Input Panel” n {HKLM…CLSID} = “Tablet PC Input Panel” \InProcServer32(Default) = “C:\Program Files\Common Files\microsoft shared\ink\TipBand.dll” [MS] “{6b9228da-9c15-419e-856c-19e768a13bdc}” = “Windows gadget DropTarget” n {HKLM…CLSID} = “Windows gadget DropTarget” \InProcServer32(Default) = “C:\Program Files\Windows Sidebar\sbdrop.dll” [MS] “{8A734961-C4AA-4741-AC1E-791ACEBF5B39}” = “Windows Media Player Shop Music Context Menu Handler” n {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Windows\system32\wmpshell.dll” [MS] “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension” n {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] “{65756541-C65C-11CD-0000-4B656E696100}” = “Panda Antivirus” n {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\ShellTit.dll” [“Panda Software International”] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ <> “Shell” = “explorer.exe activexdebugger32.exe” [MS], [file not found] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ Panda 
Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” n {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\ShellTit.dll” [“Panda Software International”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” n {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” n {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Panda Antivirus(Default) = “{65756541-C65C-11CD-0000-4B656E696100}” n {HKLM…CLSID} = “Panda Antivirus” \InProcServer32(Default) = “C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\ShellTit.dll” [“Panda Software International”] WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}” n {HKLM…CLSID} = “WinRAR” \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data] Group Policies {GPedit.msc branch and setting}: ----------------------------------------------- Note: detected settings may not have any effect. 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “LogonHoursAction” = (REG_DWORD) hex:0x00000002 {unrecognized setting} “DontDisplayLogonHoursWarnings” = (REG_DWORD) hex:0x00000001 {unrecognized setting} HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ “ConsentPromptBehaviorAdmin” = (REG_DWORD) hex:0x00000002 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode} “ConsentPromptBehaviorUser” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Behavior Of The Elevation Prompt For Standard Users} “EnableInstallerDetection” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Detect Application Installations And Prompt For Elevation} “EnableLUA” = (REG_DWORD) hex:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Run All Administrators In Admin Approval Mode} “EnableSecureUIAPaths” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Only elevate UIAccess applications that are installed in secure locations} “EnableVirtualization” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Virtualize file and registry write failures to per-user locations} “PromptOnSecureDesktop” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Conrol: Switch to the secure desktop when prompting for elevation} “shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security 
Settings|Local Policies|Security Options| Shutdown: Allow system to be shut down without having to log on} “undockwithoutlogon” = (REG_DWORD) hex:0x00000001 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| Devices: Allow undock without having to log on} “FilterAdministratorToken” = (REG_DWORD) hex:0x00000000 {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options| User Account Control: Admin Approval Mode for the Built-in Administrator Account} Active Desktop and Wallpaper: ----------------------------- Active Desktop may be disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Displayed if Active Desktop enabled and wallpaper not set by Group Policy: HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ “Wallpaper” = “C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Tapeta pulpitu.bmp” Displayed if Active Desktop disabled and wallpaper not set by Group Policy: HKCU\Control Panel\Desktop\ “Wallpaper” = “C:\Users\Michał\AppData\Roaming\Mozilla\Firefox\Tapeta pulpitu.bmp” Non-disabled Scheduled Tasks: ----------------------------- C:\Windows\System32\Tasks “AppleSoftwareUpdate” n launches: “C:\Program Files\Apple Software Update\SoftwareUpdate.exe -background” [“Apple Computer, Inc.”] “User_Feed_Synchronization-{158D486F-3B4F-4561-8878-71533ECC8ACF}” n (HIDDEN!) 
launches: “C:\Windows\system32\msfeedssync.exe sync” [MS] “{4B17ABBB-5E0D-4513-96B8-47943BF44EF0}” n launches: “C:\Windows\system32\pcalua.exe -a C:\Download\wog\Install.exe -d C:\Download\wog” [MS] “{70B79365-A3EA-41A6-8F5B-5D3FB9821D03}” n launches: “C:\Windows\system32\pcalua.exe -a C:\Download\allinone_358f.exe -d C:\Download” [MS] “{785144CE-F3CC-4EC6-BB36-5F2EEB221B8F}” n launches: “C:\Windows\system32\pcalua.exe -a C:\Download\HamachiSetup-1.0.0.41-en.exe -d C:\Windows\system32” [MS] “{F1EFEA61-A672-4611-AA94-0B77BA9C8777}” n launches: “C:\Windows\system32\pcalua.exe -a “C:\Program Files\UOG\uninstall.exe”” [MS] “{FC3F380F-6F17-495A-9DFB-1F11FF8A1AE5}” n launches: “C:\Windows\system32\pcalua.exe -a C:\Download\allinon1\wog358f.part01.exe -d C:\Download\allinon1” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth “UninstallDeviceTask” n launches: “BthUdTask.exe $(Arg0)” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient “SystemTask” n launches: “{58fb76b9-ac85-4e55-ac04-427593b1d060}” n {HKLM…CLSID} = “Certificate Services Client Task Handler” \InProcServer32(Default) = “C:\Windows\system32\dimsjob.dll” [MS] “UserTask” n launches: “{58fb76b9-ac85-4e55-ac04-427593b1d060}” n {HKLM…CLSID} = “Certificate Services Client Task Handler” \InProcServer32(Default) = “C:\Windows\system32\dimsjob.dll” [MS] “UserTask-Roam” n launches: “{58fb76b9-ac85-4e55-ac04-427593b1d060}” n {HKLM…CLSID} = “Certificate Services Client Task Handler” \InProcServer32(Default) = “C:\Windows\system32\dimsjob.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program “Consolidator” n launches: “%SystemRoot%\System32\wsqmcons.exe” [MS] “OptinNotification” n launches: “%SystemRoot%\System32\wsqmcons.exe -n 0x1C577FA2B69CAD0” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Defrag “ManualDefrag” n launches: “%windir%\system32\defrag.exe -c” [MS] “ScheduledDefrag” n launches: “%windir%\system32\defrag.exe -c -i” [MS] 
C:\Windows\System32\Tasks\Microsoft\Windows\Media Center “ehDRMInit” n launches: “%SystemRoot%\ehome\ehPrivJob.exe /DRMInit” [MS] “mcupdate” n launches: “%SystemRoot%\ehome\mcupdate $(Arg0) -gc” [MS] “OCURActivate” n launches: “%SystemRoot%\ehome\ehPrivJob.exe /OCURActivate” [MS] “OCURDiscovery” n launches: “%SystemRoot%\ehome\ehPrivJob.exe /OCURDiscovery” [MS] “UpdateRecordPath” n launches: “%SystemRoot%\ehome\ehPrivJob.exe /DoUpdateRecordPath $(Arg0)” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC “HotStart” n launches: “{06DA0625-9701-43da-BFD7-FBEEA2180A1E}” n {HKLM…CLSID} = “HotStart User Agent” \InProcServer32(Default) = “C:\Windows\System32\HotStartUserAgent.dll” [MS] “TMM” n launches: “{35EF4182-F900-4632-B072-8639E4478A61}” n {HKLM…CLSID} = “Transient Multi-Monitor Manager” \InProcServer32(Default) = “C:\Windows\System32\TMM.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\MUI “LPRemove” n launches: “%windir%\system32\lpremove.exe” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Multimedia “SystemSoundsService” n launches: “{2DEA658F-54C1-4227-AF9B-260AB5FC3543}” n {HKLM…CLSID} = “Microsoft PlaySoundService Class” \InProcServer32(Default) = “C:\Windows\System32\PlaySndSrv.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection “NAPStatus UI” n launches: “{f09878a1-4652-4292-aa63-8c7d4fd7648f}” n {HKLM…CLSID} = “Nap ITask Handler Implementation” \InProcServer32(Default) = “C:\Windows\System32\QAgent.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\RAC “RACAgent” n (HIDDEN!) launches: “%windir%\system32\RacAgent.exe” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance “RemoteAssistanceTask” n (HIDDEN!) 
launches: “%windir%\system32\RAServer.exe /offerraupdate” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Shell “CrawlStartPages” n launches: “{51653423-e62d-4ff7-894a-dabb2b8e21e2}” n {HKLM…CLSID} = “CrawlStartPages Task Handler” \InProcServer32(Default) = “C:\Windows\System32\srchadmin.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\SideShow “GadgetManager” n launches: “{FF87090D-4A9A-4f47-879B-29A80C355D61}” n {HKLM…CLSID} = “GadgetsManager Class” \InProcServer32(Default) = “C:\Windows\System32\AuxiliaryDisplayServices.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\SystemRestore “SR” n launches: “%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Tcpip “IpAddressConflict1” n launches: “rundll32 ndfapi.dll,NdfRunDllDuplicateIPOffendingSystem” [MS] “IpAddressConflict2” n launches: “rundll32 ndfapi.dll,NdfRunDllDuplicateIPDefendingSystem” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework “MsCtfMonitor” n (HIDDEN!) launches: “{01575cfe-9a55-4003-a5e1-f38d1ebdcbe1}” n {HKLM…CLSID} = “MsCtfMonitor task handler” \InProcServer32(Default) = “C:\Windows\system32\MsCtfMonitor.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\UPnP “UPnPHostConfig” n launches: “sc.exe config upnphost start= auto” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\WDI “ResolutionHost” n (HIDDEN!) 
launches: “{900be39d-6be8-461a-bc4d-b0fa71f5ecb1}” n {HKLM…CLSID} = “DiagnosticInfrastructureCustomHandler” \InProcServer32(Default) = “C:\Windows\System32\wdi.dll” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Windows Error Reporting “QueueReporting” n launches: “%windir%\system32\wermgr.exe -queuereporting” [MS] C:\Windows\System32\Tasks\Microsoft\Windows\Wired “GatherWiredInfo” n launches: “%windir%\system32\gatherWiredInfo.vbs” [null data] C:\Windows\System32\Tasks\Microsoft\Windows\Wireless “GatherWirelessInfo” n launches: “%windir%\system32\gatherWirelessInfo.vbs” [null data] C:\Windows\System32\Tasks\Microsoft\Windows Defender “MP Scheduled Scan” n (HIDDEN!) launches: “c:\program files\windows defender\MpCmdRun.exe Scan -RestrictPrivileges” [MS] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\system32\NLAapi.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS] 000000000003\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] 000000000004\LibraryPath = “%SystemRoot%\system32\napinsp.dll” [MS] 000000000005\LibraryPath = “%SystemRoot%\system32\pnrpnsp.dll” [MS] 000000000006\LibraryPath = “%SystemRoot%\system32\pnrpnsp.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavlsp.dll [“Panda Software International”], 01 - 06, 30 C:\Windows\system32\wpclsp.dll [MS], 07 - 14, 25 %SystemRoot%\system32\mswsock.dll [MS], 15 - 24, 26 - 29 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}” n {HKLM…CLSID} = 
“Winamp Toolbar” \InProcServer32(Default) = “C:\Program Files\Winamp Toolbar\winamptb.dll” [“AOL LLC”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}” = “Winamp Toolbar” n {HKLM…CLSID} = “Winamp Toolbar” \InProcServer32(Default) = “C:\Program Files\Winamp Toolbar\winamptb.dll” [“AOL LLC”] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ “MenuText” = “Sun Java Console” “CLSIDExtension” = “{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}” n {HKLM…CLSID} = “Java Plug-in 1.6.0_03” \InProcServer32(Default) = “C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll” [“Sun Microsystems, Inc.”] Miscellaneous IE Hijack Points ------------------------------ HKLM\Software\Microsoft\Internet Explorer\AboutURLs\ <> “NavigationFailure” = “res://shdoclc.dll/navcancl.htm” [file not found] <> “DesktopItemNavigationFailure” = “res://shdoclc.dll/navcancl.htm” [file not found] <> “NavigationCanceled” = “res://shdoclc.dll/navcancl.htm” [file not found] <> “OfflineInformation” = “res://shdoclc.dll/offcancl.htm” [file not found] <> “PostNotCached” = “res://mshtml.dll/repost.htm” [MS] HOSTS file ---------- C:\Windows\System32\drivers\etc\HOSTS maps: 2 domain names to IP addresses, 1 of the IP addresses is *not* localhost! 
Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ Dziennik zdarzeń systemu Windows, Eventlog, “C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted” {(missing data)} Host urządzenia UPnP, upnphost, “C:\Windows\system32\svchost.exe -k LocalService” {“C:\Windows\System32\upnphost.dll” [MS]} Konfiguracja usług terminalowych, SessionEnv, “C:\Windows\System32\svchost.exe -k netsvcs” {“C:\Windows\system32\sessenv.dll” [MS]} MySql, MySql, “c:\usr/MYSQL/bin/mysqld.exe” [null data] Panda anti-virus service, PAVSRV, ““C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\pavsrvx86.exe”” [“Panda Software International”] Panda Function Service, PAVFNSVR, ““C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe”” [“Panda Software International”] Panda Host Service, PSHost, ““c:\program files\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE”” [“Panda Software International”] Panda IManager Service, PSIMSVC, ““C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe”” [“Panda Software International”] Panda PSK service, PskSvcRetail, ““C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PskSvc.exe”” [“Panda Software International”] Panda Software Controller, Panda Software Controller, ““C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe”” [“Panda Software International”] Panda TPSrv, TPSrv, ““C:\Program Files\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe”” [“Panda Software International”] Propagacja certyfikatu, CertPropSvc, “C:\Windows\system32\svchost.exe -k netsvcs” {“C:\Windows\System32\certprop.dll” [MS]} Przeglądarka komputera, Browser, “C:\Windows\System32\svchost.exe -k netsvcs” {“C:\Windows\System32\browser.dll” [MS]} Publikacja zasobów odnajdowania funkcji, FDResPub, “C:\Windows\system32\svchost.exe -k LocalService” {“C:\Windows\system32\fdrespub.dll” [MS]} 
Windows Driver Foundation — User-mode Driver Framework, wudfsvc, “C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted” {“C:\Windows\System32\WUDFSvc.dll” [MS]} Windows Image Acquisition (WIA), stisvc, “C:\Windows\system32\svchost.exe -k imgsvc” {“C:\Windows\System32\wiaservc.dll” [MS]} Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ PCL hpz3l4v2\Driver = “hpz3l4v2.dll” [“Hewlett-Packard Company”] ---------- (launch time: 2007-11-13 23:46:34) <>: Suspicious data at a malware launch point. <>: Suspicious data at a browser hijack point. + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points, use the -supp parameter or answer “No” at the first message box and “Yes” at the second message box. ---------- (total run time: 75 seconds, including 3 seconds for message boxes)