Witam ,mam bankowo Smitfrauda i chyba jeszcze jakiś syf. Proszę o pomoc - oto log z Silenta .
“Silent Runners.vbs”, revision 49, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “D:\WINDOWS\System32\ctfmon.exe” [MS]
“Komunikator” = “D:\Program Files\Tlen.pl\tlen.exe” [“o2.pl Sp. z o.o.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“NvCplDaemon” = “RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup” [MS]
“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]
“NvMediaCenter” = “RunDLL32.exe NvMCTray.dll,NvTaskbarInit” [MS]
“Logitech Utility” = “Logi_MwX.Exe” [“Logitech Inc.”]
“SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]
“SigmatelSysTrayApp” = “sttray.exe” [file not found]
“avgnt” = ““D:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe” /min” [“Avira GmbH”]
“WooCnxMon” = “D:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]
“WOOWATCH” = “D:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom R&D”]
“WOOTASKBARICON” = “D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe” [“France Télécom R&D”]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
\StubPath = ““D:\WINDOWS\System32\rundll32.exe” “D:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}(Default) = (no title provided)
-> {HKLM…CLSID} = “AcroIEHlprObj Class”
\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx” [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “D:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]
“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”
-> {HKLM…CLSID} = “DesktopContext Class”
\InProcServer32(Default) = “D:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”]
“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”
-> {HKLM…CLSID} = “NVIDIA CPL Extension”
\InProcServer32(Default) = “D:\WINDOWS\System32\nvcpl.dll” [“NVIDIA Corporation”]
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”
-> {HKLM…CLSID} = “Desktop Explorer”
\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”
-> {HKLM…CLSID} = “nView Desktop Context Menu”
\InProcServer32(Default) = “D:\WINDOWS\System32\nvshell.dll” [“NVIDIA Corporation”]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”
-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”
\InProcServer32(Default) = “D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]
“{E0D79300-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]
“{E0D79301-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]
“{E0D79302-84BE-11CE-9641-444553540000}” = “WinZip”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
“{45AC2688-0253-4ED8-97DE-B5370FA7D48A}” = “Shell Extension for Malware scanning”
-> {HKLM…CLSID} = “Shell Extension for Malware scanning”
\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> rpcc\DLLName = “D:\WINDOWS\System32\rpcc.dll” [null data]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”
-> {HKLM…CLSID} = “Shell Extension for Malware scanning”
\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Shell Extension for Malware scanning(Default) = “{45AC2688-0253-4ED8-97DE-B5370FA7D48A}”
-> {HKLM…CLSID} = “Shell Extension for Malware scanning”
\InProcServer32(Default) = “D:\Program Files\AntiVir PersonalEdition Classic\shlext.dll” [“H+BEDV Datentechnik GmbH”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79300-84BE-11CE-9641-444553540000}”
-> {HKLM…CLSID} = “WinZip”
\InProcServer32(Default) = “D:\PROGRA~1\WinZip\wzshlext.dll” [null data]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “D:\Documents and Settings\łuki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “D:\Documents and Settings\łuki\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}(Default) = “Volet Wanadoo”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]
HKLM\Software\Classes\CLSID{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}(Default) = “ToolBand Class”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]
HKLM\Software\Classes\CLSID{5BF498C0-931E-4A4F-B33F-456D07137EAA}(Default) = “Volet Wanadoo”
Implemented Categories{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\audience\audience.dll” [empty string]
Miscellaneous IE Hijack Points
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> “{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)
-> {HKLM…CLSID} = “Search Class”
\InProcServer32(Default) = “D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]
Running Services (Display Name, Service Name, Path {Service DLL}):
AntiVir PersonalEdition Classic Guard, AntiVirService, “D:\Program Files\AntiVir PersonalEdition Classic\avguard.exe” [“AVIRA GmbH”]
AntiVir PersonalEdition Classic Scheduler, AntiVirScheduler, “D:\Program Files\AntiVir PersonalEdition Classic\sched.exe” [“Avira GmbH”]
NVIDIA Display Driver Service, NVSvc, “D:\WINDOWS\System32\nvsvc32.exe” [“NVIDIA Corporation”]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = “hpzsnt10.dll” [“HP”]
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- The search for DESKTOP.INI DLL launch points on all local fixed drives
took 58 seconds.
---------- (total run time: 117 seconds)