Witam,
Proszę o pomoc - walczę prawdopodobnie z trojanem vundo ale bez powodzenia
Poniżej zamieszczam log z Hijack:
"Logfile of HijackThis v1.99.1
Scan saved at 00:14:45, on 2007-04-04
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ASUSKBService.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mksauth.exe
C:\lotus\notes\ntmulti.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\nutsrv4.exe
C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rshd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\telnetd.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\install\ProcessExplorer\procexp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\KRBO\Pulpit\trojan\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.winuel.com.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.winuel.com.pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.2.0.10:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.winuel.com.pl;10.0.*;10.100.*
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [Skrót do strony właściwości High Definition Audio] HDAShCut.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [JobHisInit] C:\Program Files\RMClient\JobHisInit.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Procexp.lnk = C:\install\ProcessExplorer\procexp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.winuel.com.pl
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120196866533
O16 - DPF: {E008A543-CEFB-4559-912F-C27C2B89F13B} (Domino Web Access 7 Control) - http://wn.winuel.com.pl/dwa7W.cab
O18 - Protocol: qrev - {9DE24BAC-FC3C-42C4-9FC4-76B3FAFDBD90} - C:\PROGRA~1\QUESTS~1\TOAD\RNetPin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MGXPgmInit - Unknown owner - C:\Ascential\ProfileStage\AnalysisServer\AppToService.exe" /sys "C:\Ascential\ProfileStage\AnalysisServer\MGXPgmInit.exe" /Name:"MGXPgmInit" /Startup:M /Show:2 /Arguments:"\"C:\Ascential\ProfileStage\AnalysisServer\MGXPgmInit.ini\" (file missing)
O23 - Service: MGXSwitch - Unknown owner - C:\Ascential\ProfileStage\MessageSwitch\AppToService.exe" /sys "C:\Ascential\ProfileStage\MessageSwitch\MGXSwitch.exe" /Name:"MGXSwitch" /Startup:M /Show:2 /Arguments:"\"C:\Ascential\ProfileStage\MessageSwitch\MGXSwitch.ini\"" /Directory:" (file missing)
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\lotus\notes\ntmulti.exe
O23 - Service: NuTCRACKER Service (NuTCRACKERService) - DataFocus, Inc. - C:\WINDOWS\system32\nutsrv4.exe
O23 - Service: QualityStage Engine Service (QSEngine) - Unknown owner - C:\Ascential\QualityStageServer75\qsservsrv.exe
O23 - Service: QualityStage Realtime Manager Service (QSRTManager) - Unknown owner - C:\Ascential\QualityStageServer75\qsrtmngrsrv.exe
O23 - Service: REXECD - Mortice Kern Systems Inc. - C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rexecd.exe
O23 - Service: RSHD - Mortice Kern Systems Inc. - C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rshd.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe"
oraz z Silent Runners:
""Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"WMPNSCFG" = "C:\Program Files\Windows Media Player\WMPNSCFG.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Skrót do strony właściwości High Definition Audio" = "HDAShCut.exe" ["Windows (R) Server 2003 DDK provider"]
"VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."]
"VTTrayp" = "VTtrayp.exe" ["S3 Graphics Co., Ltd."]
"HControl" = "C:\WINDOWS\ATK0100\HControl.exe" [empty string]
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Power_Gear" = "C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1" ["ASUSTeK Computer Inc."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"SMSERIAL" = "sm56hlpr.exe" ["Motorola Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" ["Sun Microsystems, Inc."]
"igfxtray" = "C:\WINDOWS\system32\igfxtray.exe" ["Intel Corporation"]
"igfxhkcmd" = "C:\WINDOWS\system32\hkcmd.exe" ["Intel Corporation"]
"igfxpers" = "C:\WINDOWS\system32\igfxpers.exe" ["Intel Corporation"]
"Wireless Console 2" = "C:\Program Files\Wireless Console 2\wcourier.exe" [null data]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"JobHisInit" = "C:\Program Files\RMClient\JobHisInit.exe" [empty string]
"MplSetUp" = "C:\Program Files\RMClient\MplSetUp.exe" ["RICOH CO.,LTD."]
"Synchronization Manager" = "C:\WINDOWS\system32\mobsync.exe /logon"
"SpybotSnD" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose" ["Safer Networking Limited"]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{1976BB54-4CE4-4DB9-9BBD-48445BB6DB77}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nnnlj.dll" [file not found]
{4DCB4FA4-75DE-4E9B-A039-E181EE4EAC24}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\fcyxu.dll" [file not found]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{57E218E6-5A80-4f0c-AB25-83598F25D7E9}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\jfdtworf.dll" [null data]
{72E2D623-D7AC-41E2-BA1D-B0B72380CC50}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ddawt.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
{977BE5B2-614C-4D42-BB11-E25DD90B9EBc}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\cmnawnjo.dll" [null data]
{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL" [null data]
{C451C08A-EC37-45DF-AAAD-18B51AB5E837}\(Default) = (no title provided)
-> {HKLM...CLSID} = "PDFCreator Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]
{CD786B5A-BFD9-4ECF-BDAF-7A2A30579745}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\ssqpp.dll" [file not found]
{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\opnnoop.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
"{88BFE743-E4A3-4656-B023-DB95C56837E2}" = "Secure FTP Connections"
-> {HKLM...CLSID} = "Secure FTP Connections"
\InProcServer32\(Default) = "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\bin\sshview.dll" ["DataFocus, Inc."]
"{C5098102-EAF2-493A-883A-B7B751B21534}" = "FolderBox Shell Extensions"
-> {HKLM...CLSID} = "FolderBox Shell Extensions"
\InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {HKLM...CLSID} = "ImageExtractorShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {HKLM...CLSID} = "CInfoTipShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}" = "*g" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\opnnoop.dll" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> ddawt\DLLName = "C:\WINDOWS\system32\ddawt.dll" [null data]
<> igfxcui\DLLName = "igfxdev.dll" ["Intel Corporation"]
<> NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" ["Symantec Corporation"]
<> opnnoop\DLLName = "opnnoop.dll" [null data]
<> vtuttut\DLLName = "vtuttut.dll" [file not found]
<> xxyabyw\DLLName = "xxyabyw.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
<> taskmgr.exe\Debugger = ""C:\INSTALL\PROCESSEXPLORER\PROCEXP.EXE"" ["Sysinternals"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""C:\Program Files\OpenOffice.org 2.1\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
{C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}"
-> {HKLM...CLSID} = "FolderBox Shell Extensions"
\InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
-> {HKLM...CLSID} = "7-Zip Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
FineReader8\(Default) = "{F7091C74-EBB1-49D7-94C7-FE4886CCC18D}"
-> {HKLM...CLSID} = "FineReader8ExplorerContextMenuHandler"
\InProcServer32\(Default) = "C:\Program Files\ABBYY FineReader 8.0 Professional Edition\FECMenu.dll" ["ABBYY Software"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {HKLM...CLSID} = "VpshellEx Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
-> {HKLM...CLSID} = "TortoiseSVN"
\InProcServer32\(Default) = "C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll" ["www.tortoisesvn.org"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
{C5098102-EAF2-493A-883A-B7B751B21534}\(Default) = "{C5098102-EAF2-493A-883A-B7B751B21534}"
-> {HKLM...CLSID} = "FolderBox Shell Extensions"
\InProcServer32\(Default) = "C:\Program Files\FolderBox\FolderBoxShell.dll" [null data]
Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\PROGRA~1\Picasa2\Picasa2.scr" ["Google Inc."]
Startup items in "KRBO" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\KRBO\Menu Start\Programy\Autostart
"Procexp" -> shortcut to: "C:\install\ProcessExplorer\procexp.exe" ["Sysinternals"]
C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Utility Tray" -> shortcut to: "C:\WINDOWS\system32\sistray.exe" ["Silicon Integrated Systems Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06, 09 - 52
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
%SystemRoot%\system32\nutafun4.dll ["DataFocus, Inc."], 07 - 08
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"
-> {HKLM...CLSID} = "PDFCreator Toolbar"
\InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}"
-> {HKLM...CLSID} = "PDFCreator Toolbar"
\InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{31CF9EBE-5755-4A1D-AC25-2834D952D9B4}" = "PDFCreator Toolbar"
-> {HKLM...CLSID} = "PDFCreator Toolbar"
\InProcServer32\(Default) = "C:\Program Files\PDFCreator Toolbar\v3.0.0.0\PDFCreator_Toolbar.dll" [null data]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{3F5A62E2-51F2-11D3-A075-CC7364CAE42B}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Folder Box"
\InProcServer32\(Default) = "C:\PROGRA~1\FOLDER~1\FOLDER~1.DLL" [null data]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_10"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll" ["Sun Microsystems, Inc."]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Internet Explorer Address Prefixes:
-----------------------------------
Prefix for specific service (i.e., "www")
HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
<> "sftp://" = "sftp"
Miscellaneous IE Hijack Points
------------------------------
C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")
Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.winuel.com.pl
Missing lines (compared with English-language version):
[Strings]: 1 line
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ASUS Keyboard Service, ASUSKeyboardService, "C:\WINDOWS\ASUSKBService.exe" ["ASUSTeK COMPUTER INC."]
ATK Keyboard Service, ATKKeyboardService, "C:\WINDOWS\ATKKBService.exe" ["ASUSTeK COMPUTER INC."]
LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
MKS Telnetd, MKSTelnetd, "C:\WINDOWS\system32\telnetd.exe" ["DataFocus, Inc."]
MKSAUTH, MKSAUTH, "C:\WINDOWS\system32\mksauth.exe" ["Mortice Kern Systems Inc."]
Multi-user Cleanup Service, Multi-user Cleanup Service, "C:\lotus\notes\ntmulti.exe" ["IBM Corp"]
NuTCRACKER Service, NuTCRACKERService, "C:\WINDOWS\system32\nutsrv4.exe" ["DataFocus, Inc."]
RSHD, RSHD, "C:\ASCENT~1\QUALIT~1\USERTO~1\mks\mksnt\rshd.exe" ["Mortice Kern Systems Inc."]
SAVRoam, SavRoam, ""C:\Program Files\Symantec AntiVirus\SavRoam.exe"" ["symantec"]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, ""C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe"" ["Symantec Corporation"]
Usługa udostępniania w sieci programu Windows Media Player, WMPNetworkSvc, ""C:\Program Files\Windows Media Player\WMPNetwk.exe"" [MS]
Usługi Simple TCP/IP, SimpTcp, "C:\WINDOWS\System32\tcpsvcs.exe" [MS]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
NRG Language Monitor2\Driver = "rc4mon.dll" ["RICOH CO.,Ltd."]
PDFCreator\Driver = "pdfcmnnt.dll" [null data]
SmartNetMonitor\Driver = "RPNV2MON.DLL" ["RICOH"]
Toshiba Bluetooth Monitor\Driver = "tbtmon.dll" ["Toshiba America Business Solutions, Inc."]
----------
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 139 seconds.
---------- (total run time: 208 seconds)"