L2MFIX find log 032106 These are the registry keys present ********************************************************************************** Winlogon/notify: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\ 6c,00,00,00 “Logoff”=“ChainWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] “Asynchronous”=dword:00000000 “Impersonate”=dword:00000000 “DllName”=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\ 6c,00,6c,00,00,00 “Logoff”=“CryptnetWlxLogoffEvent” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] “DLLName”=“cscdll.dll” “Logon”=“WinlogonLogonEvent” “Logoff”=“WinlogonLogoffEvent” “ScreenSaver”=“WinlogonScreenSaverEvent” “Startup”=“WinlogonStartupEvent” “Shutdown”=“WinlogonShutdownEvent” “StartShell”=“WinlogonStartShellEvent” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] “Logoff”=“WLEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000001 “DllName”=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\ 6c,00,6c,00,00,00 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] “DLLName”=“WlNotify.dll” “Lock”=“SensLockEvent” “Logon”=“SensLogonEvent” “Logoff”=“SensLogoffEvent” “Safe”=dword:00000001 “MaxWait”=dword:00000258 “StartScreenSaver”=“SensStartScreenSaverEvent” “StopScreenSaver”=“SensStopScreenSaverEvent” “Startup”=“SensStartupEvent” “Shutdown”=“SensShutdownEvent” “StartShell”=“SensStartShellEvent” “Unlock”=“SensUnlockEvent” “Impersonate”=dword:00000001 “Asynchronous”=dword:00000001 [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck] “Asynchronous”=dword:00000000 “DllName”=“C:\WINNT\system32\j2p00c7mef.dll” “Impersonate”=dword:00000000 “Logon”=“WinLogon” “Logoff”=“WinLogoff” “Shutdown”=“WinShutdown” [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif] “DLLName”=“wzcdlg.dll” “Logon”=“WZCEventLogon” “Logoff”=“WZCEventLogoff” “Impersonate”=dword:00000000 “Asynchronous”=dword:00000000 ********************************************************************************** useragent: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform] “{CB22BEFC-3660-D38A-BD9B-02AC6703EE03}”="" ********************************************************************************** Shell Extension key: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved] “{00022613-0000-0000-C000-000000000046}”=“Karta wˆa˜ciwo˜ci pliku multimedialnego” “{176d6597-26d3-11d1-b350-080036a75b03}”=“ZarzĄdzanie skanerem ICM” “{1F2E5C40-9550-11CE-99D2-00AA006E086C}”=“Strona zabezpieczeä NTFS” “{3EA48300-8CF6-101B-84FB-666CCB9BCD32}”=“Strona wˆa˜ciwo˜ci OLE Docfile” “{40dd6e20-7c17-11ce-a804-00aa003ca9f6}”=“Rozszerzenia powˆoki dla udost©pniania zasob˘w” “{41E300E0-78B6-11ce-849B-444553540000}”=“Rozszerzenie CPL pakietu PlusPack” “{42071712-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL karty graficznej” “{42071713-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL monitora wy˜wietlania” “{42071714-76d4-11d1-8b24-00a0c9068ff3}”=“Rozszerzenie CPL kadrowania wy˜wietlania” “{4E40F770-369C-11d0-8922-00A024AB2DBB}”=“Strona zabezpieczeä usˆugi DS” “{56117100-C0CD-101B-81E2-00AA004AE837}”=“Program obsˆugi danych wycinkowych powˆoki” “{59099400-57FF-11CE-BD94-0020AF85B590}”=“Rozszerzenie Disc Copy” “{59be4990-f85c-11ce-aff7-00aa003ca9f6}”=“Rozszerzenia powˆoki dla obiekt˘w Microsoft Windows Network” “{5DB2625A-54DF-11D0-B6C4-0800091AA605}”=“ZarzĄdzanie monitorem ICM” “{675F097E-4C4D-11D0-B6C1-0800091AA605}”=“ZarzĄdzanie drukarkĄ ICM” “{764BF0E1-F219-11ce-972D-00AA00A14F56}”=“Rozszerzenia powˆoki dla kompresji plik˘w” “{77597368-7b15-11d0-a0c2-080036af3f03}”=“Rozszerzenie powˆoki drukarek sieci Web” “{7988B573-EC89-11cf-9C00-00AA00A14F56}”=“Disk Quota UI” “{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}”=“Menu kontekstowe szyfrowania” “{85BBD920-42A0-1069-A2E4-08002B30309D}”=“Akt˘wka” “{88895560-9AA2-1069-930E-00AA0030EBC8}”=“Rozszerzenie ikony HyperTerminalu” “{BD84B380-8CA2-1069-AB1D-08000948F534}”=“Fonts” “{DBCE2480-C732-101B-BE72-BA78E9AD5B27}”=“Profil ICC” “{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}”=“Strona zabezpieczeä drukarek” “{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}”=“Rozszerzenia powˆoki dla udost©pniania zasob˘w” “{f92e8c40-3d33-11d2-b1aa-080036a75b03}”=“Display TroubleShoot CPL Extension” “{60254CA5-953B-11CF-8C96-00AA00B8708C}”=“Rozszerzenie powloki dla programu Windows Script Host” “{7444C717-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto PKO” “{7444C719-39BF-11D1-8CD9-00C04FC29D45}”=“Rozszerzenie Crypto Sign” “{7007ACC7-3202-11D1-AAD2-00805FC1270E}”=“PoˆĄczenia sieciowe i telefoniczne” “{EFA24E61-B078-11d0-89E4-00C04FC9E26E}”=“Favorites Band” “{0A89A860-D7B1-11CE-8350-444553540000}”=“Shell Automation Inproc Service” “{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}”=“Shell DocObject Viewer” “{FBF23B40-E3F0-101B-8488-00AA003E56F8}”=“InternetShortcut” “{3C374A40-BAE4-11CF-BF7D-00AA006946EE}”=“Microsoft Url History Service” “{FF393560-C2A7-11CF-BFF4-444553540000}”=“Historia” “{7BD29E00-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{CFBFAE00-17A6-11D0-99CB-00C04FD64497}”=“Microsoft Url Search Hook” “{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}”=“Ekran powitalny pakietu IE4” “{67EA19A0-CCEF-11d0-8024-00C04FD75D13}”=“CDF Extension Copy Hook” “{131A6951-7F78-11D0-A979-00C04FD705A2}”=“ISFBand OC” “{9461b922-3c5a-11d2-bf8b-00c04fb93661}”=“Search Assistant OC” “{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}”=“Internet” “{871C5380-42A0-1069-A2EA-08002B30309D}”=“Internet Name Space” “{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Icon Handler” “{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}”=“Tasks Folder Shell Extension” “{D6277990-4C6A-11CF-8D87-00AA0060F5BF}”=“Zaplanowane zadania” “{1A9BA3A0-143A-11CF-8350-444553540000}”=“Folder Ulubione powˆoki” “{20D04FE0-3AEA-1069-A2D8-08002B30309D}”=“M˘j komputer” “{86747AC0-42A0-1069-A2E6-08002B30309D}”=“Folder Akt˘wka” “{0AFACED1-E828-11D1-9187-B532F1E9575D}”=“Skr˘t folderu” “{12518493-00B2-11d2-9FA5-9E3420524153}”=“Wolumin zainstalowany” “{21B22460-3AEA-1069-A2DC-08002B30309D}”=“Rozszerzenie strony wˆa˜ciwo˜ci pliku” “{B091E540-83E3-11CF-A713-0020AFD79762}”=“Strona typ˘w plik˘w” “{FBF23B41-E3F0-101B-8488-00AA003E56F8}”=“Przechwytywanie plik˘w typu MIME” “{C2FBB630-2971-11d1-A18C-00C04FD75D13}”=“Usˆuga Microsoft CopyTo” “{C2FBB631-2971-11d1-A18C-00C04FD75D13}”=“Usˆuga Microsoft MoveTo” “{13709620-C279-11CE-A49E-444553540000}”=“Usˆuga automatyzacji powˆoki” “{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}”=“Widok folderu automatyzacji powˆoki” “{4622AD11-FF23-11d0-8D34-00A0C90F2719}”=“Menu Start” “{7BA4C740-9E81-11CF-99D3-00AA004AE837}”=“Usˆuga Microsoft SendTo” “{D969A300-E7FF-11d0-A93B-00A0C90F2719}”=“Usˆuga Microsoft New Object” “{09799AFB-AD67-11d1-ABCD-00C04FC30936}”=“Obsˆuga menu kontekstowego “Otw˘rz z”” “{3FC0B520-68A9-11D0-8D77-00C04FD70822}”=“Wy˜wietlaj rozszerzenia HTML Panelu sterowania” “{75048700-EF1F-11D0-9888-006097DEACF9}”=“ActiveDesktop” “{6D5313C0-8C62-11D1-B2CD-006097DF8C11}”=“Rozszerzenie strony wˆa˜ciwo˜ci Opcje folder˘w” “{57651662-CE3E-11D0-8D77-00C04FC99D61}”=“CmdFileIcon” “{4657278A-411B-11d2-839A-00C04FD918D0}”=“Pomocnik dla operacji przeciĄgania i upuszczania powˆoki” “{A470F8CF-A1E8-4f65-8335-227475AA5C46}”=“Dodaj opcj© szyfrowania do menu kontekstowych w Eksploratorze” “{5E6AB780-7743-11CF-A12B-00AA004AE837}”=“Pasek narz©dzi programu Microsoft Internet” “{22BF0C20-6DA7-11D0-B373-00A0C9034938}”=“Stan pobierania” “{568804CA-CBD7-11d0-9816-00C04FD91972}”=“Folder powˆoki menu” “{5b4dae26-b807-11d0-9815-00c04fd91972}”=“Pasek menu” “{8278F931-2A3E-11d2-838F-00C04FD918D0}”=“Menu powˆoki ˜ledzenia” “{E13EF4E4-D2F2-11d0-9816-00C04FD91972}”=“Lokacja menu” “{ECD4FC4F-521C-11D0-B792-00A0C90312E1}”=“Pasek pulpitu menu” “{91EA3F8B-C99B-11d0-9815-00C04FD91972}”=“Folder powˆoki zwi©kszonej” “{6413BA2C-B461-11d1-A18A-080036B11A03}”=“Folder powˆoki zwi©kszonej 2” “{F61FFEC1-754F-11d0-80CA-00AA005B4383}”=“BandProxy” “{D82BE2B0-5764-11D0-A96E-00C04FD705A2}”=“IPasek folder˘w powˆoki” “{7BA4C742-9E81-11CF-99D3-00AA004AE837}”=“Pasek przeglĄdarki Microsoft” “{30D02401-6A81-11d0-8274-00C04FD5AE38}”=“Pasek wyszukiwania” “{169A0691-8DF9-11d1-A1C4-00C04FD75D13}”=“Wyszukiwanie w okienku” “{07798131-AF23-11d1-9111-00A0C98BA67D}”=“Wyszukiwanie w sieci Web” “{0E5CBF21-D15F-11d0-8301-00AA005B4383}”="&ťĄcza" “{AF4F6510-F982-11d0-8595-00AA004CD6D8}”=“Narz©dzie opcji drzewa rejestru” “{01E04581-4EEE-11d0-BFE9-00AA005B4383}”="&Adres" “{A08C11D2-A228-11d0-825B-00AA005B4383}”=“Pole edycji adresu” “{00BB2763-6A77-11D0-A535-00C04FD7D062}”=“Autouzupeˆnianie Microsoft” “{7487cd30-f71a-11d0-9ea7-00805f714772}”=“Obraz miniatury” “{7376D660-C583-11d0-A3A5-00C04FD706EC}”=“Wyodr©bnianie obraz˘w Trident” “{6756A641-DE71-11d0-831B-00AA005B4383}”=“Lista autouzupeˆniania MRU” “{00BB2764-6A77-11D0-A535-00C04FD7D062}”=“Lista autouzupeˆniania historii Microsoft” “{03C036F1-A186-11D0-824A-00AA005B4383}”=“Lista autouzupeˆniania folderu powˆoki Microsoft” “{00BB2765-6A77-11D0-A535-00C04FD7D062}”=“Kontener wielu list autouzupeˆniania Microsoft” “{ECD4FC4E-521C-11D0-B792-00A0C90312E1}”=“Menu witryny paska powˆoki” “{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}”=“Shell DeskBarApp” “{ECD4FC4C-521C-11D0-B792-00A0C90312E1}”=“Pasek pulpitu powˆoki” “{ECD4FC4D-521C-11D0-B792-00A0C90312E1}”=“Shell Rebar BandSite” “{DD313E04-FEFF-11d1-8ECD-0000F87A470C}”=“Pomoc dla uľytkownika” “{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}”=“Globalne ustawienia folder˘w” “{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}”=“Sendmail service” “{88C6C381-2E85-11D0-94DE-444553540000}”=“Folder pami©ci podr©cznej ActiveX” “{E6FB5E20-DE35-11CF-9C87-00AA005127ED}”=“WebCheck” “{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}”=“Subscription Mgr” “{F5175861-2688-11d0-9C5E-00AA00A45957}”=“Folder subskrypcji” “{08165EA0-E946-11CF-9C87-00AA005127ED}”=“WebCheckWebCrawler” “{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}”=“WebCheckChannelAgent” “{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}”=“TrayAgent” “{7D559C10-9FE9-11d0-93F7-00AA0059CE02}”=“Code Download Agent” “{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}”=“ConnectionAgent” “{D8BD2030-6FC9-11D0-864F-00AA006809D9}”=“PostAgent” “{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}”=“WebCheck SyncMgr Handler” “{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}”=“Miniatury” “{EAB841A0-9550-11CF-8C16-00805F1408F3}”=“Rozpakowywacz miniatur HTML” “{1AEB1360-5AFC-11D0-B806-00C04FD706EC}”=“Rozpakowywacz miniatur filtr˘w graficznych Office” “{9DBD2C50-62AD-11D0-B806-00C04FD706EC}”=“Informacje podsumowujĄce obsˆugi miniatur (DOCFILES)” “{500202A0-731E-11D0-B829-00C04FD706EC}”=“Obsˆuga interfejsu miniatur plik˘w typu LNK” “{352EC2B7-8B9A-11D1-B8AE-006008059382}”=“Menedľer aplikacji powˆoki” “{0B124F8C-91F0-11D1-B8B5-006008059382}”=“Wyliczanie zainstalowanych aplikacji” “{CFCCC7A0-A282-11D1-9082-006008059382}”=“Darwin App Publisher” “{fe1290f0-cfbd-11cf-a330-00aa00c16e65}”=“Directory Namespace” “{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}”=“Shell properties for a DS object” “{8A23E65E-31C2-11d0-891C-00A024AB2DBB}”=“Directory Query UI” “{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}”=“Directory Object Find” “{F020E586-5264-11d1-A532-0000F8757D7E}”=“Directory Start/Search Find” “{0D45D530-764B-11d0-A1CA-00AA00C16E65}”=“Directory Property UI” “{62AE1F9A-126A-11D0-A14B-0800361B1103}”=“Directory Context Menu Verbs” “{450D8FBA-AD25-11D0-98A8-0800361B1103}”=“MyDocs Folder” “{ECF03A33-103D-11d2-854D-006008059367}”=“MyDocs Copy Hook” “{ECF03A32-103D-11d2-854D-006008059367}”=“MyDocs Drop Target” “{4a7ded0a-ad25-11d0-98a8-0800361b1103}”=“MyDocs Properties” “{750fdf0e-2a26-11d1-a3ea-080036587f03}”=“Menu plik˘w trybu offline” “{10CFC467-4392-11d2-8DB4-00C04FA31A66}”=“Opcje folderu plik˘w trybu offline” “{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}”=“Folder plik˘w trybu offline” “{7A80E4A8-8005-11D2-BCF8-00C04F72C717}”=“MMC Icon Handler” “{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}”=".CAB file viewer" “{2F603045-309F-11CF-9774-0020AFD0CFF6}”=“Synaptics Control Panel” “{32683183-48a0-441b-a342-7c2a440a9478}”=“Pasek multimedi˘w” “{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}”=“Niestandardowa lista autouzupeˆniania MRU” “{7e653215-fa25-46bd-a339-34a2790f3cb7}”=“Dost©pny” “{acf35015-526e-4230-9596-becbe19f0ac9}”=“Pasek podr©czny ˜ledzenia” “{E0E11A09-5CB8-4B6C-8332-E00720A168F2}”=“Analizator paska adresu” “{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}”=“Microsoft Browser Architecture” “{7BD29E01-76C1-11CF-9DD0-00A0C9034933}”=“Tymczasowe pliki internetowe” “{EFA24E64-B078-11d0-89E4-00C04FC9E26E}”=“Pasek eksploratora” “{f39a0dc0-9cc8-11d0-a599-00c04fd64433}”=“Plik kanaˆu” “{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}”=“Skr˘t kanaˆu” “{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}”=“Obiekt obsˆugi kanaˆu” “{f3da0dc0-9cc8-11d0-a599-00c04fd64437}”=“Channel Menu” “{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}”=“Channel Properties” “{32714800-2E5F-11d0-8B85-00AA0044F941}”="&Do os˘b…" “{2206CDB2-19C1-11D1-89E0-00C04FD7A829}”=“Microsoft Data Link” “{BDEADF00-C265-11D0-BCED-00A0C90AB50F}”=“Foldery w sieci Web” “{42042206-2D85-11D3-8CFF-005004838597}”=“Microsoft Office HTML Icon Handler” “{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}”="" “{23170F69-40C1-278A-1000-000100020000}”=“7-Zip Shell Extension” ********************************************************************************** HKEY ROOT CLASSIDS: Windows Registry Editor Version 5.00 [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}] @="" [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}\Implemented Categories] @="" [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}\Implemented Categories{00021492-0000-0000-C000-000000000046}] @="" [HKEY_CLASSES_ROOT\CLSID{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}\InprocServer32] @=“C:\WINNT\system32\dbauth.dll” “ThreadingModel”=“Apartment” ********************************************************************************** Files Found are not all bad files: C:\WINNT\SYSTEM32\ acmeter.dll Tue 2006-08-22 10:19:08 …S.R 234 272 228,78 K dbauth.dll Tue 2006-08-22 10:47:06 …S.R 234 344 228,85 K djk4937e.dll Sun 2006-08-20 21:26:12 A… 61 952 60,50 K ivlmgicd.dll Tue 2006-08-22 10:31:16 …S.R 234 344 228,85 K j2p00c~1.dll Tue 2006-08-22 10:19:08 …S.R 234 344 228,85 K jtp607~1.dll Tue 2006-08-22 10:29:08 …S.R 234 272 228,78 K lvrs09~1.dll Tue 2006-08-22 10:36:16 …S.R 234 344 228,85 K oyjsel.dll Mon 2006-08-21 7:46:20 …S.R 234 272 228,78 K rafsaps.dll Sun 2006-08-20 21:26:00 …S.R 234 272 228,78 K rrsdlg.dll Sun 2006-08-20 21:25:42 …S.R 234 272 228,78 K rysmans.dll Sun 2006-08-20 21:25:46 …S.R 234 272 228,78 K t8r8li~1.dll Mon 2006-08-21 7:42:42 …S.R 234 272 228,78 K w02f3033.dll Sun 2006-08-20 21:26:06 A… 29 696 29,00 K 13 items found: 13 files (11 H/S), 0 directories. Total of file sizes: 2 668 928 bytes 2,54 M Locate .tmp files: No matches found. ********************************************************************************** Directory Listing of system files: Wolumin w stacji C nie ma etykiety. Numer seryjny woluminu: 849F-E539 Katalog: C:\WINNT\System32 2006-08-22 10:47 234˙344 dbauth.dll 2006-08-22 10:36 234˙344 lvrs0997e.dll 2006-08-22 10:31 234˙344 iVlmgicd.dll 2006-08-22 10:29 234˙272 jtp6077se.dll 2006-08-22 10:19 234˙272 acmeter.dll 2006-08-22 10:19 234˙344 j2p00c7mef.dll 2006-08-21 07:46 234˙272 oyjsel.dll 2006-08-21 07:42 234˙272 t8r8li9u18.dll 2006-08-20 21:25 234˙272 rafsaps.dll 2006-08-20 21:25 234˙272 rYsmans.dll 2006-08-20 21:25 234˙272 RRSDLG.DLL 2006-06-05 09:44 2003-07-08 14:00 188˙416 msjava.exe 2003-07-08 14:00 305˙653 msijavaup32.exe 2003-07-08 14:00 187˙392 WunosJava.exe 14 plik(˘w) 3˙258˙741 bajt˘w 1 katalog(˘w) 75˙083˙235˙328 bajt˘w wolnych Kod: “Silent Runners.vbs”, revision 46, http://www.silentrunners.org/ Operating System: Windows 2000 Output limited to non-default values, except where indicated by “{++}” Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”] “mssp3” = “C:\WINNT\system32\mshost32.exe” [null data] “shell” = ““C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”” [null data] “wqwm” = “C:\PROGRA~1\COMMON~1\wqwm\wqwmm.exe” [empty string] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} “SoundMan” = “SOUNDMAN.EXE” [“Realtek Semiconductor Corp.”] “BisonCom” = “C:\WINNT\VdCap03C\BisonCom” [null data] “Synchronization Manager” = “mobsync.exe /logon” [MS] “Picasa Media Detector” = “C:\Program Files\Picasa2\PicasaMediaDetector.exe” [“Google Inc.”] “djk4937e” = “RUNDLL32.EXE w02f3033.dll,n 0034937b0000000a02f3033” [MS] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ “{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania” -> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania” \InProcServer32(Default) = “deskpan.dll” [file not found] “{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu” -> {HKLM…CLSID} = “HyperTerminal Icon Ext” \InProcServer32(Default) = “C:\WINNT\system32\hticons.dll” [“Hilgraeve, Inc.”] “{2F603045-309F-11CF-9774-0020AFD0CFF6}” = “Synaptics Control Panel” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Synaptics\SynTP\SynTPCpl.dll” [“Synaptics, Inc.”] “{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS] “{6DC50BF4-2F6E-4C75-B263-12F393BC4CC4}” = (no title provided) -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\acmeter.dll” [null data] “{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ “” = “{E61B5E20-DE35-11CF-9C87-1579005127ED}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\msc.cpl” [null data] “msp.cpl” = “{E21B5E20-DE35-11CF-9C87-157900512701}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\WINNT\system32\msp.cpl” [null data] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ INFECTION WARNING! “Shell” = “Explorer.exe WunosJava.exe” [MS], [null data] INFECTION WARNING! “Userinit” = “C:\WINNT\system32\userinit.exe,WunosJava.exe” [MS], [null data] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! Run\DLLName = “C:\WINNT\system32\gp46l3hs1.dll” [null data] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}” -> {HKLM…CLSID} = (no title provided) \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS] HKLM\Software\Classes\Folder\shellex\ColumnHandlers\ {F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info” -> {HKLM…CLSID} = “PDF Shell Extension” \InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”] HKLM\Software\Classes*\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ 7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}” -> {HKLM…CLSID} = “7-Zip Shell Extension” \InProcServer32(Default) = “C:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState Startup items in “Administrator” & “All Users” startup folders: --------------------------------------------------------------- C:\Documents and Settings\All Users.WINNT\Menu Start\Programy\Autostart “Adobe Reader Speed Launch” -> shortcut to: “C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe” [“Adobe Systems Incorporated”] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = “%SystemRoot%\System32\rnr20.dll” [MS] 000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: %SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 12 %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ “{44BE0690-5429-47F0-85BB-3FFD8020233E}” = “44BE0690-5429-47f0-85BB-3FFD8020233E” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [“Effective-i Inc.”] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ “{44BE0690-5429-47F0-85BB-3FFD8020233E}” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [“Effective-i Inc.”] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ “{44BE0690-5429-47F0-85BB-3FFD8020233E}” = “UCmore - The Search Accelerator” -> {HKLM…CLSID} = “UCmore XP - The Search Accelerator” \InProcServer32(Default) = “C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll” [“Effective-i Inc.”] All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}): --------------------------------------------------------------------------- DSDM DDE sieci, NetDDEdsdm, “C:\WINNT\system32\netdde.exe” [MS] HID Input Service, HidServ, “C:\WINNT\system32\hidserv.exe” [MS] Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE”” [MS] Office Source Engine, ose, ““C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE”” [MS] System zdarzeń COM+, EventSystem, “C:\WINNT\system32\svchost.exe -k netsvcs” {“C:\WINNT\system32\es.dll” [null data]} Usługa administracyjna Menedżera dysków logicznych, dmadmin, “C:\WINNT\System32\dmadmin.exe /com” [“VERITAS Software Corp.”] Print Monitors: --------------- HKLM\System\CurrentControlSet\Control\Print\Monitors\ Microsoft Document Imaging Writer Monitor\Driver = “mdimon.dll” [MS] PDF-XChange\Driver = “pxc25pm.dll” [“Tracker Software”] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box. ---------- (total run time: 32 seconds, including 17 seconds for message boxes)