SilentRunners: czy wszystko OK?


(Wera95) #1

Witam,

Kilka minut temu załadowałem i próbowałem uruchomić SilentRunners. Jednak NAV zidentyfikował go jako złośclijavascript:emoticon(':-x')wy skrypt, więc sie powstrzymałem. Ktoś go ostatnio uruchamiał? Słyszałem, że fałszywy alarm nie jest wyjątkiem, ale moze ktoś doświadczony potwierdziłby mi że mogę z nim spokojnie jechać javascript:emoticon('8)')


(Gblade) #2

Silent runners nie jest szkodliwy, wyłącz nortona na czas skanowania :wink:


(Wera95) #3

i oto log a wnim dwa ostrzeżenia. Od rzu przpraszma gdyby sie xle wkleiło:

“Silent Runners.vbs”, revision 44, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]

“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}

“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]

“Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer” [“Symantec Corporation”]

“SunJavaUpdateSched” = “C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe” [“Sun Microsystems, Inc.”]

“Odkurzacz-MCD” = “D:\odkurzacz\odk_mcd.exe” [“FranmoSoft”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{53707962-6F74-2D53-2644-206D7942484F}(Default) = (no title provided)

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\PROGRA~1\SPYBOT~1\SDHelper.dll” [“Safer Networking Limited”]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)

-> {HKLM…CLSID} = “SSVHelper Class”

\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll” [file not found]

{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = (no title provided)

-> {HKLM…CLSID} = “CNavExtBho Class”

\InProcServer32(Default) = “C:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{00020D75-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Desktop Icon Handler”

-> {HKLM…CLSID} = “Microsoft Office Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL” [MS]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Office Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL” [MS]

“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]

“{21569614-B795-46b1-85F4-E737A8DC09AD}” = “Shell Search Band”

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”

-> {HKLM…CLSID} = “RealOne Player Context Menu Class”

\InProcServer32(Default) = “D:\realPlayer\rpshell.dll” [“RealNetworks, Inc.”]

“{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension”

-> {HKLM…CLSID} = “UnlockerShellExtension”

\InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

INFECTION WARNING! “{54D9498B-CF93-414F-8984-8CE7FDE0D391}” = “ewido shell guard”

-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\shellhook.dll” ["TODO: "]

HKLM\Software\Classes\PROTOCOLS\Filter\

INFECTION WARNING! text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\

ClamWin(Default) = “{65713842-C410-4f44-8383-BFE01A398C90}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “H:\Clam\bin\ExpShell.dll” [file not found]

ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}”

-> {HKLM…CLSID} = “Ctest Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”]

Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”

-> {HKLM…CLSID} = “IEContextMenu Class”

\InProcServer32(Default) = “C:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

ewido(Default) = “{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}”

-> {HKLM…CLSID} = “Ctest Object”

\InProcServer32(Default) = “C:\Program Files\ewido anti-malware\context.dll” [“ewido networks”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

ClamWin(Default) = “{65713842-C410-4f44-8383-BFE01A398C90}”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “H:\Clam\bin\ExpShell.dll” [file not found]

Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”

-> {HKLM…CLSID} = “IEContextMenu Class”

\InProcServer32(Default) = “C:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”

-> {HKLM…CLSID} = “UnlockerShellExtension”

\InProcServer32(Default) = “C:\Program Files\Unlocker\UnlockerCOM.dll” [null data]

Active Desktop and Wallpaper:


Active Desktop is disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\

“Wallpaper” = “C:\Documents and Settings\WERONIKA\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”

Enabled Screen Saver:


HKCU\Control Panel\Desktop\

“SCRNSAVE.EXE” = “C:\WINDOWS\system32\Goldfish.scr” [null data]

Startup items in “WERONIKA” & “All Users” startup folders:


C:\Documents and Settings\WERONIKA\Menu Start\Programy\Autostart

INFECTION WARNING! “WordWeb.lnk.disabled” [null data]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

INFECTION WARNING! “Adobe Reader Speed Launch.lnk.disabled” [null data]

“SAGEM Wi-Fi 11g USB adapter LAN Utility” -> shortcut to: “C:\Program Files\SAGEM WiFi manager\WLANUTL.exe” [" "]

Enabled Scheduled Tasks:


“Symantec NetDetect” -> launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”]

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:


Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\

“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}”

-> {HKLM…CLSID} = “Norton AntiVirus”

\InProcServer32(Default) = “C:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\

“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus”

-> {HKLM…CLSID} = “Norton AntiVirus”

\InProcServer32(Default) = “C:\Program Files\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\

{21569614-B795-46B1-85F4-E737A8DC09AD}(Default) = (no title provided)

-> {HKLM…CLSID} = “Shell Search Band”

\InProcServer32(Default) = “C:\WINDOWS\system32\browseui.dll” [MS]

Dormant Explorer Bars in “View, Explorer Bar” menu

HKLM\Software\Classes\CLSID{FF059E31-CC5A-4E2E-BF3B-96E929D65503}(Default) = “&Badanie”

Implemented Categories{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL” [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):


Canon Camera Access Library 8, CCALib8, “C:\Program Files\Canon\CAL\CALMAIN.exe” [“Canon Inc.”]

ewido security suite control, ewido security suite control, “C:\Program Files\ewido anti-malware\ewidoctrl.exe” [“ewido networks”]

ewido security suite guard, ewido security suite guard, “C:\Program Files\ewido anti-malware\ewidoguard.exe” [“ewido networks”]

Sunbelt Kerio Personal Firewall 4, KPF4, ““C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe”” [“Sunbelt Software”]

Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”]

Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”]

SymWMI Service, SymWSC, ““C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe”” [“Symantec Corporation”]

Usługa Auto Protect programu Norton AntiVirus, navapsvc, ““C:\Program Files\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”]


  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 6 seconds.

  • The search for all Registry CLSIDs containing dormant Explorer Bars

took 16 seconds.

---------- (total run time: 45 seconds)


(Gblade) #4

Czysto :wink: