Hi, sorry - I thought I was doing it the way I was supposed to, but it turned out otherwise - I'll do better! And the game was from here: http://www.cda.pl/gry/rez.php
Merged post: 25.03.2007 (Sun) 0:22
“Michal” - 07-03-22 23:40:59 Dodatek Service Pack 2
ComboFix 07-03-22 - Running from: “C:\Program Files”
((((((((((((((((((((((((((((((( Files Created from 2007-02-22 to 2007-03-22 ))))))))))))))))))))))))))))))))))
2007-03-22 21:55 1,111,686 --a------ C:\Program Files\ComboFix.exe
2007-03-22 17:37 494,582 --a------ C:\Program Files\Fixwareout.exe
2007-03-22 16:40
2007-03-22 15:49
2007-03-22 15:33
2007-03-22 14:04
2007-03-22 14:03 553,687 --a------ C:\Program Files\RegCleaner(dobreprogramy.pl).exe
2007-03-21 23:56 347,253 --a------ C:\Program Files\Silent Runners.vbs
2007-03-21 22:10 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-03-21 22:10
2007-03-21 22:10
2007-03-21 22:10
2007-03-21 22:10
2007-03-21 22:10
2007-03-21 22:10
2007-03-21 22:10
2007-03-21 21:34
2007-03-21 17:44 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-21 17:43 6,469,352 --a------ C:\Program Files\avgas-setup-7.5.0.50.exe
2007-03-21 01:15
2007-03-19 18:09
2007-03-19 00:14
2007-03-15 19:25
2007-03-15 12:00 466,432 --a------ C:\WINDOWS\system32\SkanerOnline.dll
2007-03-14 21:25
2007-03-14 21:22
2007-03-11 01:21
2007-03-10 15:05 3,728,158 --a------ C:\Program Files\ultra_dvdcreator.exe
2007-03-10 14:44 491,520 --a------ C:\WINDOWS\system32\lkVCDimager.dll
2007-03-09 23:55
2007-03-09 23:38
2007-03-08 16:58
2007-03-06 18:40
2007-03-06 18:40
2007-03-06 17:51 813,888 --a------ C:\Program Files\megauploadtoolbarsetup.exe
2007-03-03 17:29
2007-03-02 15:29
2007-03-02 15:27
2007-03-01 18:47 1,049,255 --a------ C:\Program Files\wrar362pl.exe
2007-03-01 00:06
2007-02-28 22:45
2007-02-28 21:32
2007-02-27 20:11 192,512 --a------ C:\WINDOWS\system32\srkey.exe
2007-02-27 20:11
2007-02-27 17:23 139,264 --a------ C:\WINDOWS\NeoUninstall.exe
2007-02-27 17:22
2007-02-27 16:53
2007-02-26 18:47
2007-02-26 16:06
2007-02-24 18:18 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-02-24 18:18
2007-02-24 18:16
2007-02-24 18:14 7,732,946 --a------ C:\Program Files\AVI_ReComp_1.2.3_Setup.exe
2007-02-24 17:22 87,608 --a------ C:\DOCUME~1\Michal\DANEAP~1\ezpinst.exe
2007-02-24 17:22 47,360 --a------ C:\DOCUME~1\Michal\DANEAP~1\pcouffin.sys
2007-02-24 17:22
2007-02-24 17:20 6,581,224 --a------ C:\Program Files\vsoConvertXtoDVD2_setup.exe
2007-02-24 13:07
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-03-22 23:39 -------- d-------- C:\DOCUME~1\Michal\DANEAP~1\skype
2007-03-22 23:37 16 --a------ C:\WINDOWS\system32\magicpvt.dat
2007-03-22 21:50 19838 --a------ C:\Program Files\startup programs (micha-ec058474c) 2007-03-22 21.49.40.txt
2007-03-22 19:42 19838 --a------ C:\Program Files\startup programs (micha-ec058474c) 2007-03-22 19.41.16.txt
2007-03-22 19:21 32 --a------ C:\WINDOWS\system32\driver.dat
2007-03-22 19:21 20287 --a------ C:\Program Files\startup programs (micha-ec058474c) 2007-03-22 16.36.53.txt
2007-03-22 17:45 21706 --a------ C:\Program Files\startup programs (micha-ec058474c) 2007-03-22 17.44.54.txt
2007-03-22 16:40 491891 --a------ C:\Program Files\gmer.zip
2007-03-22 13:57 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-21 21:34 3593154 --a------ C:\Program Files\tworzenie0.rar
2007-03-21 18:38 212849 --a------ C:\Program Files\hijackthis.zip
2007-03-21 18:31 -------- d-------- C:\Program Files\gnutella lite
2007-03-21 16:13 -------- d-------- C:\Program Files\norton internet security
2007-03-21 01:15 -------- d-------- C:\Program Files\symantec
2007-03-11 18:25 -------- d-------- C:\Program Files\emule
2007-03-10 15:12 -------- d-------- C:\Program Files\vso
2007-03-10 15:11 55 --a------ C:\DOCUME~1\Michal\DANEAP~1\pcouffin.log
2007-03-10 15:11 1144 --a------ C:\DOCUME~1\Michal\DANEAP~1\pcouffin.inf
2007-03-10 15:11 1074 --a------ C:\DOCUME~1\Michal\DANEAP~1\pcouffin.cat
2007-03-10 14:45 -------- d-------- C:\Program Files\usugi online
2007-03-10 14:45 -------- d-------- C:\Program Files\avisynth 2.5
2007-03-08 16:57 1034755 --a------ C:\Program Files\tmpgenc.zip
2007-03-03 18:46 -------- d-------- C:\Program Files\ganymedenet
2007-03-03 17:30 -------- d-------- C:\Program Files\common
2007-03-01 16:40 -------- d-------- C:\Program Files\odkurzacz
2007-02-28 21:32 -------- d-a------ C:\Program Files\ýe§
2007-02-27 20:11 -------- d--h----- C:\Program Files\installshield installation information
2007-02-25 14:04 -------- d-------- C:\Program Files\windows media connect 2
2007-02-20 00:37 -------- d-------- C:\Program Files\ginwords
2007-02-20 00:36 -------- d-------- C:\Program Files\ginwordssingle
2007-02-19 19:51 -------- d-------- C:\Program Files\ganymede
2007-02-18 15:54 -------- d-------- C:\DOCUME~1\Michal\DANEAP~1\simple sudoku
2007-02-16 13:34 -------- d-------- C:\Program Files\gabest
2007-02-16 00:22 6457048 --a------ C:\Program Files\odkurzacz.exe
2007-02-15 01:28 -------- d-------- C:\Program Files\ginmahjong
2007-02-15 01:27 -------- d-------- C:\Program Files\temp
2007-02-14 02:23 2560 --a------ C:\WINDOWS_msrstrt.exe
2007-02-13 20:43 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2007-02-11 12:38 4987838 --a------ C:\Program Files\gnutella_lite_free.exe
2007-02-10 22:35 8464 --a------ C:\WINDOWS\system32\sporder.dll
2007-02-10 22:30 3274990 --a------ C:\Program Files\atomixmp3_trial.exe
2007-02-09 13:48 -------- d-------- C:\Program Files\cdex_170b2
2007-02-08 17:22 -------- d-------- C:\DOCUME~1\Michal\DANEAP~1\freecall
2007-02-08 13:58 26488 --a------ C:\DOCUME~1\Michal\DANEAP~1\gdipfontcachev1.dat
2007-02-07 12:39 517840 --a------ C:\WINDOWS\system32\symneti.dll
2007-02-07 12:39 269616 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2007-02-07 12:39 132816 --a------ C:\WINDOWS\system32\symredir.dll
2007-02-07 12:38 47184 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2007-02-07 12:38 36976 --a------ C:\WINDOWS\system32\drivers\symids.sys
2007-02-07 12:38 17968 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2007-02-07 12:38 173392 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2007-02-07 12:38 11536 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2007-02-05 00:06 29 --a------ C:\WINDOWS\popcinfo.dat
2007-02-04 21:23 4 --a------ C:\WINDOWS\system32\proc20744962.bin
2007-02-03 22:12 -------- d-------- C:\Program Files\skype
2007-02-03 22:10 17529992 --a------ C:\Program Files\onet-skypesetup.exe
2007-02-03 17:04 -------- d-------- C:\Program Files\google
2007-02-03 01:57 -------- d-------- C:\Program Files\reflexivearcade
2007-01-28 17:45 -------- d-------- C:\DOCUME~1\Michal\DANEAP~1\google
2007-01-28 14:40 -------- d-------- C:\DOCUME~1\Michal\DANEAP~1\sun
2007-01-28 14:39 -------- d-------- C:\Program Files\java
2007-01-28 11:41 67078 --a------ C:\WINDOWS\system32\perfc015.dat
2007-01-28 11:41 435978 --a------ C:\WINDOWS\system32\perfh015.dat
2007-01-27 19:57 -------- d-------- C:\Program Files\messenger
2007-01-26 15:01 -------- d-------- C:\DOCUME~1\Michal\DANEAP~1\zylom
2007-01-25 16:34 -------- d-------- C:\DOCUME~1\Michal\DANEAP~1\real
2007-01-25 13:30 -------- d-------- C:\Program Files\gadu-gadu
2007-01-19 09:40 89088 --a------ C:\WINDOWS\system32\skaneronlineuninstall.exe
2007-01-08 19:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
“CTFMON.EXE”=“C:\WINDOWS\system32\ctfmon.exe”
“MSMSGS”="“C:\Program Files\Messenger\msmsgs.exe” /background"
“NBJ”="“C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe”"
“Gadu-Gadu”="“C:\Program Files\Gadu-Gadu\gg.exe” /tray"
“Skype”="“C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized"
“Odkurzacz-MCD”=“C:\Program Files\Odkurzacz\odk_mcd.exe”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
“SkyTel”=“SkyTel.EXE”
“RemoteControl”="“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”"
“InCD”=“C:\Program Files\Ahead\InCD\InCD.exe”
“NeroFilterCheck”=“C:\WINDOWS\system32\NeroCheck.exe”
“NvCplDaemon”=“RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup”
“nwiz”=“nwiz.exe /install”
“NvMediaCenter”=“RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit”
“RTHDCPL”=“RTHDCPL.EXE”
“Alcmtr”=“ALCMTR.EXE”
“LiveMonitor”=“C:\Program Files\MSI\Live Update 3\LMonitor.exe”
@=""
“NVIDIA nTune”="“C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe” clear"
“ccApp”="“C:\Program Files\Common Files\Symantec Shared\ccApp.exe”"
“MagicRotation”=“C:\Program Files\MagicRotation\MagicPvt.exe”
“StormCodec_Helper”="“C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe” /S /opti"
“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe”
“SunJavaUpdateSched”="“C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”"
“Symantec NetDriver Monitor”=“C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer”
“!AVG Anti-Spyware”="“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
“Installed”=“1”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
“Installed”=“1”
“NoChange”=“1”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
“Installed”=“1”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{57B86673-276A-48B2-BAE7-C6DBB3020EB8}”=“AVG Anti-Spyware 7.5”
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
“WPDShServiceObj”="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
“SecurityProviders”=“msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Contents of the ‘Scheduled Tasks’ folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Michal.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes …
scanning hidden services …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-03-22 23:43:39
C:\ComboFix2.txt … 07-03-22 21:57
Merged post: 25.03.2007 (Sun) 0:23
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “C:\WINDOWS\system32\ctfmon.exe” [MS]
“MSMSGS” = ““C:\Program Files\Messenger\msmsgs.exe” /background” [MS]
“NBJ” = ““C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe”” [“Ahead Software AG”]
“Gadu-Gadu” = ““C:\Program Files\Gadu-Gadu\gg.exe” /tray” [“Gadu-Gadu S.A.”]
“Skype” = ““C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized” [“Skype Technologies S.A.”]
“Odkurzacz-MCD” = “C:\Program Files\Odkurzacz\odk_mcd.exe” [“Franmo Software”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“SkyTel” = “SkyTel.EXE” [“Realtek Semiconductor Corp.”]
“RemoteControl” = ““C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”” [“Cyberlink Corp.”]
“InCD” = “C:\Program Files\Ahead\InCD\InCD.exe” [“Nero AG”]
“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“NvCplDaemon” = “RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup” [MS]
“nwiz” = “nwiz.exe /install” [“NVIDIA Corporation”]
“NvMediaCenter” = “RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit” [MS]
“RTHDCPL” = “RTHDCPL.EXE” [“Realtek Semiconductor Corp.”]
“Alcmtr” = “ALCMTR.EXE” [“Realtek Semiconductor Corp.”]
“LiveMonitor” = “C:\Program Files\MSI\Live Update 3\LMonitor.exe” [empty string]
“(Default)” = “(empty string)” [file not found]
“NVIDIA nTune” = ““C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe” clear” [“NVIDIA”]
“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]
“MagicRotation” = “C:\Program Files\MagicRotation\MagicPvt.exe” [“Samsung Electronics, Inc.”]
“StormCodec_Helper” = ““C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe” /S /opti” [null data]
“HP Software Update” = “C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [“Hewlett-Packard Development Company, L.P.”]
“SunJavaUpdateSched” = ““C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“Symantec NetDriver Monitor” = “C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer” [“Symantec Corporation”]
“!AVG Anti-Spyware” = ““C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized” [“Anti-Malware Development a.s.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}(Default) = (no title provided)
-> {HKLM…CLSID} = “Yahoo! Companion BHO”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll” [“Yahoo! Inc.”]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C}(Default) = “Skype add-on (mastermind)”
-> {HKLM…CLSID} = “Skype add-on (mastermind)”
\InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”]
{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}(Default) = (no title provided)
-> {HKLM…CLSID} = “Megaupload Toolbar”
\InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}(Default) = (no title provided)
-> {HKLM…CLSID} = “CNisExtBho Class”
\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]
{AA58ED58-01DD-4d91-8333-CF10577473F7}(Default) = (no title provided)
-> {HKLM…CLSID} = “Google Toolbar Helper”
\InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”]
{BDF3E430-B101-42AD-A544-FADC6B084872}(Default) = (no title provided)
-> {HKLM…CLSID} = “CNavExtBho Class”
\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “C:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{EFA24E62-B078-11d0-89E4-00C04FC9E26E}” = “History Band”
-> {HKLM…CLSID} = “History Band”
\InProcServer32(Default) = “C:\WINDOWS\system32\shdocvw.dll” [MS]
“{950FF917-7A57-46BC-8017-59D9BF474000}” = “Shell Extension for CDRW”
-> {HKLM…CLSID} = “Shell Extension for CDRW”
\InProcServer32(Default) = “C:\Program Files\Ahead\InCD\incdshx.dll” [“Nero AG”]
“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”
-> {HKLM…CLSID} = “DesktopContext Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”
-> {HKLM…CLSID} = “NVIDIA CPL Extension”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvcpl.dll” [“NVIDIA Corporation”]
“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”
-> {HKLM…CLSID} = “Desktop Explorer”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”
-> {HKLM…CLSID} = “nView Desktop Context Menu”
\InProcServer32(Default) = “C:\WINDOWS\system32\nvshell.dll” [“NVIDIA Corporation”]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”
-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL” [MS]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
-> {HKLM…CLSID} = (no title provided)
\InProcServer32(Default) = “C:\Program Files\Microsoft Office\Office10\msohev.dll” [MS]
“{59403EC0-EA55-11d5-954A-9A53884D6E09}” = “SecureDoc”
-> {HKLM…CLSID} = “SecureDoc”
\InProcServer32(Default) = “C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll” [“msi”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{9E5E1445-6CEA-4761-8E45-AA19F654571E}” = “MagicRotation Shell Extension”
-> {HKLM…CLSID} = “BkgndCtxMenuExt Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\mpvthook.dll” [“Samsung Electronics, Inc.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> “{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “AVG Anti-Spyware 7.5”
-> {HKLM…CLSID} = “CShellExecuteHookImpl Object”
\InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll” [“Anti-Malware Development a.s.”]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
“WPDShServiceObj” = “{AAA288BA-9A4C-45B0-95D7-94D524869DB5}”
-> {HKLM…CLSID} = “WPDShServiceObj Class”
\InProcServer32(Default) = “C:\WINDOWS\system32\WPDShServiceObj.dll” [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
-> {HKLM…CLSID} = “CContextScan Object”
\InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”]
SecureDocMenu(Default) = “{59403EC0-EA55-11d5-954A-9A53884D6E09}”
-> {HKLM…CLSID} = “SecureDoc”
\InProcServer32(Default) = “C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll” [“msi”]
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”
-> {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AVG Anti-Spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
-> {HKLM…CLSID} = “CContextScan Object”
\InProcServer32(Default) = “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll” [“Anti-Malware Development a.s.”]
SecureDocMenu(Default) = “{59403EC0-EA55-11d5-954A-9A53884D6E09}”
-> {HKLM…CLSID} = “SecureDoc”
\InProcServer32(Default) = “C:\PROGRA~1\MSI\SECURE~1\SecDoc.dll” [“msi”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}”
-> {HKLM…CLSID} = “IEContextMenu Class”
\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
Group Policies {policy setting}:
Note: detected settings may not have any effect.
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“DisableRegistryTools” = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
“Wallpaper” = “C:\Documents and Settings\Michal\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp”
Startup items in “Michal” & “All Users” startup folders:
C:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
“HP Digital Imaging Monitor” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe” [“Hewlett-Packard Development Company, L.P.”]
“HP Photosmart Premier - Szybkie uruchomienie” -> shortcut to: “C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s” [null data]
“InterVideo WinCinema Manager” -> shortcut to: “C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe” [“InterVideo Inc.”]
“MagicTune 3.5” -> shortcut to: “C:\Program Files\SEC\MagicTune3.5_Client\MagicTuneTray.exe” [empty string]
“Microsoft Office” -> shortcut to: “C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l” [MS]
“NaturalColorLoad” -> shortcut to: “C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe” [empty string]
“SecureDoc” -> shortcut to: “C:\Program Files\MSI\SecureDoc\Logon.exe” [“msi”]
Enabled Scheduled Tasks:
“Norton AntiVirus - Scan my computer - Michal” -> launches: “C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:“C:\Documents and Settings\All Users.WINDOWS\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}”
-> {HKLM…CLSID} = “Norton AntiVirus”
\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}”
-> {HKLM…CLSID} = “Norton Internet Security”
\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}”
-> {HKLM…CLSID} = “&Yahoo! Companion”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll” [“Yahoo! Inc.”]
“{2318C2B1-4965-11D4-9B18-009027A5CD4F}”
-> {HKLM…CLSID} = “&Google”
\InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”]
“{F2CF5485-4E02-4F68-819C-B92DE9277049}”
-> {HKLM…CLSID} = “&Links”
\InProcServer32(Default) = “C:\WINDOWS\system32\ieframe.dll” [MS]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}” = “Norton Internet Security”
-> {HKLM…CLSID} = “Norton Internet Security”
\InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]
“{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}” = “Norton AntiVirus”
-> {HKLM…CLSID} = “Norton AntiVirus”
\InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]
“{EF99BD32-C1FB-11D2-892F-0090271D4F88}” = (no title provided)
-> {HKLM…CLSID} = “&Yahoo! Companion”
\InProcServer32(Default) = “C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0.dll” [“Yahoo! Inc.”]
“{2318C2B1-4965-11D4-9B18-009027A5CD4F}” = (no title provided)
-> {HKLM…CLSID} = “&Google”
\InProcServer32(Default) = “c:\program files\google\googletoolbar3.dll” [“Google Inc.”]
“{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}” = (no title provided)
-> {HKLM…CLSID} = “Megaupload Toolbar”
\InProcServer32(Default) = “C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL” [“MegaUpload”]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.5.0_10”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.5.0_10”
\InProcServer32(Default) = “C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll” [“Sun Microsystems, Inc.”]
{77BF5300-1474-4EC7-9980-D32B190E9B07}\
“ButtonText” = “Skype”
“CLSIDExtension” = “{77BF5300-1474-4EC7-9980-D32B190E9B07}”
-> {HKLM…CLSID} = “Skype add-on (button)”
\InProcServer32(Default) = “C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL” [“Skype Technologies S.A.”]
{DE60714F-AC17-427E-861A-FD60CBDF119A}\
“ButtonText” = “Ň×ȤąşÎď”
“MenuText” = “Ň×ȤąşÎď”
“Exec” = “http://click2.ad4all.net/url2/urlmanage/url.asp?id=1” [file not found]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “C:\Program Files\Messenger\msmsgs.exe” [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
Automatic LiveUpdate Scheduler, Automatic LiveUpdate Scheduler, ““C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe”” [“Symantec Corporation”]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe” [“Anti-Malware Development a.s.”]
InCD Helper, InCDsrv, “C:\Program Files\Ahead\InCD\InCDsrv.exe” [“Nero AG”]
ISSvc, ISSVC, ““C:\Program Files\Norton Internet Security\ISSVC.exe”” [“Symantec Corporation”]
Machine Debug Manager, MDM, ““C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe”” [MS]
Norton AntiVirus Auto-Protect Service, navapsvc, ““C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe”” [“Symantec Corporation”]
nTune Service, nTuneService, “C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe /StartService” [“NVIDIA”]
NVIDIA Display Driver Service, NVSvc, “C:\WINDOWS\system32\nvsvc32.exe” [“NVIDIA Corporation”]
Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”]
Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”]
Symantec Network Proxy, ccProxy, ““C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”]
Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”]
Symantec SPBBCSvc, SPBBCSvc, ““C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe”” [“Symantec Corporation”]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = “HpTcpMon.dll” [“Hewlett Packard”]
PCL hpz3l054\Driver = “hpz3l054.dll” [“Hewlett-Packard Company”]
<<!>>: Suspicious data at a malware launch point.
- This report excludes default entries except where indicated.
- To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 53 seconds, including 3 seconds for message boxes)