“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “D:\WINDOWS\system32\ctfmon.exe” [MS]
“MSMSGS” = ““D:\Program Files\Messenger\msmsgs.exe” /background” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON”]
“SoundMan” = “SOUNDMAN.EXE” [“Avance Logic, Inc.”]
“NeroFilterCheck” = “D:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]
“SunJavaUpdateSched” = ““D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“HP Software Update” = ““E:\Phone\HP Software Update\HPWuSchd2.exe”” [“Hewlett-Packard Company”]
“HP Component Manager” = ““D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]
“NVRaidService” = “D:\WINDOWS\system32\nvraidservice.exe” [“NVIDIA Corporation”]
“Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS]
“Microsoft WWW” = "D:\WINDOWS\inet20126\free.exe " [null data]
“Microsoft WPCEmail” = "D:\WINDOWS\inet20126\svchost.exe " [null data]
“sysinter” = “D:\WINDOWS\system32\adirss.exe” [null data]
“lnwin.exe” = “D:\WINDOWS\system32\lnwin.exe” [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO”
-> {HKLM…CLSID} = “My Global Search Bar BHO”
\InProcServer32(Default) = “D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{F97DA966-F09D-4cab-BF29-75A0026986EA}(Default) = “XBTP02634”
-> {HKLM…CLSID} = “XBTP02634 Class”
\InProcServer32(Default) = “D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll” [“IE Toolbar”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
-> {HKLM…CLSID} = “Portable Media Devices Menu”
\InProcServer32(Default) = “D:\WINDOWS\system32\Audiodev.dll” [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> partnershipreg\DLLName = “D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll” [null data]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\Documents and Settings\adam\Pulpit\zuz\an.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13, 16 - 18, 21 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05, 19 - 20
rsvp32_2.dll [null data], 14 - 15, 31
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}”
-> {HKLM…CLSID} = “BearShare MediaBar”
\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)
-> {HKLM…CLSID} = “BearShare MediaBar”
\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.5.0_09”
\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.5.0_09”
\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS]
Miscellaneous IE Hijack Points
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> “{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)
-> {HKLM…CLSID} = “BearShare MediaBar”
\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]
Running Services (Display Name, Service Name, Path {Service DLL}):
avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = “hpzsnt10.dll” [“HP”]
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 54 seconds, including 6 seconds for message boxes)
Logfile of HijackThis v1.99.1
Scan saved at 14:41:48, on 2007-02-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
E:\Phone\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\WINDOWS\system32\nvraidservice.exe
D:\WINDOWS\inet20126\free.exe
D:\WINDOWS\system32\adirss.exe
D:\WINDOWS\system32\lnwin.exe
D:\WINDOWS\inet20126\wpcem.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wbem\unsecapp.exe
D:\Documents and Settings\adam\Pulpit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] “D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”
O4 - HKLM…\Run: [HP Software Update] “E:\Phone\HP Software Update\HPWuSchd2.exe”
O4 - HKLM…\Run: [HP Component Manager] “D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM…\Run: [NVRaidService] D:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM…\Run: [Microsoft WWW] D:\WINDOWS\inet20126\free.exe
O4 - HKLM…\Run: [Microsoft WPCEmail] D:\WINDOWS\inet20126\svchost.exe
O4 - HKLM…\Run: [sysinter] D:\WINDOWS\system32\adirss.exe
O4 - HKLM…\Run: [lnwin.exe] D:\WINDOWS\system32\lnwin.exe
O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_29.cab
O17 - HKLM\System\CCS\Services\Tcpip…{39290636-B4BB-4023-AABC-D5B70BF37DE2}: NameServer = 194.204.159.1 217.98.63.164
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - D:\WINDOWS\system32\update00822631.exe
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - D:\Documents and Settings\adam~tmp0374.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
Złączono Posta : 25.02.2007 (Nie) 14:57
“Silent Runners.vbs”, revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by “{++}”
Startup items buried in registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“CTFMON.EXE” = “D:\WINDOWS\system32\ctfmon.exe” [MS]
“MSMSGS” = ““D:\Program Files\Messenger\msmsgs.exe” /background” [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
“SpeedTouch USB Diagnostics” = ““D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON”]
“SoundMan” = “SOUNDMAN.EXE” [“Avance Logic, Inc.”]
“NeroFilterCheck” = “D:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“avast!” = “D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [null data]
“SunJavaUpdateSched” = ““D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”” [“Sun Microsystems, Inc.”]
“HP Software Update” = ““E:\Phone\HP Software Update\HPWuSchd2.exe”” [“Hewlett-Packard Company”]
“HP Component Manager” = ““D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”” [“Hewlett-Packard Company”]
“NVRaidService” = “D:\WINDOWS\system32\nvraidservice.exe” [“NVIDIA Corporation”]
“Cmaudio” = “RunDll32 cmicnfg.cpl,CMICtrlWnd” [MS]
“Microsoft WWW” = "D:\WINDOWS\inet20126\free.exe " [null data]
“Microsoft WPCEmail” = "D:\WINDOWS\inet20126\svchost.exe " [null data]
“sysinter” = “D:\WINDOWS\system32\adirss.exe” [null data]
“lnwin.exe” = “D:\WINDOWS\system32\lnwin.exe” [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{37B85A21-692B-4205-9CAD-2626E4993404}(Default) = “My Global Search Bar BHO”
-> {HKLM…CLSID} = “My Global Search Bar BHO”
\InProcServer32(Default) = “D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL” [“My Global Search”]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}(Default) = (no title provided)
-> {HKLM…CLSID} = “SSVHelper Class”
\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]
{F97DA966-F09D-4cab-BF29-75A0026986EA}(Default) = “XBTP02634”
-> {HKLM…CLSID} = “XBTP02634 Class”
\InProcServer32(Default) = “D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll” [“IE Toolbar”]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
\InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
-> {HKLM…CLSID} = “HyperTerminal Icon Ext”
\InProcServer32(Default) = “D:\WINDOWS\system32\hticons.dll” [“Hilgraeve, Inc.”]
“{472083B0-C522-11CF-8763-00608CC02F24}” = “avast”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
-> {HKLM…CLSID} = “Portable Media Devices Menu”
\InProcServer32(Default) = “D:\WINDOWS\system32\Audiodev.dll” [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<> partnershipreg\DLLName = “D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll” [null data]
HKLM\Software\Classes*\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast(Default) = “{472083B0-C522-11CF-8763-00608CC02F24}”
-> {HKLM…CLSID} = “avast”
\InProcServer32(Default) = “D:\Program Files\Alwil Software\Avast4\ashShell.dll” [“ALWIL Software”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
-> {HKLM…CLSID} = “WinRAR”
\InProcServer32(Default) = “D:\Program Files\WinRAR\rarext.dll” [null data]
Group Policies {GPedit.msc branch and setting}:
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}
“undockwithoutlogon” = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
“Wallpaper” = “C:\Documents and Settings\adam\Pulpit\zuz\an.bmp”
Enabled Screen Saver:
HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “D:\WINDOWS\System32\logon.scr” [MS]
Winsock2 Service Provider DLLs:
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13, 16 - 18, 21 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05, 19 - 20
rsvp32_2.dll [null data], 14 - 15, 31
Toolbars, Explorer Bars, Extensions:
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}”
-> {HKLM…CLSID} = “BearShare MediaBar”
\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)
-> {HKLM…CLSID} = “BearShare MediaBar”
\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBC}”
-> {HKCU…CLSID} = “Java Plug-in 1.5.0_09”
\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll” [“Sun Microsystems, Inc.”]
-> {HKLM…CLSID} = “Java Plug-in 1.5.0_09”
\InProcServer32(Default) = “D:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll” [“Sun Microsystems, Inc.”]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
“ButtonText” = “Messenger”
“MenuText” = “Windows Messenger”
“Exec” = “D:\Program Files\Messenger\msmsgs.exe” [MS]
Miscellaneous IE Hijack Points
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<> “{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}” = (no title provided)
-> {HKLM…CLSID} = “BearShare MediaBar”
\InProcServer32(Default) = “D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll” [“IE Toolbar”]
Running Services (Display Name, Service Name, Path {Service DLL}):
avast! iAVS4 Control Service, aswUpdSv, ““D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe”” [null data]
Print Monitors:
HKLM\System\CurrentControlSet\Control\Print\Monitors\
hpzsnt10\Driver = “hpzsnt10.dll” [“HP”]
<>: Suspicious data at a malware launch point.
<>: Suspicious data at a browser hijack point.
-
This report excludes default entries except where indicated.
-
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
- To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer “No” at the
first message box and “Yes” at the second message box.
---------- (total run time: 54 seconds, including 6 seconds for message boxes)
Logfile of HijackThis v1.99.1
Scan saved at 14:41:48, on 2007-02-25
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
E:\Phone\HP Software Update\HPWuSchd2.exe
D:\Program Files\HP\hpcoretech\hpcmpmgr.exe
D:\WINDOWS\system32\nvraidservice.exe
D:\WINDOWS\inet20126\free.exe
D:\WINDOWS\system32\adirss.exe
D:\WINDOWS\system32\lnwin.exe
D:\WINDOWS\inet20126\wpcem.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wbem\unsecapp.exe
D:\Documents and Settings\adam\Pulpit\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://search.bearshare.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O2 - BHO: My Global Search Bar BHO - {37B85A21-692B-4205-9CAD-2626E4993404} - D:\Program Files\MyGlobalSearch\bar\1.bin\MGSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: XBTP02634 - {F97DA966-F09D-4cab-BF29-75A0026986EA} - D:\PROGRA~1\BEARSH~2\BEARSH~2\MediaBar.dll
O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - D:\Program Files\BearShare applications\BearShare MediaBar\MediaBar.dll
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “D:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM…\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM…\Run: [sunJavaUpdateSched] “D:\Program Files\Java\jre1.5.0_09\bin\jusched.exe”
O4 - HKLM…\Run: [HP Software Update] “E:\Phone\HP Software Update\HPWuSchd2.exe”
O4 - HKLM…\Run: [HP Component Manager] “D:\Program Files\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM…\Run: [NVRaidService] D:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM…\Run: [Microsoft WWW] D:\WINDOWS\inet20126\free.exe
O4 - HKLM…\Run: [Microsoft WPCEmail] D:\WINDOWS\inet20126\svchost.exe
O4 - HKLM…\Run: [sysinter] D:\WINDOWS\system32\adirss.exe
O4 - HKLM…\Run: [lnwin.exe] D:\WINDOWS\system32\lnwin.exe
O4 - HKCU…\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [MSMSGS] “D:\Program Files\Messenger\msmsgs.exe” /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_29.cab
O17 - HKLM\System\CCS\Services\Tcpip…{39290636-B4BB-4023-AABC-D5B70BF37DE2}: NameServer = 194.204.159.1 217.98.63.164
O20 - Winlogon Notify: partnershipreg - D:\Documents and Settings\All Users\Dokumenty\Settings\partnership.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - D:\WINDOWS\system32\update00822631.exe
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - D:\Documents and Settings\adam~tmp0374.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe