Win32/PrcView program in C:\System Volume Information\_restor

CPU usage reaches up to 100%. Numerous new files.

ComboFix 07-09-21.2 - “Domowy” 2007-09-28 13:06:12.1 - FAT32 x86

Microsoft Windows XP Professional 5.1.2600.2.1250.48.1045.18.319 [GMT 2:00]

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2007-08-28 to 2007-09-28 )))))))))))))))))))))))))))))))

.

2007-09-28 13:04 51,200 --a------ C:\WINXP\NirCmd.exe

2007-09-28 09:32

2007-09-27 21:36 172,032 --a------ C:\WINXP\system32\poweroff.exe

2007-09-27 18:16

2007-09-27 12:11 271,224 --a------ C:\WINXP\system32\mucltui.dll

2007-09-26 17:54 94,480 --a------ C:\WINXP\system32\drivers\tmcomm.sys

2007-09-26 16:58

2007-09-26 16:58

2007-09-26 14:23

2007-09-26 11:29

2007-09-26 10:09

2007-09-25 13:20

2007-09-25 11:16 221,184 --a------ C:\WINXP\system32\wmpns.dll

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-25 11:16

2007-09-24 15:06

2007-09-21 12:26 0 --a------ C:\WINXP\nsreg.dat

2007-09-21 11:28

2007-09-21 11:28

2007-09-21 11:28

2007-09-21 11:28

2007-09-21 11:28

2007-09-21 11:28

2007-09-21 11:28

2007-09-20 12:23

2007-09-17 11:04

2007-09-17 11:04

2007-09-13 07:46 49,664 --a------ C:\WINXP\unvise32.exe

2007-09-06 10:29 512,096 --a------ C:\WINXP\system32\drivers\amon.sys

2007-09-06 10:29 298,104 --a------ C:\WINXP\system32\imon.dll

2007-09-06 10:29 15,424 --a------ C:\WINXP\system32\drivers\nod32drv.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-08-23 10:24 395744 --a------ C:\WINXP\system32\drivers\timntr.sys

2007-08-23 10:24 39264 --a------ C:\WINXP\system32\drivers\tifsfilt.sys

2007-08-23 10:24 114048 --a------ C:\WINXP\system32\drivers\snapman.sys

2007-08-07 02:15 33052 --a------ C:\WINXP\system32\drivers\scdemu.sys

2007-07-30 19:19 92504 --a------ C:\WINXP\system32\dllcache\cdm.dll

2007-07-30 19:19 92504 --a------ C:\WINXP\system32\cdm.dll

2007-07-30 19:19 549720 --a------ C:\WINXP\system32\wuapi.dll

2007-07-30 19:19 549720 --a------ C:\WINXP\system32\dllcache\wuapi.dll

2007-07-30 19:19 53080 --a------ C:\WINXP\system32\wuauclt.exe

2007-07-30 19:19 53080 --a------ C:\WINXP\system32\dllcache\wuauclt.exe

2007-07-30 19:19 43352 --a------ C:\WINXP\system32\wups2.dll

2007-07-30 19:19 325976 --a------ C:\WINXP\system32\wucltui.dll

2007-07-30 19:19 325976 --a------ C:\WINXP\system32\dllcache\wucltui.dll

2007-07-30 19:19 203096 --a------ C:\WINXP\system32\wuweb.dll

2007-07-30 19:19 203096 --a------ C:\WINXP\system32\dllcache\wuweb.dll

2007-07-30 19:19 1712984 --a------ C:\WINXP\system32\wuaueng.dll

2007-07-30 19:19 1712984 --a------ C:\WINXP\system32\dllcache\wuaueng.dll

2007-07-30 19:18 33624 --a------ C:\WINXP\system32\wups.dll

2007-07-30 19:18 33624 --a------ C:\WINXP\system32\dllcache\wups.dll

2007-07-30 19:18 207736 --a------ C:\WINXP\system32\muweb.dll

2007-07-27 15:49 225355 --a------ C:\WINXP\system32\lnod32apiW.dll

2007-07-27 15:49 196683 --a------ C:\WINXP\system32\lnod32apiA.dll

2007-07-18 16:06 88 ---hs---- C:\Program Files\Desktop.ini

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Absolute StartUp monitor”=“D:\Program Files\F-Group\Absolute StartUp\ASMon.exe” [2007-07-03 13:59]

“nod32kui”=“C:\Program Files\Eset\nod32kui.exe” [2007-09-06 10:28]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

“Lotus Organizer”=“D:\ORG2\ORGANIZE.EXE” [1996-03-08 02:11]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

“NoRecentDocsMenu”=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

“InCDsrv”=3 (0x3)

“NMIndexingService”=3 (0x3)

R0 BsStor;InCD Storage Helper Driver;C:\WINXP\system32\DRIVERS\bsstor.sys

R2 BsUDF;InCD UDF Driver;C:\WINXP\system32\drivers\BsUDF.sys

S1 Uim_IM;UIM Drive Backup Image Plugin;C:\WINXP\system32\Drivers\Uim_IM.sys

S1 UimBus;Universal Image Mounter Controller;C:\WINXP\system32\DRIVERS\UimBus.sys

S3 ati2mtaa;ati2mtaa;C:\WINXP\system32\DRIVERS\ati2mtaa.sys

S3 EHDYGGSIFQ;EHDYGGSIFQ;C:\DOCUME~1\Domowy.UFF\USTAWI~1\Temp\EHDYGGSIFQ.exe

.

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-09-28 13:07:32

Windows 5.1.2600 Dodatek Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-09-28 13:08:39

C:\ComboFix2.txt … 2007-09-27 20:53

.

--- E O F ---

“Silent Runners.vbs”, revision 52, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“Lotus Organizer” = “D:\ORG2\ORGANIZE.EXE” [“Lotus Development Corporation”]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

“Absolute StartUp monitor” = ““D:\Program Files\F-Group\Absolute StartUp\ASMon.exe”” [“F-Group Software”]

“nod32kui” = ““C:\Program Files\Eset\nod32kui.exe” /WAITSERVICE” ["Eset "]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”

-> {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”

\InProcServer32(Default) = “deskpan.dll” [file not found]

“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”

-> {HKLM…CLSID} = “HyperTerminal Icon Ext”

\InProcServer32(Default) = “C:\WINXP\system32\hticons.dll” [“Hilgraeve, Inc.”]

“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”

-> {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”

\InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]

“{A70C977A-BF00-412C-90B7-034C51DA2439}” = “NvCpl DesktopContext Class”

-> {HKLM…CLSID} = “DesktopContext Class”

\InProcServer32(Default) = “C:\WINXP\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{FFB699E0-306A-11d3-8BD1-00104B6F7516}” = “Play on my TV helper”

-> {HKLM…CLSID} = “NVIDIA CPL Extension”

\InProcServer32(Default) = “C:\WINXP\system32\nvcpl.dll” [“NVIDIA Corporation”]

“{1CDB2949-8F65-4355-8456-263E7C208A5D}” = “Desktop Explorer”

-> {HKLM…CLSID} = “Desktop Explorer”

\InProcServer32(Default) = “C:\WINXP\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A47}” = “Desktop Explorer Menu”

-> {HKLM…CLSID} = (no title provided)

\InProcServer32(Default) = “C:\WINXP\system32\nvshell.dll” [“NVIDIA Corporation”]

“{1E9B04FB-F9E5-4718-997B-B8DA88302A48}” = “nView Desktop Context Menu”

-> {HKLM…CLSID} = “nView Desktop Context Menu”

\InProcServer32(Default) = “C:\WINXP\system32\nvshell.dll” [“NVIDIA Corporation”]

“{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}” = “UnlockerShellExtension”

-> {HKLM…CLSID} = “UnlockerShellExtension”

\InProcServer32(Default) = “D:\Unlocker\UnlockerCOM.dll” [null data]

“{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}” = “NeroCoverEd Live Icons”

-> {HKLM…CLSID} = “NeroCoverEdLiveIcons Class”

\InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll” [“Nero AG”]

“{B327765E-D724-4347-8B16-78AE18552FC3}” = “NeroDigitalIconHandler”

-> {HKLM…CLSID} = “NeroDigitalIconHandler Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]

“{7F1CF152-04F8-453A-B34C-E609530A9DC8}” = “NeroDigitalPropSheetHandler”

-> {HKLM…CLSID} = “NeroDigitalPropSheetHandler Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]

“{B82D2E7F-B425-466A-B447-942771545628}” = “cm_Main”

-> {HKLM…CLSID} = “FolderMarker menu extension”

\InProcServer32(Default) = “D:\PROGRA~1\FOLDER~1\ShellExt.dll” [“ArcticLine Software”]

“{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}” = “PowerISO”

-> {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “D:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

“{B089FE88-FB52-11D3-BDF1-0050DA34150D}” = “NOD32 Context Menu Shell Extension”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

“{23170F69-40C1-278A-1000-000100020000}” = “7-Zip Shell Extension”

-> {HKLM…CLSID} = “7-Zip Shell Extension”

\InProcServer32(Default) = “D:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{7D4D6379-F301-4311-BEBA-E26EB0561882}(Default) = “NeroDigitalExt.NeroDigitalColumnHandler”

-> {HKLM…CLSID} = “NeroDigitalColumnHandler Class”

\InProcServer32(Default) = “C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll” [“Nero AG”]

{F9DB5320-233E-11D1-9F84-707F02C10627}(Default) = “PDF Column Info”

-> {HKLM…CLSID} = “PDF Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll” [“Adobe Systems, Inc.”]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}”

-> {HKLM…CLSID} = “7-Zip Shell Extension”

\InProcServer32(Default) = “D:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]

Cover Designer(Default) = “{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}”

-> {HKLM…CLSID} = “NeroCoverEdContextMenu Class”

\InProcServer32(Default) = “C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll” [“Nero AG”]

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}”

-> {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “D:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

7-Zip(Default) = “{23170F69-40C1-278A-1000-000100020000}”

-> {HKLM…CLSID} = “7-Zip Shell Extension”

\InProcServer32(Default) = “D:\Program Files\7-Zip\7-zip.dll” [“Igor Pavlov”]

cm_Main(Default) = “{B82D2E7F-B425-466A-B447-942771545628}”

-> {HKLM…CLSID} = “FolderMarker menu extension”

\InProcServer32(Default) = “D:\PROGRA~1\FOLDER~1\ShellExt.dll” [“ArcticLine Software”]

PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}”

-> {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “D:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

NOD32 Context Menu Shell Extension(Default) = “{B089FE88-FB52-11D3-BDF1-0050DA34150D}”

-> {HKLM…CLSID} = “NOD32 Context Menu Shell Extension”

\InProcServer32(Default) = “C:\Program Files\Eset\nodshex.dll” [null data]

PowerISO(Default) = “{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}”

-> {HKLM…CLSID} = “PowerISO”

\InProcServer32(Default) = “D:\Program Files\PowerISO\PWRISOSH.DLL” [“PowerISO Computing, Inc.”]

UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”

-> {HKLM…CLSID} = “UnlockerShellExtension”

\InProcServer32(Default) = “D:\Unlocker\UnlockerCOM.dll” [null data]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

UnlockerShellExtension(Default) = “{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}”

-> {HKLM…CLSID} = “UnlockerShellExtension”

\InProcServer32(Default) = “D:\Unlocker\UnlockerCOM.dll” [null data]

Group Policies {GPedit.msc branch and setting}:


Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

“NoRecentDocsMenu” = (REG_DWORD) hex:0x00000001

{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

“shutdownwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

“undockwithoutlogon” = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Winsock2 Service Provider DLLs:


Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]

000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

C:\WINXP\system32\imon.dll ["Eset "], 01 - 05, 17

%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 16

%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10

Miscellaneous IE Hijack Points


C:\WINXP\INF\IERESET.INF (used to “Reset Web Settings”)

Added lines (compared with English-language version):

: [Version]

: Signature="$CHICAGO$"

: AdvancedINF=2.5,"You need a new version of advpack.dll"

:

: [RestoreHomePage]

: AddReg=RestoreHomePage.reg

:

: [RestoreBrowserSettings]

: AddReg=RestoreBrowserSettings.reg

: DelReg=DeleteTemplates.reg,DeleteAutosearch.reg

:

: [RestoreHomePage.reg]

: HKCU,"Software\Microsoft\Internet Explorer\Main","Start Page",0,%START_PAGE_URL%

:

: [RestoreBrowserSettings.reg]

: HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Page_URL",0,%START_PAGE_URL%

: HKLM,"Software\Microsoft\Internet Explorer\Main","Default_Search_URL",0,%SEARCH_PAGE_URL%

: HKLM,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","1",0,"www.%s.com"

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","2",0,"www.%s.org"

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","3",0,"www.%s.net"

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","4",0,"www.%s.edu"

: HKCU,"Software\Microsoft\Internet Explorer\Main","Search Page",0,%SEARCH_PAGE_URL%

:

: ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset

: HKCU,"Software\Microsoft\Internet Explorer\SearchUrl","Provider",0,""

:

: t m "

: t m "

: HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\SafeSites",%SAFESITE_VALUE%,0,"http://ie.search.msn.com/*"

:

: [DeleteTemplates.reg]

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","5"

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","6"

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","7"

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","8"

: HKLM,"Software\Microsoft\Internet Explorer\Main\UrlTemplate","9"

:

: [DeleteAutosearch.reg]

: ; NOTE (andrewgu) ie5.5b #108259 - autosearch settings are not properly reset

: HKCU,"Software\Microsoft\Internet Explorer\Main","AutoSearch"

:

: [Strings]

: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

: SEARCH_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

: SAFESITE_VALUE="ie.search.msn.com"

:

: ; IMPORTANT NOTE:

: ; IE branding dll (iedkcs32.dll) uses the following entries to restore the default MS values.

: ; In the vanilla version of IE, the values must be the same as their corresponding non MS_* values.

: ; For example, START_PAGE_URL and MS_START_PAGE_URL must have the same URL in the IE version released by MS.

: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

:

Missing lines (compared with English-language version):

[Version]: 2 lines

[RestoreHomePage]: 1 line

[RestoreHomePage.reg]: 1 line

[RestoreBrowserSettings.reg]: 12 lines

[DeleteTemplates.reg]: 5 lines

[DeleteAutosearch.reg]: 1 line

[strings]: 1 line

[RestoreBrowserSettings]: 2 lines

[strings]: 3 lines

Running Services (Display Name, Service Name, Path {Service DLL}):


NOD32 Kernel Service, NOD32krn, ““C:\Program Files\Eset\nod32krn.exe”” ["Eset "]

Print Monitors:


HKLM\System\CurrentControlSet\Control\Print\Monitors\

hpzsnt05\Driver = “hpzsnt05.dll” [“HP”]

---------- (launch time: 2007-09-28 15:13:41)

  • This report excludes default entries except where indicated.

  • To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

  • The search for DESKTOP.INI DLL launch points on all local fixed drives

took 10 seconds.

---------- (total run time: 76 seconds)

Note: when you paste a log, wrap it in a CODE or QUOTE tag.

Regards, Gutek2222

Logs OK

Do this: right-click My Computer >> System Restore >> turn off System Restore on all drives.

If you don't know how: how to gain access to the System Volume Information folder

http://support.microsoft.com/kb/309531/PL/