SmitFraudFix v2.76

Scan done at 12:13:25,39, 2006-08-01
Run from C:\Documents and Settings\Cezary\Pulpit\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!Attention, following keys are not inevitably infected!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 13:54:25, on 2006-08-01
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NEOSTR~1\CnxMon.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\NEOSTR~1\taskbaricon.exe
C:\WINDOWS\system32\ymsmsgs.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Cezary\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
F3 - REG:win.ini: load=C:\YDPDict\watch.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM…\Run: [000StTHK] 000StTHK.exe
O4 - HKLM…\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM…\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM…\Run: [Msn Update] MSMSG5.exe
O4 - HKLM…\Run: [Microsoft Security Management] winexz.exe
O4 - HKLM…\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM…\Run: [*wuauclt.exe] wumct.exe
O4 - HKLM…\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM…\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM…\Run: [MSN] exe.exe
O4 - HKLM…\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\Run: [internet Suspention] story.exe
O4 - HKLM…\Run: [HELPER] C:\WINDOWS\System32\poland.exe -N
O4 - HKLM…\Run: [etbrun] C:\windows\system32\elitezwj32.exe
O4 - HKLM…\Run: [*Security Center] secctr.exe
O4 - HKLM…\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM…\Run: [*SCenter] scenter.exe
O4 - HKLM…\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM…\Run: [bearShare] “C:\Program Files\BearShare\BearShare.exe” /pause
O4 - HKLM…\Run: [MediaGateway] C:\Program Files\MediaGateway\MediaGateway.exe
O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [shellapi32] svcnet.exe
O4 - HKLM…\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM…\Run: [sSC_UserPrompt] “C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe”
O4 - HKLM…\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM…\Run: [WooCnxMon] C:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM…\Run: [speedTouch USB Diagnostics] “C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon
O4 - HKLM…\Run: [WOOWATCH] C:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM…\Run: [WOOTASKBARICON] C:\PROGRA~1\NEOSTR~1\taskbaricon.exe
O4 - HKLM…\Run: [˙_zsk]SYWSQX[ERBGLGA] C:\WINDOWS\System32_zskdmwin\AGLGBRE[XQSWYS].exe
O4 - HKLM…\Run: [Microsoft Directxsp] directxbt.exe
O4 - HKLM…\Run: [YhooUpdates] C:\WINDOWS\system32\ymsmsgs.exe
O4 - HKLM…\Run: [!ewido] “C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized
O4 - HKLM…\RunServices: [Msn Update] MSMSG5.exe
O4 - HKLM…\RunServices: [Microsoft Security Management] winexz.exe
O4 - HKLM…\RunServices: [windows update] wuarclt.exe
O4 - HKLM…\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM…\RunServices: [*wuauclt.exe] wumct.exe
O4 - HKLM…\RunServices: [MSN] exe.exe
O4 - HKLM…\RunServices: [internet Suspention] story.exe
O4 - HKLM…\RunServices: [*Security Center] secctr.exe
O4 - HKLM…\RunServices: [*SCenter] scenter.exe
O4 - HKLM…\RunServices: [˙_zsk]SYWSQX[ERBGLGA] C:\WINDOWS\System32_zskdmwin\AGLGBRE[XQSWYS].exe
O4 - HKLM…\RunServices: [Microsoft Directxsp] directxbt.exe
O4 - HKCU…\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU…\Run: [Msn Update] MSMSG5.exe
O4 - HKCU…\Run: [MSN] exe.exe
O4 - HKCU…\Run: [windows update] wuarclt.exe
O4 - HKCU…\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU…\Run: [*wuauclt.exe] wumct.exe
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU…\Run: [internet Suspention] story.exe
O4 - HKCU…\Run: [*Security Center] secctr.exe
O4 - HKCU…\Run: [*SCenter] scenter.exe
O4 - HKCU…\Run: [WhenUSave] “C:\Program Files\Save\Save.exe”
O4 - HKCU…\Run: [shellapi32] svcnet.exe
O4 - HKCU…\Run: [shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”
O4 - HKCU…\Run: [˙_zsk]SYWSQX[ERBGLGA] C:\WINDOWS\System32_zskdmwin\AGLGBRE[XQSWYS].exe
O4 - HKCU…\Run: [Microsoft Directxsp] directxbt.exe
O4 - HKCU…\RunServices: [Msn Update] MSMSG5.exe
O4 - HKCU…\RunServices: [MSN] exe.exe
O4 - HKCU…\RunServices: [Microsoft Directxsp] directxbt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Szybkie uruchamianie programu Microsoft Office OneNote 2003.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/20a15398d71 … xIE601.cab
O16 - DPF: {5A09E43F-A0A7-4ABF-AF80-11367CF1DC8F} (MainControl Class) - http://mks.com.pl/skaner/SkanerOnline.cab
O16 - DPF: {65D72393-E210-4A2A-B8E0-10AC45986770} (GWebInstallControl Object) - http://megapanel.gem.pl/WebInstaller.dll
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://netvenda.com/default.cab?uid=61 … pd=5tag=3
O16 - DPF: {92ECE6FA-AC2E-4042-BFAE-0C8608E52A43} (SignActivX Control) - https://www.bph.pl/pi/components/SignActivX.cab
O16 - DPF: {D35B74F6-E099-4CDD-91E0-9EA7C30059D1} (Main Class) - http://www.dialer-shop.com/webdial/webdial24106.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1044446.exe
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\nxtrap.dll (file missing)
O23 - Service: *wuauclt.exe - Unknown owner - C:\WINDOWS\System32\wumct.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005\RpcSandraSrv.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


“Silent Runners.vbs”, revision 46, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by “{++}”

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
“windows update” = “wuarclt.exe” [file not found]
“*wuauclt.exe” = “wumct.exe” [file not found]
“kmcsvk.exe” = “C:\WINDOWS\system\kmcsvk.exe” [file not found]
“*Security Center” = “secctr.exe” [file not found]
“*SCenter” = “scenter.exe” [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
“TOSCDSPD” = “C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe” [“TOSHIBA”]
“Msn Update” = “MSMSG5.exe” [file not found]
“MSN” = “exe.exe” [file not found]
“windows update” = “wuarclt.exe” [file not found]
“Microsoft Windows Update” = “scvvhost.exe” [null data]
“*wuauclt.exe” = “wumct.exe” [file not found]
“ctfmon.exe” = “C:\WINDOWS\System32\ctfmon.exe” [MS]
“Internet Suspention” = “story.exe” [file not found]
“*Security Center” = “secctr.exe” [file not found]
“*SCenter” = “scenter.exe” [file not found]
“WhenUSave” = ““C:\Program Files\Save\Save.exe”” [file not found]
“Shellapi32” = “svcnet.exe” [file not found]
“shell” = ““C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”” [file not found]
“˙_zsk]SYWSQX[ERBGLGA” = “C:\WINDOWS\System32_zskdmwin\AGLGBRE[XQSWYS].exe” [file not found]
“Microsoft Directxsp” = “directxbt.exe” [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
“windows update” = “wuarclt.exe” [file not found]
“*wuauclt.exe” = “wumct.exe” [file not found]
“*Security Center” = “secctr.exe” [file not found]
“*SCenter” = “scenter.exe” [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
“000StTHK” = “000StTHK.exe” [null data]
“TouchED” = “C:\Program Files\TOSHIBA\TouchED\TouchED.Exe” [“TOSHIBA Corporation”]
“PadTouch” = "“C:\Program Files\TOSHIBA\PadTouch\PadExe.exe” [file not found]
“Msn Update” = “MSMSG5.exe” [file not found]
“Microsoft Security Management” = “winexz.exe” [file not found]
“Microsoft Windows Update” = “scvvhost.exe” [null data]
“*wuauclt.exe” = “wumct.exe” [file not found]
“winupdtl” = “C:\WINDOWS\System32\winupdt.exe” [file not found]
“WinTask driver” = “C:\WINDOWS\System32\wintask.exe” [file not found]
“MSN” = “exe.exe” [file not found]
“ezShieldProtector for Px” = “C:\WINDOWS\System32\ezSP_Px.exe” [“Easy Systems Japan Ltd.”]
“TkBellExe” = ““C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot” [“RealNetworks, Inc.”]
“Internet Suspention” = “story.exe” [file not found]
“HELPER” = “C:\WINDOWS\System32\poland.exe -N” [file not found]
“etbrun” = “C:\windows\system32\elitezwj32.exe” [file not found]
“*Security Center” = “secctr.exe” [file not found]
“NeroFilterCheck” = “C:\WINDOWS\system32\NeroCheck.exe” [“Ahead Software Gmbh”]
“*SCenter” = “scenter.exe” [file not found]
“DIGStream” = “C:\Program Files\DIGStream\digstream.exe” [file not found]
“BearShare” = ““C:\Program Files\BearShare\BearShare.exe” /pause” [file not found]
“MediaGateway” = “C:\Program Files\MediaGateway\MediaGateway.exe” [file not found]
“iTunesHelper” = ““C:\Program Files\iTunes\iTunesHelper.exe”” [“Apple Computer, Inc.”]
“QuickTime Task” = ““C:\Program Files\QuickTime\qttask.exe” -atboottime” [“Apple Computer, Inc.”]
“Shellapi32” = “svcnet.exe” [file not found]
“ccApp” = ““C:\Program Files\Common Files\Symantec Shared\ccApp.exe”” [“Symantec Corporation”]
“SSC_UserPrompt” = ““C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe”” [“Symantec Corporation”]
“HPDJ Taskbar Utility” = “C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe” [“HP”]
“WooCnxMon” = “C:\PROGRA~1\NEOSTR~1\CnxMon.exe” [empty string]
“SpeedTouch USB Diagnostics” = ““C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe” /icon” [“THOMSON Telecom Belgium”]
“WOOWATCH” = “C:\PROGRA~1\NEOSTR~1\Watch.exe” [“France Télécom RD”]
“WOOTASKBARICON” = “C:\PROGRA~1\NEOSTR~1\taskbaricon.exe” [“France Télécom RD”]
“˙_zsk]SYWSQX[ERBGLGA” = “C:\WINDOWS\System32_zskdmwin\AGLGBRE[XQSWYS].exe” [file not found]
“Microsoft Directxsp” = “directxbt.exe” [file not found]
“YhooUpdates” = “C:\WINDOWS\system32\ymsmsgs.exe” [null data]
“!ewido” = ““C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized” [“Anti-Malware Development a.s.”]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}(Default) = (no title provided)
  \StubPath = ““C:\WINDOWS\System32\rundll32.exe” “C:\Program Files\Messenger\msgsc.dll”,ShowIconsUser” [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
“{42071714-76d4-11d1-8b24-00a0c9068ff3}” = “Rozszerzenie CPL kadrowania wyświetlania”
  - {HKLM…CLSID} = “Rozszerzenie CPL kadrowania wyświetlania”
  \InProcServer32(Default) = “deskpan.dll” [file not found]
“{88895560-9AA2-1069-930E-00AA0030EBC8}” = “Rozszerzenie ikony HyperTerminalu”
  - {HKLM…CLSID} = “HyperTerminal Icon Ext”
  \InProcServer32(Default) = “C:\WINDOWS\System32\hticons.dll” [“Hilgraeve, Inc.”]
“{C4213067-97B3-4929-9B98-B5600FBBBA13}” = “TouchED”
  - {HKLM…CLSID} = “TouchShellExt Class”
  \InProcServer32(Default) = “C:\PROGRA~1\TOSHIBA\TouchED\TouchED.dll” [“TOSHIBA Corporation”]
“{42042206-2D85-11D3-8CFF-005004838597}” = “Microsoft Office HTML Icon Handler”
  - {HKLM…CLSID} = (no title provided)
  \InProcServer32(Default) = “C:\Program Files\Microsoft Office\OFFICE11\msohev.dll” [MS]
“{0006F045-0000-0000-C000-000000000046}” = “Microsoft Outlook Custom Icon Handler”
  - {HKLM…CLSID} = “Rozszerzenie ikon plików programu Outlook”
  \InProcServer32(Default) = “C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL” [MS]
“{E0D79304-84BE-11CE-9641-444553540000}” = “WinZip”
  - {HKLM…CLSID} = “WinZip”
  \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
“{E0D79305-84BE-11CE-9641-444553540000}” = “WinZip”
  - {HKLM…CLSID} = “WinZip”
  \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
“{E0D79306-84BE-11CE-9641-444553540000}” = “WinZip”
  - {HKLM…CLSID} = “WinZip”
  \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
“{E0D79307-84BE-11CE-9641-444553540000}” = “WinZip”
  - {HKLM…CLSID} = “WinZip”
  \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]
“{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}” = “Shell Extensions for RealOne Player”
  - {HKLM…CLSID} = “RealOne Player Context Menu Class”
  \InProcServer32(Default) = “C:\Program Files\Real\RealPlayer\rpshell.dll” [“RealNetworks, Inc.”]
“{640167b4-59b0-47a6-b335-a6b3c0695aea}” = “Portable Media Devices”
  - {HKLM…CLSID} = “Portable Media Devices”
  \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS]
“{cc86590a-b60a-48e6-996b-41d25ed39a1e}” = “Portable Media Devices Menu”
  - {HKLM…CLSID} = “Portable Media Devices Menu”
  \InProcServer32(Default) = “C:\WINDOWS\System32\Audiodev.dll” [MS]
“{1C311AAA-D8B1-4A0A-BEE5-2387FEC583DA}” = “ShellPlusContextMenu”
  - {HKLM…CLSID} = “Burn4Freecontext menu”
  \InProcServer32(Default) = “C:\WINDOWS\system32\B4FM.dll” [null data]
“{B41DB860-8EE4-11D2-9906-E49FADC173CA}” = “WinRAR shell extension”
  - {HKLM…CLSID} = “WinRAR”
  \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
“{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}” = “iTunes”
  - {HKLM…CLSID} = “iTunes”
  \InProcServer32(Default) = “C:\Program Files\iTunes\iTunesMiniPlayer.dll” [“Apple Computer, Inc.”]
“{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}” = “Context Menu Shell Extension”
  - {HKLM…CLSID} = “Context Menu Shell Extension”
  \InProcServer32(Default) = “C:\PROGRA~1\TAGREN~1\TRshell.dll” [“Softpointer Inc”]
“{C59972B7-5B9F-4152-BB43-9DC2EC11707A}” = (no title provided)
  - {HKLM…CLSID} = (no title provided)
  \InProcServer32(Default) = “C:\WINDOWS\system32\guard.tmp” [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\ INFECTION WARNING!
“{57B86673-276A-48B2-BAE7-C6DBB3020EB8}” = “ewido anti-spyware 4.0”
  - {HKLM…CLSID} = “CShellExecuteHookImpl Object”
  \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll” [“Anti-Malware Development a.s.”]

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ INFECTION WARNING!
“load” = “C:\YDPDict\watch.exe” [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING!
SideBySide\DLLName = “C:\WINDOWS\system32\nxtrap.dll” [file not found]

HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING!
text/xml\CLSID = “{807553E5-5146-11D5-A672-00B0D022E945}”
  - {HKLM…CLSID} = (no title provided)
  \InProcServer32(Default) = “C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL” [MS]

HKLM\Software\Classes*\shellex\ContextMenuHandlers\
ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
  - {HKLM…CLSID} = “CContextScan Object”
  \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”]
fmxxgx(Default) = “{7a797d44-21d1-492b-91c0-448916145ac3}”
  - {HKLM…CLSID} = “eorrrr.class”
  \InProcServer32(Default) = “C:\WINDOWS\System32\clqqgq.dll” [file not found]
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}”
  - {HKLM…CLSID} = “IEContextMenu Class”
  \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]
TagRename_ContextMenu(Default) = “{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}”
  - {HKLM…CLSID} = “Context Menu Shell Extension”
  \InProcServer32(Default) = “C:\PROGRA~1\TAGREN~1\TRshell.dll” [“Softpointer Inc”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
  - {HKLM…CLSID} = “WinRAR”
  \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
  - {HKLM…CLSID} = “WinZip”
  \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware(Default) = “{8934FCEF-F5B8-468f-951F-78A921CD3920}”
  - {HKLM…CLSID} = “CContextScan Object”
  \InProcServer32(Default) = “C:\Program Files\ewido anti-spyware 4.0\context.dll” [“Anti-Malware Development a.s.”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
  - {HKLM…CLSID} = “WinRAR”
  \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
  - {HKLM…CLSID} = “WinZip”
  \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu(Default) = “{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}”
  - {HKLM…CLSID} = “IEContextMenu Class”
  \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]
TagRename_ContextMenu(Default) = “{7C5E74A0-D5E0-11D0-A9BF-E886A83B9BE5}”
  - {HKLM…CLSID} = “Context Menu Shell Extension”
  \InProcServer32(Default) = “C:\PROGRA~1\TAGREN~1\TRshell.dll” [“Softpointer Inc”]
WinRAR(Default) = “{B41DB860-8EE4-11D2-9906-E49FADC173CA}”
  - {HKLM…CLSID} = “WinRAR”
  \InProcServer32(Default) = “C:\Program Files\WinRAR\rarext.dll” [null data]
WinZip(Default) = “{E0D79304-84BE-11CE-9641-444553540000}”
  - {HKLM…CLSID} = “WinZip”
  \InProcServer32(Default) = “C:\PROGRA~1\WINZIP\WZSHLSTB.DLL” [“WinZip Computing, Inc.”]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
“SCRNSAVE.EXE” = “C:\WINDOWS\System32\PLAYBO~1.SCR” (Playboy Screensaver.scr) [null data]

Startup items in “Cezary” “All Users” startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
“Microsoft Office” - shortcut to: “C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l” [MS]
“Szybkie uruchamianie programu Microsoft Office OneNote 2003” - shortcut to: “C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE /tsr” [MS]

Enabled Scheduled Tasks:
------------------------

“Norton AntiVirus - Run Full System Scan - Cezary” - launches: “C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /TASK:“C:\Documents and Settings\All Users\Dane aplikacji\Symantec\Norton AntiVirus\Tasks\mycomp.sca”” [“Symantec Corporation”]
“Symantec NetDetect” - launches: “C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE” [“Symantec Corporation”]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000002\LibraryPath = “%SystemRoot%\System32\winrnr.dll” [MS]
000000000003\LibraryPath = “%SystemRoot%\System32\mswsock.dll” [MS]
000000000004\LibraryPath = “%SystemRoot%\System32\nwprovau.dll” [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 22
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
“{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}”
  - {HKLM…CLSID} = “Norton Internet Security 2006”
  \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]
“{C4069E3A-68F1-403E-B40E-20066696354B}”
  - {HKLM…CLSID} = “Norton AntiVirus”
  \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
“{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}” = “Norton Internet Security 2006”
  - {HKLM…CLSID} = “Norton Internet Security 2006”
  \InProcServer32(Default) = “C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll” [“Symantec Corporation”]
“{C4069E3A-68F1-403E-B40E-20066696354B}” = “Norton AntiVirus”
  - {HKLM…CLSID} = “Norton AntiVirus”
  \InProcServer32(Default) = “C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll” [“Symantec Corporation”]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
“MenuText” = “Sun Java Console”
“CLSIDExtension” = “{08B0E5C0-4FCB-11CF-AAA5-00401C608501}”
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
“ButtonText” = “Badanie”

Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to “Reset Web Settings”)

Added lines (compared with English-language version):
[strings]: START_PAGE_URL=file:///C:\Program Files\TOSHIBA\Free Update Service\splash.html

Missing lines (compared with English-language version):
[strings]: 1 line

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
“{08C06D61-F1F3-4799-86F8-BE1A89362C85}” = (no title provided)
  - {HKLM…CLSID} = “Search Class”
  \InProcServer32(Default) = “C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL” [empty string]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Agent SAP, NwSapAgent, “C:\WINDOWS\System32\svchost.exe -k netsvcs” {“C:\WINDOWS\System32\ipxsap.dll” [MS]}
ConfigFree Service, CFSvcs, “C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe” [“TOSHIBA CORPORATION”]
DVD-RAM_Service, DVD-RAM_Service, “C:\WINDOWS\System32\DVDRAMSV.exe” [“Matsushita Electric Industrial Co., Ltd.”]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, “C:\Program Files\ewido anti-spyware 4.0\guard.exe” [“Anti-Malware Development a.s.”]
iPodService, iPodService, “C:\Program Files\iPod\bin\iPodService.exe” [“Apple Computer, Inc.”]
SoundMAX Agent Service, SoundMAX Agent Service (default), “C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe” [“Analog Devices, Inc.”]
Symantec Core LC, Symantec Core LC, ““C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe”” [“Symantec Corporation”]
Symantec Event Manager, ccEvtMgr, ““C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe”” [“Symantec Corporation”]
Symantec Network Drivers Service, SNDSrvc, ““C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe”” [“Symantec Corporation”]
Symantec Network Proxy, ccProxy, ““C:\Program Files\Common Files\Symantec Shared\ccProxy.exe”” [“Symantec Corporation”]
Symantec Settings Manager, ccSetMgr, ““C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe”” [“Symantec Corporation”]
Windows User Mode Driver Framework, UMWdf, “C:\WINDOWS\System32\wdfmgr.exe” [MS]

Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON V4 Monitor3SA\Driver = “EBPMON3.DLL” [“SEIKO EPSON CORPORATION”]
hpzlnt05\Driver = “hpzlnt05.dll” [“HP”]
Monitor 2 języka BJ\Driver = “CNBJMON2.DLL” [MS]
Monitor języka PJL\Driver = “PJLMON.DLL” [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer “No” at the first message box.
---------- (total run time: 145 seconds, including 18 seconds for message boxes)