Pop-up windows and messages about winlogon


(Lukasz) #1

Hello,

Every so often Kaspersky throws up a message about access to winlogon.exe, and every so often advertising pop-up windows appear in IE7. Below is the HijackThis log.

Logfile of HijackThis v1.99.1

Scan saved at 16:38:52, on 2007-04-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Documents and Settings\Łukasz\Pulpit\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.bmj.net.pl:3128

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O4 - Global Startup: Topcom Wireless LAN Utility.lnk = C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [INTERNATIONAL] International*

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe

Silent Runners log

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"(Default)" = "(empty string)" [file not found]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]

"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]

"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]

"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{6F894A69-0CAF-4FC8-B799-4270BA15A7F9}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\awvts.dll" [null data]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"

  -> {HKLM...CLSID} = "Groove Folder Synchronization"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"

  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"

  -> {HKLM...CLSID} = "Groove XML Icon Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Outlook File Icon Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"

  -> {HKLM...CLSID} = "Web Anti-Virus statistics"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"

  -> {HKLM...CLSID} = "VPCHostCopyHook"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Virtual PC\VPCShExH.DLL" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

<> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"

  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> awvts\DLLName = "C:\WINDOWS\system32\awvts.dll" [null data]

<> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"NoInternetOpenWith" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Łukasz" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\Łukasz\Menu Start\Programy\Autostart

"Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007" -> shortcut to: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"BlueSoleil" -> shortcut to: "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]

"Topcom Wireless LAN Utility" -> shortcut to: "C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe -s" ["Topcom Corp."]



Enabled Scheduled Tasks:

------------------------


"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\

"ButtonText" = "Web Anti-Virus statistics"


{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Wyślij do programu OneNote"

"MenuText" = "Wyślij &do programu OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll" [MS]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Kaspersky Internet Security 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r" ["Kaspersky Lab"]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"" [MS]

NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]

Parallels DHCP Service for Virtual NIC, PRLDHCP, "C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe" ["Parallels Software International, Inc."]

Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 88 seconds, including 13 seconds for message boxes)

ComboScan log


(adam9870) #2

Download KillBox, tick Delete on reboot, and in the full path of file field paste the path:

C:\WINDOWS\system32\awvts.dll

Click the red X and restart the computer.

Open Notepad and paste this into it:

File >>> Save as >>> Change the file type from TXT to All files >>> Save under the name FIX.REG >>> double-click the created FIX.REG file and confirm adding it to the registry >>> restart.

Use VundoFix + FixVundo + VirtumundoBeGone. All the tools must be run in Safe Mode.

Once done, post new logs from HijackThis, Silent Runners and ComboFix.
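
A log-triage helper, added here as an illustration and not part of the thread or of HijackThis / Silent Runners themselves: it scans HijackThis O2/O20 lines and Silent Runners Winlogon\Notify lines for the indicators adam9870 acted on above (a BHO registered with no name, a random-looking DLL in system32 with no vendor data, a Winlogon Notify entry whose path is truncated). The line regexes, the small allowlist of known Notify DLLs and the sample lines are assumptions constructed from the entries quoted in the thread.

```python
"""Triage helper for the pattern this thread turns on: an unnamed BHO or a
Winlogon\\Notify entry that loads a random-looking DLL from system32 with no
vendor data or a truncated path.  Added example, not code from the thread or
from HijackThis / Silent Runners."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

# Line shapes of the two tools, modelled on the lines quoted in the thread
# (assumption: neither tool publishes a formal grammar for its output).
HJT_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
HJT_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SR_NOTIFY = re.compile(r'^<> (?P<name>[^\\]+)\\DLLName = "(?P<path>[^"]*)" \[(?P<vendor>.*)\]$')

# Notify DLLs the thread's own logs show as legitimate.  An allowlist is an
# assumption for this example; a real baseline comes from a known-clean host.
KNOWN_NOTIFY_DLLS = {"klogon.dll", "ati2evxx.dll", "wgalogon.dll"}
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.dll$")


@dataclass
class Finding:
    source: str                 # which log section the line came from
    name: str                   # BHO display name or Notify subkey name
    path: str                   # DLL path as logged
    reasons: list[str] = field(default_factory=list)


def _check(source: str, name: str, path: str, vendor: str | None) -> Finding | None:
    """Apply the heuristics to one parsed entry; return it only if something fired."""
    f = Finding(source, name, path)
    base = ntpath.basename(path).lower()      # ntpath: Windows paths on any host
    folder = ntpath.dirname(path).lower()
    if name in ("(no name)", "(no title provided)"):
        f.reasons.append("registered without a display name")
    if not base.endswith(".dll"):
        f.reasons.append("path is truncated or names no DLL")
    elif (folder.endswith("\\system32") and RANDOM_NAME.match(base)
          and base not in KNOWN_NOTIFY_DLLS):
        f.reasons.append("random-looking lowercase DLL name in system32")
    if vendor == "null data":                  # Silent Runners: no version resource
        f.reasons.append("DLL carries no vendor/version information")
    return f if f.reasons else None


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious BHO / Winlogon Notify entries found in a log dump."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HJT_BHO.match(line):
            hit = _check("O2 BHO", m["name"], m["path"], None)
        elif m := HJT_NOTIFY.match(line):
            hit = _check("O20 Winlogon Notify", m["name"], m["path"], None)
        elif m := SR_NOTIFY.match(line):
            hit = _check("Winlogon\\Notify", m["name"], m["path"], m["vendor"])
        else:
            continue
        if hit:
            findings.append(hit)
    return findings


# Constructed sample built from the entries quoted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E582C44-06D9-491E-BFA2-8777D10DC9EB} - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: urqpomn - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> awvts\DLLName = "C:\WINDOWS\system32\awvts.dll" [null data]
<> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.source}] {hit.name} -> {hit.path}")
        for why in hit.reasons:
            print(f"    - {why}")
```

Run over the sample it reports exactly the three entries the thread singled out (the unnamed awvts BHO, the awvts Notify DLL with no version data, the truncated urqpomn Notify path) and stays silent on the Kaspersky, ATI, WGA and Adobe entries.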


(Lukasz) #3

With KillBox a message appears:

and then nothing further happens


(adam9870) #4

The message says that the file does not exist or is in use by an external process. Since it appears, go ahead with the remaining steps.


(Lukasz) #5

ComboScan:

ComboScan v20070306.20 run by Łukasz on 2007-04-03 at 18:32:05

Computer is in Normal Mode.

--------------------------------------------------------------------------------




-- HijackThis (run as Łukasz.exe) ----------------------------------------------


Logfile of HijackThis v1.99.1

Scan saved at 18:32:08, on 2007-04-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Łukasz\Pulpit\comboscan.exe

C:\DOCUME~1\UKASZ~1\Pulpit\UKASZ~1.EXE


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.bmj.net.pl:3128

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {7E582C44-06D9-491E-BFA2-8777D10DC9EB} - C:\WINDOWS\system32\awvts.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O4 - Global Startup: Topcom Wireless LAN Utility.lnk = C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [INTERNATIONAL] International*

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: urqpomn - C:\WINDOWS\

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
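Editor's note on the O20 lines above (this is an added example, not part of Lukasz's post or of HijackThis itself). On Windows XP every subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify names a DLL that winlogon.exe loads at logon, which is why a stray Notify package is the first thing to check when an antivirus reports something touching winlogon.exe. The log lists three packages: klogon (Kaspersky), WgaLogon (Windows Genuine Advantage) and urqpomn, whose DLLName is just `C:\WINDOWS\` with no file name. The script below parses the O20 lines as HijackThis 1.99.1 prints them and flags any package that is not on an allow-list or whose DLLName does not point at a .dll. The allow-list (the stock XP Notify subkeys plus the two third-party ones this log accounts for) and the two checks are this example's assumptions; the sample lines are copied from the log in this thread. It flags entries for a manual look, it does not identify what they are.

```python
import re

# Constructed sample: the four O20 lines from the HijackThis log in this thread.
SAMPLE_O20_LINES = """\
O20 - AppInit_DLLs: C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll
O20 - Winlogon Notify: klogon - C:\\WINDOWS\\system32\\klogon.dll
O20 - Winlogon Notify: urqpomn - C:\\WINDOWS\\
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
"""

# HijackThis 1.99.1 prints Notify packages as "O20 - Winlogon Notify: <subkey> - <DLLName>".
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[^ ]+) - (?P<path>.*)$")

# Subkeys a stock Windows XP SP2 install registers under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (HijackThis hides
# most of them), plus the two third-party packages this log accounts for: klogon
# (Kaspersky) and WgaLogon (Windows Genuine Advantage). Treating everything else as
# "needs review" is an assumption of this example, not a rule from the page.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule", "sclgntfy",
    "senslogn", "termsrv", "wlballoon", "klogon", "wgalogon",
}


def parse_notify_entries(log_text):
    """Return (subkey, DLLName) for every Winlogon Notify line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = NOTIFY_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("path").strip()))
    return entries


def audit_notify_entry(name, path):
    """Reasons an entry deserves a manual look; an empty list means it is accounted for."""
    reasons = []
    if name.lower() not in KNOWN_NOTIFY:
        reasons.append("subkey name not in the allow-list")
    if path.lower().endswith("(file missing)"):
        reasons.append("HijackThis could not find the DLL on disk")
    elif not path.lower().endswith(".dll"):
        # e.g. "C:\WINDOWS\": DLLName carries no file name, so there is nothing to
        # hash or submit; the registry value itself needs to be read on the machine.
        reasons.append("DLLName does not point at a .dll file")
    return reasons


def audit_winlogon_notify(log_text):
    """Map each flagged Notify subkey to the list of reasons it was flagged."""
    flagged = {}
    for name, path in parse_notify_entries(log_text):
        reasons = audit_notify_entry(name, path)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_winlogon_notify(SAMPLE_O20_LINES).items():
        print(f"{name}: " + "; ".join(reasons))
```

On the affected machine the same packages can be listed directly with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s`, which shows the full DLLName value rather than HijackThis's rendering of it; that is the value to compare against what is actually on disk before deciding anything about a flagged entry.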



-- Files created between 2007-03-03 and 2007-04-03 -----------------------------


2007-04-03 17:57:18 0 d--hs---- C:\WINDOWS\CSC

2007-04-03 17:50:36 0 d-------- C:\!KillBox

2007-04-03 17:45:24 504832 --a------ C:\WINDOWS\system32\winlogon.exe

2007-04-03 17:40:50 126976 --a------ C:\WINDOWS\system32\zip.exe

2007-04-03 17:40:50 175616 --a------ C:\WINDOWS\system32\strings.exe

2007-04-03 17:40:50 16384 --a------ C:\WINDOWS\system32\restart.exe

2007-04-03 17:40:50 11254 --a------ C:\WINDOWS\system32\locate.com

2007-04-03 17:40:49 73728 --a------ C:\WINDOWS\system32\pv.exe

2007-04-03 17:40:49 39184 --a------ C:\WINDOWS\system32\Ntrights.exe

2007-04-03 17:10:54 0 d-------- C:\l2mfix

2007-04-03 15:52:47 0 d-------- C:\Program Files\Lavasoft

2007-04-03 15:52:35 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-04-03 15:36:53 0 d--h----- C:\WINDOWS\system32\GroupPolicy

2007-04-03 15:30:05 0 d-------- C:\WINDOWS\setup.pss

2007-04-03 15:29:40 0 d-------- C:\WINDOWS\setupupd

2007-04-03 15:11:43 0 d-------- C:\Program Files\Windows Defender

2007-04-02 22:05:45 100992 --a------ C:\WINDOWS\system32\drivers\bthpan.sys

2007-04-02 22:05:36 59648 --a------ C:\WINDOWS\system32\drivers\rfcomm.sys

2007-04-02 22:05:35 27648 --a------ C:\WINDOWS\system32\irmon.dll

2007-04-02 22:05:35 153088 --a------ C:\WINDOWS\system32\irftp.exe

2007-04-02 22:05:35 17024 --a------ C:\WINDOWS\system32\drivers\BthEnum.sys

2007-04-02 22:05:34 8192 --a------ C:\WINDOWS\system32\wshirda.dll

2007-04-02 22:05:29 275200 --a------ C:\WINDOWS\system32\drivers\bthport.sys

2007-04-02 22:05:28 18944 --a------ C:\WINDOWS\system32\drivers\BTHUSB.SYS

2007-04-02 22:03:15 115880 -----n--- C:\WINDOWS\system32\pxinsi64.exe

2007-04-02 22:03:15 129784 -----n--- C:\WINDOWS\system32\pxafs.dll

2007-04-02 22:03:15 36528 -----n--- C:\WINDOWS\system32\drivers\PxHelp20.sys

2007-04-02 22:03:15 2560 -----n--- C:\WINDOWS\system32\drivers\cdralw2k.sys

2007-04-02 22:03:15 2432 -----n--- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2007-04-02 22:03:10 0 d-------- C:\Program Files\Winamp

2007-04-02 21:53:15 0 d-------- C:\Program Files\IrfanView

2007-04-02 21:40:07 10880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys

2007-04-02 21:40:05 15360 --a------ C:\WINDOWS\system32\drivers\StreamIP.sys

2007-04-02 21:40:01 11136 --a------ C:\WINDOWS\system32\drivers\SLIP.sys

2007-04-02 21:39:58 19328 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS

2007-04-02 21:39:54 85376 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys

2007-04-02 21:39:51 5504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys

2007-04-02 21:39:49 17024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

2007-04-02 21:38:11 54784 --a------ C:\WINDOWS\system32\drivers\vfwwdm32.dll

2007-04-02 21:35:26 0 d-------- C:\Program Files\IVT Corporation

2007-04-02 20:04:45 0 d-------- C:\Program Files\Microsoft Virtual PC

2007-04-02 19:15:02 0 d-------- C:\WINDOWS\system32\NtmsData

2007-04-02 19:13:05 12399 --a------ C:\WINDOWS\system32\drivers\pvsnet.sys

2007-04-02 19:12:58 8320 --a------ C:\WINDOWS\system32\drivers\PvsUM.sys

2007-04-02 19:12:58 13344 --a------ C:\WINDOWS\system32\drivers\pvspth.sys

2007-04-02 19:12:57 28512 --a------ C:\WINDOWS\system32\drivers\pvs.sys

2007-04-02 19:12:57 51200 --a------ C:\WINDOWS\system32\drivers\hypervisor.sys

2007-04-02 19:12:56 22752 --a------ C:\WINDOWS\system32\drivers\pvsusb.sys

2007-04-02 19:12:19 4437 --a------ C:\WINDOWS\system32\drivers\pvsvnic.sys

2007-04-02 16:27:21 0 d-------- C:\Program Files\Common Files\Skype

2007-04-02 16:27:12 0 d-------- C:\Program Files\Skype

2007-04-02 15:27:26 0 d-------- C:\7c1032e1f6743681e5151e898f<7C1032~1>

2007-04-02 15:27:23 0 d-------- C:\Program Files\MSXML 4.0

2007-04-01 22:29:14 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat

2007-04-01 22:29:14 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat

2007-04-01 22:29:03 0 d-------- C:\Program Files\Kaspersky Lab

2007-04-01 22:29:02 74528 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2007-04-01 22:29:02 2098464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2007-04-01 22:28:42 0 d-------- C:\KAV

2007-04-01 22:27:20 280676 -----n--- C:\WINDOWS\system32\awvts.dll

2007-04-01 22:03:06 0 d-------- C:\Program Files\eMule

2007-04-01 21:57:20 0 d-------- C:\Program Files\Parallels

2007-04-01 21:47:44 0 d-------- C:\Program Files\Common Files\LightScribe

2007-04-01 19:50:59 0 d-------- C:\Program Files\Common Files\Adobe

2007-04-01 19:26:26 0 d-------- C:\Program Files\Nero

2007-04-01 19:26:26 0 d-------- C:\Program Files\Common Files\Ahead

2007-04-01 19:08:32 0 d-------- C:\Program Files\Rozliczenie Roczne Rzeczpospolitej 2006

2007-04-01 16:30:43 454656 --a------ C:\putty.exe

2007-04-01 15:28:08 290918 --a------ C:\WINDOWS\system32\Install7x.dll

2007-04-01 15:28:08 245248 --a------ C:\WINDOWS\system32\drivers\rt73.sys

2007-04-01 15:28:08 245376 --a------ C:\WINDOWS\system32\drivers\rt2500usb.SYS

2007-04-01 15:28:08 311296 --a------ C:\WINDOWS\system32\AegisI5.exe

2007-04-01 15:27:58 20747 --a------ C:\WINDOWS\system32\drivers\AegisP.sys

2007-04-01 15:27:48 0 d-------- C:\Program Files\TOPCOM

2007-04-01 13:39:52 178408 --a------ C:\WINDOWS\system32\muweb.dll

2007-04-01 13:39:52 128232 --a------ C:\WINDOWS\system32\mucltui.dll

2007-04-01 13:24:55 30512 --a------ C:\WINDOWS\system32\mdimon.dll

2007-04-01 13:24:46 32592 --a------ C:\WINDOWS\system32\msonpmon.dll

2007-04-01 13:23:30 0 d-------- C:\Program Files\Microsoft Works

2007-04-01 13:22:37 0 d-------- C:\Program Files\Microsoft.NET

2007-04-01 13:21:03 0 d-------- C:\IDE

2007-04-01 13:21:00 0 d-------- C:\Program Files\Microsoft Visual Studio 8

2007-04-01 13:20:32 0 d-------- C:\WINDOWS\SHELLNEW

2007-04-01 13:20:07 0 dr-h----- C:\MSOCache

2007-04-01 12:49:02 0 d-------- C:\Program Files\CesarFTP

2007-04-01 00:13:28 6400 --a------ C:\WINDOWS\system32\drivers\splitter.sys

2007-04-01 00:13:27 142464 --a------ C:\WINDOWS\system32\drivers\aec.sys

2007-04-01 00:13:26 2944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys

2007-04-01 00:13:24 4992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys

2007-04-01 00:13:23 54272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys

2007-04-01 00:13:22 52864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys

2007-04-01 00:13:20 7552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys

2007-04-01 00:13:19 82944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys

2007-04-01 00:13:17 5376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2007-04-01 00:13:16 172416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys

2007-04-01 00:13:15 60800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys

2007-04-01 00:13:11 3072 --a------ C:\WINDOWS\system32\drivers\audstub.sys

2007-04-01 00:12:23 58624 --a------ C:\WINDOWS\system32\drivers\redbook.sys

2007-04-01 00:12:11 3712 --a------ C:\WINDOWS\system32\drivers\ctljystk.sys

2007-04-01 00:12:09 51200 --a------ C:\WINDOWS\system32\sfman32.dll

2007-04-01 00:12:09 36480 --a------ C:\WINDOWS\system32\drivers\sfmanm.sys

2007-04-01 00:12:08 495616 --a------ C:\WINDOWS\system32\sblfx.dll

2007-04-01 00:12:08 283904 --a------ C:\WINDOWS\system32\drivers\emu10k1m.sys

2007-04-01 00:12:08 6912 --a------ C:\WINDOWS\system32\drivers\ctlfacem.sys

2007-04-01 00:12:08 24064 --a------ C:\WINDOWS\system32\devldr32.exe

2007-04-01 00:12:08 256512 --a------ C:\WINDOWS\system32\devcon32.dll

2007-04-01 00:12:08 4096 --a------ C:\WINDOWS\system32\ctwdm32.dll

2007-04-01 00:12:04 20992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys

2007-04-01 00:11:55 2944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys

2007-04-01 00:11:54 4096 --a------ C:\WINDOWS\system32\ksuser.dll

2007-04-01 00:11:54 145792 --a------ C:\WINDOWS\system32\drivers\portcls.sys

2007-04-01 00:11:54 60288 --a------ C:\WINDOWS\system32\drivers\drmk.sys

2007-04-01 00:11:52 10624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys

2007-04-01 00:11:36 77312 --a------ C:\WINDOWS\system32\usbui.dll

2007-04-01 00:10:30 0 d--hs---- C:\WINDOWS\Installer

2007-04-01 00:10:30 0 d-------- C:\Program Files\Common Files\ODBC

2007-04-01 00:10:25 0 d-------- C:\Program Files\Common Files\SpeechEngines

2007-04-01 00:10:24 0 dr------- C:\Program Files

2007-04-01 00:10:15 6144 -ra------ C:\WINDOWS\system32\kbdtuq.dll

2007-04-01 00:10:15 6144 -ra------ C:\WINDOWS\system32\kbdtuf.dll

2007-04-01 00:10:15 5632 -ra------ C:\WINDOWS\system32\kbdazel.dll

2007-04-01 00:10:12 5632 -ra------ C:\WINDOWS\system32\kbdmon.dll

2007-04-01 00:10:12 5632 -ra------ C:\WINDOWS\system32\kbdkyr.dll

2007-04-01 00:10:08 8192 -ra------ C:\WINDOWS\system32\kbdhept.dll

2007-04-01 00:10:07 6656 -ra------ C:\WINDOWS\system32\kbdhela3.dll

2007-04-01 00:10:07 6144 -ra------ C:\WINDOWS\system32\kbdhela2.dll

2007-04-01 00:10:07 5632 -ra------ C:\WINDOWS\system32\kbdhe319.dll

2007-04-01 00:10:07 5632 -ra------ C:\WINDOWS\system32\kbdhe220.dll

2007-04-01 00:10:07 5632 -ra------ C:\WINDOWS\system32\kbdhe.dll

2007-04-01 00:10:07 6144 -ra------ C:\WINDOWS\system32\kbdgkl.dll

2007-04-01 00:10:05 5632 -ra------ C:\WINDOWS\system32\kbdlt1.dll

2007-04-01 00:10:05 5632 -ra------ C:\WINDOWS\system32\kbdlt.dll

2007-04-01 00:10:04 6144 -ra------ C:\WINDOWS\system32\kbdlv1.dll

2007-04-01 00:10:04 6144 -ra------ C:\WINDOWS\system32\kbdlv.dll

2007-04-01 00:10:04 6144 -ra------ C:\WINDOWS\system32\kbdest.dll

2007-04-01 00:09:53 6656 -ra------ C:\WINDOWS\system32\kbdsl1.dll

2007-04-01 00:09:53 6656 -ra------ C:\WINDOWS\system32\kbdsl.dll

2007-04-01 00:09:53 5632 -ra------ C:\WINDOWS\system32\kbdro.dll

2007-04-01 00:09:52 6656 -ra------ C:\WINDOWS\system32\kbdycl.dll

2007-04-01 00:09:52 5632 -ra------ C:\WINDOWS\system32\kbdhu1.dll

2007-04-01 00:09:52 6656 -ra------ C:\WINDOWS\system32\kbdhu.dll

2007-04-01 00:09:52 6656 -ra------ C:\WINDOWS\system32\kbdcz2.dll

2007-04-01 00:09:52 6656 -ra------ C:\WINDOWS\system32\kbdcz1.dll

2007-04-01 00:09:52 7168 -ra------ C:\WINDOWS\system32\kbdcz.dll

2007-04-01 00:09:52 6656 -ra------ C:\WINDOWS\system32\kbdcr.dll

2007-04-01 00:09:52 6656 -ra------ C:\WINDOWS\system32\KBDAL.DLL

2007-04-01 00:09:51 13312 --a------ C:\WINDOWS\system32\irclass.dll

2007-04-01 00:09:51 85532 --a------ C:\WINDOWS\system32\dgsetup.dll

2007-04-01 00:09:51 176157 --a------ C:\WINDOWS\system32\dgrpsetu.dll

2007-04-01 00:09:50 24661 --a------ C:\WINDOWS\system32\spxcoins.dll

2007-04-01 00:09:50 103424 --a------ C:\WINDOWS\system32\EqnClass.Dll

2007-04-01 00:09:50 9168 --a------ C:\WINDOWS\system\VER.DLL

2007-04-01 00:09:49 19200 --a------ C:\WINDOWS\system\TAPI.DLL

2007-04-01 00:09:49 5120 --a------ C:\WINDOWS\system\SHELL.DLL

2007-04-01 00:09:49 24064 --a------ C:\WINDOWS\system\OLESVR.DLL

2007-04-01 00:09:49 83456 --a------ C:\WINDOWS\system\OLECLI.DLL

2007-04-01 00:09:49 127008 --a------ C:\WINDOWS\system\MSVIDEO.DLL

2007-04-01 00:09:48 9936 --a------ C:\WINDOWS\system\LZEXPAND.DLL

2007-04-01 00:09:48 33376 --a------ C:\WINDOWS\system\COMMDLG.DLL

2007-04-01 00:09:47 15360 --a------ C:\WINDOWS\TASKMAN.EXE

2007-04-01 00:09:47 109488 --a------ C:\WINDOWS\system\AVIFILE.DLL

2007-04-01 00:09:47 70096 --a------ C:\WINDOWS\system\AVICAP.DLL

2007-04-01 00:09:46 11264 --a------ C:\WINDOWS\system32\drivers\irenum.sys

2007-04-01 00:09:46 8704 --a------ C:\WINDOWS\system32\batt.dll

2007-04-01 00:09:46 69552 --a------ C:\WINDOWS\system\MMSYSTEM.DLL

2007-04-01 00:09:46 70144 --a------ C:\WINDOWS\NOTEPAD.EXE

2007-04-01 00:09:45 75776 --a------ C:\WINDOWS\system32\storprop.dll

2007-04-01 00:09:11 0 d-------- C:\WINDOWS\system32\CatRoot2

2007-04-01 00:09:11 0 d-------- C:\WINDOWS\system32\CatRoot

2007-04-01 00:08:40 0 d--hs---- C:\System Volume Information

2007-04-01 00:08:40 0 d-------- C:\Documents and Settings

2007-04-01 00:04:34 0 d-------- C:\Program Files\DAEMON Tools

2007-04-01 00:02:43 646392 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2007-04-01 00:02:24 0 d-------- C:\WINDOWS

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\WinSxS

2007-04-01 00:02:24 0 dr------- C:\WINDOWS\Web

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\twain_32

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\wins

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\wbem

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\usmt

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\spool

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\ShellExt

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\Setup

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\ras

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\oobe

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\npp

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\mui

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\inetsrv

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\IME

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\icsxml

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\ias

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\export

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\drivers

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\drivers\etc

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\drivers\disdn

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\dhcp

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\config

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\3com_dmi

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\3076

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\2052

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1054

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1045

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1042

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1041

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1037

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1033

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1031

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1028

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system32\1025

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\system

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\security

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Resources

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\repair

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Provisioning

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\PeerNet

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\pchealth

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\mui

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\msapps

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\msagent

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Media

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\java

2007-04-01 00:02:24 0 d--h----- C:\WINDOWS\inf

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\ime

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Help

2007-04-01 00:02:24 0 dr--s---- C:\WINDOWS\Fonts

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\ehome

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Driver Cache

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Debug

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Cursors

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Connection Wizard

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\Config

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\AppPatch

2007-04-01 00:02:24 0 d-------- C:\WINDOWS\addins

2007-03-31 23:43:12 0 d-------- C:\WINDOWS\ie7updates

2007-03-31 23:36:25 1779 --a------ C:\WINDOWS\mozver.dat

2007-03-31 23:35:30 0 d-------- C:\Program Files\Gadu-Gadu

2007-03-31 23:29:46 0 d--h---c- C:\WINDOWS\ie7

2007-03-31 23:13:05 520192 --------- C:\WINDOWS\system32\ati2sgag.exe

2007-03-31 23:12:51 0 d-------- C:\Program Files\ATI Technologies

2007-03-31 23:12:49 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-03-31 23:12:13 0 d-------- C:\ATI

2007-03-31 23:12:01 172032 --a------ C:\WINDOWS\system32\nvuide.exe

2007-03-31 23:11:43 159744 --a------ C:\WINDOWS\system32\nvuenet.exe

2007-03-31 23:11:42 172032 --a------ C:\WINDOWS\system32\nvusmb.exe

2007-03-31 23:11:40 172032 --a------ C:\WINDOWS\system32\NVUNINST.EXE

2007-03-31 23:11:40 172032 --a------ C:\WINDOWS\system32\nvumctl.exe

2007-03-31 23:11:33 172032 --a------ C:\WINDOWS\system32\nvugart.exe

2007-03-31 23:11:13 0 d-------- C:\Program Files\Common Files\InstallShield

2007-03-31 23:11:08 0 d-------- C:\NVIDIA

2007-03-31 23:06:53 0 --a------ C:\WINDOWS\nsreg.dat

2007-03-31 23:06:16 0 d-------- C:\Program Files\MSBuild

2007-03-31 23:02:52 0 d-------- C:\WINDOWS\system32\XPSViewer

2007-03-31 23:02:51 0 d-------- C:\WINDOWS\system32\en-us

2007-03-31 23:02:28 0 d-------- C:\Program Files\Reference Assemblies

2007-03-31 23:01:44 14048 --------- C:\WINDOWS\system32\spmsg2.dll

2007-03-31 23:01:35 0 d-------- C:\6bc2fa3e65f0761d292746a4<6BC2FA~1>

2007-03-31 22:58:50 0 d-------- C:\Program Files\Windows Media Connect 2

2007-03-31 22:58:16 0 d-------- C:\WINDOWS\system32\LogFiles

2007-03-31 22:58:16 0 d-------- C:\WINDOWS\system32\drivers\UMDF

2007-03-31 22:57:21 0 d-------- C:\WINDOWS\WBEM

2007-03-31 22:56:10 121856 --------- C:\WINDOWS\system32\xmllite.dll

2007-03-31 22:55:48 0 d-------- C:\WINDOWS\network diagnostic

2007-03-31 22:55:08 0 d-------- C:\WINDOWS\system32\pl-pl

2007-03-31 22:51:01 0 d-------- C:\WINDOWS\RegisteredPackages

2007-03-31 22:49:46 0 d-------- C:\WINDOWS\system32\ReinstallBackups

2007-03-31 22:48:39 0 dr--s---- C:\WINDOWS\assembly

2007-03-31 22:48:38 0 d-------- C:\WINDOWS\system32\URTTemp

2007-03-31 22:48:38 0 d-------- C:\WINDOWS\Microsoft.NET

2007-03-31 22:43:01 0 d-------- C:\Program Files\Mozilla Firefox

2007-03-31 22:30:25 0 d-------- C:\WINDOWS\system32\PreInstall

2007-03-31 22:30:24 23856 --a------ C:\WINDOWS\system32\spupdsvc.exe

2007-03-31 22:30:23 0 d--h----- C:\WINDOWS\$hf_mig$

2007-03-31 22:27:19 0 d-------- C:\WINDOWS\pss

2007-03-31 22:27:08 0 d-------- C:\WINDOWS\system32\DllCache

2007-03-31 22:26:54 0 d-------- C:\WINDOWS\system32\SoftwareDistribution

2007-03-31 22:25:42 0 d-------- C:\WINDOWS\SoftwareDistribution

2007-03-31 22:25:33 0 d-------- C:\WINDOWS\Prefetch

2007-03-31 22:24:03 0 -rahs---- C:\MSDOS.SYS

2007-03-31 22:24:03 0 -rahs---- C:\IO.SYS

2007-03-31 22:24:03 0 --a------ C:\CONFIG.SYS

2007-03-31 22:24:03 0 --a------ C:\AUTOEXEC.BAT

2007-03-31 22:23:47 112128 --a------ C:\WINDOWS\system32\mapi32.dll

2007-03-31 22:22:48 0 dr------- C:\WINDOWS\Offline Web Pages

2007-03-31 22:22:48 0 d---s---- C:\WINDOWS\Downloaded Program Files

2007-03-31 22:22:38 0 d--h----- C:\Program Files\WindowsUpdate

2007-03-31 22:22:35 0 d-------- C:\Program Files\Usługi online

2007-03-31 22:22:15 0 d-------- C:\WINDOWS\system32\DirectX

2007-03-31 22:21:44 11264 --a------ C:\WINDOWS\system32\atrace.dll

2007-03-31 22:21:32 12288 --a------ C:\WINDOWS\system32\nmevtmsg.dll

2007-03-31 22:21:30 67584 --a------ C:\WINDOWS\system32\acctres.dll

2007-03-31 22:21:25 0 d---s---- C:\WINDOWS\Tasks

2007-03-31 22:21:25 16384 --a------ C:\WINDOWS\system32\icfgnt5.dll

2007-03-31 22:21:24 0 d-------- C:\Program Files\Common Files\MSSoap

2007-03-31 22:21:18 0 d-------- C:\WINDOWS\srchasst

2007-03-31 22:21:16 0 d-------- C:\WINDOWS\system32\Macromed

2007-03-31 22:21:12 173536 --a------ C:\WINDOWS\system32\wuweb.dll

2007-03-31 22:21:12 128280 --a------ C:\WINDOWS\system32\wucltui.dll

2007-03-31 22:21:12 6656 --a------ C:\WINDOWS\system32\wuauserv.dll

2007-03-31 22:21:12 195352 --a------ C:\WINDOWS\system32\wuaueng1.dll

2007-03-31 22:21:11 41240 --a------ C:\WINDOWS\system32\wups.dll

2007-03-31 22:21:11 1343768 --a------ C:\WINDOWS\system32\wuaueng.dll

2007-03-31 22:21:11 175384 --a------ C:\WINDOWS\system32\wuauclt1.exe

2007-03-31 22:21:11 125208 --a------ C:\WINDOWS\system32\wuauclt.exe

2007-03-31 22:21:10 466200 --a------ C:\WINDOWS\system32\wuapi.dll

2007-03-31 22:21:10 18944 --a------ C:\WINDOWS\system32\qmgrprxy.dll

2007-03-31 22:21:10 382464 --a------ C:\WINDOWS\system32\qmgr.dll

2007-03-31 22:21:10 7168 --a------ C:\WINDOWS\system32\bitsprx3.dll

2007-03-31 22:21:10 8192 --a------ C:\WINDOWS\system32\bitsprx2.dll

2007-03-31 22:21:03 0 d-------- C:\Program Files\Movie Maker

2007-03-31 22:20:58 45568 --a------ C:\WINDOWS\system32\safrslv.dll

2007-03-31 22:20:58 29696 --a------ C:\WINDOWS\system32\safrdm.dll

2007-03-31 22:20:58 43520 --a------ C:\WINDOWS\system32\safrcdlg.dll

2007-03-31 22:20:58 43520 --a------ C:\WINDOWS\system32\racpldlg.dll

2007-03-31 22:20:52 23040 --a------ C:\WINDOWS\system32\fltmc.exe

2007-03-31 22:20:52 16896 --a------ C:\WINDOWS\system32\fltlib.dll

2007-03-31 22:20:52 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys

2007-03-31 22:20:51 171008 --a------ C:\WINDOWS\system32\srsvc.dll

2007-03-31 22:20:51 240128 --a------ C:\WINDOWS\system32\srrstr.dll

2007-03-31 22:20:51 67584 --a------ C:\WINDOWS\system32\srclient.dll

2007-03-31 22:20:51 0 d-------- C:\WINDOWS\system32\Restore

2007-03-31 22:20:51 73472 --a------ C:\WINDOWS\system32\drivers\sr.sys

2007-03-31 22:20:50 34560 --a------ C:\WINDOWS\system32\mnmdd.dll

2007-03-31 22:20:50 32768 --a------ C:\WINDOWS\system32\isrdbg32.dll

2007-03-31 22:20:50 81920 --a------ C:\WINDOWS\system32\ils.dll

2007-03-31 22:20:49 28672 --a------ C:\WINDOWS\system32\nmmkcert.dll

2007-03-31 22:20:49 69632 --a------ C:\WINDOWS\system32\msconf.dll

2007-03-31 22:20:49 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe

2007-03-31 22:20:45 105984 --a------ C:\WINDOWS\system32\msoert2.dll

2007-03-31 22:20:45 252928 --a------ C:\WINDOWS\system32\msoeacct.dll

2007-03-31 22:20:43 49664 --a------ C:\WINDOWS\system32\inetres.dll

2007-03-31 22:20:43 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

2007-03-31 22:20:40 192000 --a------ C:\WINDOWS\system32\schedsvc.dll

2007-03-31 22:20:39 12288 --a------ C:\WINDOWS\system32\mstinit.exe

2007-03-31 22:20:39 278528 --a------ C:\WINDOWS\system32\mstask.dll

2007-03-31 22:20:39 65536 --a------ C:\WINDOWS\system32\icwphbk.dll

2007-03-31 22:20:39 73728 --a------ C:\WINDOWS\system32\icwdial.dll

2007-03-31 22:20:38 86016 --a------ C:\WINDOWS\system32\isign32.dll

2007-03-31 22:20:38 278528 --a------ C:\WINDOWS\system32\inetcfg.dll

2007-03-31 22:20:03 21856 --a------ C:\WINDOWS\system32\emptyregdb.dat

2007-03-31 22:19:51 0 d-------- C:\WINDOWS\Registration

2007-03-31 22:19:39 0 d-------- C:\Program Files\Messenger

2007-03-31 22:19:34 5632 --a------ C:\WINDOWS\system32\write.exe

2007-03-31 22:19:34 0 d-------- C:\Program Files\MSN Gaming Zone

2007-03-31 22:19:21 44544 --a------ C:\WINDOWS\system32\hticons.dll

2007-03-31 22:19:21 73216 --a------ C:\WINDOWS\system32\avwav.dll

2007-03-31 22:19:21 16384 --a------ C:\WINDOWS\system32\avmeter.dll

2007-03-31 22:19:20 35328 --a------ C:\WINDOWS\system32\winchat.exe

2007-03-31 22:19:20 231424 --a------ C:\WINDOWS\system32\avtapi.dll

2007-03-31 22:19:09 605696 --a------ C:\WINDOWS\system32\getuname.dll

2007-03-31 22:19:09 80896 --a------ C:\WINDOWS\system32\charmap.exe

2007-03-31 22:19:08 57344 --a------ C:\WINDOWS\system32\sol.exe

2007-03-31 22:19:08 115200 --a------ C:\WINDOWS\system32\calc.exe

2007-03-31 22:19:07 119808 --a------ C:\WINDOWS\system32\winmine.exe

2007-03-31 22:19:07 128000 --a------ C:\WINDOWS\system32\mshearts.exe

2007-03-31 22:19:07 55808 --a------ C:\WINDOWS\system32\freecell.exe

2007-03-31 22:19:06 1225 --a------ C:\WINDOWS\system32\usrlogon.cmd

2007-03-31 22:19:06 17920 --a------ C:\WINDOWS\system32\tsshutdn.exe

2007-03-31 22:19:06 16384 --a------ C:\WINDOWS\system32\tskill.exe

2007-03-31 22:19:06 15360 --a------ C:\WINDOWS\system32\tsdiscon.exe

2007-03-31 22:19:06 15360 --a------ C:\WINDOWS\system32\tscon.exe

2007-03-31 22:19:06 15360 --a------ C:\WINDOWS\system32\shadow.exe

2007-03-31 22:19:06 9728 --a------ C:\WINDOWS\system32\reset.exe

2007-03-31 22:19:05 16384 --a------ C:\WINDOWS\system32\rwinsta.exe

2007-03-31 22:19:05 33792 --a------ C:\WINDOWS\system32\regini.exe

2007-03-31 22:19:05 4608 --a------ C:\WINDOWS\system32\rdpcfgex.dll

2007-03-31 22:19:05 22528 --a------ C:\WINDOWS\system32\qwinsta.exe

2007-03-31 22:19:05 17408 --a------ C:\WINDOWS\system32\qappsrv.exe

2007-03-31 22:19:05 22528 --a------ C:\WINDOWS\system32\msg.exe

2007-03-31 22:19:05 15872 --a------ C:\WINDOWS\system32\logoff.exe

2007-03-31 22:19:05 15872 --a------ C:\WINDOWS\system32\cdmodem.dll

2007-03-31 22:19:03 54272 --a------ C:\WINDOWS\system32\stclient.dll

2007-03-31 22:19:03 25088 --a------ C:\WINDOWS\system32\mtxlegih.dll

2007-03-31 22:19:03 4096 --a------ C:\WINDOWS\system32\mtxex.dll

2007-03-31 22:19:03 20480 --a------ C:\WINDOWS\system32\mtxdm.dll

2007-03-31 22:19:03 5120 --a------ C:\WINDOWS\system32\dcomcnfg.exe

2007-03-31 22:19:03 97792 --a------ C:\WINDOWS\system32\comrepl.dll

2007-03-31 22:19:03 25600 --a------ C:\WINDOWS\system32\comaddin.dll

2007-03-31 22:19:02 147456 --a------ C:\WINDOWS\system32\comsnap.dll

2007-03-31 22:18:54 187904 --a------ C:\WINDOWS\system32\accwiz.exe

2007-03-31 22:18:53 132608 --a------ C:\WINDOWS\system32\sndrec32.exe

2007-03-31 22:18:53 124928 --a------ C:\WINDOWS\system32\mplay32.exe

2007-03-31 22:18:53 351744 --a------ C:\WINDOWS\system32\hypertrm.dll

2007-03-31 22:18:52 345088 --a------ C:\WINDOWS\system32\mspaint.exe

2007-03-31 22:18:52 103424 --a------ C:\WINDOWS\system32\clipbrd.exe

2007-03-31 22:18:52 0 d-------- C:\Program Files\Windows NT

2007-03-31 22:18:51 539136 --a------ C:\WINDOWS\system32\spider.exe

2007-03-31 22:18:51 21896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys

2007-03-31 22:18:51 12040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys

2007-03-31 22:18:50 94720 --a------ C:\WINDOWS\system32\tscfgwmi.dll

2007-03-31 22:18:50 1866240 --a------ C:\WINDOWS\system32\mstscax.dll

2007-03-31 22:18:50 600576 --a------ C:\WINDOWS\system32\mstsc.exe

2007-03-31 22:18:50 139528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys

2007-03-31 22:18:49 44544 --a------ C:\WINDOWS\system32\tscupgrd.exe

2007-03-31 22:18:49 141824 --a------ C:\WINDOWS\system32\sessmgr.exe

2007-03-31 22:18:49 60928 --a------ C:\WINDOWS\system32\remotepg.dll

2007-03-31 22:18:49 67072 --a------ C:\WINDOWS\system32\rdshost.exe

2007-03-31 22:18:49 13824 --a------ C:\WINDOWS\system32\rdsaddin.exe

2007-03-31 22:18:49 147968 --a------ C:\WINDOWS\system32\rdchost.dll

2007-03-31 22:18:48 296448 --a------ C:\WINDOWS\system32\termsrv.dll

2007-03-31 22:18:48 87176 --a------ C:\WINDOWS\system32\rdpwsx.dll

2007-03-31 22:18:48 19968 --a------ C:\WINDOWS\system32\rdpsnd.dll

2007-03-31 22:18:48 62464 --a------ C:\WINDOWS\system32\rdpclip.exe

2007-03-31 22:18:48 20992 --a------ C:\WINDOWS\system32\qprocess.exe

2007-03-31 22:18:48 11264 --a------ C:\WINDOWS\system32\icaapi.dll

2007-03-31 22:18:48 38912 --a------ C:\WINDOWS\system32\cfgbkend.dll

2007-03-31 22:18:47 91136 --a------ C:\WINDOWS\system32\mtxoci.dll

2007-03-31 22:18:47 161280 --a------ C:\WINDOWS\system32\msdtcuiu.dll

2007-03-31 22:18:47 426496 --a------ C:\WINDOWS\system32\msdtcprx.dll

2007-03-31 22:18:47 0 d-------- C:\WINDOWS\system32\MsDtc

2007-03-31 22:18:46 11776 --a------ C:\WINDOWS\system32\xolehlp.dll

2007-03-31 22:18:46 956416 --a------ C:\WINDOWS\system32\msdtctm.dll

2007-03-31 22:18:46 58880 --a------ C:\WINDOWS\system32\msdtclog.dll

2007-03-31 22:18:46 6144 --a------ C:\WINDOWS\system32\msdtc.exe

2007-03-31 22:18:44 0 d-------- C:\WINDOWS\system32\Com

2007-03-31 22:18:44 60416 --a------ C:\WINDOWS\system32\colbact.dll

2007-03-31 22:18:44 110080 --a------ C:\WINDOWS\system32\clbcatex.dll

2007-03-31 22:18:44 85504 --a------ C:\WINDOWS\system32\catsrvps.dll

2007-03-31 22:18:43 625152 --a------ C:\WINDOWS\system32\catsrvut.dll

2007-03-31 22:18:43 225792 --a------ C:\WINDOWS\system32\catsrv.dll

2007-03-31 22:18:42 540160 --a------ C:\WINDOWS\system32\comuid.dll

2007-03-31 22:18:42 1267200 --a------ C:\WINDOWS\system32\comsvcs.dll

2007-03-31 22:18:41 498688 --a------ C:\WINDOWS\system32\clbcatq.dll

2007-03-31 22:18:31 56320 --a------ C:\WINDOWS\system32\servdeps.dll

2007-03-31 22:18:31 17920 --a------ C:\WINDOWS\system32\mmfutil.dll

2007-03-31 22:18:31 58880 --a------ C:\WINDOWS\system32\licwmi.dll

2007-03-31 22:18:31 187904 --a------ C:\WINDOWS\system32\cmprops.dll

2007-03-31 22:18:28 40840 --a------ C:\WINDOWS\system32\drivers\termdd.sys

2007-03-31 22:18:28 196864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys

2007-03-09 19:58:06 25734 --a------ C:\WINDOWS\system32\drivers\klop.dat

2007-03-09 19:52:52 200768 --a------ C:\WINDOWS\system32\klogon.dll

2007-03-03 20:39:06 110360 --a------ C:\WINDOWS\system32\drivers\kl1.sys



-- Find3M Report ---------------------------------------------------------------


2007-04-03 15:53:04 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Lavasoft

2007-04-02 23:27:26 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Skype

2007-04-02 22:06:52 499332 --a------ C:\WINDOWS\system32\perfh015.dat

2007-04-02 22:06:52 88940 --a------ C:\WINDOWS\system32\perfc015.dat

2007-04-02 20:07:16 0 d---s---- C:\Documents and Settings\Łukasz\Dane aplikacji\Microsoft

2007-04-01 19:51:15 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Adobe

2007-04-01 19:27:40 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Ahead

2007-04-01 00:09:27 62 --ahs---- C:\Documents and Settings\Łukasz\Dane aplikacji\desktop.ini

2007-03-31 23:36:29 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Macromedia

2007-03-31 23:15:27 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\ATI

2007-03-31 23:06:57 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Talkback

2007-03-31 22:43:06 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Mozilla

2007-03-31 22:26:59 0 d-------- C:\Documents and Settings\Łukasz\Dane aplikacji\Identities

2007-03-02 22:57:04 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll

2007-03-02 22:54:35 307200 --a------ C:\WINDOWS\system32\ATIDEMGX.dll

2007-03-02 22:53:36 265728 --a------ C:\WINDOWS\system32\ati2dvag.dll

2007-03-02 22:47:51 118784 --a------ C:\WINDOWS\system32\atipdlxx.dll

2007-03-02 22:47:42 110592 --a------ C:\WINDOWS\system32\Oemdspif.dll

2007-03-02 22:47:35 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe

2007-03-02 22:47:30 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll

2007-03-02 22:47:19 110592 --a------ C:\WINDOWS\system32\ati2evxx.dll

2007-03-02 22:46:12 446464 --a------ C:\WINDOWS\system32\ati2evxx.exe

2007-03-02 22:45:32 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL

2007-03-02 22:38:53 2824512 --a------ C:\WINDOWS\system32\ati3duag.dll

2007-03-02 22:29:23 1288960 --a------ C:\WINDOWS\system32\ativvaxx.dll

2007-03-02 22:29:08 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat

2007-03-02 22:21:15 5398528 --a------ C:\WINDOWS\system32\atioglxx.dll

2007-03-02 22:17:37 258048 --a------ C:\WINDOWS\system32\atikvmag.dll

2007-03-02 22:16:23 17408 --a------ C:\WINDOWS\system32\atitvo32.dll

2007-03-02 22:11:44 348160 --a------ C:\WINDOWS\system32\ati2cqag.dll

2007-02-28 20:53:50 972336 --a------ C:\WINDOWS\UNNeroVision.exe

2007-02-28 15:41:02 972336 --a------ C:\WINDOWS\UNNeroShowTime.exe

2007-02-26 17:44:06 147685 --a------ C:\WINDOWS\system32\atiicdxx.dat

2007-01-29 10:58:06 60416 --------- C:\WINDOWS\system32\tzchange.exe

2007-01-29 06:20:34 144800 --a------ C:\WINDOWS\system32\VMNetSrv.dll

2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll

2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll

2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll

2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll

2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll

2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll

2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll

2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll

2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll

2007-01-08 19:02:02 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll

2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll

2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll

2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll

2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll

2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll

2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe

2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe



-- Registry Dump ---------------------------------------------------------------



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

@=""

"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"

"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""

"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"

"AVP"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""

"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"

"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\

  33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00


[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]

"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\

  33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"=""

"hkey"="HKLM"

"command"=""

"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundService]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="gmsjyfrr"

"hkey"="HKLM"

"command"="rundll32.exe \"C:\\WINDOWS\\system32\\gmsjyfrr.dll\",setvm"

"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="CLIStart"

"hkey"="HKCU"

"command"="C:\\Program Files\\ATI Technologies\\ATI.ACE\\Core-Static\\CLIStart.exe"

"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"ATI Smart"=dword:00000002

"Ati HotKey Poller"=dword:00000002


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"appinit_dlls"="C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll"



[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"

"{27CA571B-14D3-4937-B387-BE72FA7A0F87}"=""

"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]

"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"=dword:00000001


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpomn


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0

LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService	REG_MULTI_SZ DnsCache\0\0

DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0

rpcss	REG_MULTI_SZ RpcSs\0\0

imgsvc	REG_MULTI_SZ StiSvc\0\0

termsvcs	REG_MULTI_SZ TermService\0\0

WudfServiceGroup	REG_MULTI_SZ WUDFSvc\0\0

bthsvcs	REG_MULTI_SZ BthServ\0\0




-- End of ComboScan: finished at 2007-04-03 at 18:32:47 ------------------------

Merged post: 03.04.2007 (Tue) 18:45

Sorry for the separate post, but it contained too many characters and I couldn't send it. I won't be able to fit the Silent Runners log. HijackThis:

Logfile of HijackThis v1.99.1

Scan saved at 18:45:21, on 2007-04-03

Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)


Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Gadu-Gadu\gg.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Łukasz\Pulpit\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = w3cache.bmj.net.pl:3128

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL

O2 - BHO: (no name) - {7E582C44-06D9-491E-BFA2-8777D10DC9EB} - C:\WINDOWS\system32\awvts.dll

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - Startup: Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: BlueSoleil.lnk = C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

O4 - Global Startup: Topcom Wireless LAN Utility.lnk = C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe

O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm

O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll

O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O11 - Options group: [INTERNATIONAL] International*

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll

O20 - Winlogon Notify: urqpomn - C:\WINDOWS\

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Parallels DHCP Service for Virtual NIC (PRLDHCP) - Parallels Software International, Inc. - C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe
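
The Registry Dump above writes a few values in regedit's hex(N): notation instead of readable text, for example the tscuninstall RunOnce value under HKEY_USERS\.default, split across two lines with a trailing backslash. The Python below is an added example written for this thread, not code from ComboScan, HijackThis or any other tool on the page. It rejoins the continued lines and decodes the value types that matter when reading such a dump (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ, REG_DWORD, anything else as raw bytes); the sample is the tscuninstall value copied from the dump. One assumption is built in: ComboScan writes strings in the ANSI code page, as REGEDIT4-style exports do, while regedit 5.00 exports write UTF-16LE, so the decoder treats the bytes as UTF-16LE only when every odd byte is zero.

```python
"""Decode regedit-style hex(N): values as they appear in ComboScan's Registry Dump.
Added example for this thread; not code from ComboScan or any other tool on the page.
The sample is the 'tscuninstall' RunOnce value copied from the dump above."""
import re

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# '"name"=hex(2):25,73,...'; a bare 'hex:' with no type means REG_BINARY (type 3)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>[0-9a-fA-F,]*)$')

def join_continuations(text):
    """regedit wraps long hex values with a trailing backslash and indents the next line,
    and the forum paste added blank lines between them. Rejoin each value into one line."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + line
        else:
            out.append(line)
    return out

def bytes_to_text(raw):
    """Assumption: REGEDIT4-style dumps (ComboScan's) store strings in the ANSI code page,
    regedit 5.00 exports store UTF-16LE. If every odd byte is zero, treat as UTF-16LE."""
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def decode_hex_value(line):
    """Return (name, type name, value) for one rejoined '"name"=hex(N):...' line.
    value is str for REG_SZ/REG_EXPAND_SZ, list of str for REG_MULTI_SZ, int for REG_DWORD,
    and the raw bytes for anything else."""
    m = VALUE_RE.match(line)
    if not m:
        raise ValueError("not a hex value line: %r" % line)
    type_id = int(m.group("type") or "3", 16)
    raw = bytes(int(h, 16) for h in m.group("data").split(",") if h)
    type_name = REG_TYPES.get(type_id, "type 0x%x" % type_id)
    if type_id in (1, 2):
        return m.group("name"), type_name, bytes_to_text(raw).rstrip("\x00")
    if type_id == 7:
        return m.group("name"), type_name, [s for s in bytes_to_text(raw).split("\x00") if s]
    if type_id == 4:
        return m.group("name"), type_name, int.from_bytes(raw, "little")
    return m.group("name"), type_name, raw

def decode_dump(text):
    """Decode every hex(N): value in a registry dump fragment."""
    return [decode_hex_value(l) for l in join_continuations(text) if "=hex" in l]

# Copied verbatim from the ComboScan Registry Dump above (RunOnce under HKEY_USERS\.default).
SAMPLE = r'''
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"tscuninstall"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,6d,\

  33,32,5c,74,73,63,75,70,67,72,64,2e,65,78,65,00
'''

if __name__ == "__main__":
    for name, type_name, value in decode_dump(SAMPLE):
        print("%s (%s) -> %r" % (name, type_name, value))
```

Running it turns the tscuninstall bytes into %systemroot%\system32\tscupgrd.exe, the Terminal Services client upgrade stub that XP SP2 leaves behind; the same entry appears under S-1-5-18, which is the pattern of a Windows component rather than of the adware in this thread. The point of the exercise is to get every launch point into plain text before deciding what is suspicious, instead of skipping the ones the dumper left encoded.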

(squeet) #6

Then give us the SilentRunners one too, we're waiting.


(Lukasz) #7

Silent Runners:

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/

Operating System: Windows XP SP2

Output limited to non-default values, except where indicated by "{++}"



Startup items buried in registry:

---------------------------------


HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

"(Default)" = "(empty string)" [file not found]

"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]

"DAEMON Tools" = ""C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033" ["DT Soft Ltd."]

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}" = ""C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"" ["Nero AG"]


HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]

"NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]

"AVP" = ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"" ["Kaspersky Lab"]

"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]

"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "AcroIEHlprObj Class"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\(Default) = (no title provided)

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

{C88F887A-FC04-4186-A777-1ED246FDD404}\(Default) = (no title provided)

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\awvts.dll" [null data]


HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"

  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"

                   \InProcServer32\(Default) = "deskpan.dll" [file not found]

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"

  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

  -> {HKLM...CLSID} = "SimpleShlExt Class"

                   \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" [empty string]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"

  -> {HKLM...CLSID} = "Groove GFS Browser Helper"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"

  -> {HKLM...CLSID} = "Groove Folder Synchronization"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"

  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"

  -> {HKLM...CLSID} = "Groove XML Icon Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

  -> {HKLM...CLSID} = "Outlook File Icon Extension"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

  -> {HKLM...CLSID} = "Microsoft Office Outlook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

  -> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Web Anti-Virus statistics"

  -> {HKLM...CLSID} = "Web Anti-Virus statistics"

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]

"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"

  -> {HKLM...CLSID} = "VPCHostCopyHook"

                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Virtual PC\VPCShExH.DLL" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"

  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]

<> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"

  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"

                   \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]


HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

  -> {HKLM...CLSID} = "WPDShServiceObj Class"

                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\

<> "AppInit_DLLs" = "C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll" ["Kaspersky Lab"]


HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<> awvts\DLLName = "C:\WINDOWS\system32\awvts.dll" [null data]

<> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\PROTOCOLS\Filter\

<> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ColumnHandlers\

{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"

  -> {HKLM...CLSID} = "PDF Shell Extension"

                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]


HKLM\Software\Classes\*\shellex\ContextMenuHandlers\

Cover Designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

  -> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

                   \InProcServer32\(Default) = "C:\Program Files\Nero\Nero 7\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\

Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"

  -> {HKLM...CLSID} = (no title provided)

                   \InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ShellEx.dll" ["Kaspersky Lab"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

  -> {HKLM...CLSID} = "WinRAR"

                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]



Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------


Note: detected settings may not have any effect.


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\


"ForceClassicControlPanel" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\


"NoInternetOpenWith" = (REG_DWORD) hex:0x00000001

{unrecognized setting}


"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}


"undockwithoutlogon" = (REG_DWORD) hex:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}



Active Desktop and Wallpaper:

-----------------------------


Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"



Startup items in "Łukasz" & "All Users" startup folders:

--------------------------------------------------------


C:\Documents and Settings\Łukasz\Menu Start\Programy\Autostart

"Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007" -> shortcut to: "C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE /tsr" [MS]


C:\Documents and Settings\All Users\Menu Start\Programy\Autostart

"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]

"BlueSoleil" -> shortcut to: "C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe" ["IVT Corporation"]

"Topcom Wireless LAN Utility" -> shortcut to: "C:\Program Files\TOPCOM\Common\Topcom_USB_4001g.exe -s" ["Topcom Corp."]



Enabled Scheduled Tasks:

------------------------


"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]



Winsock2 Service Provider DLLs:

-------------------------------


Namespace Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000004\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]


Transport Service Providers


HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05



Toolbars, Explorer Bars, Extensions:

------------------------------------


Explorer Bars


HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\


HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL" [MS]


HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Web Anti-Virus statistics"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll" ["Kaspersky Lab"]


HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL" [MS]


Extensions (Tools menu items, main toolbar menu buttons)


HKLM\Software\Microsoft\Internet Explorer\Extensions\

{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\

"ButtonText" = "Web Anti-Virus statistics"


{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Wyślij do programu OneNote"

"MenuText" = "Wyślij &do programu OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll" [MS]


{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"


{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]



Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------


BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]

Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}

Kaspersky Internet Security 6.0, AVP, ""C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r" ["Kaspersky Lab"]

LightScribeService Direct Disc Labeling Service, LightScribeService, ""C:\Program Files\Common Files\LightScribe\LSSrvc.exe"" ["Hewlett-Packard Company"]

Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe"" [MS]

NMIndexingService, NMIndexingService, ""C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe"" ["Nero AG"]

Office Source Engine, ose, ""C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"" [MS]

Parallels DHCP Service for Virtual NIC, PRLDHCP, "C:\Program Files\Parallels\Parallels Workstation\PRLDHCP.exe" ["Parallels Software International, Inc."]

Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]



Print Monitors:

---------------


HKLM\System\CurrentControlSet\Control\Print\Monitors\

Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]

Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]



----------

<>: Suspicious data at a malware launch point.


+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

  launch it from a command prompt or a shortcut with the -all parameter.

+ To search all directories of local fixed drives for DESKTOP.INI

  DLL launch points, use the -supp parameter or answer "No" at the

  first message box and "Yes" at the second message box.

---------- (total run time: 60 seconds, including 1 second for message boxes)
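
Silent Runners marks the lines worth a second look with <> and prints a company name in square brackets after each file, or [null data] / [file not found] when the file has no version information or is missing; HijackThis prints its O2 (BHO) and O20 (Winlogon Notify) lines with no publisher at all. The script below is an added example written for this thread, not part of Silent Runners, HijackThis or any other tool named on the page. It parses both formats and scores each Winlogon Notify DLL and BHO so that awvts.dll and the urqpomn entry stand out while klogon.dll, Ati2evxx.dll and WgaLogon.dll do not. The sample lines are copied from the two logs above; the scoring weights and the random-looking-name heuristic are my assumptions, and the heuristic does misfire on terse legitimate names, which is why a name alone never reaches the threshold.

```python
"""Score Winlogon Notify and BHO launch points in Silent Runners / HijackThis output.
Added example for this thread, not code from either tool; sample lines are copied from
the logs above, and the weights and the random-name heuristic are assumptions."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source kind name path score reasons")

# Silent Runners: '<> awvts\DLLName = "C:\WINDOWS\system32\awvts.dll" [null data]'
SR_NOTIFY = re.compile(r'^<>\s*(?P<name>[^\\]+)\\DLLName = "(?P<path>[^"]*)" (?P<tag>\[.*\])$')
# Silent Runners: '\InProcServer32\(Default) = "C:\...\awvts.dll" [null data]'
SR_INPROC = re.compile(r'^\\InProcServer32\\\(Default\) = "(?P<path>[^"]*)" (?P<tag>\[.*\])$')
# HijackThis: 'O20 - Winlogon Notify: urqpomn - C:\WINDOWS\'
HJT_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# HijackThis: 'O2 - BHO: (no name) - {CLSID} - C:\WINDOWS\system32\awvts.dll'
HJT_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')

# Printed by Silent Runners instead of a company name when the file has no version
# resource, is zero-length, or is missing; Microsoft files show as [MS].
UNTRUSTED_TAGS = {"[null data]", "[empty string]", "[file not found]"}
UNNAMED = {"(no name)", "(no title provided)"}

def file_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def looks_random(name):
    """Vundo-style names (awvts, urqpomn, gmsjyfrr): 5-8 lowercase letters with a low vowel
    share or a long consonant run. Misfires on abbreviations like 'cscdll', hence 1 point."""
    stem = name.rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) <= 0.3 or longest_run >= 4

def score_entry(source, kind, name, path, tag=None):
    base, checks = file_name(path), []
    checks.append((2, "no publisher: %s" % tag, tag in UNTRUSTED_TAGS))
    checks.append((2, "path has no file name", not base))   # e.g. 'C:\WINDOWS\' for urqpomn
    checks.append((1, "unnamed entry", name in UNNAMED))
    checks.append((1, "random-looking name", looks_random(base) or looks_random(name)))
    hits = [(w, why) for w, why, hit in checks if hit]
    return Finding(source, kind, name, path, sum(w for w, _ in hits), [why for _, why in hits])

def triage(text, threshold=2):
    """Parse mixed Silent Runners / HijackThis lines; return findings scoring >= threshold."""
    findings, title = [], "(no title provided)"
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-> {HKLM...CLSID} = "):      # title line preceding InProcServer32
            title = line.split(" = ", 1)[1].strip('"')
        elif (m := SR_NOTIFY.match(line)):
            findings.append(score_entry("SilentRunners", "WinlogonNotify", m["name"], m["path"], m["tag"]))
        elif (m := SR_INPROC.match(line)):
            findings.append(score_entry("SilentRunners", "InProcServer32", title, m["path"], m["tag"]))
        elif (m := HJT_O20.match(line)):
            findings.append(score_entry("HijackThis", "WinlogonNotify", m["name"], m["path"]))
        elif (m := HJT_O2.match(line)):
            findings.append(score_entry("HijackThis", "BHO", m["name"], m["path"]))
    return [f for f in findings if f.score >= threshold]

# Copied from the Silent Runners and HijackThis logs above.
SAMPLE = r'''
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AcroIEHlprObj Class"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{C88F887A-FC04-4186-A777-1ED246FDD404}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\awvts.dll" [null data]
<> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<> awvts\DLLName = "C:\WINDOWS\system32\awvts.dll" [null data]
<> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E582C44-06D9-491E-BFA2-8777D10DC9EB} - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: urqpomn - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
'''

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.score, f.source, f.kind, f.name, f.path, "; ".join(f.reasons))
```

The two indicators that carry most weight are ones the logs already expose: a DLL with no publisher string sitting under a launch point that is loaded into winlogon.exe (Winlogon\Notify) or into every Internet Explorer process (a BHO), and a Notify entry whose DLL could not even be resolved to a file name, which is what the bare C:\WINDOWS\ shown for urqpomn means. A Winlogon Notify DLL lives inside winlogon.exe itself, which is why such a file cannot simply be deleted while the user is logged on. The random-name heuristic only breaks ties; on its own it never reaches the threshold.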

(Joan Sunshine) #8

Download and run the tool The Avenger. Select the option Input script manually and click the magnifying glass on the right. In the window that opens, paste:

Click Done, then the green light, and agree to the restart by clicking OK.

Manually delete the file C:\Avenger\backup.zip from the disk and paste the report C:\avenger.txt on the forum.

Remove the entries in HijackThis and post new logs :)
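
The removal in the reply above is done by a tool that does its work at the restart because a Winlogon Notify DLL such as awvts.dll is loaded into winlogon.exe and cannot be deleted while the session is up. Windows has its own mechanism for exactly this: the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which Session Manager (smss.exe) processes at boot before winlogon starts. It is a REG_MULTI_SZ of source/destination pairs in which an empty destination means delete, and it is what MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT writes. The script below is an added example written for this thread; it is not The Avenger's script or its mechanism. It builds a .reg file that queues the deletion and removes the Notify subkey, using the awvts.dll path and the awvts subkey that appear in the logs above. The hex(7) layout follows regedit's export format; the 25-bytes-per-line wrapping is my choice, since regedit accepts any split with a trailing backslash.

```python
"""Queue deletion of a DLL that winlogon.exe has loaded for the next boot, as a .reg file.
Added example for this thread (not The Avenger's script or code). It uses the
PendingFileRenameOperations mechanism Windows itself uses for delete-on-reboot; the
file path and Notify subkey are the ones named in the logs above."""

def encode_multi_sz(strings):
    """REG_MULTI_SZ as regedit 5.00 exports it: UTF-16LE, every string NUL-terminated,
    then one more NUL to end the list. An empty string becomes a bare NUL, which is the
    'delete' marker PendingFileRenameOperations expects in the destination slot."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"

def decode_multi_sz(data):
    """Inverse of encode_multi_sz; drops the list terminator and the trailing split remainder."""
    return data.decode("utf-16-le").split("\x00")[:-2]

def pending_ops(data):
    """Interpret a PendingFileRenameOperations blob as (source, destination) pairs."""
    items = decode_multi_sz(data)
    return list(zip(items[0::2], items[1::2]))

def reg_hex_lines(name, type_id, data, width=25):
    """Format a value in regedit's '"name"=hex(N):aa,bb,...' form, wrapping with a trailing
    backslash and a two-space indent on continuation lines (width is bytes per line)."""
    head = '"%s"=hex(%x):' % (name, type_id)
    hexes = ["%02x" % b for b in data]
    chunks = [hexes[i:i + width] for i in range(0, len(hexes), width)] or [[]]
    lines = []
    for i, chunk in enumerate(chunks):
        prefix = head if i == 0 else "  "
        tail = ",\\" if i < len(chunks) - 1 else ""
        lines.append(prefix + ",".join(chunk) + tail)
    return "\n".join(lines)

SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
WINLOGON_NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

def delete_on_reboot_reg(file_paths, notify_subkeys=(), already_queued=()):
    """Build the .reg text. already_queued holds the (source, destination) pairs currently in
    the value, so the import does not discard operations queued by Windows Update or installers."""
    ops = []
    for src, dst in already_queued:
        ops += [src, dst]
    for path in file_paths:
        ops += ["\\??\\" + path, ""]        # NT-style source path; empty destination = delete
    out = ["Windows Registry Editor Version 5.00", "",
           "[%s]" % SESSION_MANAGER,
           reg_hex_lines("PendingFileRenameOperations", 7, encode_multi_sz(ops)), ""]
    for sub in notify_subkeys:
        out += ["[-%s\\%s]" % (WINLOGON_NOTIFY, sub), ""]   # leading '-' deletes the key
    return "\n".join(out)

if __name__ == "__main__":
    print(delete_on_reboot_reg([r"C:\WINDOWS\system32\awvts.dll"], notify_subkeys=["awvts"]))
```

Two caveats. Importing the file replaces whatever is already queued in PendingFileRenameOperations, and Windows Update and installers use the same value, so export the current value first and pass its pairs as already_queued rather than overwriting; a program calling MoveFileEx gets that appending for free. And removing the Notify subkey matters as much as removing the file: without it winlogon would keep trying to load the DLL at every logon, and with the key gone the pop-ups and the winlogon.exe access prompts have nowhere to come from even before the file is gone.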


(Lukasz) #9

Avenger log:

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\ykoomlad


*******************


Script file located at: \??\C:\WINDOWS\system32\fbhfrvhk.txt

Script file opened successfully.


Script file read successfully


Backups directory opened successfully at C:\Avenger


*******************


Beginning to process script file:


File C:\WINDOWS\system32\awvts.dll deleted successfully.


Completed script processing.


*******************


Finished! Terminate.

so everything is OK

HijackThis:

ComboScan:

Merged post: 03.04.2007 (Tue) 21:36

Unfortunately I can't post the Silent Runners log because there is a 65,000-character limit.


(Gutek) #10

It should be OK now.