Regulamin forum
1. Każdy temat powinien odzwierciedlać treść wątku.2. W przypadku wklejania logów; należy je wykonać od razu przynajmniej z dwóch narzędzi: FRST oraz z GMER
3. Wszelkie logi proszę publikować na przeznaczonych do tego stronach a w poście wklejać tylko link.
4. Nie wskazane jest skracanie logów, należy wkleić cały - od początku, do końca.
5. Nie wskazane jest podczepianie się do tematów innych użytkowników - proszę założyć nowy temat w dziale Bezpieczeństwo, ułatwi to pomoc sprawdzającemu.
6. Osoby nie posiadające odpowiedniej wiedzy, nie powinny sprawdzać logów, ponieważ grozi to poważnym uszkodzeniem systemu lub aplikacji zainstalowanych na komputerze.
7. Należy dokładnie opisać problem, występujące objawy oraz wszelkie podjęte działania.
8. Każdy skrypt jest unikatowy, napisany dla każdego przypadku z osobna, więc nie może być stosowany przez innych.
9. W przypadku zamieszczenia zrzutu ekranu (screenshot'a) proszę korzystać z zewnętrznego serwisu oferującego hosting zdjęć.
Sprawdzenie loga
07 Sie 2007, 17:11
Prosze o sprawdzenie loga ponieważ ciągle moj firewall mnie informuje że są ataki na komputer oto log
wydaje mi sie że to trzeba z fixowac
O17 - HKLM\System\CCS\Services\Tcpip\..\{07453553-76BA-4C59-895C-AC798DF9BB2E}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{07453553-76BA-4C59-895C-AC798DF9BB2E}: NameServer = 194.204.159.1 217.98.63.164
Logfile of HijackThis v1.99.1
Scan saved at 17:11:31, on 2007-08-07
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Kaspersky\avp.exe
E:\bluetooth\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Alcohol 52\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
E:\Kaspersky\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
E:\Gadu\gg.exe
C:\Program Files\Neostrada TP\NeostradaTP.exe
C:\Program Files\Neostrada TP\ComComp.exe
C:\Program Files\Neostrada TP\Watch.exe
E:\Gadu\gg.exe
E:\Outpost Firewall\outpost.exe
E:\Instalki\hijackthis\HijackThis.exe
E:\Mozilla\firefox.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {52D06F97-5511-43FA-8FDA-C481864FD26E} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Alcohol Toolbar - {4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2} - C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMax] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVP] "E:\Kaspersky\avp.exe"
O4 - HKLM\..\Run: [BearFlix] "E:\Program Files\BearFlix\BearFlix.exe" /pause
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://E:\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Statystyki ochrony WWW - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - E:\Kaspersky\scieplugin.dll
O9 - Extra button: Badanie - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ ... .0.228.cab
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{07453553-76BA-4C59-895C-AC798DF9BB2E}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{07453553-76BA-4C59-895C-AC798DF9BB2E}: NameServer = 194.204.159.1 217.98.63.164
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - E:\Kaspersky\avp.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - E:\bluetooth\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - E:\Outpost Firewall\outpost.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - E:\Alcohol 52\StarWind\StarWindService.exe
wydaje mi sie że to trzeba z fixowac
O17 - HKLM\System\CCS\Services\Tcpip\..\{07453553-76BA-4C59-895C-AC798DF9BB2E}: NameServer = 194.204.159.1 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{07453553-76BA-4C59-895C-AC798DF9BB2E}: NameServer = 194.204.159.1 217.98.63.164
07 Sie 2007, 17:34
Są to DNSy od Twojego dostawcy internetu.
Odinstaluj z Panelu sterowania DaemonTools_WhenUSave_Installer.
Jeżeli folder na dysku nadal będzie, usuń go ręcznie w trybie awaryjnym z wyłączonym przywracaniem systemu, a wpisy zafixuj.
Pokaż log z Silent Runners i ComboFix.
Odinstaluj z Panelu sterowania DaemonTools_WhenUSave_Installer.
O4 - HKLM\..\Run: [DaemonTools_WhenUSave_Installer] C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
Jeżeli folder na dysku nadal będzie, usuń go ręcznie w trybie awaryjnym z wyłączonym przywracaniem systemu, a wpisy zafixuj.
Pokaż log z Silent Runners i ComboFix.
07 Sie 2007, 18:01
Log z silent runners
"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"KEMailKb" = "C:\PROGRA~1\KEMailKb\KEMailKb.EXE" ["Dritek System Inc."]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMax" = ""C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray" ["Analog Devices, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AVP" = ""E:\Kaspersky\avp.exe"" ["Kaspersky Lab"]
"BearFlix" = ""E:\Program Files\BearFlix\BearFlix.exe" /pause" [file not found]
"DaemonTools_WhenUSave_Installer" = "C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" ["WhenU.com, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
{HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{52D06F97-5511-43FA-8FDA-C481864FD26E}\(Default) = (no title provided)
{HKLM...CLSID} = "Alcohol Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
{HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
{HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
{HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
{HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
{HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
{HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
{HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
{HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
{HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Office\OFFICE11\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
{HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
{HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
{HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
{HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dMCShell.dll" [empty string]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
{HKLM...CLSID} = "Statystyki ochrony WWW"
\InProcServer32\(Default) = "E:\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
{HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
{HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
{HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Młody\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"KEMailKb" = "C:\PROGRA~1\KEMailKb\KEMailKb.EXE" ["Dritek System Inc."]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMax" = ""C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray" ["Analog Devices, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AVP" = ""E:\Kaspersky\avp.exe"" ["Kaspersky Lab"]
"BearFlix" = ""E:\Program Files\BearFlix\BearFlix.exe" /pause" [file not found]
"DaemonTools_WhenUSave_Installer" = "C:\Program Files\DaemonTools_WhenUSave_Installer\DaemonTools_WhenUSave_Installer.exe" ["WhenU.com, Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
{HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{52D06F97-5511-43FA-8FDA-C481864FD26E}\(Default) = (no title provided)
{HKLM...CLSID} = "Alcohol Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
{HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
{HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
{HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
{HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
{HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
{HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
{HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
{HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
{HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Office\OFFICE11\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
{HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
{HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
{HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
{HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dMCShell.dll" [empty string]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
{HKLM...CLSID} = "Statystyki ochrony WWW"
\InProcServer32\(Default) = "E:\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
{HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
{HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
{HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Młody\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]
07 Sie 2007, 20:10
Czy wykonałeś porady z mojego posta?
Log z Silent'a jest ucięty. Poczekaj aż pojawi się odpowiedni komunikat, dopiero wtedy log będzie gotowy.
Pokaż także log z ComboFix.
Log z Silent'a jest ucięty. Poczekaj aż pojawi się odpowiedni komunikat, dopiero wtedy log będzie gotowy.
Pokaż także log z ComboFix.
07 Sie 2007, 20:42
Tak wykonałem, oto cały log z silent runners::
"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"KEMailKb" = "C:\PROGRA~1\KEMailKb\KEMailKb.EXE" ["Dritek System Inc."]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMax" = ""C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray" ["Analog Devices, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AVP" = ""E:\Kaspersky\avp.exe"" ["Kaspersky Lab"]
"BearFlix" = ""E:\Program Files\BearFlix\BearFlix.exe" /pause" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
{HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{52D06F97-5511-43FA-8FDA-C481864FD26E}\(Default) = (no title provided)
{HKLM...CLSID} = "Alcohol Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
{HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
{HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
{HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
{HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
{HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
{HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
{HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
{HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
{HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Office\OFFICE11\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
{HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
{HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
{HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
{HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dMCShell.dll" [empty string]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
{HKLM...CLSID} = "Statystyki ochrony WWW"
\InProcServer32\(Default) = "E:\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
{HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
{HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
{HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Młody\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
{HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2}"
{HKLM...CLSID} = "Alcohol Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
{HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2}" = "Alcohol Toolbar"
{HKLM...CLSID} = "Alcohol Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Office\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statystyki ochrony WWW"
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
{HKLM...CLSID} = "Search Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
BlueSoleil Hid Service, BlueSoleil Hid Service, "E:\bluetooth\BTNtService.exe" [null data]
Kaspersky Anti-Virus 6.0, AVP, "E:\Kaspersky\avp.exe -r" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Outpost Firewall Service, OutpostFirewall, "E:\Outpost Firewall\outpost.exe /service" ["Agnitum Ltd."]
StarWind iSCSI Service, StarWindService, "E:\Alcohol 52\StarWind\StarWindService.exe" ["Rocket Division Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
---------- (launch time: 2007-08-07 20:40:03)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 111 seconds.
---------- (total run time: 182 seconds)
"Silent Runners.vbs", revision R51, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"KEMailKb" = "C:\PROGRA~1\KEMailKb\KEMailKb.EXE" ["Dritek System Inc."]
"SoundMAXPnP" = "C:\Program Files\Analog Devices\Core\smax4pnp.exe" ["Analog Devices, Inc."]
"SoundMax" = ""C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray" ["Analog Devices, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"AVP" = ""E:\Kaspersky\avp.exe"" ["Kaspersky Lab"]
"BearFlix" = ""E:\Program Files\BearFlix\BearFlix.exe" /pause" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
{HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{52D06F97-5511-43FA-8FDA-C481864FD26E}\(Default) = (no title provided)
{HKLM...CLSID} = "Alcohol Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
{HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll" ["Sun Microsystems, Inc."]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
{HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
{HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
{HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
{HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
{HKLM...CLSID} = "DesktopContext Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
{HKLM...CLSID} = "NVIDIA CPL Extension"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
{HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
{HKLM...CLSID} = "nView Desktop Context Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
{HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
{HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "E:\Office\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Office\OFFICE11\msohev.dll" [MS]
"{B327765E-D724-4347-8B16-78AE18552FC3}" = "NeroDigitalIconHandler"
{HKLM...CLSID} = "NeroDigitalIconHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" = "NeroDigitalPropSheetHandler"
{HKLM...CLSID} = "NeroDigitalPropSheetHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
{HKLM...CLSID} = "dBpShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
{HKLM...CLSID} = "dMCIShell Class"
\InProcServer32\(Default) = "E:\dBpowerAMP\dMCShell.dll" [empty string]
"{85E0B171-04FA-11D1-B7DA-00A0C90348D6}" = "Statystyki ochrony WWW"
{HKLM...CLSID} = "Statystyki ochrony WWW"
\InProcServer32\(Default) = "E:\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
{HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> klogon\DLLName = "C:\WINDOWS\system32\klogon.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{7D4D6379-F301-4311-BEBA-E26EB0561882}\(Default) = "NeroDigitalExt.NeroDigitalColumnHandler"
{HKLM...CLSID} = "NeroDigitalColumnHandler Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Ahead\lib\NeroDigitalExt.dll" ["Nero AG"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = ""E:\Open Office\program\shlxthdl.dll"" ["Sun Microsystems, Inc."]
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
{HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
ASW\(Default) = "{33C9E362-3EDA-4930-8AFE-5DA39A8BB77A}"
{HKLM...CLSID} = "Outpost.ASWShellExt Component"
\InProcServer32\(Default) = "E:\Outpost Firewall\op_shell.dll" ["Agnitum Ltd."]
Kaspersky Anti-Virus\(Default) = "{dd230880-495a-11d1-b064-008048ec2fc5}"
{HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "E:\Kaspersky\ShellEx.dll" ["Kaspersky Lab"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
{HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "E:\Winrar\rarext.dll" [null data]
Group Policies {policy setting}:
--------------------------------
Note: detected settings may not have any effect.
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\
"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}
"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}
Active Desktop and Wallpaper:
-----------------------------
Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Młody\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
{HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2}"
{HKLM...CLSID} = "Alcohol Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = (no title provided)
{HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{4C4E7CDB-5BFC-4D74-83E2-8AE659B7EDA2}" = "Alcohol Toolbar"
{HKLM...CLSID} = "Alcohol Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Alcohol Toolbar\v3.2.0.0\Alcohol_Toolbar.dll" [null data]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Explorer Bars
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]
HKLM\Software\Classes\CLSID\{85E0B171-04FA-11D1-B7DA-00A0C90348D6}\(Default) = "Statystyki ochrony WWW"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Kaspersky\scieplugin.dll" ["Kaspersky Lab"]
HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Badanie"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "E:\Office\OFFICE11\REFIEBAR.DLL" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}\
"ButtonText" = "Statystyki ochrony WWW"
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Badanie"
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
{HKLM...CLSID} = "Search Class"
\InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
<<H>> "{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = (no title provided)
{HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
BlueSoleil Hid Service, BlueSoleil Hid Service, "E:\bluetooth\BTNtService.exe" [null data]
Kaspersky Anti-Virus 6.0, AVP, "E:\Kaspersky\avp.exe -r" ["Kaspersky Lab"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Outpost Firewall Service, OutpostFirewall, "E:\Outpost Firewall\outpost.exe /service" ["Agnitum Ltd."]
StarWind iSCSI Service, StarWindService, "E:\Alcohol 52\StarWind\StarWindService.exe" ["Rocket Division Software"]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
---------- (launch time: 2007-08-07 20:40:03)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 111 seconds.
---------- (total run time: 182 seconds)
07 Sie 2007, 21:03
Log z combofixa :
ComboFix 07-08-07.6 - "Mˆody" 2007-08-07 20:56:11.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.1.1045.18.680 [GMT 2:00]
((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))
2007-08-07 18:03 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-07 10:05 <DIR> d-------- C:\Program Files\DaemonTools_WhenUSave_Installer
2007-07-20 23:10 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared
2007-07-20 22:31 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-20 22:31 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-20 22:31 5,772,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-20 22:31 180,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-20 22:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Kaspersky Lab
2007-07-20 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Yahoo! Companion
2007-07-20 22:21 <DIR> d-------- C:\Program Files\uTorrent
2007-07-20 22:21 <DIR> d-------- C:\DOCUME~1\MODY~1\DANEAP~1\uTorrent
2007-07-20 16:40 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-18 21:34 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-11 13:24 <DIR> d-------- C:\Program Files\Xilisoft
2007-07-09 21:11 <DIR> d-------- C:\Acala3gpMovies
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-07 19:45 50748 --a------ C:\WINDOWS\system32\perfc015.dat
2007-08-07 19:45 358702 --a------ C:\WINDOWS\system32\perfh015.dat
2007-08-07 19:42 --------- d-------- C:\Program Files\Neostrada TP
2007-08-07 18:24 75776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-07 18:24 15440 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-07 17:57 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\Skype
2007-08-07 09:47 --------- d-------- C:\Program Files\KEMailKb
2007-08-07 09:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 18:59 --------- d-------- C:\Program Files\Google
2007-08-04 13:53 219648 --a--c--- C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-08-04 13:53 219648 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-07-05 22:02 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\Cream Software
2007-07-02 22:28 --------- d-------- C:\Program Files\SimTractor 3.5
2007-07-02 11:56 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\CyberLink
2007-07-01 11:13 10345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-28 09:29 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\invibes
2007-06-24 21:57 --------- d-------- C:\Program Files\MegauploadToolbar
2007-06-19 11:08 1516 --a------ C:\WINDOWS\unins000.dat
2007-06-07 20:10 3052 --a------ C:\WINDOWS\mozver.dat
2007-05-31 19:29 2520 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
2007-05-31 19:29 131584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-16 17:19 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:19 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:19 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-16 17:18 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:18 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:18 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-14 14:42 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-13 12:09 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-05-13 12:09 286720 --------- C:\WINDOWS\Setup1.exe
2007-05-08 11:00 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll]
"KEMailKb"="C:\PROGRA~1\KEMailKb\KEMailKb.EXE" [2003-10-21 20:47]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2006-04-10 10:19]
"nwiz"="nwiz.exe" [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe]
"AVP"="E:\Kaspersky\avp.exe" [2007-03-09 20:50]
"BearFlix"="E:\Program Files\BearFlix\BearFlix.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 AmdK8;Sterownik procesora AMD;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 SandBox;Outpost Firewall Sandbox Driver;\??\E:\Outpost Firewall\kernel\Sandbox.SYS
R1 VFILT;Outpost Firewall Kernel Driver;\??\E:\Outpost Firewall\kernel\FILTNT.SYS
R2 Vcs;Vcs support;\??\C:\WINDOWS\system32\Drivers\Vcs.sys
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\E:\Outpost Firewall\kernel\ADBLOCK.DLL
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\E:\Outpost Firewall\kernel\ARP.DLL
R3 axvdkbus;axvdkbus;C:\WINDOWS\system32\DRIVERS\axvdkbus.sys
R3 axvodka;axvodka;C:\WINDOWS\system32\DRIVERS\axvodka.sys
R3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
R3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\E:\Outpost Firewall\kernel\CONTENT.DLL
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\E:\Outpost Firewall\kernel\DNSCACHE.DLL
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\E:\Outpost Firewall\kernel\FTPFILT.DLL
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\E:\Outpost Firewall\kernel\HTMLFILT.DLL
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\E:\Outpost Firewall\kernel\HTTPFILT.DLL
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\E:\Outpost Firewall\kernel\IMAPFILT.DLL
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\E:\Outpost Firewall\kernel\MAILFILT.DLL
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\E:\Outpost Firewall\kernel\NNTPFILT.DLL
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\E:\Outpost Firewall\kernel\POP3FILT.DLL
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\E:\Outpost Firewall\kernel\PROTECT.DLL
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\E:\Outpost Firewall\kernel\SECRET.DLL
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys
R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys
S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINDOWS\system32\Drivers\btcusb.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
S3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S3 PID_0920;Labtec WebCam(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 STIrUsb;STIrUsb.sys USB-IrDA Adapter;C:\WINDOWS\system32\DRIVERS\irstusb.sys
S3 usbser;Motorola A1000 USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 20:57:50
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-07 20:58:47
--- E O F ---
07 Sie 2007, 21:09
W logu z ComboFix nadal widnieje:
Sprawdź, czy folder jest usunięty.
C:\Program Files\DaemonTools_WhenUSave_Installer
Sprawdź, czy folder jest usunięty.
07 Sie 2007, 21:35
Pokaż nowy log z ComboFix, być może teraz już nie będzie tego folderu.
07 Sie 2007, 22:20
ComboFix 07-08-07.6 - "Mˆody" 2007-08-07 22:14:11.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.704 [GMT 2:00]
((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))
2007-08-07 18:03 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 23:10 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared
2007-07-20 22:31 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-20 22:31 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-20 22:31 5,772,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-20 22:31 180,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-20 22:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Kaspersky Lab
2007-07-20 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Yahoo! Companion
2007-07-20 22:21 <DIR> d-------- C:\Program Files\uTorrent
2007-07-20 22:21 <DIR> d-------- C:\DOCUME~1\MODY~1\DANEAP~1\uTorrent
2007-07-20 16:40 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-18 21:34 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-11 13:24 <DIR> d-------- C:\Program Files\Xilisoft
2007-07-09 21:11 <DIR> d-------- C:\Acala3gpMovies
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-07 22:10 --------- d-------- C:\Program Files\Neostrada TP
2007-08-07 20:58 50748 --a------ C:\WINDOWS\system32\perfc015.dat
2007-08-07 20:58 358702 --a------ C:\WINDOWS\system32\perfh015.dat
2007-08-07 18:24 75776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-07 18:24 15440 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-07 17:57 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\Skype
2007-08-07 09:47 --------- d-------- C:\Program Files\KEMailKb
2007-08-07 09:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 18:59 --------- d-------- C:\Program Files\Google
2007-08-04 13:53 219648 --a--c--- C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-08-04 13:53 219648 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-07-05 22:02 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\Cream Software
2007-07-02 22:28 --------- d-------- C:\Program Files\SimTractor 3.5
2007-07-02 11:56 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\CyberLink
2007-07-01 11:13 10345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-28 09:29 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\invibes
2007-06-24 21:57 --------- d-------- C:\Program Files\MegauploadToolbar
2007-06-19 11:08 1516 --a------ C:\WINDOWS\unins000.dat
2007-06-07 20:10 3052 --a------ C:\WINDOWS\mozver.dat
2007-05-31 19:29 2520 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
2007-05-31 19:29 131584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-16 17:19 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:19 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:19 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-16 17:18 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:18 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:18 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-14 14:42 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-13 12:09 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-05-13 12:09 286720 --------- C:\WINDOWS\Setup1.exe
2007-05-08 11:00 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll]
"KEMailKb"="C:\PROGRA~1\KEMailKb\KEMailKb.EXE" [2003-10-21 20:47]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2006-04-10 10:19]
"nwiz"="nwiz.exe" [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe]
"AVP"="E:\Kaspersky\avp.exe" [2007-03-09 20:50]
"BearFlix"="E:\Program Files\BearFlix\BearFlix.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 AmdK8;Sterownik procesora AMD;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 SandBox;Outpost Firewall Sandbox Driver;\??\E:\Outpost Firewall\kernel\Sandbox.SYS
R1 VFILT;Outpost Firewall Kernel Driver;\??\E:\Outpost Firewall\kernel\FILTNT.SYS
R2 Vcs;Vcs support;\??\C:\WINDOWS\system32\Drivers\Vcs.sys
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\E:\Outpost Firewall\kernel\ADBLOCK.DLL
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\E:\Outpost Firewall\kernel\ARP.DLL
R3 axvdkbus;axvdkbus;C:\WINDOWS\system32\DRIVERS\axvdkbus.sys
R3 axvodka;axvodka;C:\WINDOWS\system32\DRIVERS\axvodka.sys
R3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
R3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\E:\Outpost Firewall\kernel\CONTENT.DLL
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\E:\Outpost Firewall\kernel\DNSCACHE.DLL
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\E:\Outpost Firewall\kernel\FTPFILT.DLL
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\E:\Outpost Firewall\kernel\HTMLFILT.DLL
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\E:\Outpost Firewall\kernel\HTTPFILT.DLL
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\E:\Outpost Firewall\kernel\IMAPFILT.DLL
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\E:\Outpost Firewall\kernel\MAILFILT.DLL
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\E:\Outpost Firewall\kernel\NNTPFILT.DLL
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\E:\Outpost Firewall\kernel\POP3FILT.DLL
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\E:\Outpost Firewall\kernel\PROTECT.DLL
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\E:\Outpost Firewall\kernel\SECRET.DLL
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys
R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys
S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINDOWS\system32\Drivers\btcusb.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
S3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S3 PID_0920;Labtec WebCam(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 STIrUsb;STIrUsb.sys USB-IrDA Adapter;C:\WINDOWS\system32\DRIVERS\irstusb.sys
S3 usbser;Motorola A1000 USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 22:15:44
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-07 22:16:46
C:\ComboFix2.txt ... 2007-08-07 22:08
C:\ComboFix3.txt ... 2007-08-07 20:58
--- E O F ---
Microsoft Windows XP Home Edition 5.1.2600.2.1250.48.1045.18.704 [GMT 2:00]
((((((((((((((((((((((((( Files Created from 2007-07-07 to 2007-08-07 )))))))))))))))))))))))))))))))
2007-08-07 18:03 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-20 23:10 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared
2007-07-20 22:31 82,258 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-20 22:31 82,258 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-20 22:31 5,772,064 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-20 22:31 180,000 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-07-20 22:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Kaspersky Lab
2007-07-20 22:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DANEAP~1\Yahoo! Companion
2007-07-20 22:21 <DIR> d-------- C:\Program Files\uTorrent
2007-07-20 22:21 <DIR> d-------- C:\DOCUME~1\MODY~1\DANEAP~1\uTorrent
2007-07-20 16:40 <DIR> d-------- C:\Program Files\Yahoo!
2007-07-18 21:34 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-11 13:24 <DIR> d-------- C:\Program Files\Xilisoft
2007-07-09 21:11 <DIR> d-------- C:\Acala3gpMovies
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-07 22:10 --------- d-------- C:\Program Files\Neostrada TP
2007-08-07 20:58 50748 --a------ C:\WINDOWS\system32\perfc015.dat
2007-08-07 20:58 358702 --a------ C:\WINDOWS\system32\perfh015.dat
2007-08-07 18:24 75776 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-08-07 18:24 15440 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-08-07 17:57 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\Skype
2007-08-07 09:47 --------- d-------- C:\Program Files\KEMailKb
2007-08-07 09:46 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-05 18:59 --------- d-------- C:\Program Files\Google
2007-08-04 13:53 219648 --a--c--- C:\WINDOWS\system32\dllcache\uxtheme.dll
2007-08-04 13:53 219648 --a------ C:\WINDOWS\system32\uxtheme.dll
2007-07-05 22:02 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\Cream Software
2007-07-02 22:28 --------- d-------- C:\Program Files\SimTractor 3.5
2007-07-02 11:56 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\CyberLink
2007-07-01 11:13 10345 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-28 09:29 --------- d-------- C:\DOCUME~1\MODY~1\DANEAP~1\invibes
2007-06-24 21:57 --------- d-------- C:\Program Files\MegauploadToolbar
2007-06-19 11:08 1516 --a------ C:\WINDOWS\unins000.dat
2007-06-07 20:10 3052 --a------ C:\WINDOWS\mozver.dat
2007-05-31 19:29 2520 --a------ C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
2007-05-31 19:29 131584 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-16 17:19 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 17:19 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 17:19 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2007-05-16 17:18 86528 --a--c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 17:18 683520 --a--c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 17:18 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-14 14:42 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-05-13 12:09 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-05-13 12:09 286720 --------- C:\WINDOWS\Setup1.exe
2007-05-08 11:00 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll]
"KEMailKb"="C:\PROGRA~1\KEMailKb\KEMailKb.EXE" [2003-10-21 20:47]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 04:07]
"SoundMax"="C:\Program Files\Analog Devices\SoundMAX\smax4.exe" [2006-04-10 10:19]
"nwiz"="nwiz.exe" [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe]
"AVP"="E:\Kaspersky\avp.exe" [2007-03-09 20:50]
"BearFlix"="E:\Program Files\BearFlix\BearFlix.exe" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 14:00]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup
R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\WINDOWS\system32\drivers\sfsync03.sys
R0 speedfan;speedfan;C:\WINDOWS\system32\speedfan.sys
R1 AmdK8;Sterownik procesora AMD;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 SandBox;Outpost Firewall Sandbox Driver;\??\E:\Outpost Firewall\kernel\Sandbox.SYS
R1 VFILT;Outpost Firewall Kernel Driver;\??\E:\Outpost Firewall\kernel\FILTNT.SYS
R2 Vcs;Vcs support;\??\C:\WINDOWS\system32\Drivers\Vcs.sys
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);\??\E:\Outpost Firewall\kernel\ADBLOCK.DLL
R3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN);C:\WINDOWS\system32\DRIVERS\alcan5wn.sys
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);\??\E:\Outpost Firewall\kernel\ARP.DLL
R3 axvdkbus;axvdkbus;C:\WINDOWS\system32\DRIVERS\axvdkbus.sys
R3 axvodka;axvodka;C:\WINDOWS\system32\DRIVERS\axvodka.sys
R3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
R3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);\??\E:\Outpost Firewall\kernel\CONTENT.DLL
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);\??\E:\Outpost Firewall\kernel\DNSCACHE.DLL
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);\??\E:\Outpost Firewall\kernel\FTPFILT.DLL
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);\??\E:\Outpost Firewall\kernel\HTMLFILT.DLL
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);\??\E:\Outpost Firewall\kernel\HTTPFILT.DLL
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);\??\E:\Outpost Firewall\kernel\IMAPFILT.DLL
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);\??\E:\Outpost Firewall\kernel\MAILFILT.DLL
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);\??\E:\Outpost Firewall\kernel\NNTPFILT.DLL
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);\??\E:\Outpost Firewall\kernel\POP3FILT.DLL
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);\??\E:\Outpost Firewall\kernel\PROTECT.DLL
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);\??\E:\Outpost Firewall\kernel\SECRET.DLL
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys
R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys
S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINDOWS\system32\Drivers\btcusb.sys
S3 MSIRCOMM;Microsoft IR Communications Driver;C:\WINDOWS\system32\DRIVERS\MSIRCOMM.sys
S3 P2k;Motorola USB Device;C:\WINDOWS\system32\DRIVERS\P2k.sys
S3 PavSRK.sys;PavSRK.sys;\??\C:\WINDOWS\system32\PavSRK.sys
S3 PavTPK.sys;PavTPK.sys;\??\C:\WINDOWS\system32\PavTPK.sys
S3 PID_0920;Labtec WebCam(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS
S3 STIrUsb;STIrUsb.sys USB-IrDA Adapter;C:\WINDOWS\system32\DRIVERS\irstusb.sys
S3 usbser;Motorola A1000 USB Modem Driver;C:\WINDOWS\system32\DRIVERS\usbser.sys
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-07 22:15:44
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\A\1\5\1c]
"Order"=hex:08,00,00,00,02,00,00,00,b8,01,00,00,01,00,00,00,04,00,00,00,8c,..
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-07 22:16:46
C:\ComboFix2.txt ... 2007-08-07 22:08
C:\ComboFix3.txt ... 2007-08-07 20:58
--- E O F ---
07 Sie 2007, 22:56
Czysto 
08 Sie 2007, 07:34
oki dzięki