Request to check a log (pokapoka.exe.) • programosy.pl

System security, virus removal, choosing antivirus software. Mandatory logs in this section: three from FRST + Gmer.

Post by pawfer, 29 Aug 2007, 21:06

Hello. I have a problem with this nasty thing. I tried to get rid of it in safe mode with KillBox, together with the junk that came along with it, but unfortunately it came back. Symptoms: IE pop-up windows.

Logs:

Hijack:

Code:
Logfile of HijackThis v1.99.1
Scan saved at 20:43:08, on 2007-08-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\pawfer\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Shell] C:\WINDOWS\system32\shell32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteuke32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\sp2protect.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_75.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.117.128.162/activex/AxisCamControl.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://195.136.36.165/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D8245-A7A7-4814-B541-D221AA4D19B7}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



Silent:

Code:
"Silent Runners.vbs", revision 52, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"AutoConnect" = "C:\Program Files\AutoConnect\AutoConnect.exe" ["http://autoconnect.prv.pl"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["Gadu-Gadu S.A."]
"Picasa Media Detector" = "C:\Program Files\Picasa2\PicasaMediaDetector.exe" ["Google Inc."]
"userinit" = "C:\WINDOWS\system32\ntos.exe" [null data]

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"Web Offer" = "C:\WINDOWS\system32\sp2protect.exe" ["PubID139WO"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON Telecom Belgium"]
"cFosSpeed" = "C:\Program Files\cFosSpeed\cFosSpeed.exe" ["cFos Software GmbH"]
"GrooveMonitor" = ""C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"" [MS]
"LClock" = "C:\Program Files\LClock\LClock.exe" [file not found]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RunDLL32.exe NvMCTray.dll,NvTaskbarInit" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Nero AG"]
"Windows Shell" = "C:\WINDOWS\system32\shell32.exe" [null data]
"Media Access" = "C:\Program Files\Media Access\MediaAccK.exe" [file not found]
"etbrun" = "C:\windows\system32\eliteuke32.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"System service79" = "C:\WINDOWS\etb\pokapoka79.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
  -> {HKLM...CLSID} = "DisplayCplExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbui.dll" ["Stardock.Net, Inc"]
"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"
  -> {HKLM...CLSID} = "Groove GFS Browser Helper"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"
  -> {HKLM...CLSID} = "Groove Folder Synchronization"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"
  -> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"
  -> {HKLM...CLSID} = "Groove XML Icon Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
  -> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]
"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
  -> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MSOHEVI.DLL" [MS]
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"
  -> {HKLM...CLSID} = "Microsoft Office Metadata Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"
  -> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{B5A7F190-DDA6-4420-B3BA-52453494E6CD}" = "Groove GFS Stub Execution Hook"
  -> {HKLM...CLSID} = "Groove GFS Stub Execution Hook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\
<<!>> "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe," [MS], [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> WBSrv\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll" ["Stardock"]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"
                   \InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"
  -> {HKLM...CLSID} = "Groove GFS Context Menu Handler"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\pawfer\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Startup items in "pawfer" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Development Company, L.P."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"At4" -> launches: "C:\WINDOWS\system32\username.exe" [null data]
"At6" -> launches: "C:\WINDOWS\system32\shell32.exe" [null data]
"At7" -> launches: "C:\WINDOWS\system32\wudupdate.exe" [null data]
"At8" -> launches: "C:\WINDOWS\system32\sp2protect.exe" ["PubID139WO"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" [file not found]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
  -> {HKLM...CLSID} = "&EliteBar"
                   \InProcServer32\(Default) = "C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll" [empty string]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{01002DB2-8170-4D9B-A8B1-DDC9DD114E03}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\Software\Classes\CLSID\{3BAF4A27-C764-4E1A-A6F4-62F7A7E5E51C}\(Default) = "ToolBand Class"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{5BF498C0-931E-4A4F-B33F-456D07137EAA}\(Default) = "Volet Wanadoo"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\audience\audience.dll" [empty string]

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Poszukaj"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2670000A-7350-4F3C-8081-5663EE0C6C49}\
"ButtonText" = "Wyślij do programu OneNote"
"MenuText" = "Wyślij &do programu OneNote"
"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"
  -> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


Miscellaneous IE Hijack Points
------------------------------

HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
<<H>> "{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
  -> {HKLM...CLSID} = "Search Class"
                   \InProcServer32\(Default) = "C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

cFosSpeed System Service, cFosSpeedS, ""C:\Program Files\cFosSpeed\spd.exe" -service" ["cFos Software GmbH"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
PCL hpz3l054\Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]


---------- (launch time: 2007-08-29 20:44:06)
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 45 seconds, including 10 seconds for message boxes)


ComboFix:

Code:

ComboFix 07-08-29.3 - "pawfer" 2007-08-29 20:46:00.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1250.1.1045.18.176 [GMT 2:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\pawfer\DANEAP~1\addon.dat
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll


(((((((((((((((((((((((((   Files Created from 2007-07-28 to 2007-08-29  )))))))))))))))))))))))))))))))


2007-08-29 20:45   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-08-29 20:27   <DIR>   d--------   C:\Program Files\ToniArts
2007-08-29 19:56   <DIR>   d--------   C:\!KillBox
2007-08-26 17:17   6,144   --a------   C:\WINDOWS\system32\mscorews.dll
2007-08-26 17:17   48,904   --a------   C:\WINDOWS\system32\nvquetys.dll
2007-08-26 17:17   444   --a------   C:\WINDOWS\system32\dcstream.dll
2007-08-25 11:34   <DIR>   d--------   C:\Program Files\Picasa2
2007-08-23 23:44   <DIR>   d--------   C:\WINDOWS\system32\AGEIA
2007-08-23 23:44   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
2007-08-23 23:44   <DIR>   d--------   C:\Program Files\AGEIA Technologies
2007-08-23 20:20   <DIR>   d--------   C:\WINDOWS\Winexe
2007-08-23 20:19   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\Google
2007-08-23 20:18   <DIR>   d--------   C:\Program Files\Google
2007-08-22 22:13   107,888   --a------   C:\WINDOWS\system32\CmdLineExt.dll
2007-08-22 22:13   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\Bioshock
2007-08-22 22:08   <DIR>   d--------   C:\Program Files\2K Games
2007-08-22 22:08   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\InstallShield
2007-08-20 21:35   <DIR>   d--------   C:\Program Files\JoWood
2007-08-19 12:15   11,589   --a------   C:\WINDOWS\system32\temperror32.dat
2007-08-19 12:15   <DIR>   d--------   C:\WINDOWS\etb
2007-08-19 12:15   <DIR>   d--------   C:\WINDOWS\EliteToolBar
2007-08-19 12:15   <DIR>   d--------   C:\Program Files\SWAT 4
2007-08-19 12:15   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\SurfAccuracy
2007-08-19 01:07   5,888   ---------   C:\WINDOWS\system32\drivers\imagedrv.sys
2007-08-19 01:07   127,488   ---------   C:\WINDOWS\system32\drivers\imagesrv.sys
2007-08-19 01:06   476,320   ---------   C:\WINDOWS\system32\ImagXpr7.dll
2007-08-19 01:06   471,040   ---------   C:\WINDOWS\system32\ImagXRA7.dll
2007-08-19 01:06   364,544   ---------   C:\WINDOWS\system32\TwnLib4.dll
2007-08-19 01:06   262,144   ---------   C:\WINDOWS\system32\ImagXR7.dll
2007-08-19 01:06   155,648   --a------   C:\WINDOWS\system32\NeroCheck.exe
2007-08-19 01:06   106,496   --a------   C:\WINDOWS\system32\TwnLib20.dll
2007-08-19 01:06   1,568,768   ---------   C:\WINDOWS\system32\ImagX7.dll
2007-08-19 01:06   <DIR>   d--------   C:\Program Files\Common Files\Ahead
2007-08-19 01:06   <DIR>   d--------   C:\Program Files\Ahead
2007-08-18 22:28   <DIR>   d--------   C:\Program Files\AskTBar
2007-08-17 15:07   <DIR>   d--------   C:\Program Files\Common Files\DirectX
2007-08-17 09:04   <DIR>   d--------   C:\DOCUME~1\ADMINI~1.000\Ustawienia lokalne
2007-08-17 09:04   <DIR>   d--------   C:\DOCUME~1\ADMINI~1.000\Szablony
2007-08-17 09:04   <DIR>   d--------   C:\DOCUME~1\ADMINI~1.000\Dane aplikacji
2007-08-16 19:06   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\nView_Profiles
2007-08-16 17:23   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\Apple Computer
2007-08-15 11:58   <DIR>   d--------   C:\Program Files\Ganymede
2007-08-15 10:29   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\Nokia
2007-08-15 10:29   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\DataLayer
2007-08-15 10:28   <DIR>   d--------   C:\DOCUME~1\pawfer\Phone Browser
2007-08-15 10:27   <DIR>   d--------   C:\Program Files\DIFX
2007-08-15 10:26   50,688   --a------   C:\WINDOWS\system32\nmwcdcls.dll
2007-08-15 10:26   <DIR>   d----c---   C:\WINDOWS\system32\DRVSTORE
2007-08-15 10:26   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\PC Suite
2007-08-15 10:26   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\PC Suite
2007-08-15 10:26   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\Downloaded Installations
2007-08-15 01:06   <DIR>   d--------   C:\WINDOWS\nview
2007-08-14 21:01   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\Image Zone Express
2007-08-14 20:57   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\HP
2007-08-14 20:57   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\HP
2007-08-14 20:56   <DIR>   d--------   C:\Program Files\Common Files\HP
2007-08-14 20:55   <DIR>   d--------   C:\Program Files\Hewlett-Packard
2007-08-14 20:55   <DIR>   d--------   C:\Program Files\Common Files\Hewlett-Packard
2007-08-14 20:54   38,400   --a------   C:\WINDOWS\system32\hpz3l054.dll
2007-08-14 20:54   15,104   --a------   C:\WINDOWS\system32\drivers\usbscan.sys
2007-08-14 20:52   94,208   --a------   C:\WINDOWS\system32\HPZipt12.dll
2007-08-14 20:52   69,632   --a------   C:\WINDOWS\system32\HPZipm12.exe
2007-08-14 20:52   65,536   --a------   C:\WINDOWS\system32\HPZinw12.exe
2007-08-14 20:52   57,344   --a------   C:\WINDOWS\system32\HPZisn12.dll
2007-08-14 20:52   306,688   --a------   C:\WINDOWS\IsUninst.exe
2007-08-14 20:52   282,680   --a------   C:\WINDOWS\system32\HPZidr12.dll
2007-08-14 20:52   25,856   --a------   C:\WINDOWS\system32\drivers\usbprint.sys
2007-08-14 20:52   204,800   --a------   C:\WINDOWS\system32\HPZipr12.dll
2007-08-14 20:52   <DIR>   d--------   C:\Program Files\HP
2007-08-14 20:51   49,664   --a------   C:\WINDOWS\system32\drivers\HPZid412.sys
2007-08-14 20:51   31,616   --a------   C:\WINDOWS\system32\drivers\usbccgp.sys
2007-08-14 20:51   21,568   --a------   C:\WINDOWS\system32\drivers\HPZius12.sys
2007-08-14 20:51   16,496   --a------   C:\WINDOWS\system32\drivers\HPZipr12.sys
2007-08-14 20:51   119,737   --a------   C:\WINDOWS\hpoins11.dat
2007-08-14 20:49   98,304   --a------   C:\WINDOWS\system32\hpzjsn01.dll
2007-08-14 20:49   827,392   --a------   C:\WINDOWS\system32\hpotiop2.dll
2007-08-14 20:49   77,824   --a------   C:\WINDOWS\system32\HPZIDS01.dll
2007-08-14 20:49   659,456   --a------   C:\WINDOWS\system32\hpowiax2.dll
2007-08-14 20:49   282,624   --a------   C:\WINDOWS\system32\HPZc3212.dll
2007-08-14 20:49   254,026   --a------   C:\WINDOWS\system32\hpovst09.dll
2007-08-14 20:47   11,634   --a------   C:\WINDOWS\hpomdl11.dat
2007-08-14 13:00   <DIR>   d--------   C:\Program Files\DITel
2007-08-13 18:58   221,184   --a------   C:\WINDOWS\system32\wmpns.dll
2007-08-13 13:52   <DIR>   d--------   C:\Program Files\eMule
2007-08-13 08:57   <DIR>   d---s----   C:\DOCUME~1\pawfer\UserData
2007-08-12 01:32   <DIR>   d--------   C:\Program Files\Sierra
2007-08-10 21:24   139,264   --a------   C:\WINDOWS\NeoUninstall.exe
2007-08-10 21:24   <DIR>   d--------   C:\Program Files\Neoact
2007-08-10 19:29   737,280   --a------   C:\WINDOWS\iun6002.exe
2007-08-10 19:29   420,240   --a------   C:\WINDOWS\system32\mpg4c32.dll
2007-08-10 19:29   309,616   --a------   C:\WINDOWS\system32\wmv8dmod.dll
2007-08-10 19:23   <DIR>   d--------   C:\Program Files\SEGA
2007-08-10 19:16   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\FLEXnet
2007-08-10 19:05   <DIR>   d--------   C:\Program Files\Common Files\Macrovision Shared
2007-08-10 11:09   <DIR>   d--------   C:\DOCUME~1\pawfer\DANEAP~1\Media Player Classic
2007-08-10 10:29   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\DANEAP~1\NVIDIA
2007-08-10 10:17   <DIR>   d--------   C:\Program Files\Counter-Strike 1.6
2007-08-10 09:23   <DIR>   d--------   C:\DOCUME~1\pawfer\.jpi_cache
2007-08-10 08:47   <DIR>   d--------   C:\Program Files\Axis Communications
2007-08-10 07:18   4   --a------   C:\WINDOWS\system32\proc1395793746.bin


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-10 19:31   163644   --a------   C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-19 08:59   70400   --a------   C:\WINDOWS\system32\PhysXLoader.dll
2007-05-31 19:30   266088   --a------   C:\WINDOWS\system32\xactengine2_8.dll
2007-05-31 19:29   18280   --a------   C:\WINDOWS\system32\x3daudio1_2.dll
   ---------      C:\Program Files\Usługi online
2005-03-30 20:38:22   667,769   --sha-r   C:\WINDOWS\system32\shell32.exe
2005-02-14 22:25:32   528,384   --sha-r   C:\WINDOWS\system32\sp2protect.exe
2005-03-21 20:48:41   593,920   --sha-r   C:\WINDOWS\system32\username.exe
2005-03-09 23:04:21   462,848   --sha-r   C:\WINDOWS\system32\wudupdate.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"= C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll [2007-08-19 12:15 92672]

[HKEY_CLASSES_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-07-09 17:10]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"LClock"="C:\Program Files\LClock\LClock.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22]
"nwiz"="nwiz.exe" [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"Windows Shell"="C:\WINDOWS\system32\shell32.exe" [2005-03-30 22:38]
"Media Access"="C:\Program Files\Media Access\MediaAccK.exe" []
"etbrun"="C:\windows\system32\eliteuke32.exe" [2001-08-19 13:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"System service79"="C:\WINDOWS\etb\pokapoka79.exe" [2007-08-29 20:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 20:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 22:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"Web Offer"=C:\WINDOWS\system32\sp2protect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-01 12:58 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon]
C:\PROGRA~1\NEOSTR~1\CnxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
C:\PROGRA~1\NEOSTR~1\Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
F:\setup.exe

S3 gdrv;gdrv;\??\C:\WINDOWS\gdrv.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
C:\Documents and Settings\pawfer\Dane aplikacji\MY Pics.exe s

Contents of the 'Scheduled Tasks' folder
2007-08-28 12:55:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-19 10:15:20 C:\WINDOWS\Tasks\At4.job - C:\WINDOWS\system32\username.exe
2007-08-19 10:15:21 C:\WINDOWS\Tasks\At6.job
2007-08-19 10:15:21 C:\WINDOWS\Tasks\At7.job - C:\WINDOWS\system32\wudupdate.exe
2007-08-19 10:15:21 C:\WINDOWS\Tasks\At8.job - C:\WINDOWS\system32\sp2protect.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-29 20:52:53
Windows 5.1.2600 Dodatek Service Pack 2 NTFS

detected NTDLL code modification:
ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\eliteuke32.exe [836] 0x81884790


scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\EliteToolBar
C:\WINDOWS\system32\eliteuke32.exe

scan completed successfully
hidden files: 2

**************************************************************************

Completion time: 2007-08-29 20:53:32 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-29 20:53

   --- E O F ---



Post by wojtas, 29 Aug 2007, 22:10

Don't use ComboFix for now; it has a bug that can delete system files.

Use WWDC:
http://www.firewallleaktester.com/wwdc.htm
Change the options from disable to enable. Restart the computer.
This is how the ports should look (NetBIOS may be yellow):
http://www.firewallleaktester.com/images_site/wwdc.jpg

Download GMER:

http://gmer.net/gmer.zip

Paste into Notepad:
gmer -del file C:\WINDOWS\etb\pokapoka79.exe
gmer -del file C:\WINDOWS\system32\ntos.exe
gmer -del file C:\WINDOWS\system32\shell32.exe
gmer -del file C:\Program Files\Media Access
gmer -del file C:\windows\system32\eliteuke32.exe
gmer -del file C:\WINDOWS\system32\sp2protect.exe
gmer -del file C:\WINDOWS\EliteToolBar
gmer -del file C:\WINDOWS\Tasks\At8.job
gmer -del file C:\WINDOWS\Tasks\At7.job
gmer -del file C:\WINDOWS\Tasks\At4.job
gmer -del file C:\WINDOWS\Tasks\At6.job
gmer -del file C:\WINDOWS\system32\username.exe
gmer -del file C:\WINDOWS\system32\wudupdate.exe
gmer -reboot

File >>> Save As >>> change the file type from TXT to All Files >>> save under the name FIX.BAT


Run GMER and, on the Processes tab, choose the "Gmer Awaryjny" (emergency GMER) option. The computer will restart and GMER will start. Select the Processes tab again and, at the bottom, in the command field, use the three-dots button to point to the FIX.BAT file and run it.

Then delete:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [Windows Shell] C:\WINDOWS\system32\shell32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteuke32.exe
O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe 
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\sp2protect.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)



Then post a new log from HijackThis and from DSS.
Pochwały: 1656



Post by pawfer, 29 Aug 2007, 23:13

New logs:

Hijack:

Logfile of HijackThis v1.99.1
Scan saved at 22:58:37, on 2007-08-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\pawfer\Pulpit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Shell] C:\WINDOWS\system32\shell32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_75.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.117.128.162/activex/AxisCamControl.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://195.136.36.165/activex/AMC.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



Deckard's System Scanner v20070826.66
Run by pawfer on 2007-08-29 23:01:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as pawfer.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:01:57, on 2007-08-29
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\cFosSpeed\spd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\cFosSpeed\cFosSpeed.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Documents and Settings\pawfer\Pulpit\dss.exe
C:\WINDOWS\system32\taskmgr.exe
C:\DOCUME~1\pawfer\Pulpit\pawfer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [cFosSpeed] C:\Program Files\cFosSpeed\cFosSpeed.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Shell] C:\WINDOWS\system32\shell32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AutoConnect] C:\Program Files\AutoConnect\AutoConnect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - -{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_75.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://217.117.128.162/activex/AxisCamControl.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://195.136.36.165/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{686D8245-A7A7-4814-B541-D221AA4D19B7}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: cFosSpeed System Service (cFosSpeedS) - Unknown owner - C:\Program Files\cFosSpeed\spd.exe" -service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


-- HijackThis Fixed Entries (C:\DOCUME~1\pawfer\Pulpit\backups\) ---------------

backup-20070829-225708-409 O4 - HKLM\..\Run: [System service79] C:\WINDOWS\etb\pokapoka79.exe
backup-20070829-225708-629 O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteuke32.exe
backup-20070829-225708-712 O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20070829-225708-804 O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

-- File Associations -----------------------------------------------------------

[color=red].cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*[/color]
[color=red].cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*[/color]


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfsync02 (StarForce Protection Synchronization Driver (version 2.x)) - c:\windows\system32\drivers\sfsync02.sys <Not Verified; Protection Technology; StarForce Protection System>

S3 catchme - c:\docume~1\pawfer\ustawi~1\temp\catchme.sys (file missing)
S3 gdrv - c:\windows\gdrv.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-28 14:55:09       284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-07-29 and 2007-08-29 -----------------------------

2007-08-29 20:27:27         0 d-------- C:\Program Files\ToniArts
2007-08-29 19:56:39         0 d-------- C:\!KillBox
2007-08-26 17:17:27     48904 --a------ C:\WINDOWS\system32\nvquetys.dll
2007-08-26 17:17:27      6144 --a------ C:\WINDOWS\system32\mscorews.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-08-26 17:17:27       444 --a------ C:\WINDOWS\system32\dcstream.dll
2007-08-25 11:34:50         0 d-------- C:\Program Files\Picasa2
2007-08-23 23:44:19         0 d-------- C:\WINDOWS\system32\AGEIA
2007-08-23 23:44:18         0 d-------- C:\Program Files\AGEIA Technologies
2007-08-23 23:44:07         0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-23 20:20:45         0 d-------- C:\WINDOWS\Winexe
2007-08-23 20:18:33         0 d-------- C:\Program Files\Google
2007-08-22 22:08:40         0 d-------- C:\Program Files\2K Games
2007-08-20 21:35:49         0 d-------- C:\Program Files\JoWood
2007-08-20 21:28:48         0 d-------- C:\WINDOWS\system32\appmgmt
2007-08-19 12:15:28         0 d-------- C:\WINDOWS\etb
2007-08-19 12:15:24     11589 --a------ C:\WINDOWS\system32\temperror32.dat
2007-08-19 12:15:20         0 d-a------ C:\WINDOWS\EliteToolBar
2007-08-19 12:15:16         0 d-------- C:\Program Files\SWAT 4
2007-08-19 01:06:49    364544 -----n--- C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corp.; TwnLib4>
2007-08-19 01:06:49    106496 --a------ C:\WINDOWS\system32\TwnLib20.dll <Not Verified; Pegasus Software; TWNLIB20>
2007-08-19 01:06:49    155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Nero AG; Nero AG NeroCheck>
2007-08-19 01:06:49    471040 -----n--- C:\WINDOWS\system32\ImagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-08-19 01:06:49    262144 -----n--- C:\WINDOWS\system32\ImagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-08-19 01:06:49   1568768 -----n--- C:\WINDOWS\system32\ImagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2007-08-19 01:06:48         0 d-------- C:\Program Files\Common Files\Ahead
2007-08-19 01:06:48         0 d-------- C:\Program Files\Ahead
2007-08-18 22:28:21         0 d-------- C:\Program Files\AskTBar
2007-08-17 15:07:03         0 d-------- C:\Program Files\Common Files\DirectX
2007-08-15 16:41:56         0 d-------- C:\WINDOWS\CSC
2007-08-15 11:58:35         0 d-------- C:\Program Files\Ganymede
2007-08-15 10:27:26         0 d-------- C:\Program Files\DIFX
2007-08-15 10:26:57         0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-08-15 10:26:56     50688 --a------ C:\WINDOWS\system32\nmwcdcls.dll <Not Verified; Nokia; >
2007-08-15 01:06:00         0 d-------- C:\WINDOWS\nview
2007-08-14 20:56:29         0 d-------- C:\Program Files\Common Files\HP
2007-08-14 20:55:42         0 d-------- C:\Program Files\Hewlett-Packard
2007-08-14 20:55:29         0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-14 20:52:28    306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-08-14 20:52:12         0 d-------- C:\Program Files\HP
2007-08-14 20:51:27    119737 --a------ C:\WINDOWS\hpoins11.dat
2007-08-14 20:49:28     98304 --a------ C:\WINDOWS\system32\hpzjsn01.dll <Not Verified; Hewlett Packard Company; HPJZSN01 Dynamic Link Library>
2007-08-14 20:47:51     11634 --a------ C:\WINDOWS\hpomdl11.dat
2007-08-14 13:00:38         0 d-------- C:\Program Files\DITel
2007-08-13 13:52:09         0 d-------- C:\Program Files\eMule
2007-08-12 01:32:54         0 d-------- C:\Program Files\Sierra
2007-08-10 21:24:44    139264 --a------ C:\WINDOWS\NeoUninstall.exe <Not Verified; Neoact; NeoUninstall Application>
2007-08-10 21:24:41         0 d-------- C:\Program Files\Neoact
2007-08-10 19:29:45    737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2007-08-10 19:23:25         0 d-------- C:\Program Files\SEGA
2007-08-10 19:05:23         0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-10 19:04:12         0 d-------- C:\Program Files\Common Files\Adobe
2007-08-10 10:17:00         0 d-------- C:\Program Files\Counter-Strike 1.6
2007-08-10 08:47:45         0 d-------- C:\Program Files\Axis Communications
2007-08-10 07:18:26         4 --a------ C:\WINDOWS\system32\proc1395793746.bin
2007-08-10 00:47:09    111104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-08-10 00:47:09     19968 --a------ C:\WINDOWS\system32\reico.exe <Not Verified; Dead Knight; >
2007-08-10 00:47:09      8636 --a------ C:\WINDOWS\system32\modifype.exe
2007-08-10 00:47:09     81920 --a------ C:\WINDOWS\system32\closeapp.exe <Not Verified; Noël Danjou; CloseApp>
2007-08-10 00:32:37         0 d--hs---- C:\WINDOWS\Installer
2007-08-10 00:32:36         0 d-------- C:\Program Files\Common Files\ODBC
2007-08-10 00:32:34         0 d-------- C:\Program Files\Common Files\SpeechEngines
2007-08-10 00:32:33         0 dr------- C:\Program Files
2007-08-10 00:32:33         0 d-------- C:\Program Files\Common Files
2007-08-10 00:31:55         0 d-------- C:\WINDOWS\system32\CatRoot2
2007-08-10 00:31:55         0 d-------- C:\WINDOWS\system32\CatRoot
2007-08-10 00:31:34         0 d-------- C:\Documents and Settings
2007-08-10 00:31:33         0 d--hs---- C:\System Volume Information
2007-08-10 00:26:44         0 d-------- C:\WINDOWS
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\WinSxS
2007-08-10 00:26:44         0 dr------- C:\WINDOWS\Web
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\twain_32
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\wins
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\wbem
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\usmt
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\spool
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\ShellExt
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\Setup
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\ras
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\oobe
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\npp
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\mui
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\inetsrv
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\IME
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\icsxml
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\ias
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\export
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\drivers
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\drivers\etc
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\drivers\disdn
2007-08-10 00:26:44         0 dr-hs--c- C:\WINDOWS\system32\dllcache
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\dhcp
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\config
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\3com_dmi
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\3076
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\2052
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1054
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1045
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1042
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1041
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1037
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1033
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1031
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1028
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system32\1025
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\system
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\security
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Resources
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\repair
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Provisioning
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\PeerNet
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\pchealth
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\mui
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\msapps
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\msagent
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Media
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\java
2007-08-10 00:26:44         0 d--h----- C:\WINDOWS\inf
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\ime
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Help
2007-08-10 00:26:44         0 dr--s---- C:\WINDOWS\Fonts
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\ehome
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Driver Cache
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Debug
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Cursors
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Connection Wizard
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\Config
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\AppPatch
2007-08-10 00:26:44         0 d-------- C:\WINDOWS\addins
2007-08-10 00:07:11         0 d-------- C:\WINDOWS\system32\VIRepair
2007-08-10 00:05:49         0 d-------- C:\Program Files\ViStart
2007-08-09 23:54:42         0 d-------- C:\Program Files\Microsoft Works
2007-08-09 23:54:36         0 d-------- C:\Program Files\MSBuild
2007-08-09 23:51:36         0 d-------- C:\WINDOWS\SHELLNEW
2007-08-09 23:50:55         0 dr-h----- C:\MSOCache
2007-08-09 23:44:58         0 d-------- C:\Program Files\DAEMON Tools
2007-08-09 23:43:37    682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-09 23:35:44     36864 --a------ C:\WINDOWS\system32\wbsys.dll <Not Verified; Stardock.Net, Inc; WindowBlinds 4.x for x86 machines>
2007-08-09 23:35:44     20480 --a------ C:\WINDOWS\system32\wbload.dll
2007-08-09 23:35:44         0 d-------- C:\Program Files\Stardock
2007-08-09 23:34:48         0 d-------- C:\Program Files\QuickTime
2007-08-09 23:34:42         0 d-------- C:\Program Files\Apple Software Update
2007-08-09 23:30:20         0 d-------- C:\WINDOWS\system32\Lang
2007-08-09 23:23:22         0 d-------- C:\Program Files\BitLord
2007-08-09 23:22:53      1713 --a------ C:\WINDOWS\mozver.dat
2007-08-09 23:19:02         0 d-------- C:\WINDOWS\pss
2007-08-09 23:14:54         0 d-------- C:\Program Files\cFosSpeed
2007-08-09 23:13:24         0 --a------ C:\WINDOWS\nsreg.dat
2007-08-09 23:10:10         0 d-------- C:\WINDOWS\RegisteredPackages
2007-08-09 23:09:56         0 d-------- C:\Program Files\AutoConnect
2007-08-09 23:09:42         0 d-------- C:\Program Files\Winamp
2007-08-09 23:09:23    217088 --a------ C:\WINDOWS\system32\yv12vfw.dll <Not Verified; www.helixcommunity.org; Helix YV12 YUV Codec>
2007-08-09 23:09:23    180224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-08-09 23:09:23    593920 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-08-09 23:09:22   3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-08-09 23:09:22     10752 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-08-09 23:09:22     73728 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-08-09 23:09:22    740442 --a------ C:\WINDOWS\system32\divx.dll <Not Verified; DivX, Inc.; DivX®>
2007-08-09 23:09:21         0 d-------- C:\Program Files\K-Lite Codec Pack
2007-08-09 23:08:58         0 d-------- C:\Program Files\Gadu-Gadu
2007-08-09 22:58:48     32768 --a------ C:\WINDOWS\system32\WooDial2000.dll <Not Verified; France Télécom R&D; Kit de Connexion et de Services>
2007-08-09 22:58:11         0 d-------- C:\Program Files\Thomson
2007-08-09 22:57:37     41068 -----n--- C:\WINDOWS\system32\ActPanel.dll
2007-08-09 22:57:37         0 d-------- C:\Program Files\Java
2007-08-09 22:56:59         0 d-------- C:\Program Files\Neostrada TP
2007-08-09 22:56:45         0 d--hs---- C:\WINDOWS\ftpcache
2007-08-09 22:51:34         0 d-------- C:\Program Files\Realtek Sound Manager
2007-08-09 22:51:32         0 d-------- C:\Program Files\AvRack
2007-08-09 22:51:28     40960 -----n--- C:\WINDOWS\system32\ChCfg.exe
2007-08-09 22:51:19    208896 -----n--- C:\WINDOWS\alcupd.exe <Not Verified; Realtek Semiconductor Corp.; Update Application for Realtek AC'97>
2007-08-09 22:51:18    139264 -----n--- C:\WINDOWS\alcrmv.exe <Not Verified; Realtek Semiconductor Corp.; Realtek AC'97 Removing Tool>
2007-08-09 22:50:41         0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 22:50:41         0 d-------- C:\Program Files\AMD
2007-08-09 22:49:48      4096 --a------ C:\WINDOWS\gdrv.sys
2007-08-09 22:47:45         0 d-------- C:\WINDOWS\system32\ReinstallBackups
2007-08-09 22:47:37         0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-09 22:45:45         0 d-------- C:\WINDOWS\SoftwareDistribution
2007-08-09 22:45:44         0 d---s---- C:\WINDOWS\system32\Microsoft
2007-08-09 22:45:44         0 d-------- C:\WINDOWS\Prefetch
2007-08-09 22:41:56         0 d-------- C:\WINDOWS\system32\xircom
2007-08-09 22:41:56         0 d-------- C:\Program Files\microsoft frontpage
2007-08-09 22:41:38         0 -rahs---- C:\MSDOS.SYS
2007-08-09 22:41:38         0 -rahs---- C:\IO.SYS
2007-08-09 22:41:38         0 --a------ C:\CONFIG.SYS
2007-08-09 22:40:33         0 dr------- C:\WINDOWS\Offline Web Pages
2007-08-09 22:40:32         0 d---s---- C:\WINDOWS\Downloaded Program Files
2007-08-09 22:40:22         0 d--h----- C:\Program Files\WindowsUpdate
2007-08-09 22:40:19         0 d-------- C:\Program Files\Usługi online
2007-08-09 22:40:02         0 d-------- C:\WINDOWS\system32\DirectX
2007-08-09 22:39:31         0 d---s---- C:\WINDOWS\Tasks
2007-08-09 22:39:30         0 d-------- C:\Program Files\Common Files\MSSoap
2007-08-09 22:39:26         0 d-------- C:\WINDOWS\system32\Macromed
2007-08-09 22:39:26         0 d-------- C:\WINDOWS\srchasst
2007-08-09 22:39:19         0 d-------- C:\Program Files\Movie Maker
2007-08-09 22:39:12         0 d-------- C:\WINDOWS\system32\Restore
2007-08-09 22:38:33     21856 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-09 22:38:19         0 d-------- C:\WINDOWS\Registration
2007-08-09 22:38:06         0 d-------- C:\Program Files\Messenger
2007-08-09 22:38:03         0 d-------- C:\Program Files\MSN Gaming Zone
2007-08-09 22:37:35         0 d-------- C:\Program Files\Windows NT
2007-08-09 22:37:32         0 d-------- C:\WINDOWS\system32\MsDtc
2007-08-09 22:37:30         0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2007-08-29 23:02:04    355830 --a------ C:\WINDOWS\system32\perfh015.dat
2007-08-29 23:02:04     49712 --a------ C:\WINDOWS\system32\perfc015.dat
2007-08-29 20:11:29         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\SurfAccuracy
2007-08-25 18:47:58         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\GanymedeNet
2007-08-25 09:30:48         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Image Zone Express
2007-08-23 20:19:18         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Google
2007-08-22 23:11:45         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Bioshock
2007-08-22 22:08:29         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\InstallShield
2007-08-16 18:56:31         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Adobe
2007-08-16 17:23:29         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Apple Computer
2007-08-15 10:29:07         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Nokia
2007-08-15 10:29:07         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\DataLayer
2007-08-15 10:26:54         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\PC Suite
2007-08-14 20:57:49         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\HP
2007-08-10 11:09:41         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Media Player Classic
2007-08-10 00:53:11         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Styler
2007-08-10 00:51:00         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Stardock
2007-08-10 00:32:08        62 --ahs---- C:\Documents and Settings\pawfer\Dane aplikacji\desktop.ini
2007-08-10 00:11:51         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\ViStart
2007-08-09 23:23:52         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Macromedia
2007-08-09 23:13:23         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Mozilla
2007-08-09 23:11:59         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Gadu-Gadu
2007-08-09 22:46:22         0 d-------- C:\Documents and Settings\pawfer\Dane aplikacji\Identities


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"= C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll [2007-08-19 12:15 92672]

[-HKEY_CLASSES_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"cFosSpeed"="C:\Program Files\cFosSpeed\cFosSpeed.exe" [2007-07-09 17:10]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"LClock"="C:\Program Files\LClock\LClock.exe" []
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 02:41]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 11:22]
"nwiz"="nwiz.exe" [2006-06-01 11:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 11:22 C:\WINDOWS\system32\nvmctray.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 16:40]
"Windows Shell"="C:\WINDOWS\system32\shell32.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect"="C:\Program Files\AutoConnect\AutoConnect.exe" [2004-08-28 20:27]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2007-07-09 09:39]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-08-17 22:48]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 04:21:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll 2005-12-01 12:58 176128 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RunDLL32.exe NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WooCnxMon]
C:\PROGRA~1\NEOSTR~1\CnxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOTASKBARICON]
C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WOOWATCH]
C:\PROGRA~1\NEOSTR~1\Watch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzGBK]
F:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}]
C:\Documents and Settings\pawfer\Dane aplikacji\MY Pics.exe s



-- End of Deckard's System Scanner: finished at 2007-08-29 23:04:31 ------------

pawfer
~user
 
Posts: 1053
Joined: 17 Dec 2005, 15:23
Location: Słupsk
Praise: 70



Post by wojtas, 29 Aug 2007, 23:28

Delete:

O4 - HKLM\..\Run: [Windows Shell] C:\WINDOWS\system32\shell32.exe


These files:

C:\WINDOWS\system32\nvquetys.dll
C:\WINDOWS\system32\mscorews.dll
C:\WINDOWS\system32\dcstream.dll


http://virusscan.jotti.org/
http://www.virustotal.com/

Upload them to the scanners and post the reports.

In safe mode, delete the items in bold:

C:\WINDOWS\etb
C:\WINDOWS\system32\temperror32.dat
C:\WINDOWS\EliteToolBar


Then post the reports and a new DSS log.
wojtas
*mod
 
Posts: 18165
Joined: 13 Jan 2006, 16:00
Location: Krzeszyce
Praise: 1656



