Problem z systemem, wirus z pendrive?

[Andrew_wojownik]

Witam, chyba udało mi się załapać jakiegoś wirusa na pendrive, objaw jest taki, że na pamięci pojawia się folder recycle oraz autorun.inf o zawartości:

Kod: Zaznacz wszystko

[autorun]
open=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open=Open
shell\open\command=RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe
shell\open\default=1


format pamięci nic na to nie pomaga, ręczne usunięcie tego pliku i folderu recycler z pamięci też, odrazu się pojawiaja ponownie.

Z góry dzięki za pomoc.

Log z HiJackThis:

Kod: Zaznacz wszystko

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:16:08, on 2009-02-01
Platform: Windows XP Dodatek SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\XAMPP\apache\bin\apache.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
F:\XAMPP\apache\bin\apache.exe
C:\WINDOWS\system32\oodag.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
C:\WINDOWS\system32\taskswitch.exe
D:\Programy\TortoiseSVN\bin\TSVNCache.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\VMware\VMware Server\vmware-authd.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
D:\Programy\StatBar\StatBar.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\vmnetdhcp.exe
D:\gry\steam\steam.exe
C:\Program Files\VMware\VMware Server\vmware-hostd.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Programy\Stickies\stickies.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Konnekt\konnekt.exe
D:\Programy\Winamp\winamp.exe
D:\Programy\Notepad++\notepad++.exe
D:\Programy\FOXITS~1\FOXITR~1\FOXITR~1.EXE
C:\WINDOWS\system32\cmd.exe
D:\Przegladarki internetowe\Fire Fox\firefox.exe
D:\Przegladarki internetowe\Opera\opera.exe
C:\WINDOWS\system32\mstsc.exe
D:\Programy\OpenOffice.org 3\program\scalc.exe
D:\Programy\OpenOffice.org 3\program\soffice.exe
D:\Programy\OpenOffice.org 3\program\soffice.bin
C:\Documents and Settings\Andrew\Pulpit\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5CCB2023-AEF5-436C-A78B-133CF6F5F2A7} - C:\WINDOWS\system32\csserchk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [StatBar] D:\Programy\StatBar\StatBar.exe
O4 - HKCU\..\Run: [AtiTrayTools] "C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"
O4 - HKCU\..\Run: [Steam] "d:\gry\steam\steam.exe" -silent
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [ALLUpdate] "D:\Programy\MarBit\ALLPlayer\ALLUpdate.exe" "sleep"
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\eHome" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_02] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\msagent" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_03] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Srchasst" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_04] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\help" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_05] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\pchealth" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_06] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\Help\Tours" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_07] cmd.exe /c md "%USERPROFILE%\Ustawienia lokalne\Temp" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_08] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_09] rundll32 advpack.dll,LaunchINFSection nlite.inf,nLiteReg (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlpo_10] rundll32 advpack.dll,LaunchINFSection nlite.inf,S (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlpo_01] rundll32 advpack.dll,DelNodeRunDLL32 "C:\WINDOWS\eHome" (User 'USŁUGA SIECIOWA')
O4 - Startup: Stickies.lnk = D:\Programy\Stickies\stickies.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware server\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA577A95-5EE9-4E1E-B044-03FC1F93CA15}: NameServer = 195.177.64.66,195.177.64.69,195.177.64.34
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AODService - Unknown owner - D:\Programy\AMD\OverDrive\AODAssist (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - F:\XAMPP\apache\bin\apache.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - F:\XAMPP\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Parallels Dispatcher Service - Parallels, Inc. - C:\Program Files\Parallels\Parallels Server\Application\prl_disp_service.exe
O23 - Service: Parallels Networking Service - Parallels, Inc. - C:\Program Files\Parallels\Parallels Server\Application\prl_naptd.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: VMware Host Agent (VMwareHostd) - Unknown owner - C:\Program Files\VMware\VMware Server\vmware-hostd.exe
O23 - Service: VMware Server Web Access (VMwareServerWebAccess) - Apache Software Foundation - C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe
O23 - Service: VMware VSS Writer (vmwriter) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmVssWriter.exe

--
End of file - 8604 bytes



Log z Silent Runnerw:

Kod: Zaznacz wszystko

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"StatBar" = "D:\Programy\StatBar\StatBar.exe" ["Globe Software"]
"AtiTrayTools" = ""C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe"" ["Ray Adams"]
"Steam" = ""d:\gry\steam\steam.exe" -silent" ["Valve Corporation"]
"DAEMON Tools Pro Agent" = ""C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"" ["DT Soft Ltd."]
"ALLUpdate" = ""D:\Programy\MarBit\ALLPlayer\ALLUpdate.exe" "sleep"" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RTHDCPL" = "RTHDCPL.EXE" ["Realtek Semiconductor Corp."]
"Alcmtr" = "ALCMTR.EXE" ["Realtek Semiconductor Corp."]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"CoolSwitch" = "C:\WINDOWS\system32\taskswitch.exe" [null data]
"UnlockerAssistant" = ""C:\Program Files\Unlocker\UnlockerAssistant.exe"" [null data]
"amd_dc_opt" = "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" ["AMD"]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" ["Advanced Micro Devices, Inc."]

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\
{729CC054-9FC8-238E-0A98-75B7A1C73972}\(Default) = (no title provided)
                                       \StubPath   = "C:\WINDOWS\system32\kb478342122.exe s" [null data]
{88ABC5C0-4FCB-11BB-AAX5-81CX1C635612}\(Default) = (no title provided)
                                       \StubPath   = "C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = "WormRadar.com IESiteBlocker.NavFilter"
  -> {HKLM...CLSID} = "AVG Safe Search"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{5CCB2023-AEF5-436C-A78B-133CF6F5F2A7}\(Default) = (no title provided)
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\csserchk.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
  -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{3028902F-6374-48b2-8DC6-9725E775B926}" = "IE Microsoft AutoComplete"
  -> {HKLM...CLSID} = "IE Microsoft AutoComplete"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
  -> {HKLM...CLSID} = "History Band"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{efb97cb8-a4a4-4357-a261-002ffaed0267}" = "CD Slideshow Powertoy"
  -> {HKCU...CLSID} = "CD Burn Slideshow Hook"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\slideshow.dll" [MS]
"{1530F7EE-5128-43BD-9977-84A4B0FAD7DF}" = "PhotoToys"
  -> {HKCU...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\phototoys.dll" [MS]
"{709C6E11-538F-4759-86AC-6ACB302AA0DE}" = "Desktop Manager"
  -> {HKCU...CLSID} = "Desktop Manager"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\msvdm.dll" [null data]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{544F5441-4C43-4D44-5550-5348454C4C00}" = "TCUP: Shell Extention"
  -> {HKLM...CLSID} = "TCUP: Shell Extention"
                   \InProcServer32\(Default) = "D:\Programy\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL" [null data]
"{30351348-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351347-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134A-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134C-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351346-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351349-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134B-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134D-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134E-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{3035134F-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{30351350-7B7D-4FCC-81B4-1E394CA267EB}" = "TortoiseSVN"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
"{C5994560-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994561-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994562-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994563-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994564-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994565-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994566-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994567-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{C5994568-53D9-4125-87C9-F193FC689CB2}" = "TortoiseOverlays"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\TortoiseOverlays\TortoiseOverlays.dll" ["http://tortoisesvn.net"]
"{0561EC90-CE54-4f0c-9C55-E226110A740C}" = "Haali Column Provider"
  -> {HKLM...CLSID} = "Haali Column Provider"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data]
"{5574006C-28F5-4a65-A28C-74DE6BFBE0BB}" = "Haali Matroska Shell Property Page"
  -> {HKLM...CLSID} = "Haali Matroska Shell Property Page"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data]
"{327669A0-59A7-4be9-B99E-1C9F3A57611A}" = "Haali Matroska Thumbnail Extractor"
  -> {HKLM...CLSID} = "Haali Matroska Thumbnail Extractor"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
  -> {HKLM...CLSID} = "SimpleShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]
"{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
"{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}" = "PowerISO"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}" = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Programy\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}" = "OpenOffice.org Infotip Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Programy\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{63542C48-9552-494A-84F7-73AA6A7C99C1}" = "OpenOffice.org Property Sheet Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Programy\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]
"{3B092F0C-7696-40E3-A80F-68D74DA84210}" = "OpenOffice.org Thumbnail Viewer"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Programy\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\
<<!>> "Debugger" = ""C:\WINDOWS\system32\vsjitdebugger.exe" -p %ld -e %ld" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"oodbs" ["O&O Software GmbH"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
<<!>> avgrsstarter\DLLName = "avgrsstx.dll" ["AVG Technologies CZ, s.r.o."]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{0561EC90-CE54-4f0c-9C55-E226110A740C}\(Default) = "Haali Column Provider"
  -> {HKLM...CLSID} = "Haali Column Provider"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\mmfinfo.dll" [null data]
{30351349-7B7D-4FCC-81B4-1E394CA267EB}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}\(Default) = "OpenOffice.org Column Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = ""D:\Programy\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll"" ["Sun Microsystems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
DaemonShellExtImage\(Default) = "{40966797-8FFE-46C8-9EF8-7003F33CCF0F}"
  -> {HKLM...CLSID} = "DaemonShellExtImage Class"
                   \InProcServer32\(Default) = "C:\Program Files\DAEMON Tools Pro\imgshl32.dll" ["DT Soft Ltd."]
Notepad++\(Default) = "{120B94B5-2E6A-4F13-94D0-414BCB64FA0F}"
  -> {HKLM...CLSID} = "Notepad++"
                   \InProcServer32\(Default) = "D:\Programy\Notepad++\nppcm.dll" ["Burgaud.com"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
TCUPShellExt\(Default) = "{544F5441-4C43-4D44-5550-5348454C4C00}"
  -> {HKLM...CLSID} = "TCUP: Shell Extention"
                   \InProcServer32\(Default) = "D:\Programy\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL" [null data]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
7-Zip\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
  -> {HKLM...CLSID} = "7-Zip Shell Extension"
                   \InProcServer32\(Default) = "D:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
TCUPShellExt\(Default) = "{544F5441-4C43-4D44-5550-5348454C4C00}"
  -> {HKLM...CLSID} = "TCUP: Shell Extention"
                   \InProcServer32\(Default) = "D:\Programy\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL" [null data]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
PowerISO\(Default) = "{967B2D40-8B7D-4127-9049-61EA0C2C6DCE}"
  -> {HKLM...CLSID} = "PowerISO"
                   \InProcServer32\(Default) = "C:\Program Files\PowerISO\PWRISOSH.DLL" ["PowerISO Computing, Inc."]
TortoiseSVN\(Default) = "{30351349-7B7D-4FCC-81B4-1E394CA267EB}"
  -> {HKLM...CLSID} = "TortoiseSVN"
                   \InProcServer32\(Default) = "D:\Programy\TortoiseSVN\bin\TortoiseStub.dll" ["http://tortoisesvn.net"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
  -> {HKLM...CLSID} = "WinRAR"
                   \InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Default executables:
--------------------

<<!>> HKLM\SOFTWARE\Classes\.hta\(Default) = "hta"
<<!>> HKLM\SOFTWARE\Classes\hta\shell\open\command\(Default) = ""D:\Programy\TC UP\PLUGINS\Media\XnView\xnview.exe" "%1"" ["XnView, http://www.xnview.com"]

<<!>> HKLM\SOFTWARE\Classes\.scr\(Default) = "scr"
<<!>> HKLM\SOFTWARE\Classes\scr\shell\open\command\(Default) = ""D:\Programy\TC UP\PLUGINS\Media\XnView\xnview.exe" "%1"" ["XnView, http://www.xnview.com"]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoSMHelp" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove Help menu from Start Menu}

"NoSMMyPictures" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Start Menu and Taskbar|
Remove My Pictures icon from Start Menu}

"ClearRecentDocsOnExit" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsMenu" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoRecentDocsHistory" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoStartBanner" = (REG_DWORD) dword:0x00000001
{Remove "Click here to begin" from Start button}

"NoInstrumentation" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoStartMenuMFUprogramsList" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoResolveTrack" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"LinkResolveIgnoreLinkInfo" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoResolveSearch" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSMConfigurePrograms" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoSharedDocuments" = (REG_DWORD) dword:0x00000001
{User Configuration|Administrative Templates|Windows Components|Windows Explorer|
Remove Shared Documents from My Computer}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoDesktopCleanupWizard" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"DisableStatusMessages" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"VerboseStatus" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"NoInternetOpenWith" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Andrew\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

AlcoholAutoPlayV2.BurnDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "BurnDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""D:\Programy\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

AlcoholAutoPlayV2.ReadDisc\
"Provider" = "Alcohol 120%"
"InvokeProgID" = "AlcoholAutoPlayV2"
"InvokeVerb" = "ReadDisc"
HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""D:\Programy\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

NeroAutoPlay2AudioToNeroDigital\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_AudioToNeroDigital"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_AudioToNeroDigital\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracks  /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CDAudio\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_CDAudio"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_CDAudio\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:AudioCD /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2CopyCD\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_CopyCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_CopyCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /Dialog:DiscCopy /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2DataDisc\
"Provider" = "Nero Express"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_DataDisc"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_DataDisc\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /w /New:ISODisc /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2LaunchNeroStartSmart\
"Provider" = "Nero StartSmart"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "HandleCDBurningOnArrival_LaunchNeroStartSmart"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\HandleCDBurningOnArrival_LaunchNeroStartSmart\command\(Default) = "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe /AutoPlay /Drive:%L" ["Ahead Software AG"]

NeroAutoPlay2RipCD\
"Provider" = "Nero Burning ROM"
"InvokeProgID" = "Nero.AutoPlay2"
"InvokeVerb" = "PlayCDAudioOnArrival_RipCD"
HKLM\SOFTWARE\Classes\Nero.AutoPlay2\shell\PlayCDAudioOnArrival_RipCD\command\(Default) = "C:\Program Files\Ahead\nero\nero.exe /Dialog:SaveTracks  /Drive:%L" ["Ahead Software AG"]

TC UP\
"Provider" = "Total Commander Ultima Prime"
"InvokeProgID" = "TC UP\AutoPlay"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\TC UP\AutoPlay\shell\open\command\(Default) = "D:\Programy\TC UP\TC UP.exe /O /T /R="%1"" [null data]

WinampMTPHandler\
"Provider" = "Winamp"
"ProgID" = "Shell.HWEventHandlerShellExecute"
"InitCmdLine" = "D:\Programy\Winamp\winamp.exe"
HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"
  -> {HKLM...CLSID} = "ShellExecute HW Event Handler"
                   \LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\
"Provider" = "Winamp"
"InvokeProgID" = "Winamp.File"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""D:\Programy\Winamp\winamp.exe" "%1"" ["Nullsoft"]
HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\DropTarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"
  -> {HKLM...CLSID} = (no title provided)
                   \LocalServer32\(Default) = ""D:\Programy\Winamp\winamp.exe"" ["Nullsoft"]


Startup items in "Andrew" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\Andrew\Menu Start\Programy\Autostart
"Stickies" -> shortcut to: "D:\Programy\Stickies\stickies.exe" ["Zhorn Software"]

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
C:\Program Files\VMware\VMware Server\vsocklib.dll ["VMware, Inc."], 18 - 19


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_04"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_04"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_04\bin\npjpi160_04.dll" ["Sun Microsystems, Inc."]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apache2.2, Apache2.2, ""F:\XAMPP\apache\bin\apache.exe" -k runservice" ["Apache Software Foundation"]
AVG8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
O&O Defrag, O&O Defrag, "C:\WINDOWS\system32\oodag.exe" ["O&O Software GmbH"]
SQL Server (SQLEXPRESS), MSSQL$SQLEXPRESS, ""C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS" [MS]
SQL Server VSS Writer, SQLWriter, ""C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"" [MS]
VMware Authorization Service, VMAuthdService, ""C:\Program Files\VMware\VMware Server\vmware-authd.exe"" ["VMware, Inc."]
VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\system32\vmnetdhcp.exe" ["VMware, Inc."]
VMware Host Agent, VMwareHostd, ""C:\Program Files\VMware\VMware Server\vmware-hostd.exe" -u "C:\Documents and Settings\All Users\Dane aplikacji\VMware\VMware Server\hostd\config.xml"" [null data]
VMware NAT Service, VMware NAT Service, "C:\WINDOWS\system32\vmnat.exe" ["VMware, Inc."]
VMware Server Web Access, VMwareServerWebAccess, ""C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe" //RS//VMwareServerWebAccess" ["Apache Software Foundation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
BJ Language Monitor\Driver = "cnbjmon.dll" [file not found]
hpZJLanguageMonitor\Driver = "ZLMhp1.DLL" ["Zenographics"]
PJL Language Monitor\Driver = "pjlmon.dll" [file not found]


---------- (launch time: 2009-02-01 17:22:10)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 439 seconds.
---------- (total run time: 475 seconds)



[Okocza]

Andrew_wojownik, sformatuj pendrive i daj log z combofixa.

[Andrew_wojownik]

Pendrive właśnie pare razy formatowałem i ciągle mi sie to pojawia tam Niby cośtam z niego combofix usunął, ale recycler nadal jest, a chyba nie powinien?

z combofixa

Kod: Zaznacz wszystko

ComboFix 09-02-01.01 - Andrew 2009-02-01 19:17:10.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.48.1045.18.2047.846 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Andrew\Pulpit\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

UWAGA - TEN KOMPUTER NIE MA ZAINSTALOWANEJ KONSOLI ODZYSKIWANIA !!
.

(((((((((((((((((((((((((((((((((((((((   Usunięto   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Andrew\Dane aplikacji\addon.dat
c:\documents and settings\Andrew\Dane aplikacji\addons.dat
c:\documents and settings\Andrew\Ustawienia lokalne\Temporary Internet Files\ijjistarter_verinfo.dat
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\recycler\S-1-5-21-1482476501-1644491937-682003330-1013\spoolsv.exe
C:\server.exe
c:\windows\system32\kb478342122.exe
c:\windows\system32\mdm.exe
c:\windows\system32\mssrv32.exe
E:\install.exe
N:\autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Sterowniki/Usługi   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


(((((((((((((((((((((((((   Pliki utworzone od 2009-01-01 do 2009-02-01  )))))))))))))))))))))))))))))))
.

2009-02-01 17:44 . 2009-02-01 17:44   <DIR>   d--------   c:\program files\Spybot - Search & Destroy
2009-02-01 17:44 . 2009-02-01 18:03   <DIR>   d--------   c:\documents and settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2009-01-31 13:25 . 2009-01-31 13:25   <DIR>   d--------   c:\documents and settings\Andrew\Dane aplikacji\Kingston
2009-01-25 15:43 . 2009-01-25 15:43   <DIR>   d--------   c:\documents and settings\Andrew\Dane aplikacji\Felix_Deimel
2009-01-23 21:54 . 2009-01-23 21:54   3,553   --a------   C:\Tomasz00.rar
2009-01-23 12:32 . 2009-01-23 02:41   3,911,813   --a------   C:\GameServer_CS.exe
2009-01-23 12:32 . 2009-01-22 23:23   76,800   --a------   C:\GameServer.dll
2009-01-22 18:07 . 2009-01-22 18:07   <DIR>   d--------   C:\JoinServer
2009-01-22 12:56 . 2009-01-20 12:37   276,899   --a------   C:\JoinServer_0.83.rar
2009-01-21 16:18 . 2009-01-21 21:14   <DIR>   d-a------   c:\documents and settings\All Users\Dane aplikacji\TEMP
2009-01-20 14:50 . 2002-12-17 16:23   33,340   ---------   c:\windows\system32\dbmsqlgc.dll
2009-01-20 14:50 . 2002-10-20 14:05   24,576   ---------   c:\windows\system32\dbmsgnet.dll
2009-01-16 10:01 . 2009-01-16 10:00   801,898   --a------   C:\MuEditor-S3-[12-08-2007].rar
2009-01-15 22:59 . 2009-01-15 22:59   <DIR>   d--------   C:\ollydbg 110
2009-01-14 22:32 . 2009-01-14 22:32   <DIR>   d--------   c:\windows\PokeCyrus Online
2009-01-14 22:20 . 2009-01-14 22:14   21,047   --a------   C:\readme project Mu.NET.rtf
2009-01-14 22:18 . 2009-01-14 22:18   <DIR>   d--------   C:\svrGG
2009-01-14 22:14 . 2009-01-14 21:56   6,666,500   --a------   C:\svrGG.rar
2009-01-02 14:38 . 2007-09-18 21:25   1,032,657   --a------   c:\windows\system32\libxml2.dll
2009-01-02 14:38 . 2007-09-18 21:25   126,976   --a------   c:\windows\system32\sqlapi.dll
2009-01-02 14:38 . 2005-05-08 16:56   55,808   --a------   c:\windows\system32\zlib1.dll
2009-01-01 16:13 . 2005-07-27 20:29   65,536   --a------   C:\WZ_MD5_MOD.dll
2009-01-01 12:31 . 2009-01-01 12:31   <DIR>   d--------   C:\CzFMUEditorV1.5a

.
((((((((((((((((((((((((((((((((((((((((   Sekcja Find3M   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 18:21   ---------   d-----w   c:\documents and settings\Andrew\Dane aplikacji\stickies
2009-02-01 18:20   ---------   d-----w   c:\documents and settings\NetworkService\Dane aplikacji\VMware
2009-02-01 18:20   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\VMware
2009-02-01 18:06   ---------   d-----w   c:\documents and settings\Andrew\Dane aplikacji\VMware
2009-02-01 07:17   ---------   d-----w   c:\documents and settings\All Users\Dane aplikacji\avg8
2009-02-01 07:16   325,128   ----a-w   c:\windows\system32\drivers\avgldx86.sys
2009-02-01 07:16   107,272   ----a-w   c:\windows\system32\drivers\avgtdix.sys
2009-01-25 20:03   ---------   d-----w   c:\documents and settings\Andrew\Dane aplikacji\Azureus
2009-01-20 22:54   ---------   d--h--w   c:\program files\InstallShield Installation Information
2009-01-20 13:50   ---------   d-----w   c:\program files\Microsoft SQL Server
2009-01-10 22:52   ---------   d--h--w   c:\documents and settings\Andrew\Dane aplikacji\ijjigame
2009-01-04 22:28   ---------   d-----w   c:\program files\VMware
2008-12-31 20:30   ---------   d-----w   c:\documents and settings\Andrew\Dane aplikacji\Notepad++
2008-12-22 20:56   678,367   ----a-w   C:\gs.zip
2008-12-17 09:56   81,360   ----a-w   c:\windows\system32\drivers\VBoxNetFlt.sys
2008-12-17 09:56   41,680   ----a-w   c:\windows\system32\drivers\VBoxUSBMon.sys
2008-12-17 09:56   100,368   ----a-w   c:\windows\system32\drivers\VBoxDrv.sys
.

(((((((((((((((((((((((((((((((((((((   Wpisy startowe rejestru   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CCB2023-AEF5-436C-A78B-133CF6F5F2A7}]
2008-08-20 21:35   14848   --a------   c:\windows\system32\csserchk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-16 16:52   80384   --a------   c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatBar"="d:\programy\StatBar\StatBar.exe" [2003-07-25 335872]
"AtiTrayTools"="c:\program files\Ray Adams\ATI Tray Tools\atitray.exe" [2007-05-22 521128]
"Steam"="d:\gry\steam\steam.exe" [2008-10-10 1410296]
"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"ALLUpdate"="d:\programy\MarBit\ALLPlayer\ALLUpdate.exe" [2008-11-24 869888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-01 1601304]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-07 15872]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-09 c:\windows\RTHDCPL.exe]

c:\documents and settings\Andrew\Menu Start\Programy\Autostart\
Stickies.lnk - d:\programy\Stickies\stickies.exe [2008-08-28 765952]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 74308]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-01 08:17 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute   REG_MULTI_SZ      autocheck autochk *\[u]0[/u]oodbs

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
path=c:\documents and settings\Andrew\Menu Start\Programy\Autostart\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Menu Start^Programy^Autostart^OpenOffice.org 3.0.lnk]
path=c:\documents and settings\Andrew\Menu Start\Programy\Autostart\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Andrew^Menu Start^Programy^Autostart^WinMySQLadmin.lnk]
path=c:\documents and settings\Andrew\Menu Start\Programy\Autostart\WinMySQLadmin.lnk
backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-07-24 16:02 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 09:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 02:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"Firewalboverride"=dword:00000004
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Gry\\Kalypso\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"d:\\Gry\\RedFaction\\RF.exe"=
"e:\\Gry\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"e:\\Gry\\LucasArts\\Star Wars Empire at War Siły korupcji\\swfoc.exe"=
"d:\\Gry\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"d:\\Gry\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Gry\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Gry\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-authd.exe"=
"c:\\Program Files\\VMware\\VMware Server\\vmware-hostd.exe"=
"e:\\Gry\\Ubisoft\\Prince of Persia\\Prince of Persia.exe"=
"e:\\Gry\\Ubisoft\\Prince of Persia\\PrinceOfPersia_Launcher.exe"=

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 18088]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-08 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-08-08 107272]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [2008-08-10 100368]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [2008-08-10 41680]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [2006-01-13 15872]
R2 Apache2.2;Apache2.2;f:\xampp\apache\bin\apache.exe [2008-06-14 17408]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-08-09 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-08-09 298264]
R2 Parallels Virtualization Hypervisor;Parallels Virtualization Hypervisor;c:\program files\Parallels\Parallels Server\Drivers\prl_hypervisor_32.sys [2008-08-10 538176]
R2 prl_net;Parallels Networking Driver;c:\windows\system32\drivers\prl_net.sys [2008-08-10 23616]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2008-10-12 54960]
R2 VMwareHostd;VMware Host Agent;c:\program files\VMware\VMware Server\vmware-hostd.exe [2008-10-12 322096]
R2 VMwareServerWebAccess;VMware Server Web Access;c:\program files\VMware\VMware Server\tomcat\bin\tomcat6.exe [2008-10-12 57344]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [2008-12-18 81360]
S2 AODService;AODService;d:\programy\AMD\OverDrive\AODAssist --> d:\programy\AMD\OverDrive\AODAssist [?]
S2 prl_usb_mng;Parallels USB Device Manager;\??\c:\program files\Parallels\Parallels Server\Drivers\prl_usb_mng.sys --> c:\program files\Parallels\Parallels Server\Drivers\prl_usb_mng.sys [?]
S3 cglptnt;cglptnt;d:\programy\TC UP\CGLPTNT.SYS [2008-07-29 7888]
S3 kbeepm;kbeepm;\??\c:\docume~1\Andrew\USTAWI~1\Temp\kbeepm.sys --> c:\docume~1\Andrew\USTAWI~1\Temp\kbeepm.sys [?]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Andrew\Pulpit\Cabalbot\NtProcDrv.sys --> c:\documents and settings\Andrew\Pulpit\Cabalbot\NtProcDrv.sys [?]
S3 Parallels Dispatcher Service;Parallels Dispatcher Service;c:\program files\Parallels\Parallels Server\Application\prl_disp_service.exe [2008-08-10 11959744]
S3 Parallels Networking Service;Parallels Networking Service;c:\program files\Parallels\Parallels Server\Application\prl_naptd.exe [2008-08-10 2002368]
S3 PRLVNIC;Parallels Virtual NIC Adapter;c:\windows\system32\drivers\prl_vnic.sys [2008-08-10 12992]
S3 VBoxTAP;VirtualBox TAP Adapter;c:\windows\system32\drivers\VBoxTAP.sys [2008-08-10 47152]
S3 vmwriter;VMware VSS Writer;c:\program files\VMware\VMware Server\vmVssWriter.exe [2008-10-12 29744]

--- Inne Usługi/Sterowniki w Pamięci ---

*NewlyCreated* - HELPSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{240623b5-b322-11dd-909f-005056c00008}]
\Shell\AutoRun\command - N:\SETUP.EXE /AUTORUN
\Shell\configure\command - N:\SETUP.EXE
\Shell\install\command - N:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ce7f93c1-6cac-11dd-907f-001d92b44444}]
\Shell\AutoRun\command - H:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{729CC054-9FC8-238E-0A98-75B7A1C73972}]
c:\windows\system32\kb478342122.exe s
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.com/
LSP: c:\program files\VMware\VMware Server\vsocklib.dll
TCP: {BA577A95-5EE9-4E1E-B044-03FC1F93CA15} = 195.177.64.66,195.177.64.69,195.177.64.34
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 19:21:30
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ... 

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ... 

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\AODService]
"ImagePath"="d:\programy\AMD\OverDrive\AODAssist"
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_USERS\S-1-5-21-1409082233-343818398-839522115-1001\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3746B97A-557E-4C69-5B54-C974A424E428}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="92D2132C798B5ACCE08348591E5F4082E3FC01B3A619CF77855E50ADAE88B2E3F47C78C483F7F3F1E5C0CF40E1F0AE22CB50BF42C84F530ABB114D2A4FAAFA55C86FB5C09C03492480FA94BEDFCB5BB071D6251761BF4EC8BD73041C21015295469C916C0510C935DCD3D8B69515FD230F7E8AC850E9606E7860076E8309E045ABEDF7A53CBB484CA9DE7F1C47A0B3C564266D7FBA01918C5B258A201DF3B55AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC79338EDD5E5BE2F6E667A2D97226D213B555A6A0AC4980AC7933EFBE008C4265673C1C58598822F0496FAE6F3B48B8236349EBEFAA46EA522C00F3470706D14414E55918D034D9D919354451821AEF7AE92DAF7F83D9425D176EAA0297FE0E9ED541AE8272627E23531508C34A5B974B16DA503D0A383BF6F131EA098719315F89D6A39C4D89CBB65EF8D3D977738F1B7947966A9EE0F56297DF90684D893DA67083C6601333C4AF8423849A96E57825053752B8446A559543E2FB218819F5C63074283C1B7DACDEF4A8FB81D5C3B9D513C3D6D123FA013A947B9129F8A662C7D1AFDB92DC1B8E494271A07C87347C4E5DDAF8D288CFE4B0913BB6E702A1CF65448C7BB878D2B627613ADAEFA3F2AF64833F93C8E1B82D88228959BC2F904D0FD6B52278ADFEB5652D1598B1C4CF85228806083AC51B508C12216776AB0C3068BFAB7291E40CE1A365E4CB0D29AD73C55498351F6AEC83331211D55B49C18FC899C2103426FE53B7AAE3EAC0B404343E323605612B3C42ADB63A9A247C72C83C5FA2A3071FEBE729849DED816DDCC5B3D1EEDE63892A4D5D7855B3FDDDF47B81F446D9A3A3FDBF345C745474FED8E9FDC529B477A869A459336C9F0AAA300B0C1E7DE29928F3414B829B9D36B72B27AA061F77E6D04191EAA7DE615CC323210584EC746A461F1690A71ED1D38A1BC7FCED5E1D6D6D119F127B5E817E2F5D28C5368B460A3DE529DDE2D579D28F8359E83EC7A23A8E469D81B4730B6E9386D0DE242695E4EDC2AD3F2EF4A1A77FD22F19971204F168669D9DC1F60E1C3F561193245B22585EC417F5E701DB3FBA0FDE6904C645ACD10A7703F0981E6CA39B1F5C6E20B135388D2075D2D140F7C4CCC16C6C446DF6495D4600F85BD2B9D33576E322BA0DC34B53C4E79514E424423877E7A23C074F6BA0E9957016C8CF8A19590A3F48003C86E047A8B9C86A0C80106055D8B320AB7DA6047C55F11EEF23D24B622BB7DB4E81132BC72E45EF6A6D29A4E1A504CA72E85A7D1E07EF764F207C93B3B1CDF399F65DBB0A45B01E6D1BE82CEE865C1F81B6367F1849627B17A54ABF797C20A236C2C505E8B68A1C38C14D279259BD372699497BBE46EDD5E3FC7F1EE41F1E43AD68E657909AA0"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(1236)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
d:\programy\TortoiseSVN\bin\TSVNCache.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
f:\xampp\FileZillaFTP\FileZillaServer.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\windows\system32\oodag.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\vmnat.exe
c:\program files\VMware\VMware Server\vmware-authd.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Czas ukończenia: 2009-02-01 19:23:16 - komputer został uruchomiony ponownie [Andrew]
ComboFix-quarantined-files.txt  2009-02-01 18:23:14

Przed: 1 459 900 416 bajtów wolnych
Po: 1,990,152,192 bajtów wolnych

279



[wojtas]

1. Ściągnij OTMoveIt i go włacz i odpal go z opcji CleanUp oraz skasuj folder C:\Qoobox
2. wykonaj optymalizację windowsa
3.sciagnij ATF_Cleaner
zaznacz
Windows Temp
All users Temp
Temporary internet files
Recycle Bin
i wcisnij EMPTY SELECTED
4.Wyłącz przywracanie systemu ( właściwości mój komputer-zakładka przywracanie - wyłącz przywracanie na wszystkich dyskach). Po chwili włącz je powrotem
5. Wykonaj skan Dr. Web CureIt
6. Przeskanuj obszar mojego komputera http://www.kaspersky.pl/virusscanner.html (uruchom przez IE) Daj raport z niego na forum.

i tym:

FixIEDef.