Please analyse my log, I can't sort this out

Hi, yesterday something installed itself on my machine and I can't remove it. I've read the forum a bit, but I can't get rid of it even manually. A browser window opens with an ad from http://www.searc-h.com followed by some link or other. This also pops up: http://www.super-coupon.com/normal/yyy102.html. I also often get an ad (quite a pretty one, by the way) that isn't in any window; it's sort of transparent and takes various shapes. I don't know how to describe it, but it doesn't pop up in the browser. To close it you have to look closely at the picture in the ad and find the close button. Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:15:19, on 2005-11-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
c:\usr\MYSQL\bin\mysqld.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Portrait Displays\MagicTune\DTHtml.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Tibia\Tibia Black Ice v0.1.exe
C:\Program Files\Tibia\Tibia.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\mentosik\USTAWI~1\Temp\Rar$EX71.890\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.62.106:80
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: MagicTune.lnk = C:\Program Files\Portrait Displays\MagicTune\DTHtml.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Utwórz Ulubione dla urządzenia przenośnego - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119473669214
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1BB1510-EDEB-4930-8031-252CFF05C1FE}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\m0pola731d.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Replies: 4

Right, so: the earlier steps didn't remove everything :/ here's the Silent Runners log
"Silent Runners.vbs", revision 41, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Gadu-Gadu" = ""C:\Program Files\Gadu-Gadu\gg.exe" /tray" ["sms-express.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"WOOWATCH" = "C:\PROGRA~1\Wanadoo\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "C:\PROGRA~1\Wanadoo\TaskbarIcon.exe" ["France Télécom R&D"]
"nForce Tray Options" = "sstray.exe /r" ["NVIDIA Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]
"SpeedTouch USB Diagnostics" = ""C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon" ["THOMSON multimedia"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"MSConfig" = "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{8F7261D0-D2B9-11D2-9909-00605205B24C}" = "CuteFTP Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GLOBAL~1\CuteFTP\CuteShell.dll" [empty string]
"{F802F260-519B-11D1-BB5D-0060974C6013}" = "ICQ Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{654D0431-C930-43C4-B8DA-9AA01BA5B486}" = "PDI GUI Engine COM Obj"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Portrait Displays\MagicTune\HtmlEngine.dll" ["Portrait Displays, Inc"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc7}" = "Shell Context Menu Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{29e3fb5b-cf62-45b5-b8bf-1ad500385fc6}" = "Shell Context Menu Handler for Application Manifests"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{4CCEFB41-18FA-11D3-9EF3-00A0C9E897FD}" = "Skladnik rozszerzenia powloki CorelDRAW"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Corel\Corel Graphics 11\DRAW\CDRVIEWER\CrlShell110.dll" [null data]
"{955CCAF8-DC2A-4292-9D64-A76BC752ABAD}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\cYbview.dll" [null data]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{F879E3EB-2542-45D4-A237-85E45161BBB0}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\FH20.DLL" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! RunServices\DLLName = "C:\WINDOWS\system32\lvr6099se.dll" [null data]
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GLOBAL~1\CuteFTP\CuteShell.dll" [empty string]
EncodeDivXExt\(Default) = "{E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll" [file not found]
ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\GLOBAL~1\CuteFTP\CuteShell.dll" [empty string]
ICQMenu\(Default) = "{f802f260-519b-11d1-bb5d-0060974c6013}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQ\ICQShExt.dll" ["ICQ"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
FineReader\(Default) = "{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F}"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll" ["ABBYY (BIT Software)"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
"NoActiveDesktop"=dword:00000001
[disables Active Desktop; removes Web tab from Display Properties|
Desktop (tab)|Customize Desktop... (button)|Desktop Items (window)]
{User Configuration|Administrative Templates|Desktop|Active Desktop|
Disable Active Desktop}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Disable changing home page settings}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop disabled via Group Policy.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\mentosik\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "mentosik" & "All Users" startup folders:
----------------------------------------------------------

C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
"MagicTune" -> shortcut to: "C:\Program Files\Portrait Displays\MagicTune\DTHtml.exe -startup_folder" ["Portrait Displays, Inc"]
"NaturalColorLoad" -> shortcut to: "C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe" [empty string]
"Service Manager" -> shortcut to: "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe /n" [MS]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
C:\Program Files\NetLimiter\nl_lsp.dll [null data], 01 - 05, 11
%SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Utwórz Ulubione dla urządzenia przenośnego"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Utwórz Ulubione dla urządzenia przenośnego..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]

{6224F700-CBA3-4071-B251-47CB894244CD}\
"ButtonText" = "ICQ Pro"
"MenuText" = "ICQ"
"Exec" = "C:\PROGRA~1\ICQ\ICQ.exe" [file not found]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apache2, Apache2, ""C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice" ["Apache Software Foundation"]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" [null data]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
Diskeeper, Diskeeper, ""C:\Program Files\Executive Software\Diskeeper\DkService.exe"" ["Executive Software International, Inc."]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
MSSQLSERVER, MSSQLSERVER, "C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe" [MS]
MySql, MySql, "c:\usr/MYSQL/bin/mysqld.exe" [null data]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
Portrait Displays Display Tune Service, DTSRVC, "C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe" [null data]
SAVScan, SAVScan, ""C:\Program Files\Norton AntiVirus\SAVScan.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, ""C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"" ["Symantec Corporation"]
Usługa Auto Protect programu Norton AntiVirus, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
VMware Authorization Service, VMAuthdService, "C:\Program Files\VMware\VMware Player\vmware-authd.exe" ["VMware, Inc."]
VMware DHCP Service, VMnetDHCP, "C:\WINDOWS\system32\vmnetdhcp.exe" ["VMware, Inc."]
VMware NAT Service, VMware NAT Service, "C:\WINDOWS\system32\vmnat.exe" ["VMware, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 88 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 52 seconds.
---------- (total run time: 268 seconds)


and here's the HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 17:36:31, on 2005-11-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
c:\usr\MYSQL\bin\mysqld.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Portrait Displays\MagicTune\DTHtml.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Tibia\Tibia Black Ice v0.1.exe
C:\Program Files\Tibia\Tibia.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\WScript.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\mentosik\USTAWI~1\Temp\Rar$EX00.031\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.62.106:80
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - Global Startup: MagicTune.lnk = C:\Program Files\Portrait Displays\MagicTune\DTHtml.exe
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Utwórz Ulubione dla urządzenia przenośnego - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Utwórz Ulubione dla urządzenia przenośnego... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119473669214
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.com.pl/SkanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1BB1510-EDEB-4930-8031-252CFF05C1FE}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: RunServices - C:\WINDOWS\system32\lvr6099se.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\MagicTune\dtsrvc.exe
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: Usługa Auto Protect programu Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

that svchost really is missing

EDIT:
I used System Restore, picked a date from before the infection, and everything is OK now. Thanks for the help
mentosik
Posted
21.11.2005 18:34:24
Post a new HijackThis log and a Silent Runners log
Żółty
Posted
21.11.2005 18:13:42
Unfortunately it didn't help :/ the computer is so sluggish that I practically can't do anything. The popups appear every minute and I can't do anything about them

edit:

the ads look more or less like the one in the attachment
mentosik
Posted
21.11.2005 18:11:16
Remove this entry, and delete the file from disk:

O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll


Remove the second O20 using http://forum.centrumxp.pl/viewtopic.php?t=43523

Did you set the proxy yourself?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.62.106:80
If not, fix that too.


O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Check whether the file really is missing and remove the service; you'll find how to remove services in the archive.

PS. Have you considered cleaning out your startup items (the TPSA access application, for one) and switching some of the services launched at system start to manual startup?

Update:
One more thing:
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
- that's Spyware Doctor; browse the forum and read what people wiser than me have written about it.
Żółty
Posted
21.11.2005 13:37:52
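An added triage script, not part of the thread or of HijackThis, that encodes the three checks Żółty applies above: the R1 proxy entry, the O20 Winlogon Notify DLLs, and the O23 service whose binary is missing. It runs over a constructed subset of the log lines; the "digits inside the name" heuristic for O20 DLLs is my own assumption, not a HijackThis rule.

```python
import ipaddress
import re

# Constructed sample input: a few lines copied in HijackThis 1.99.1 format from the log
# in this thread (the real log also has dozens of benign O4/O9/O23 entries).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.62.106:80
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\m0pola731d.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows Smrss Service - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""

# Every HijackThis finding line starts with its section code, e.g. "R1 - ...", "O23 - ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
SYSTEM32 = r"c:\windows\system32"


def parse_entries(log_text):
    """Yield (kind, body) for each section line; the process list and header are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("kind"), m.group("body")


def check_proxy(body):
    """R1: HijackThis lists ProxyServer only when one is set, so any hit deserves a question."""
    m = re.search(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?", body)
    if not m:
        return None
    reason = "IE proxy configured; confirm the user set it"
    try:
        if ipaddress.ip_address(m.group("host")).is_global:
            reason += " (public address: all web traffic would be relayed through it)"
    except ValueError:
        pass  # a hostname rather than an IP literal
    return reason


def check_winlogon_notify(body):
    """O20: a Winlogon Notify DLL is loaded into winlogon.exe at every logon."""
    m = re.match(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$", body)
    if not m:
        return None
    stem = m.group("path").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reason = "Winlogon Notify DLL runs inside winlogon.exe; verify its publisher"
    # Assumed heuristic: digits in the middle of the name (m0pola731d, lvr6099se) look
    # machine-generated, while a trailing number (nvsvc32, rundll32) is common in real names.
    if re.search(r"\d[a-z]", stem, re.I):
        reason += "; digits inside the file name look machine-generated"
    return reason


def check_service(body):
    """O23: flag services whose binary is gone or which imitate svchost.exe from the wrong folder."""
    m = re.match(r"Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$", body)
    if not m:
        return None
    reasons = []
    path = m.group("path")
    if path.endswith("(file missing)"):
        reasons.append("service binary missing on disk; orphaned entry or deleted malware")
    exe = path.replace("(file missing)", "").strip().strip('"').lower()
    if exe.rsplit("\\", 1)[-1] == "svchost.exe" and not exe.startswith(SYSTEM32 + "\\"):
        reasons.append("svchost.exe outside %SystemRoot%\\system32 imitates the real host process")
    if reasons and m.group("owner") == "Unknown owner":
        reasons.append("no publisher recorded")
    return "; ".join(reasons) or None


CHECKS = {"R1": check_proxy, "O20": check_winlogon_notify, "O23": check_service}


def triage(log_text):
    """Return a list of {'kind', 'entry', 'reason'} for every entry a check flags."""
    findings = []
    for kind, body in parse_entries(log_text):
        check = CHECKS.get(kind)
        reason = check(body) if check else None
        if reason:
            findings.append({"kind": kind, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['entry']}\n    -> {f['reason']}")
```

Every flagged entry still needs a human decision (the proxy may be legitimate, for instance); the script only narrows a 100-line log to the handful of lines worth asking about.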
mentosik
Posted:
21.11.2005 13:12:57