PLEASE CHECK MY LOG PLZ !!!
When I start Windows and connect to Neostrada, some web pages open by themselves!!! Even when I'm not browsing the internet, e.g. playing a game, they still open on their own regardless of what I'm doing. I don't know what's going on; I'm attaching logs from HijackThis and Silent Runners.
========HijackThis log:======================
Logfile of HijackThis v1.99.1
Scan saved at 18:31:37, on 2006-03-14
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\QW5vbnltb3Vz\command.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
c:\usr\MYSQL\bin\mysqld.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\Program Files\Network Monitor\netmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
D:\PROGRA~1\NEOSTR~1\CnxMon.exe
D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\NEOSTR~1\NeostradaTP.exe
D:\PROGRA~1\NEOSTR~1\ComComp.exe
D:\PROGRA~1\NEOSTR~1\Watch.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Valve\Steam\Steam.exe
D:\WINDOWS\Regedit.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\xxx.KOMPUTER1.001\Pulpit\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada TP
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL
O4 - HKLM\..\Run: [KAVPersonal50] D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
O4 - HKLM\..\Run: [WooCnxMon] D:\PROGRA~1\NEOSTR~1\CnxMon.exe
O4 - HKLM\..\Run: [WOOWATCH] D:\PROGRA~1\NEOSTR~1\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mmuz] D:\PROGRA~1\COMMON~1\mmuz\mmuzm.exe
O4 - Global Startup: DSLMON.lnk = D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c569.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://komputer1/tsweb/msrdp.cab
O16 - DPF: {FDDBE2B8-6602-4AD8-946D-94C5A32FA6C1} (GameDesire Pool 8) - http://67.15.101.3/g_bin/pl/billard8_2_0_0_24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DF2C0BD-BB79-457F-A72A-833F58A04FA0}: NameServer = 194.204.159.1,194.204.152.34
O17 - HKLM\System\CCS\Services\Tcpip\..\{5F6B84AB-6E3D-4EF0-ABE7-568FEBEAFD88}: NameServer = 194.204.152.34 217.98.63.164
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\j6j60g1se6.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\QW5vbnltb3Vz\command.exe
O23 - Service: kavsvc - Kaspersky Labs - D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MySql - Unknown owner - c:\usr/MYSQL/bin/mysqld.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe
------------------------------------
And here is the Silent Runners log:
"Silent Runners.vbs", revision 44, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "D:\WINDOWS\system32\ctfmon.exe" [MS]
"(Default)" = (empty string)
"Steam" = (empty string)
"mmuz" = "D:\PROGRA~1\COMMON~1\mmuz\mmuzm.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"KAVPersonal50" = "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize" ["Kaspersky Labs"]
"WooCnxMon" = "D:\PROGRA~1\NEOSTR~1\CnxMon.exe" [empty string]
"WOOWATCH" = "D:\PROGRA~1\NEOSTR~1\Watch.exe" ["France Télécom R&D"]
"WOOTASKBARICON" = "D:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe" ["France Télécom R&D"]
"WinampAgent" = "D:\Program Files\Winamp\winampa.exe" [null data]
"KernelFaultCheck" = "D:\WINDOWS\system32\dumprep 0 -k" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania"
-> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "D:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Rozszerzenie ikon plików programu Outlook"
\InProcServer32\(Default) = "D:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Uniwersalne urządzenia Plug and Play"
-> {HKLM...CLSID} = "Uniwersalne urządzenia Plug and Play"
\InProcServer32\(Default) = "D:\WINDOWS\system32\upnpui.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {HKLM...CLSID} = "Portable Media Devices"
\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "D:\WINDOWS\system32\Audiodev.dll" [MS]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "D:\WINDOWS\system32\browseui.dll" [MS]
"{84BBC893-1010-43EF-BF52-E8E6D3C3B27E}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\WINDOWS\system32\jicript.dll" [null data]
"{B1A007AA-653D-4578-AD26-B24C1E48F1FA}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "D:\WINDOWS\system32\twpelib.dll" [null data]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! WindowsUpdate\DLLName = "D:\WINDOWS\system32\j6j60g1se6.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Library\(Default) = "{54F51408-DD44-4a12-82EF-519AD2A80DE9}"
-> {HKLM...CLSID} = "Media Library Shell Extension"
\InProcServer32\(Default) = "D:\Program Files\ATI Multimedia\mlibrary\MLShell.dll" ["ATI Technologies Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\WINDOWS\system32\config\systemprofile\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp"
Active Desktop web content:
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "D:\WINDOWS\system32\ad.html"
"SubscribedURL" = ""
Startup items in "xxx" & "All Users" startup folders:
-----------------------------------------------------
D:\Documents and Settings\All Users.WINDOWS\Menu Start\Programy\Autostart
"DSLMON" -> shortcut to: "D:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe /W" [empty string]
"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{08C06D61-F1F3-4799-86F8-BE1A89362C85}" = (no title provided)
-> {HKLM...CLSID} = "Search Class"
\InProcServer32\(Default) = "D:\PROGRA~1\NEOSTR~1\SEARCH~1.DLL" [empty string]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "D:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Command Service, cmdService, "D:\WINDOWS\QW5vbnltb3Vz\command.exe" [null data]
kavsvc, kavsvc, "D:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe" ["Kaspersky Labs"]
MySql, MySql, "c:\usr/MYSQL/bin/mysqld.exe" [null data]
Network Monitor, Network Monitor, "D:\Program Files\Network Monitor\netmon.exe service" [null data]
Windows User Mode Driver Framework, UMWdf, "D:\WINDOWS\system32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 30 seconds, including 4 seconds for message boxes)
PLEASE HELP QUICKLY
Replies: 1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c569.cab
Delete these entries in HijackThis with System Restore turned off.
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\QW5vbnltb3Vz\command.exe
O23 - Service: Network Monitor - Unknown owner - D:\Program Files\Network Monitor\netmon.exe
Start => Run => type services.msc => stop and disable the services Command Service and Network Monitor. Delete the files marked in red from the disk manually. Then launch HijackThis => Misc Tools => Delete NT service => and paste
cmdService, click OK and restart the computer.
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\j6j60g1se6.dll
Use Look2Me-Destroyer; you will find the info here: http://forum.centrumxp.pl/viewtopic.php?t=43523
As for Silent Runners:
Open Notepad and paste this into it:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mmuz"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"=-
"SubscribedURL"=-
"FriendlyName"=-
File >>> Save As >>> change the file type from TXT to All Files >>> save it under the name FIX.REG >>> double-click the created file and confirm >>> restart the computer
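As an added example, not part of this thread or of HijackThis, a small Python triage that applies the same reasoning the answer used to pick its entries: it flags IE search settings that point at an untrusted host, autostart entries with no path (like the bare winlog.exe), ActiveX downloads from untrusted hosts, Winlogon Notify DLLs with generated-looking names and services with no vendor. The trusted-host list and the name heuristic are assumptions; the sample lines are copied from the HijackThis log above.

```python
import re
from urllib.parse import urlparse
# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.onet.pl/
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c569.cab
O20 - Winlogon Notify: WindowsUpdate - D:\WINDOWS\system32\j6j60g1se6.dll
O23 - Service: Command Service (cmdService) - Unknown owner - D:\WINDOWS\QW5vbnltb3Vz\command.exe
O23 - Service: kavsvc - Kaspersky Labs - D:\Program Files\Kaspersky Lab\kavsvc.exe
"""

# Hosts accepted for search settings and ActiveX downloads (an assumption made for this example).
TRUSTED_HOSTS = ("microsoft.com", "msn.com", "windowsupdate.com")

def _host_trusted(url):
    host = urlparse(url.strip()).hostname or ""
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)

def triage_line(line):
    # Returns a reason string when the line deserves a closer look, else None.
    m = re.match(r"^(R[0-3]|O\d+) - (.*)$", line.strip())
    if not m:
        return None
    code, body = m.groups()
    if code in ("R0", "R1"):  # IE start/search settings: "key,value = url"
        setting, _, value = body.partition(" = ")
        if "Search" in setting and value and not _host_trusted(value):
            return "search setting points to an untrusted host"
    elif code == "O4":  # autostart entries: "[name] command"
        cmd = body.split("] ", 1)[-1]
        if "\\" not in cmd and ":" not in cmd:
            return "autostart entry has no path, so the binary cannot be located or verified"
    elif code == "O16":  # ActiveX downloads: "... - url"
        if not _host_trusted(body.rsplit(" - ", 1)[-1]):
            return "ActiveX download from an untrusted host"
    elif code == "O20":  # Winlogon Notify DLLs: names like j6j60g1se6.dll look generated
        dll = body.rsplit("\\", 1)[-1].lower()
        if len(re.findall(r"\d", dll)) >= 3 and re.search(r"[a-z]\d|\d[a-z]", dll):
            return "Winlogon Notify DLL with a random-looking name"
    elif code == "O23" and "Unknown owner" in body:
        return "service binary carries no vendor information"
    return None

def triage(log_text):
    # (code, reason, line) for every line that deserves a closer look
    hits = [(ln.strip(), triage_line(ln)) for ln in log_text.splitlines()]
    return [(ln.split(" - ")[0], why, ln) for ln, why in hits if why]
```

Run on the sample it flags five of the eight lines and leaves the Onet start page, Winamp and Kaspersky entries alone; a hit is a reason to verify the file, not proof of infection.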