problems with dns-trojan
mavplz
16 Jun 2008, 3:44pm
My problem started a few days ago. I have WinXP SP2 and an ADSL internet connection. I've never had any problems with it, but now, when I try to connect to the Internet, there is a message like "cannot establish connection" (I have a Polish OS so I'm just translating... in reality it may be a bit different, but I hope you know what I mean). So to connect I have to restart the computer a few times, and it is the only way to make the connection work. I did a scan with the newest Ad-Aware, Spyware Doctor and HijackThis. Ad-Aware found nothing. Spyware Doctor found a few infections and deleted them. HijackThis also found a few dangerous logs, and deleted them too. But the problem is it didn't solve the problem. Every time I connect to the internet, restart the computer and make a new scan, there is the same situation: identical infections appear again. In HijackThis there are two logs I can't delete:
1) R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
2) O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
The same situation is in Spyware Doctor. It finds the following infections all the time:
1) Application.NirCmd
2) Trojan.DNS-Changer
3) Trojan-Downloader.Popuper
I can delete them many times but they will appear again.
I looked for some info about DNS-Changers and I found out it redirects some porn *tube-like sites to others. I tried to enter redtube, porntube and it truly redirects me to other addresses: http://216.255.178.179/ or some fake antivirus sites (like http://virus-scanonline.com).
Moreover, I switched on the real-time protection of Spyware Doctor and when I try to connect to the internet, it blocks the connection and shows information that my internet connection is a Trojan Downloader. I also tried doing a system restore but it didn't help.
I completely don't know what to do... Any ideas? THX in advance!
Here is my Hijack log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09, on 2008-06-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtnn.exe] C:\WINDOWS\system32\kdtnn.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
Thomas
18 Jun 2008, 3:48am
Welcome to Icrontic mavplz,
Sounds like an active DNS hijacker there, and the infection is showing in this log file. Let's get a more detailed look and then start some repairs.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.
Download Deckard's System Scanner (http://www.techsupportforum.com/sectools/Deckard/dss.exe) (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens, click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, under Main Log, uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Options, place a check next to the following:
Backup Registry Hives
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Taskbar. Maximize/open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder.)
-------------------------------------
Also download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)
Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply (usually at C:\rapport.txt).
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.
NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.
You can use extra posts here if needed for that.
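The O17 NameServer and R1 ProxyServer entries that keep coming back in the log above are the two settings a DNS changer rewrites, which is what Thomas is reading as "an active DNS hijacker". The following is an added example, not code from the thread or from any of the tools named in it: a small Python audit that parses HijackThis entry lines (including the `backup-...` prefixed lines that Deckard's System Scanner prints under "HijackThis Fixed Entries"), flags nameservers outside a trusted set and any unexpected proxy, and counts how often the same entry was re-fixed. The sample lines are constructed from the entries quoted in the thread, and the trusted resolver 192.0.2.53 is a placeholder.

```python
"""Audit a HijackThis log for DNS-changer indicators (added example)."""
import re
from ipaddress import ip_address

# Constructed sample in the shape of the thread's HijackThis log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample in the shape of the "HijackThis Fixed Entries" list that
# Deckard's System Scanner prints: the same entries fixed again and again.
SAMPLE_BACKUPS = r"""
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
"""

# One HJT entry line: optional DSS backup prefix, section code, then the body.
ENTRY_RE = re.compile(r"^(?:backup-\d{8}-\d{6}-\d+\s+)?([RO]\d+) - (.*)$")
NAMESERVER_RE = re.compile(r"^(?P<key>.+?): NameServer = (?P<servers>.+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)")


def parse_entries(text):
    """Yield (section, body) for every HJT entry line in the text."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def nameservers(text):
    """Map each O17 interface key to the DNS servers it names.

    HJT separates the servers with spaces or commas (both forms appear in
    the thread's logs), so split on either.
    """
    result = {}
    for section, body in parse_entries(text):
        m = NAMESERVER_RE.match(body) if section == "O17" else None
        if m:
            result[m.group("key")] = re.split(r"[ ,]+", m.group("servers").strip())
    return result


def proxies(text):
    """Return every proxy string set by an R1 ProxyServer entry."""
    found = []
    for section, body in parse_entries(text):
        m = PROXY_RE.search(body) if section == "R1" else None
        if m:
            found.append(m.group("proxy"))
    return found


def audit(text, trusted_dns, expect_proxy=False):
    """Return (kind, where, value) findings for every nameserver outside
    trusted_dns and, unless a proxy is expected, for any ProxyServer value."""
    trusted = {ip_address(ip) for ip in trusted_dns}
    findings = []
    for key, servers in nameservers(text).items():
        for server in servers:
            try:
                if ip_address(server) not in trusted:
                    findings.append(("rogue-nameserver", key, server))
            except ValueError:
                findings.append(("unparsable-nameserver", key, server))
    if not expect_proxy:
        for proxy in proxies(text):
            findings.append(("unexpected-proxy", "HKCU Internet Settings", proxy))
    return findings


def repeat_fixes(backup_text):
    """Count entries that appear more than once in the DSS 'Fixed Entries'
    list: the same value fixed repeatedly means something writes it back."""
    counts = {}
    for entry in parse_entries(backup_text):
        counts[entry] = counts.get(entry, 0) + 1
    return {entry: n for entry, n in counts.items() if n > 1}


if __name__ == "__main__":
    # 192.0.2.53 is a placeholder; use the ISP's or the router's resolvers.
    for finding in audit(SAMPLE_LOG, trusted_dns=["192.0.2.53"]):
        print(finding)
    for (section, body), n in repeat_fixes(SAMPLE_BACKUPS).items():
        print(f"fixed {n}x: {section} - {body[:50]}...")
```

Run against a real log, a nameserver outside the trusted set on any interface GUID, or a proxy the user never configured, is the thing to look at first; a count above one in the fixed-entries list confirms that removing the value without removing what writes it is not going to hold.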
mavplz
18 Jun 2008, 12:22pm
Thank you for the reply!
Here are my logs:
Dss main:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-18 13:12:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Backed up registry hives.
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:12, on 2008-06-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtnn.exe] C:\WINDOWS\system32\kdtnn.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 6186 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #3
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Service: NVENETFD
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: BQ9305P PKA211J SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Service: cdrom
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: NERO IMAGEDRIVE2 SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Service: cdrom
-- Files created between 2008-05-18 and 2008-06-18 -----------------------------
2008-06-17 12:43:35 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-17 12:22:11 0 d-------- C:\Program Files\a-squared Anti-Malware
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:58 0 d-------- C:\Program Files\Spyware Doctor
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-16 12:29:27 0 d-------- C:\Program Files\Enigma Software Group
2008-06-15 21:02:00 0 d-------- C:\Program Files\Exterminate It!
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 15:55:43 0 d-------- C:\Program Files\Lavasoft
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
2008-06-07 19:11:28 0 d-------- C:\Program Files\uTorrent
2008-05-23 18:00:33 0 d-------- C:\Program Files\Microsoft Bootvis
2008-05-23 17:52:31 0 d-------- C:\Program Files\SiSoftware
2008-05-22 21:10:50 0 d-------- C:\WINDOWS\system32\oodag
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 20:09:19 0 d-------- C:\Program Files\CCleaner
2008-05-22 17:28:17 0 d--h----- C:\ckis
2008-05-22 16:35:50 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-22 16:35:50 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-22 16:35:16 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-22 16:35:14 300576 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-22 16:35:14 8529952 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-22 16:34:17 0 d-------- C:\kav
2008-05-21 23:41:44 0 d-------- C:\Program Files\kmp
2008-05-21 22:48:37 0 d-------- C:\WINDOWS\nvidia icons
2008-05-21 21:58:05 0 d-------- C:\Program Files\CD Catalog Expert
-- Find3M Report ---------------------------------------------------------------
2008-06-17 12:43:35 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
2008-06-17 12:43:22 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-16 12:42:58 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\PC Tools
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
2008-04-30 18:05:08 0 d-------- C:\Program Files\Electronic Arts
2008-04-30 17:59:37 0 d-------- C:\Program Files\Easy CD-DA Extractor 11
2008-04-19 19:13:03 0 d-------- C:\Program Files\Audacity
2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"C:\WINDOWS\system32\kdtnn.exe"="C:\WINDOWS\system32\kdtnn.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"WMI Standard Event Consumer - Scripting"= C:\WINDOWS\system32\wbem\scrcons32.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-18 13:13:45 ------------
mavplz
18 Jun 2008, 12:22pm
Dss extra:
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------
-- System Information ----------------------------------------------------------
Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Polish
CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
CPU 1: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Percentage of Memory in Use: 17%
Physical Memory (total/avail): 2047.48 MiB / 1696.34 MiB
Pagefile Memory (total/avail): 3939.66 MiB / 3740.3 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.43 MiB
C: is Fixed (NTFS) - 232.88 GiB total, 72.09 GiB free.
D: is CDROM (No Media)
E: is Fixed (NTFS) - 37.27 GiB total, 22.15 GiB free.
F: is CDROM (No Media)
\\.\PHYSICALDRIVE0 - ST3250620AS - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Instalowalny system plików - 232.88 GiB - C:
\\.\PHYSICALDRIVE1 - ST340810A - 37.27 GiB - 1 partition
\PARTITION0 - Instalowalny system plików - 37.27 GiB - E:
-- Security Center -------------------------------------------------------------
AUOptions is disabled.
-- Environment Variables -------------------------------------------------------
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Dane aplikacji
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=Z
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\Z
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Avid;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\PROGRA~1\thriXXX\3D SexVilla;C:\Program Files\ZipGenius 6
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=4b02
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
USERDOMAIN=Z
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI
-- User Profiles ---------------------------------------------------------------
Administrator (admin)
-- Add/Remove Programs ---------------------------------------------------------
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> MsiExec /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Anti-Malware 3.5 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Ad Muncher --> C:\Program Files\Ad Muncher\uninst.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
AGEIA PhysX v7.07.09 --> MsiExec.exe /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
Aktualizacja dla systemu Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB896256) --> "C:\WINDOWS\$NtUninstallKB896256$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Aktualizacja dla systemu Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla systemu Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Aktualizacja zabezpieczeń dla Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
Archiwizator WinRAR --> C:\Program Files\WinRAR\uninstall.exe
Assassin's Creed --> C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0015 -removeonly
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
AutoConnect v0.1.3.1 --> C:\Program Files\AutoConnect\uninst.exe
BearShare --> C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
BitSpirit v3.2.2.215 Stable --> "C:\Program Files\BitSpirit\unins000.exe"
Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch --> C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch --> C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CD Catalog Expert 9.2.7.515 --> "C:\Program Files\CD Catalog Expert\unins000.exe"
Condition Zero --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/80
Condition Zero Deleted Scenes --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/100
Counter-Strike --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/10
Counter-Strike 1.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9ABFB92D-93DA-49EE-8ABF-F8195DE45CA9}\Setup.exe" -l0x19
Counter-Strike(TM) --> MsiExec.exe /I{DF5A03CC-D5AA-43D8-B948-D9903F2AF94A}
Day of Defeat --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/30
DC++ 0.699 --> "C:\Program Files\DC++\uninstall.exe"
Deathmatch Classic --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/40
Dedicated Server --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/5
Dziobas Rar Player 0.007PL --> "C:\Program Files\Dziobas Rar Player\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Exterminate It! --> C:\Program Files\Exterminate It!\ExterminateIt_Uninst.exe
ffdshow [rev 1900] [2008-03-15] --> "C:\Program Files\Film\unins000.exe"
Firebird SQL Server - MAGIX Edition 2.0.0.1 (US) --> C:\Program Files\MAGIX\Common\Database\uninstall.exe
Free Download Manager 2.5 --> "C:\Program Files\Free Download Manager\unins000.exe"
Gadu-Gadu 7.7 --> C:\Program Files\Gadu-Gadu\Setup.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
MAGIX Movie Edit Pro 12 e-version 6.5.4.2 (US) --> C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\instslct.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medieval CUE Splitter --> MsiExec.exe /I{E9A5B341-167D-4042-8854-46F671F94049}
Medieval II Total War --> C:\Program Files\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Americas --> C:\Program Files\InstallShield Installation Information\{75983B66-804C-40D1-BA13-64DAF652A6F1}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Britannia --> C:\Program Files\InstallShield Installation Information\{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Crusades --> C:\Program Files\InstallShield Installation Information\{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}\setup.exe -runfromtemp -l0x0009 -removeonly
Medieval II Total War : Kingdoms : Teutonic --> C:\Program Files\InstallShield Installation Information\{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Access MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0015-0415-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0016-0415-0000-0000000FF1CE}
Microsoft Office Groove MUI (Polish) 2007 --> MsiExec.exe /X{90120000-00BA-0415-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0044-0415-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Polish) 2007 --> MsiExec.exe /X{90120000-00A1-0415-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Polish) 2007 --> MsiExec.exe /X{90120000-001A-0415-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0018-0415-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (German) 2007 --> MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
Microsoft Office Proof (Polish) 2007 --> MsiExec.exe /X{90120000-001F-0415-0000-0000000FF1CE}
Microsoft Office Proofing (Polish) 2007 --> MsiExec.exe /X{90120000-002C-0415-0000-0000000FF1CE}
Microsoft Office Publisher MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0019-0415-0000-0000000FF1CE}
Microsoft Office Shared MUI (Polish) 2007 --> MsiExec.exe /X{90120000-006E-0415-0000-0000000FF1CE}
Microsoft Office Word MUI (Polish) 2007 --> MsiExec.exe /X{90120000-001B-0415-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
Nero 7 Ultra Edition --> MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31045}
NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
O&O Defrag Professional Edition --> MsiExec.exe /I{53480330-E1D1-41CA-B8F8-7F78644F7F50}
Poprawka dla systemu Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Poprawka systemu Windows XP - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Poprawka systemu Windows XP - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Poprawka systemu Windows XP - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Poprawka systemu Windows XP - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Poprawka systemu Windows XP - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Poprawka systemu Windows XP - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Poprawka systemu Windows XP - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Poprawka systemu Windows XP - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
Professional Registry Doctor v6.2.3.3 --> "C:\Program Files\Professional Registry Doctor\unins000.exe"
ProXmedia - Edytor Zdjęć --> MsiExec.exe /I{C18B4F4F-9C7D-45A8-A1EE-AAB1A4ADE4C2}
PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x15 -removeonly
Ricochet --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/60
RocketDock 1.3.5 --> "C:\Program Files\RocketDock\unins000.exe"
SAGEM F@st 800-840 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Steam(TM) --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Presentation Foundation Language Pack (PLK) --> MsiExec.exe /X{2D43FD89-B225-4334-B4AA-0983400BE61B}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
Windows Workflow Foundation PL Language Pack --> MsiExec.exe /I{DB76863D-D4D9-4AB3-AFDC-26717BA1E11C}
Xilisoft DVD Ripper Platinum 4 --> C:\Program Files\Xilisoft\DVD Ripper Platinum 4\Uninstall.exe
XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
Your Uninstaller! 2008 Version 6.0 --> "C:\Program Files\Your Uninstaller 2008\unins000.exe"
-- Application Event Log -------------------------------------------------------
Event Record #/Type3198 / Error
Event Submitted/Written: 06/18/2008 01:13:27 PM
Event ID/Source: 11 / crypt32
Event Description:
Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.
Event Record #/Type3195 / Error
Event Submitted/Written: 06/18/2008 01:13:25 PM
Event ID/Source: 11 / crypt32
Event Description:
Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.
Event Record #/Type3194 / Error
Event Submitted/Written: 06/18/2008 01:13:24 PM
Event ID/Source: 11 / crypt32
Event Description:
Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.
Event Record #/Type3191 / Error
Event Submitted/Written: 06/18/2008 01:13:23 PM
Event ID/Source: 11 / crypt32
Event Description:
Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.
Event Record #/Type3190 / Error
Event Submitted/Written: 06/18/2008 01:13:23 PM
Event ID/Source: 11 / crypt32
Event Description:
Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.
-- Security Event Log ----------------------------------------------------------
No Errors/Warnings found.
-- System Event Log ------------------------------------------------------------
Event Record #/Type8200 / Error
Event Submitted/Written: 06/18/2008 01:07:00 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
Usługa PnkBstrA niespodziewanie zakończyła pracę. Wystąpiło to razy: 1.
Event Record #/Type8198 / Error
Event Submitted/Written: 06/18/2008 01:06:57 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
Usługa a-squared Anti-Malware Service niespodziewanie zakończyła pracę. Wystąpiło to razy: 1. W przeciągu 0 milisekund zostanie podjęta następująca czynność korekcyjna: Uruchom usługę ponownie.
Event Record #/Type8197 / Error
Event Submitted/Written: 06/18/2008 01:06:55 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
Usługa Lavasoft Ad-Aware Service niespodziewanie zakończyła pracę. Wystąpiło to razy: 2. W przeciągu 10000 milisekund zostanie podjęta następująca czynność korekcyjna: Uruchom usługę ponownie.
Event Record #/Type8196 / Error
Event Submitted/Written: 06/18/2008 01:06:51 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
Usługa NVIDIA Display Driver Service niespodziewanie zakończyła pracę. Wystąpiło to razy: 1.
Event Record #/Type8194 / Error
Event Submitted/Written: 06/18/2008 01:06:34 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
Usługa Usługa bramy warstwy aplikacji niespodziewanie zakończyła pracę. Wystąpiło to razy: 1.
-- End of Deckard's System Scanner: finished at 2008-06-18 13:13:45 ------------
There is some text in Polish here; if you think it is important, let me know and I will translate it.
mavplz
18 Jun 2008, 12:23pm
SmitFraudFix v2.326
Scan done at 13:15:57.00, 2008-06-18
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\Ulubione
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Moja bieľĄca strona gˆ˘wna"
»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!
IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!
VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!
404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"system"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Your computer may be victim of a DNS Hijack: 85.255.x.x detected !
Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 85.255.113.78
DNS Server Search Order: 85.255.112.36
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer=85.255.113.78 85.255.112.36
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
I am waiting for the next instructions!
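As an added example (not code from this thread, from SmitFraudFix, from DSS or from any other tool quoted above): the SmitFraudFix DNS section and the DSS MountPoints2 entries posted above are both plain text, so a defender can triage them mechanically. The script below parses lines in those two layouts, flags resolver addresses in the 85.255.x.x range that SmitFraudFix reports as a DNS hijack, and flags MountPoints2 entries whose open verb runs rundll32 against a DLL by relative path from a removable drive root, the pattern shown in the DSS log. The rogue prefix list, the sample log (lifted from the posts above plus one constructed benign CD-ROM entry with an all-zero GUID) and all function names are assumptions of this example.

```python
"""Triage DNS-hijack and removable-drive autorun indicators in scanner output.

Added example for this thread; it is not part of DSS, SmitFraudFix or HijackThis.
"""
import re
from dataclasses import dataclass

# Prefix SmitFraudFix reports above as a DNS hijack (85.255.x.x). This is the
# thread's indicator only, not a complete blocklist; the real test is whether
# the resolver is one the ISP or the user actually configured.
ROGUE_DNS_PREFIXES = ("85.255.",)

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Lines carrying resolver settings: registry NameServer/DhcpNameServer values
# and SmitFraudFix's "DNS Server Search Order" lines.
DNS_LINE_RE = re.compile(r"(DNS Server Search Order|(?:Dhcp)?NameServer)", re.I)
MOUNTPOINT_RE = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
VERB_RE = re.compile(r"^(AutoRun\\command|open\\Command)-\s*(.*)$", re.I)
# rundll32 loading a DLL by relative path from the drive root, as in the DSS
# log above (rundll32.exe .\desktop.dll,InstallM).
RELATIVE_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\.\\", re.I)

# Constructed sample: two entries copied from the DSS log and the SmitFraudFix
# DNS lines above, plus one made-up benign CD-ROM autorun entry.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]
AutoRun\command- D:\
open\Command- D:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
DNS Server Search Order: 85.255.113.78
DNS Server Search Order: 85.255.112.36
HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer=85.255.113.78 85.255.112.36
"""


@dataclass
class MountPoint:
    guid: str
    drive: str = ""
    open_command: str = ""

    @property
    def suspicious(self) -> bool:
        # Flag only the relative-path rundll32 pattern; a plain D:\setup.exe is normal.
        return bool(RELATIVE_RUNDLL_RE.search(self.open_command))


def find_rogue_dns(text: str) -> list[str]:
    """Resolver IPs on DNS-related lines that fall in a rogue prefix, in order, deduplicated."""
    found: list[str] = []
    for line in text.splitlines():
        if not DNS_LINE_RE.search(line):
            continue
        for ip in IPV4_RE.findall(line):
            if ip.startswith(ROGUE_DNS_PREFIXES) and ip not in found:
                found.append(ip)
    return found


def find_autorun_mountpoints(text: str) -> list[MountPoint]:
    """Parse MountPoints2 blocks in the DSS layout: a key header followed by verb lines."""
    points: list[MountPoint] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = MOUNTPOINT_RE.match(line)
        if header:
            current = MountPoint(guid=header.group(1))
            points.append(current)
            continue
        verb = VERB_RE.match(line)
        if verb and current is not None:
            if verb.group(1).lower().startswith("autorun"):
                current.drive = verb.group(2).strip()
            else:
                current.open_command = verb.group(2).strip()
        elif line.startswith("["):
            current = None  # any other registry key ends the block
    return points


def triage(text: str) -> dict:
    """Summarise both indicator classes for a report."""
    bad_mounts = [p for p in find_autorun_mountpoints(text) if p.suspicious]
    return {
        "rogue_dns": find_rogue_dns(text),
        "autorun_drives": sorted({p.drive for p in bad_mounts}),
        "autorun_keys": [p.guid for p in bad_mounts],
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Both indicators matter here: the rogue resolvers explain the redirections and the fake antivirus pages, while the MountPoints2 entries explain why the infection returns after each cleanup, since every removable drive that was plugged in carries its own relaunch command. The script reports them; the actual fix is the one the helper lays out in the thread.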
Thomas
18 Jun 2008, 5:49pm
You have been making your own changes and choices there, and to be honest with you, some of them were not good ones. HijackThis was developed to be used for forum repairs like here, and really not meant as a personal user removal tool. Looks like you tried to remove the bad DNS nameserver settings without the corrections to the actual DhcpNameServer changes first, and removed legit services of installed security software with Spyware Doctor. The first could have possibly left you with no net access, the second with no reboot. Fortunately Spyware Doctor recreated its own server registry settings.
Active autoloading worm infection here along with DNS issues, so let's start some repairs.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each program through Start - Programs.
Go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.
BearShare - adware bundled
-------------------------
Go here (http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe) and download Flash_Disinfector.exe and save it to your desktop.
Double-click on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.
The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Especially the G drive device. Leave any of these installed now until all repairs are completed.
--------------------------------
Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtnn.exe] C:\WINDOWS\system32\kdtnn.exe
------------------------
REGEDIT4
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"WMI Standard Event Consumer - Scripting"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
-----------------------------
Please download FixWareout from here (http://downloads.subratam.org/Fixwareout.exe)
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin, just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet). Note: You must be online to run this utility.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.
Once your desktop loads, notepad will open a report.txt file. Close this, and allow the reboot to complete. On reboot you will also get notified about possible difficulties making a connection after the fix is run. If you do have net access difficulties double click the registry file dnsbak.reg located in the Fixwareout folder on the root of the drive windows is installed (normally c:\ as suggested).
Once your desktop loads, please post the contents of the logfile C:\fixwareout\report.txt back here in your next reply.
--------------------------------
Then Download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe).
Double-click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
============================
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the Malwarebytes log and the C:\fixwareout\report.txt please.
mavplz
18 Jun 2008, 8:22pm
Report from Fixwareout:
Username "Administrator" - 2008-06-18 21:09:09 [Fixwareout edited 9/01/2007]
~~~~~ Prerun check
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}
"nameserver"="85.255.113.78" <Value cleared.
Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"SoundMan"="SOUNDMAN.EXE"
"Ad Muncher"="\"C:\\Program Files\\Ad Muncher\\AdMunch.exe\" /bt"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"
"RocketDock"="\"C:\\Program Files\\RocketDock\\RocketDock.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Report from dss:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-18 21:17:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:18:00, on 2008-06-18
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 5927 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #3
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Service: NVENETFD
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Manufacturer: (Standard CD-ROM drives)
Name: BQ9305P PKA211J SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Service: cdrom
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Manufacturer: (Standard CD-ROM drives)
Name: NERO IMAGEDRIVE2 SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Service: cdrom
-- Files created between 2008-05-18 and 2008-06-18 -----------------------------
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:58 0 d-------- C:\Program Files\Spyware Doctor
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 15:55:43 0 d-------- C:\Program Files\Lavasoft
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
2008-05-22 21:10:50 0 d-------- C:\WINDOWS\system32\oodag
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 20:09:19 0 d-------- C:\Program Files\CCleaner
2008-05-22 17:28:17 0 d--h----- C:\ckis
2008-05-22 16:35:50 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-22 16:35:50 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-22 16:35:16 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-22 16:35:14 307232 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-22 16:35:14 8633888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-22 16:34:17 0 d-------- C:\kav
2008-05-21 23:41:44 0 d-------- C:\Program Files\kmp
2008-05-21 22:48:37 0 d-------- C:\WINDOWS\nvidia icons
2008-05-21 21:58:05 0 d-------- C:\Program Files\CD Catalog Expert
-- Find3M Report ---------------------------------------------------------------
2008-06-18 20:17:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-16 12:42:58 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\PC Tools
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
2008-04-30 18:05:08 0 d-------- C:\Program Files\Electronic Arts
2008-04-19 19:13:03 0 d-------- C:\Program Files\Audacity
2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-18 21:18:44 ------------
Malwarebytes found no infections.
Thomas
18 Jun 2008, 11:52pm
New external drive autoload functions were created just then. When it called for installing all external drives, did you then add a new H drive device (flash/thumb drive perhaps)? Either way leave all installed now, and let's scan for what is not showing yet. FixWareout made some DNS changes - if not enough we can always complete those manually.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
REGEDIT4
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it nextfix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
------------------------------
Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
------------------------------
Go here (http://www.kaspersky.com/virusscanner) and run the Kaspersky online scan, and post back the log it creates (it requires IE).
To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.
To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".
My steps are now outdated, and actually have more steps than required. I haven't had a chance to update them, but you should be able to run the scan once you see the website requirements.
------------------------------
Then assuming you used it, click the dssrun.vbs again to start Deckards.
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that and the Kaspersky log back here please.
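As an added example, not part of Thomas's instructions and not code from any tool used in this thread, the following PowerShell script audits the two registry areas the post above repairs by hand: the per-volume autorun handlers under HKCU MountPoints2 (the .reg file deletes them) and the static NameServer values the O17 lines come from. It is read-only and only reports; it assumes PowerShell 2.0 or later run as the affected user, and the `192.168.1.1` passed as an expected resolver is a placeholder to replace with the real ISP or router DNS address.

```powershell
# Added example: read-only audit of MountPoints2 autorun handlers, static DNS servers
# and the IE user proxy. Nothing is deleted; compare the output against the .reg fix
# and the HijackThis O17/R1 lines in the thread. Assumes PowerShell 2.0 or later.

# Explorer keeps per-volume autorun handlers under MountPoints2. The DSS log in this
# thread shows "rundll32.exe .\desktop.dll,InstallM" as the open/AutoRun handler, so a
# rundll32 call that loads a DLL is what is flagged here.
function Get-SuspiciousMountPoints {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    if (-not (Test-Path $base)) { return }
    foreach ($vol in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        foreach ($handler in 'Shell\AutoRun\command', 'Shell\open\command') {
            $cmdKey = "$($vol.PSPath)\$handler"
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-Item $cmdKey).GetValue('')          # default value = command line
            if ($cmd -and $cmd -match 'rundll32.*\.dll') {
                New-Object PSObject -Property @{
                    Volume  = $vol.PSChildName
                    Handler = $handler
                    Command = $cmd
                }
            }
        }
    }
}

# A DNS changer writes its resolvers as a static NameServer value, globally under
# Tcpip\Parameters and on each interface key, so DHCP-supplied servers are ignored.
# Any server not on the expected list is reported as UNEXPECTED.
function Get-StaticNameServers {
    param([string[]] $Expected = @())   # your ISP/router resolvers; empty flags everything
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $keys = @(Get-Item $params -ErrorAction SilentlyContinue) +
            @(Get-ChildItem "$params\Interfaces" -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        if (-not $key) { continue }
        $ns = $key.GetValue('NameServer')
        if (-not $ns) { continue }
        # Both space- and comma-separated lists appear in the HijackThis backups above.
        foreach ($server in ($ns -split '[ ,]+' | Where-Object { $_ })) {
            $status = 'UNEXPECTED'
            if ($Expected -contains $server) { $status = 'expected' }
            New-Object PSObject -Property @{
                Key        = $key.PSChildName
                NameServer = $server
                Status     = $status
            }
        }
    }
}

# The R1 line in the original post is a forced IE proxy; report it the same way.
function Get-UserProxy {
    $p = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($p -and $p.ProxyServer) {
        New-Object PSObject -Property @{ ProxyServer = $p.ProxyServer; ProxyEnable = $p.ProxyEnable }
    }
}

Write-Host '== MountPoints2 autorun handlers =='
Get-SuspiciousMountPoints | Format-Table -AutoSize
Write-Host '== Static NameServer values =='
Get-StaticNameServers -Expected @('192.168.1.1') | Format-Table -AutoSize   # placeholder resolver
Write-Host '== IE user proxy =='
Get-UserProxy | Format-List
```

Run it before and after merging the .reg file: the MountPoints2 section should come back empty afterwards, and any NameServer line still marked UNEXPECTED is the key a HijackThis O17 fix (or `netsh interface ip set dns` back to DHCP) still has to clear.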
mavplz
19 Jun 2008, 9:53pm
dss log:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-19 22:49:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:24, on 2008-06-19
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
--
End of file - 5814 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080619-144127-419 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #3
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Service: NVENETFD
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: BQ9305P PKA211J SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Service: cdrom
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: NERO IMAGEDRIVE2 SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Service: cdrom
-- Files created between 2008-05-19 and 2008-06-19 -----------------------------
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:58 0 d-------- C:\Program Files\Spyware Doctor
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 15:55:43 0 d-------- C:\Program Files\Lavasoft
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
2008-05-22 21:10:50 0 d-------- C:\WINDOWS\system32\oodag
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 20:09:19 0 d-------- C:\Program Files\CCleaner
2008-05-22 17:28:17 0 d--h----- C:\ckis
2008-05-22 16:35:50 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-22 16:35:50 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-22 16:35:16 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-22 16:35:14 318240 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-22 16:35:14 10160672 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-22 16:34:17 0 d-------- C:\kav
2008-05-21 23:41:44 0 d-------- C:\Program Files\kmp
2008-05-21 22:48:37 0 d-------- C:\WINDOWS\nvidia icons
2008-05-21 21:58:05 0 d-------- C:\Program Files\CD Catalog Expert
-- Find3M Report ---------------------------------------------------------------
2008-06-18 20:17:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-16 12:42:58 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\PC Tools
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
2008-04-30 18:05:08 0 d-------- C:\Program Files\Electronic Arts
2008-04-19 19:13:03 0 d-------- C:\Program Files\Audacity
2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-19 22:50:17 ------------
Kaspersky:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, June 19, 2008
Operating System: Microsoft Windows XP Professional Dodatek Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, June 19, 2008 15:17:52
Records in database: 879503
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 69567
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 00:38:50
File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Pulpit\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Av-test.txt Infected: EICAR-Test-File 1
C:\Downloads\appz\1\ariskkey.exe Infected: not-a-virus:PSWTool.Win32.Aster.55 2
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
The selected area was scanned.
Thomas
20 Jun 2008, 4:37am
Hmm - the autoload registry keys again, and nothing of real note found by Kaspersky. Some files we use mistaken for badware, an innocent Eicar test file and then I reckon you have been trying to crack a file's password for some reason there. The active files from this worm are known though, so let's ask a different scan to check here.
Disable your antivirus program (remember to re-enable it once this scan is complete) and go here (http://www.bitdefender.com/scan8/ie.html) (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.
When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export the scan report". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here please.
mavplz
20 Jun 2008, 1:42pm
Hi,
I don't know why but I couldn't run the BitDefender on-line scan - I installed the ActiveX, opened it in IE, but the "Scan" button was still inactive... So I downloaded the trial version of BitDefender, installed it and made a scan: it detected 4 infected files, 3 of them were automatically deleted, one couldn't be deleted. Here is a log:
BitDefender Log File
Product : BitDefender Total Security 2008
Version : BitDefender UIScanner v.11
Log date : 14:36:59 20/06/2008
Log path : C:\Documents and Settings\All Users\Dane aplikacji\BitDefender\Desktop\Profiles\Logs\full_scan\1213965419_1_02.xml
Scan Paths:
Path0000: C:\
Path0001: E:\
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : No
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Scan engines summary
Number of virus signatures : 1262238
Archive plugins : 42
Email plugins : 6
Scan plugins : 12
Archive plugins : 42
System plugins : 4
Unpack plugins : 7
Overall scan summary
Scanned items : 147140
Infected items : 4
Suspicious items : 0
Resolved items : 3
Individual viruses found : 3
Scanned directories : 7175
Scanned boot sectors : 4
Scanned archives : 6720
Input-output errors : 37
Scan time : 00:01:06:37
Files per second : 36
Scanned processes summary
Scanned : 27
Infected : 0
Scanned registry keys summary
Scanned : 331
Infected : 0
Scanned cookies summary
Scanned : 0
Infected : 0
Remaining issues:
Object Name / Threat Name / Final Status
C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Av-test.txt / EICAR-Test-File (not a virus) / Disinfect Failed
Resolved issues:
Object Name / Threat Name / Final Status
C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP485\A0271239.exe / IRC-Worm.Generic.3335 / Deleted
C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP463\A0266640.dll / Trojan.Agent.ABFL / Deleted
C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP478\A0269710.dll / Trojan.Agent.ABFL / Deleted
Thomas
20 Jun 2008, 6:46pm
Important you try not to vary from the steps posted - there is a large difference between what might change from an online ActiveX object scan tool, and a full install of a major antivirus software. Just don't need unnecessary changes while we get this repair work done. The scan did not really pick up much more than some infection held harmless in the System Restore. Let's do a few things and then continue repairs.
First I have been made aware you posted this same request at other helping forums. You need to go to those request threads and post to let those good folks know that you are already receiving help. All of us are fairly busy volunteers, so we do not want duplication of effort occurring.
Then do this temporary blocking action for autoruns, so we can maybe stop some of the worm activity for a moment.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autostop.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
And let's see where some of the bad files might be still.
Go to Start - Run, type cmd (and Enter). At the prompt copy/paste the following, then press Enter.
(dir /s "c:\desktop*.*" & dir /s "c:\recycle*.*") >c:\find2.txt & start notepad c:\find2.txt
A quick scan will run and then notepad will open - copy/paste those contents back here please (these will also be located at c:\find2.txt)
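As an added example, again not part of the post above and not code from any tool in this thread, this PowerShell script checks the two things the post does by hand: whether the Autorun.inf IniFileMapping block is actually in place, and where autorun.inf, desktop* and recycle* files sit on the disk (a PowerShell equivalent of the `dir /s` command, narrowed to executables and DLLs so the legitimate desktop.ini and .png hits in the log drop out). It is read-only and assumes PowerShell 2.0 or later; the `C:\` root is the only drive it walks by default.

```powershell
# Added example: verify the Autorun.inf block and locate autorun-related files.
# Read-only; assumes PowerShell 2.0 or later.

function Test-AutorunInfBlocked {
    # The autostop.reg file above maps every autorun.inf section lookup to a registry
    # key that does not exist, so Explorer reads no [autorun] entries even when the
    # file is present on a volume.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $key)) { return $false }
    return ((Get-Item $key).GetValue('') -eq '@SYS:DoesNotExist')
}

function Get-DriveRootAutoruns {
    # Explorer only honours an autorun.inf at the root of a volume, so those are listed
    # with their attributes. A hidden+system *directory* named autorun.inf (the "drahs"
    # C:\autorun.inf line in the DSS log) is the vaccination trick cleanup tools use to
    # stop a worm from writing its own file, so the entry type is reported as well.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $path = Join-Path $drive.Root 'autorun.inf'
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path -Force               # -Force also returns hidden/system entries
        $content = ''
        if (-not $item.PSIsContainer) {
            $content = (Get-Content $path -ErrorAction SilentlyContinue) -join ' | '
        }
        New-Object PSObject -Property @{
            Path        = $path
            IsDirectory = $item.PSIsContainer
            Attributes  = $item.Attributes.ToString()
            Content     = $content                  # for a real file: the [autorun] lines
        }
    }
}

function Find-AutorunFiles {
    param([string] $Root = 'C:\')
    # Equivalent of: dir /s "c:\desktop*.*" & dir /s "c:\recycle*.*", limited to
    # executable extensions so Windows' own desktop.ini/.jpg/.bmp files are skipped.
    $exts = @('.exe', '.dll', '.scr', '.com')
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            ($_.Name -like 'desktop*' -or $_.Name -like 'recycle*') -and
            ($exts -contains $_.Extension.ToLower())
        } |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

if (Test-AutorunInfBlocked) { Write-Host 'Autorun.inf IniFileMapping block: present' }
else                         { Write-Host 'Autorun.inf IniFileMapping block: NOT present' }
Write-Host '== autorun.inf at drive roots =='
Get-DriveRootAutoruns | Format-List
Write-Host '== desktop*/recycle* executables under C:\ =='
Find-AutorunFiles -Root 'C:\' | Format-Table -AutoSize
```

In the find2.txt output above the only desktop.dll is BitDefender's own backup plugin, which is why the search is worth filtering by extension: the worm's copy is the one sitting next to an autorun.inf at a drive root, not a file inside a vendor's Program Files folder.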
mavplz
20 Jun 2008, 7:25pm
The log:
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 787A-D614
Katalog: c:\Documents and Settings\Administrator\Dane aplikacji\BitDefender
2008-06-20 08:40 <DIR> Desktop
0 plik(ów) 0 bajtów
Katalog: c:\Documents and Settings\All Users\Dane aplikacji\BitDefender
2008-06-20 08:40 <DIR> Desktop
0 plik(ów) 0 bajtów
Katalog: c:\Program Files\BitDefender\BitDefender Backup\plugins\sys
2007-07-06 13:13 11,776 desktop.dll
2007-07-06 13:13 1,406 desktop.ico
2007-07-06 13:13 212 desktop.plugin
3 plik(ów) 13,394 bajtów
Katalog: c:\Program Files\Common Files\Microsoft Shared\web server extensions\50\bin
2000-02-25 11:03 114 DESKTOP.INI
1 plik(ów) 114 bajtów
Katalog: c:\Program Files\Microsoft Office\Office12\1045\DataServices
2000-07-27 13:30 70 DESKTOP.INI
1 plik(ów) 70 bajtów
Katalog: c:\QooBox\BackEnv
2008-06-15 20:00 96 desktop.folder.dat
1 plik(ów) 96 bajtów
Katalog: c:\WINDOWS
2001-07-22 00:36 2 desktop.ini
1 plik(ów) 2 bajtów
Katalog: c:\WINDOWS\Help\Tours\htmlTour
2001-10-26 17:43 67,776 desktop_screen_shot.jpg
2001-10-26 17:43 4,232 desktop_up.jpg
2 plik(ów) 72,008 bajtów
Katalog: c:\WINDOWS\PCHEALTH\HELPCTR\System\images\48x48
2007-07-11 00:29 9,270 desktop_icon_01.bmp
2007-07-11 00:29 9,270 desktop_icon_02.bmp
2007-07-11 00:29 9,270 desktop_icon_03.bmp
2007-07-11 00:29 9,270 desktop_icon_04.bmp
2007-07-11 00:29 9,270 desktop_icon_generic.bmp
5 plik(ów) 46,350 bajtów
Katalog: c:\WINDOWS\system32
2001-07-22 00:36 2 desktop.ini
1 plik(ów) 2 bajtów
Katalog: c:\WINDOWS\system32\oobe\html\mouse\images
2001-07-22 00:17 17,486 desktop3.gif
1 plik(ów) 17,486 bajtów
Razem wymienionych plików:
16 plik(ów) 149,522 bajtów
2 katalog(ów) 76,858,245,120 bajtów wolnych
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 787A-D614
Katalog: c:\Program Files\RocketDock\Icons
2007-01-01 19:24 43,574 Recycle Bin (full).png
2007-01-01 19:24 40,440 Recycle Bin.png
2 plik(ów) 84,014 bajtów
Katalog: c:\WINDOWS\Help
2001-10-26 17:42 20,478 recycle.chm
1 plik(ów) 20,478 bajtów
Katalog: c:\WINDOWS\Media
2006-11-12 13:39 111,788 recycle.wav
1 plik(ów) 111,788 bajtów
Katalog: c:\WINDOWS\Media\XPBCKUP(2)
2001-07-22 00:30 25,434 recycle.wav
1 plik(ów) 25,434 bajtów
Razem wymienionych plików:
5 plik(ów) 241,714 bajtów
0 katalog(ów) 76,858,245,120 bajtów wolnych
For sure I will paste the solution for this problem on the other forums where I started the topic. I just want to finish with it with your help and then post the final solution.
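The dir /s command in the previous post is hunting for desktop.dll and similar autorun-worm files outside the directories they belong to, and reading that Polish-locale listing by eye gets tedious once it is long. As an added example that is not from the thread, the Python below parses the cmd.exe dir output format (the Polish "Katalog:" header as well as the English "Directory of") on a constructed excerpt modelled on the log above, then lists every copy of the hunted file name that does not sit in a known-good directory. The c:\ desktop.dll entry in the sample is made up to show a hit; the BitDefender plugin directory is treated as known-good because the helper judged that listing clean, and that allowlist is an assumption for the example.

```python
"""Parse the 'dir /s' listing a helper asks for (Polish-locale cmd output,
as posted above) and report where a dropper-style file name turned up
outside the directories it legitimately belongs to.
Added example, not a tool from the thread."""
import re

# Constructed excerpt in the format of find2.txt above; the c:\ entry is
# made up to show a hit, the BitDefender one is the legitimate plugin.
SAMPLE_DIR_OUTPUT = r"""
 Wolumin w stacji C nie ma etykiety.
 Numer seryjny woluminu: 787A-D614

 Katalog: c:\Documents and Settings\All Users\Dane aplikacji\BitDefender

2008-06-20  08:40    <DIR>          Desktop
               0 plik(ów)              0 bajtów

 Katalog: c:\Program Files\BitDefender\BitDefender Backup\plugins\sys

2007-07-06  13:13            11,776 desktop.dll
2007-07-06  13:13             1,406 desktop.ico
               2 plik(ów)         13,182 bajtów

 Katalog: c:\WINDOWS

2001-07-22  00:36                 2 desktop.ini
               1 plik(ów)              2 bajtów

 Katalog: c:\

2008-06-18  20:54             8,192 desktop.dll
               1 plik(ów)          8,192 bajtów
"""

# Directories where a file with the hunted name is expected (assumption:
# taken from the listing above, which the helper considered clean).
KNOWN_GOOD_DIRS = {r"c:\Program Files\BitDefender\BitDefender Backup\plugins\sys"}

# "Katalog:" is the Polish cmd.exe header, "Directory of" the English one.
DIR_HEADER_RE = re.compile(r"^\s*(?:Katalog:|Directory of)\s+(.+?)\s*$")
# date  time  size-or-<DIR>  name
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(.+?)\s*$")


def parse_dir_listing(text: str):
    """Return (directory, file name, size in bytes) for every file entry."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        if (m := DIR_HEADER_RE.match(line)):
            current_dir = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        # Summary lines ("2 plik(ów) ...") never start with a date, and
        # <DIR> rows are subdirectories, not files.
        if m and current_dir is not None and m.group(3) != "<DIR>":
            entries.append((current_dir, m.group(4), int(m.group(3).replace(",", ""))))
    return entries


def _norm(path: str) -> str:
    """Case-insensitive comparison key; 'c:\\' and 'c:' compare equal."""
    return path.lower().rstrip("\\")


def suspicious_hits(entries, name="desktop.dll", known_good=KNOWN_GOOD_DIRS):
    """Files called `name` that sit anywhere other than a known-good directory."""
    allowed = {_norm(d) for d in known_good}
    return [(d, f, s) for d, f, s in entries
            if f.lower() == name.lower() and _norm(d) not in allowed]


if __name__ == "__main__":
    for d, f, size in suspicious_hits(parse_dir_listing(SAMPLE_DIR_OUTPUT)):
        print(f"{f} ({size} bytes) in {d}")
```

Paste the contents of a real find2.txt into parse_dir_listing() to use it; the known-good set is the only thing to adjust per machine, and a hit at a drive root is the one to look at first, since that is where an autorun.inf dropper keeps its DLL.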
Thomas
21 Jun 2008, 5:31am
Those forums do not need anyone else's ideas or solutions - they have plenty of skilled people for their own good solutions. But if you check you will find your other threads have been closed anyway. Posting in more than one location when so many ask for assistance is just not being helpful.
No infection items located in that last check. I think that either you did not quite do the fixer.reg correctly earlier (here (http://icrontic.com/forum/showpost.php?p=625094&postcount=6)) or your security software is blocking the Registry changes.
Follow those steps again to create a new fixer.reg. Then make sure your security software, such as Spyware Doctor, is completely disabled, and right click/Merge the fixer.reg with the Registry.
Reboot, and run and post back a new Deckard's log please.
mavplz
21 Jun 2008, 3:50pm
You are right, I shouldn't post it on a few forums at the same time...
I have uninstalled all anti-virus apps from my computer because I couldn't close all the processes they run. Then I created a new fixer.reg and added it to the registry and made a scan with dss.
I first made a scan before I connected to the internet, and then a second scan while connected. There is one difference between them: when I connect to the internet one more log line appears:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
Here is this log:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-21 16:36:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:36:21, on 2008-06-21
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\różne\1\apteczka\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5287 bytes
-- Files created between 2008-05-21 and 2008-06-21 -----------------------------
2008-06-20 08:22:10 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
2008-05-22 21:10:50 0 d-------- C:\WINDOWS\system32\oodag
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 17:28:17 0 d--h----- C:\ckis
2008-05-22 16:35:16 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-22 16:34:17 0 d-------- C:\kav
2008-05-21 23:41:44 0 d-------- C:\Program Files\kmp
2008-05-21 22:48:37 0 d-------- C:\WINDOWS\nvidia icons
2008-05-21 21:58:05 0 d-------- C:\Program Files\CD Catalog Expert
-- Find3M Report ---------------------------------------------------------------
2008-06-21 16:30:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d-------- C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-21 16:36:45 ------------
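The two entries that keep coming back in these logs, the R1 ProxyServer line and the O17 NameServer line, are exactly what a helper reads the HijackThis section of a DSS log for, and the MountPoints2 handlers plus the C:\autorun.inf in the same log are the USB-worm half of the infection. As an added example that is not part of the thread, the Python below triages a constructed excerpt of such a log: it flags any configured proxy, any interface NameServer that is neither a LAN address nor on an allowlist of expected resolvers, an autorun.inf on a drive root, and any MountPoints2 open handler that runs a DLL through rundll32. The allowlist (192.168.1.1) and the second interface and mountpoint GUIDs in the sample are assumptions made for the example.

```python
"""Triage a HijackThis / Deckard's System Scanner log for the indicators
seen in this thread: a forced IE proxy, hijacked interface NameServer
values, an autorun.inf dropped on a drive root and removable-drive
autorun handlers that load a DLL through rundll32.
Added example, not a tool posted in the thread."""
import re
from ipaddress import ip_address

# Constructed excerpt modelled on the log posted above (the second interface
# GUID is made up; the mountpoint GUID is copied from the log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Links
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
"""

# Resolvers this machine is expected to use (assumption: the home router).
EXPECTED_DNS = {"192.168.1.1"}

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)")
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
AUTORUN_INF_RE = re.compile(r"^\S+ \S+ \d+ \S+ ([A-Za-z]:\\autorun\.inf)$", re.IGNORECASE)
OPEN_CMD_RE = re.compile(r"^open\\Command- (.+)$", re.IGNORECASE)


def is_private(ip: str) -> bool:
    """True for RFC 1918 / loopback style addresses; False for junk input."""
    try:
        return ip_address(ip).is_private
    except ValueError:
        return False


def triage(log_text: str, expected_dns=EXPECTED_DNS):
    """Return (indicator, detail) pairs in the order they appear in the log."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := PROXY_RE.match(line)):
            # A proxy the user never configured is how the R1 entry showed up.
            findings.append(("proxy", m.group(1)))
        elif (m := NAMESERVER_RE.match(line)):
            for server in m.group(1).split():
                # Public resolvers that are not on the allowlist are the
                # DNS-changer signature; a LAN router address is normal.
                if server not in expected_dns and not is_private(server):
                    findings.append(("nameserver", server))
        elif (m := AUTORUN_INF_RE.match(line)):
            findings.append(("autorun_inf", m.group(1)))
        elif (m := OPEN_CMD_RE.match(line)):
            cmd = m.group(1)
            # MountPoints2 handlers that rundll32 a DLL sitting on the drive
            # root are how the USB worm re-launches itself on each insert.
            if "rundll32" in cmd.lower() and ".dll" in cmd.lower():
                findings.append(("autorun_handler", cmd))
    return findings


def is_reinfected(findings) -> bool:
    """The question asked in the thread: is the DNS changer active again?"""
    return any(kind in ("proxy", "nameserver") for kind, _ in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, detail in found:
        print(f"{kind:16} {detail}")
    print("DNS changer active:", is_reinfected(found))
```

Feed triage() the text of a real DSS or HijackThis log to use it on another machine. A LAN router address as NameServer is normal and is not flagged; resolvers the ISP assigns go on EXPECTED_DNS, so anything else public is reported for a closer look.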
Thomas
22 Jun 2008, 2:08am
Yes, I did see the DNS changer had been active again. In looking back I do not see where you ever downloaded or ran the Malwarebytes scan step. No log from that, and actually nothing in these other logs showing it ever used. Do the following steps exactly as posted please.
To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.
Then you will want to print or have other access to a copy of the next steps, as some will be done without net access or in Safe Mode.
Download SDFix.exe (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.
===================================================
Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).
In Safe Mode, click the SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double click RunThis.bat to start the script.
Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.
=============================
After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe).
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.
============================
Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Temp Cleanup
Process Modules
Then under Extra Log, uncheck all the boxes except this one:
Security Center
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
Post that along with the Malwarebytes log and the SDFix report.txt log please.
mavplz
22 Jun 2008, 12:17pm
I disconnected my internet connection and phone line and ran SDFix in Safe Mode:
SDFix: Version 1.195
Run by Administrator on 2008-06-22 at 13:00
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Pulpit\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\WINDOWS\system32\TFTP1288 - Deleted
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 13:04:15
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:83,01,1c,7b,b2,05,f8,a2,99,7e,19,48,80,72,29,bc,51,84,28,ef,c2,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:5c,6f,21,38,4e,3a,dd,1e,7a,60,d8,6e,66,82,bc,61,88,52,99,74,a3,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:72,d0,b2,51,7d,11,a4,7d,3e,14,f4,2c,97,fd,83,80,27,c1,73,35,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:20,39,06,ca,56,b3,ca,7f,6e,78,00,be,23,de,be,e8,64,09,0d,ba,c2,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c0,a9,01,f5,6f,41,81,29,f5,ab,5e,5a,78,86,54,17,6e,3b,db,0d,43,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:83,01,1c,7b,b2,05,f8,a2,99,7e,19,48,80,72,29,bc,51,84,28,ef,c2,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:5c,6f,21,38,4e,3a,dd,1e,7a,60,d8,6e,66,82,bc,61,88,52,99,74,a3,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f9,c8,fa,b7,f1,dd,98,4d,56,44,bf,de,1b,80,17,9e,f7,a8,9f,0d,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:94,c3,65,20,c9,d0,d7,9f,b2,3d,92,7f,9f,53,f6,ad,45,75,80,fb,8c,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:94,c3,65,20,c9,d0,d7,9f,b2,3d,92,7f,9f,53,f6,ad,45,75,80,fb,8c,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG10.00.00.01WORKSTATION"=".."
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"="C:\\Program Files\\BitSpirit\\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
File Backups: - C:\DOCUME~1\ADMINI~1\Pulpit\SDFix\backups\backups.zip
Files with Hidden Attributes :
Wed 31 Jul 2002 106 ..SH. --- "C:\WINDOWS\WSYS049.SYS"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09997411a62459b007c5b4c27727b812\BIT48.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1b4906af34b69bb3b3bff77c77c36269\BIT4D.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\238ea9fc36cfe91e6d8d2a057bf59e53\BIT53.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2ac354659614029836a3e6f43f478d68\BIT56.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\395a6b3cc3ef33ceb456d5772d320a49\BIT52.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3fb99568c483077faade564bf19fd5b1\BIT5E.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4982a61e2216973813f44f56425bf3d9\BIT4B.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\49de99a94f2b671fa314de00469bc9ee\BIT5D.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4a43476dc86b4dbe7da8acc0ef0e5c5f\BIT5C.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\504a292ad849178ad9c5188c7eecd6e6\BIT5F.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2D.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6adaf981e12b6d73d603b0b7cd1bd3b0\BIT58.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78670cbd6a90baaa408a8a72f52fdce2\BIT32.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\86e5b4dadbb28e067b72e96af284a2b0\BIT4E.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\90b64af20ec49650e48013f156470238\BIT50.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94af39a0130ee1aef6c5b5f008af01e9\BIT4C.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aff5d7c797f1e254b0042756b4877f70\BIT5B.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3785b22f905d6c0e99056e24099a0a7\BIT57.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b66e85416787cab176e98d4d637c4f81\BIT5A.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b8f841be0a4a9c344276ad0e6d2e6ef7\BIT49.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b9075ab76028414158858b84810726f9\BIT4F.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT35.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\becfb2439d7d5a97f7e2da7b1433c139\BIT51.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c6d686951b1308c6fd3d9343b47193cb\BIT4A.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3c4aebdee35f35b6bda63780eafaf85\BIT62.tmp"
Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edb846a7ab7add3b71d83f6a232086a3\BIT54.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edf69d5dc5cba73e15a467a90c9e07b0\BIT59.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ffdc7af41a0409dddb9ddefe4faf90de\BIT55.tmp"
Sat 17 Nov 2007 6,297 ...HR --- "C:\Documents and Settings\Administrator\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"
Finished!
mavplz
22 Jun 2008, 12:21pm
Then, after a restart, I made a scan with Malwarebytes' Anti-Malware while connected to the internet, and it found no infections:
Malwarebytes' Anti-Malware 1.17
Database version: 863
13:11:08 2008-06-22
mbam-log-6-22-2008 (13-11-08).txt
Scan type: Quick Scan
Objects scanned: 37905
Time elapsed: 2 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Then I made a scan with DSS and, as I can see, the 85.255.113.78 85.255.112.36 entry is still there...:
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:12:45, on 2008-06-22
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5232 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080619-144127-419 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080621-162516-565 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
backup-20080621-162516-855 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080621-162516-950 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080621-162517-652 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
backup-20080621-162517-830 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080621-162552-282 O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
R3 catchme - c:\docume~1\admini~1\ustawi~1\temp\catchme.sys (file missing)
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys (file missing)
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys (file missing)
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #3
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Service: NVENETFD
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: BQ9305P PKA211J SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Service: cdrom
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: NERO IMAGEDRIVE2 SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Service: cdrom
-- Files created between 2008-05-22 and 2008-06-22 -----------------------------
2008-06-22 12:57:22 0 d-------- C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
2008-05-22 21:10:50 0 d-------- C:\WINDOWS\system32\oodag
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 17:28:17 0 d--h----- C:\ckis
2008-05-22 16:35:16 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-22 16:34:17 0 d-------- C:\kav
-- Find3M Report ---------------------------------------------------------------
2008-06-21 16:30:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d-------- C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-22 21:54:13 0 d-------- C:\Program Files\kmp
2008-05-21 21:58:51 0 d-------- C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-22 13:13:23 ------------
Thomas
22 Jun 2008, 5:04pm
The question there is what is recreating these registry entries: both the DNS changes you notice, as well as those that should have been corrected by the nextfix.reg you created and "Merged". Almost as if some security software there is still blocking them. See if you can determine if anything else needs disabling, even that Ad Muncher program.
Again right click nextfix.reg and merge that information with your registry. Also again use HijackThis to remove that "O17 - HKLM\..." entry.
Then there is a file SDFix located to check.
Make sure you can View Hidden Files (http://www.xtra.co.nz/help/0,,4155-1916458,00.html). Also uncheck "Hide Extensions for Known File Types"
Then go here (http://www.thespykiller.co.uk/index.php?board=1.0), press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.
C:\WINDOWS\WSYS049.SYS
You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
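As an added example (not code from this thread, from HijackThis, or from any tool named above), the following Python script scans HijackThis-style log lines like the ones posted here and flags O17 NameServer and R1 ProxyServer entries that point outside a known-good set, then counts how many registry locations each rogue resolver is written to. The allowlist value and the one benign O17 line in the sample are constructed assumptions; the rest of the sample lines are copied from the logs in this thread.

```python
"""Flag DNS-changer style indicators in HijackThis log lines.

Added example; it parses the O17 (NameServer) and R1 (ProxyServer) line formats
that appear in the logs above and reports values outside a known-good set.
"""
import ipaddress
import re
from collections import Counter

# Assumption: resolvers the ISP/router is known to hand out. On a real box,
# take these from the DHCP lease or the ISP's documentation.
KNOWN_GOOD_DNS = {"192.168.1.1"}

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - (?P<key>HK(?:CU|LM)\\[^,]+),ProxyServer = (?P<proxy>\S+)$")


def parse_nameservers(value):
    """HijackThis lists servers separated by spaces or commas (both forms appear above)."""
    return [s for s in re.split(r"[ ,]+", value.strip()) if s]


def is_local_address(host):
    """True for RFC 1918/loopback addresses, which a home router normally hands out."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # hostnames or malformed values are treated as not local


def scan_hjt_lines(lines, known_good=KNOWN_GOOD_DNS):
    """Return one finding per rogue DNS server or proxy, keyed to the registry location."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            for server in parse_nameservers(m.group("servers")):
                if server in known_good or is_local_address(server):
                    continue
                findings.append({"type": "dns", "key": m.group("key"), "value": server})
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            proxy = m.group("proxy")
            # Assumes the host:port form seen in this thread; the per-protocol
            # "http=host:port;https=..." form would need splitting on ';' first.
            host = proxy.rsplit(":", 1)[0]
            if not is_local_address(host):
                findings.append({"type": "proxy", "key": m.group("key"), "value": proxy})
    return findings


def rogue_server_counts(lines, known_good=KNOWN_GOOD_DNS):
    """Count how many registry locations each rogue DNS server is written to.

    The same pair turning up under several control sets and interface GUIDs is the
    persistence pattern the HijackThis backup list above shows, so report the count.
    """
    return dict(Counter(f["value"] for f in scan_hjt_lines(lines, known_good) if f["type"] == "dns"))


# Constructed sample: the hijack lines from this thread plus one benign line.
SAMPLE_HJT_LINES = [
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1",  # constructed benign entry
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
]

if __name__ == "__main__":
    for f in scan_hjt_lines(SAMPLE_HJT_LINES):
        print(f"{f['type']:5} {f['value']:22} {f['key']}")
    print(rogue_server_counts(SAMPLE_HJT_LINES))
```

Run it against a saved HijackThis log by reading the file into a list and passing it to `scan_hjt_lines`; the allowlist should hold the resolvers your ISP or router actually assigns, otherwise every public resolver is reported.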
mavplz
23 Jun 2008, 9:00am
The link: http://thespykiller.co.uk/index.php/topic,6665.0.html
Thomas
23 Jun 2008, 9:44pm
Good. I will not be able to check that for a while, but will post back with the findings once I do.
Thomas
24 Jun 2008, 3:42am
I received the file, thanks. Only a few lines of alpha-numeric characters. On this system, despite the 2002 date showing for the file, I still list it as suspect (dates can be spoofed). For now rename it by changing the ending ".sys" to ".old" just to keep it out of harm's way.
I see in web searches the infection showing here is most often showing on Polish systems, which suggests an autorun type malware passed through sharing flash drives. You haven't by chance been using, then removing, a flash drive during these repairs (basically reinfecting things)?
The logs show Ad-Aware's Ad-Watch. The services for that show as stopped, but I am not sure Ad-Watch hasn't become corrupted somehow and is involved in blocking these registry changes. The return of them, with no other infection showing, suggests an older nuisance behavior of older software like that and SpyBot's TeaTimer. You can always reinstall it later, but for now save any registration information needed for that and uninstall Ad-Watch please.
Then click to merge nextfix.reg again, and reboot and post back a new Deckards log for review.
Thomas
24 Jun 2008, 3:44am
One other item to mention - those infected Polish systems show the presence of cracked software in use. We won't get into details on which or what, but if by chance you suspect any of that present on your computer make sure right now to uninstall it and delete any related files. Just a mention.
mavplz
24 Jun 2008, 9:05am
Still the same situation... the 85.255.113.78 entry appears after connecting to the internet... I closed all possible processes but it doesn't help. I was using 2 drives: one is my own mp3 player with music only, the second is my own drive too with a few .doc files.
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-24 09:56:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:56:19, on 2008-06-24
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\różne\1\apteczka\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5100 bytes
-- Files created between 2008-05-24 and 2008-06-24 -----------------------------
2008-06-22 12:57:22 0 d-------- C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
-- Find3M Report ---------------------------------------------------------------
2008-06-21 16:30:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d-------- C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-22 21:54:13 0 d-------- C:\Program Files\kmp
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 17:32:48 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-21 21:58:51 0 d-------- C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-24 09:56:43 ------------
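The O17 NameServer and R1 ProxyServer lines in the HijackThis log above are the indicators this thread keeps chasing. As an added example, not a tool used by anyone in the thread, the Python script below triages HijackThis-format lines from a constructed sample modelled on the thread's entries: it flags any NameServer value inside a watchlisted netblock (85.255.112.0/20 here, chosen for this example because it contains both resolvers seen in the thread) and reports a ProxyServer entry whose host is a public IP address. The function names, the sample log, the 192.168.1.1 baseline line and its {11111111-...} interface GUID are constructed for the example.

```python
"""Triage HijackThis-style log lines for DNS changer indicators.

Added example for this thread, not a tool the participants used. It looks at two
entry types that recur in the logs posted here: O17 (TCP/IP NameServer values in
the registry) and R1 ProxyServer (Internet Settings proxy).
"""
import ipaddress
import re

# Watchlist (assumption for this example): the 85.255.112.0/20 block, which
# contains the two resolvers seen throughout this thread. Extend as needed.
WATCHLIST = [ipaddress.ip_network("85.255.112.0/20")]

# Constructed sample, modelled on the O17/R1 lines in the thread's logs, plus
# one benign LAN resolver (constructed GUID) and an unrelated O4 line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+?)\s*$")
R1_PROXY_RE = re.compile(r"^R1 - (?P<key>[^,]+),ProxyServer = (?P<proxy>\S+)\s*$")


def _on_watchlist(ip_text):
    """True if ip_text is an IP address inside any watchlisted netblock."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in WATCHLIST)


def _proxy_hosts(proxy_value):
    """Yield host parts from 'host:port' or 'http=host:port;https=host:port'."""
    for part in proxy_value.split(";"):
        if "=" in part:                       # per-protocol form
            part = part.split("=", 1)[1]
        host = part.rsplit(":", 1)[0]         # drop the port if present
        if host:
            yield host.strip("[]")


def triage(log_text):
    """Return one finding dict per suspicious O17 / R1 ProxyServer line."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line)
        if m:
            # HijackThis prints the list space- or comma-separated (both forms
            # occur in this thread's logs), so accept either separator.
            servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
            bad = [s for s in servers if _on_watchlist(s)]
            if bad:
                findings.append({"type": "O17", "key": m.group("key"),
                                 "servers": bad,
                                 "reason": "NameServer in watchlisted block"})
            continue
        m = R1_PROXY_RE.match(line)
        if m:
            for host in _proxy_hosts(m.group("proxy")):
                try:
                    is_public = ipaddress.ip_address(host).is_global
                except ValueError:
                    is_public = False         # hostname: cannot judge offline
                if is_public:
                    findings.append({"type": "R1", "key": m.group("key"),
                                     "proxy": m.group("proxy"),
                                     "reason": "ProxyServer points at a public IP"})
                    break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["type"], f["key"], f["reason"], f.get("servers", f.get("proxy")))
```

The HijackThis fixed-entries list later in this thread shows the same two resolvers under CCS, CS4, CS5, the Tcpip\Parameters key and several per-interface {GUID} keys, with both space and comma separators, which is why the parser accepts any key form and either separator: a check that only looks at the current control set or a single interface misses the copies that keep coming back.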
Thomas
24 Jun 2008, 8:54pm
A re-appearing infection, but still no sources showing. Unfortunately this leads us to running extra scans and attempting to locate what the logs so far are not showing.
One driver only showing recently in threads, each with unknown issues involved. Let's take it out of the way for now. Go to Start > Run and type
cmd
and OK. At the prompt type (or copy\paste) the below commands and hit "Enter" after each line
sc config UTSCSI start= disabled
Type Exit to close.
-------------------------------------
Download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your Desktop.
Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
Close all open programs and open the OTScanIt folder. Double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose "Run as Administrator").
In the Drivers section click on Non-Microsoft. Under Additional Scans click the checkboxes in front of the following items to select them. Do not change any other settings.
Reg - BotCheck
File - Additional Folder Scans
Next click the Run Scan button on the toolbar. Let it run unhindered until it finishes. When the scan is complete Notepad will open with the report file loaded in it. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
This will be a very large log, so instead of posting it save it and zip a copy of it, and send it to jintan@cfl.rr.com as an attachment. Please place "Submitted Files - mavplz otscanit" as the email Subject.
mavplz
25 Jun 2008, 8:28am
Mail sent
Thomas
25 Jun 2008, 7:35pm
I received the log, thanks. One very suspect IE registry entry we need to check, and then a Synnack-v2.part1.rar file, a bad idea. The only few copies of that I find are uploads originating from Russian crack sites, and the download sites are rife with hard pop-under ads that attempt to download rogue software. If this file has been unzipped already, delete whatever it created, and delete this rar file as well.
@ECHO OFF
if exist Regsearch1.txt del /q Regsearch1.txt
regedit /e Regsearch1.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt"
Notepad Regsearch1.txt
Open Notepad (Start - Run, type notepad and press Enter).
Copy/paste the above text into the open text box, then save this to your desktop as "cfgcheck.bat"
Be sure to include the "" quotes in the name. Then click on cfgcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
mavplz
25 Jun 2008, 7:52pm
This .rar file has never been unpacked yet. You are right, it's a music album that comes from one Russian site; I was downloading from it a lot of times before (most albums are legal as they are kind of minimal amateur music) and hadn't any problems... But for now I deleted this file.
Here is the log of cfgcheck:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block frame with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block image with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block link with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Don't filter page with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&ksportuj do programu Microsoft Excel]
@="res://C:\\PROGRA~1\\MICROS~2\\Office12\\EXCEL.EXE/3000"
"Contexts"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@="res://C:\\PROGRA~1\\MICROS~2\\Office10\\EXCEL.EXE/3000"
"Contexts"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz plik wideo we Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dlfvideo.htm"
"Contexts"=dword:00000033
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz w Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dllink.htm"
"Contexts"=dword:00000022
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz wszystkie pliki w Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dlall.htm"
"Contexts"=dword:00000033
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz z &BitSpirit]
@="C:\\Program Files\\BitSpirit\\bsurl.htm"
"Contexts"=dword:00000020
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz zaznaczone w Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dlselected.htm"
"Contexts"=dword:00000033
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Report page to the Ad Muncher developers]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ÓñČĚŘľ«ÁéĎÂÔŘ(&B)]
Thomas
26 Jun 2008, 4:48pm
I may have trouble understanding all the Polish language that has been showing, but I really don't feel "ÓñČĚŘľ«ÁéĎÂÔŘ(&B)" means any more in Polski than it does in Angielski. That setting does have the capabilities to link to a URL, so let's remove that now. Let's see if Regedit will successfully import that. If not, you can make the changes manually.
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ÓñČĚŘľ«ÁéĎÂÔŘ(&B)]
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it "oddfix.reg"
Be sure to include the quotes "" in the name. Then right click oddfix.reg and select Merge to allow it to merge with the Registry.
To confirm the change succeeded click cfgcheck.bat again and post that new log please.
mavplz
26 Jun 2008, 10:25pm
The change succeeded but it hasn't helped in any way... 85.255.113.78 85.255.112.36 still appears just after connecting...
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block frame with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block image with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block link with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Don't filter page with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude"
"Installed by Ad Muncher"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&ksportuj do programu Microsoft Excel]
@="res://C:\\PROGRA~1\\MICROS~2\\Office12\\EXCEL.EXE/3000"
"Contexts"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@="res://C:\\PROGRA~1\\MICROS~2\\Office10\\EXCEL.EXE/3000"
"Contexts"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz plik wideo we Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dlfvideo.htm"
"Contexts"=dword:00000033
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz w Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dllink.htm"
"Contexts"=dword:00000022
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz wszystkie pliki w Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dlall.htm"
"Contexts"=dword:00000033
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz z &BitSpirit]
@="C:\\Program Files\\BitSpirit\\bsurl.htm"
"Contexts"=dword:00000020
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz zaznaczone w Free Download Manager]
@="file://C:\\Program Files\\Free Download Manager\\dlselected.htm"
"Contexts"=dword:00000033
"Free Download Manager"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Report page to the Ad Muncher developers]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report"
"Installed by Ad Muncher"=""
Thomas
27 Jun 2008, 12:30am
We need a new view now, to make complete changes before verifying no improvements were made.
Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):
"%userprofile%\desktop\dss.exe" /config
When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:
System Restore
Then under Extra Log, uncheck all the boxes.
Don't make any other changes at this time. Then click the "Scan!" button to start the scan.
Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)
This one will include processes so may be a bit larger than others.
mavplz
27 Jun 2008, 8:38am
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-27 09:36:27
Computer is in Normal Mode.
--------------------------------------------------------------------------------
Performed disk cleanup.
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:36:36, on 2008-06-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\kmp\KMPlayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5229 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------
backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080619-144127-419 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080621-162516-565 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
backup-20080621-162516-855 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080621-162516-950 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080621-162517-652 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
backup-20080621-162517-830 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080621-162552-282 O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
backup-20080623-095411-757 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080626-232335-307 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
-- File Associations -----------------------------------------------------------
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys (file missing)
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys (file missing)
S3 catchme - c:\docume~1\admini~1\ustawi~1\temp\catchme.sys (file missing)
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #3
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Service: NVENETFD
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: BQ9305P PKA211J SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Service: cdrom
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: NERO IMAGEDRIVE2 SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Service: cdrom
-- Process Modules -------------------------------------------------------------
C:\WINDOWS\system32\winlogon.exe (pid 588)
2007-07-24 21:56:36 219648 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\system32\svchost.exe (pid 816)
2007-07-24 21:56:36 219648 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\system32\svchost.exe (pid 920)
2007-07-24 21:56:36 219648 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\system32\svchost.exe (pid 1352)
2007-07-24 21:56:36 219648 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\explorer.exe (pid 1672)
2007-07-24 21:56:36 219648 --a------ C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
2007-09-02 14:57:36 69632 --a------ C:\Program Files\RocketDock\RocketDock.dll
2007-11-03 06:26:52 24576 --a------ C:\Program Files\Ad Muncher\AM28140.dll
2006-09-14 00:20:24 126464 --a------ C:\Program Files\WinRAR\RarExt.dll
2006-11-10 19:18:26 73728 --a------ C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll <Not Verified; Nero AG; Nero BackItUp>
2006-12-21 14:30:44 102400 --a------ C:\Program Files\Gadu-Gadu\ggwhook.dll <Not Verified; Gadu-Gadu S.A.; Gadu-Gadu>
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
-- Files created between 2008-05-27 and 2008-06-27 -----------------------------
2008-06-22 12:57:22 0 d-------- C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
-- Find3M Report ---------------------------------------------------------------
2008-06-24 15:19:22 0 d-------- C:\Program Files\kmp
2008-06-21 16:30:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d-------- C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 17:32:48 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-21 21:58:51 0 d-------- C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-27 09:37:22 ------------
Thomas
27 Jun 2008, 2:16pm
Until we locate where the active worm is there I sense more changes will not help. Pieces missing still.
Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) scrcons32 in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please. Also do a search using the following, and post those results as well:
85.255.113.78
------------------------------
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\scrcons32*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
mavplz
27 Jun 2008, 4:06pm
For 85.255.113.78:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "85.255.113.78" 2008-06-27 16:50:04
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}]
"NameServer"="85.255.113.78 85.255.112.36"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}]
"NameServer"="85.255.113.78 85.255.112.36"
For scrcons32.exe:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "scrcons32" 2008-06-27 16:51:15
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"WMI Standard Event Consumer - Scripting"="C:\\WINDOWS\\system32\\wbem\\scrcons32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\wbem\\scrcons32.exe"="C:\\WINDOWS\\system32\\wbem\\scrcons32.exe:*:Enabled:WMI Standard Event Consumer - Scripting"
When I do a scan by cmd.exe, the message "The file hasn't been found" appears, and in Notepad I have only 2 lines:
Volume in drive C has no label
Serial number: 787A-D614
Thomas
27 Jun 2008, 8:48pm
The last one indicates no files by that name located there. So no desktop.dll and no scrcons32.exe, the two active known parts of this worm infection. I'll have to review and determine our next moves there. Do you shut this system down frequently - have there been shutdowns that might bring things back? Those last registry items are an odd assortment of different control sets which we are going to check, but the differing numbers suggest changes have been made related to them. Did you do a System Restore after this infection started?
@ECHO OFF
if exist Regsearch3.txt del /q Regsearch3.txt
regedit /e Regsearch3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
Notepad Regsearch3.txt
Open Notepad (Start - Run, type notepad and press Enter).
Copy/paste the above text into the open text box, then save this to your desktop as "cslook.bat"
Be sure to include the "" quotes in the name. Then click on cslook.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
mavplz
28 Jun 2008, 9:29am
I don't know what exactly u mean by "bring things back" but I shut down my system 2/3 times per day. The last restore I did was before I posted this problem on this forum - I tried to remove it by restore but it didn't help.
Scan results:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000000
"RunLogonScriptSync"=dword:00000001
"RunStartupScriptSync"=dword:00000000
"HideStartupScripts"=dword:00000000
Thomas
28 Jun 2008, 10:43pm
Autoloading infection can sometimes benefit from reboots, if done when something remains.
In IE, click on Tools -> Internet Options, then select Use Blank (and Apply/OK).
Disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"WMI Standard Event Consumer - Scripting"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\wbem\\scrcons32.exe"=-
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}]
"NameServer"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}]
"NameServer"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it kubuntu.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
Then reboot, reconnect to net access and again run and post back a new Deckards scan log please. BUT, when reconnecting to net access only open your browser to here, then wait a little, and run the Deckards scan. But no other surfing before that.
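An added example, not a tool from this thread, that automates what Thomas is doing by hand here and with the RegSrch results further up: it parses a regedit-style export, flags NameServer values that are not on an allowlist (in every ControlSetNNN alike, since the entries above keep reappearing across control sets), any ProxyServer value on a machine that uses no proxy, and MountPoints2 autorun handlers that load a relative DLL through rundll32, then writes the matching removal .reg. The sample export, the allowlisted router address 192.168.0.1 and all function names are constructed for the example.

```python
"""Audit a regedit export for DNS-changer settings and write the cleanup .reg.
Added example for this thread, not a tool the thread uses. Reads the REGEDIT4 /
"Windows Registry Editor Version 5.00" text that RegSrch.vbs or `regedit /e`
produces; "Name"=- in the output deletes one value, [-Key] deletes a whole key."""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "Name"="data" or @="data"; dword:/hex: values are ignored by this audit.
STR_VALUE_RE = re.compile(r'^(?:@|"([^"]+)")="(.*)"$')
# The per-volume MountPoints2\{GUID} subkey that owns an autorun handler.
MOUNTPOINTS_RE = re.compile(r"(.*\\MountPoints2\\\{[0-9a-fA-F-]+\})", re.IGNORECASE)
RELATIVE_RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\.\\", re.IGNORECASE)

@dataclass
class Finding:
    key: str              # full registry key path
    name: str             # value name, or "" when the whole key goes
    value: str            # offending data, for the report
    reason: str
    delete_key: bool = False

def parse_reg_export(text: str) -> dict:
    """Return {key: {value_name: data}} for the string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == ";" or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys.setdefault(current, {})
            continue
        m = STR_VALUE_RE.match(line)
        if m and current is not None:
            # .reg exports double every backslash inside string data.
            keys[current][m.group(1) or "@"] = m.group(2).replace("\\\\", "\\")
    return keys

def audit(keys: dict, allowed_dns=frozenset(), uses_proxy: bool = False) -> list:
    """Flag the three changes seen in this thread, in every ControlSetNNN alike."""
    findings = []
    for key, values in keys.items():
        lkey = key.lower()
        for name, data in values.items():
            lname = name.lower()
            if lname == "nameserver" and "\\services\\tcpip\\" in lkey:
                # Both "a b" and "a,b" forms appear in the HijackThis backups above.
                rogue = [s for s in re.split(r"[ ,]+", data) if s and s not in allowed_dns]
                if rogue:
                    findings.append(Finding(key, name, data,
                                            "unexpected DNS server(s): " + ", ".join(rogue)))
            elif lname == "proxyserver" and data and not uses_proxy:
                findings.append(Finding(key, name, data, "proxy set on a machine that uses none"))
            elif ("\\mountpoints2\\" in lkey and lkey.endswith("\\command")
                  and RELATIVE_RUNDLL_RE.search(data)):
                owner = MOUNTPOINTS_RE.match(key)
                findings.append(Finding(owner.group(1) if owner else key, "", data,
                                        "autorun handler loads a relative DLL via rundll32",
                                        delete_key=True))
    return findings

def build_cleanup_reg(findings: list) -> str:
    """Write the removal .reg in the form posted above (merge it while offline)."""
    lines, seen = ["Windows Registry Editor Version 5.00", ""], set()
    for f in findings:
        entry = f"[-{f.key}]" if f.delete_key else f'[{f.key}]\n"{f.name}"=-'
        if entry not in seen:  # one volume may carry several flagged handlers
            seen.add(entry)
            lines += [entry, ""]
    return "\n".join(lines)

# Constructed sample in the format of the RegSrch.vbs and regedit exports posted in
# this thread; the DNS, proxy and MountPoints2 values are the ones named above, the
# router address 192.168.0.1 is made up.
SAMPLE_EXPORT = r"""REGEDIT4
; RegSrch.vbs (c) Bill James

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}]
"NameServer"="85.255.113.78 85.255.112.36"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}]
"NameServer"="85.255.113.78,85.255.112.36"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="192.168.0.1"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"="211.142.211.39:8080"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}\Shell\open\command]
@="rundll32.exe .\\desktop.dll,InstallM"
"""

if __name__ == "__main__":
    found = audit(parse_reg_export(SAMPLE_EXPORT), allowed_dns={"192.168.0.1"})
    for f in found:
        print(f"{f.reason}: {f.key} {f.name or '(key)'} = {f.value}")
    print(build_cleanup_reg(found))
```

Run it against the output of `regedit /e` (or the RegSrch.vbs file) and review the printed .reg before merging; an allowlist of the ISP's or router's real resolvers is what separates the rogue entries from legitimate ones.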
Thomas
28 Jun 2008, 10:45pm
:) Not a very good sequence there. Why not create the kubuntu.reg file first, then make the IE changes, shut your browser and disconnect from net access, and then Merge the kubuntu.reg with your Registry. Then follow the rest of the steps as posted please.
mavplz
29 Jun 2008, 12:44pm
I run IE very rarely; usually I use Mozilla Firefox. But I did like u wrote. I set a blank site, disconnected, ran this reg file, rebooted, connected again, and went straight to this page and ran DSS. Unfortunately the 85.xx.... log is still here. The problem is it appears with the act of connecting to the internet, not after opening a browser...
Thomas
29 Jun 2008, 4:10pm
Since you would recognize them by now, if you now run a Deckards scan and check the log, do those "currentversion\explorer\mountpoints2" registry keys all show at the bottom again? No need to post it - just check to see if both these changes get made on connection there and let me know.
mavplz
29 Jun 2008, 6:46pm
They are still there - both before and after connection.
Thomas
30 Jun 2008, 2:15am
Sheesh - in doing a web search related to info here I came across one of your other request threads, and only then really noticed your proxy settings reference.
Disconnect from net access as you have done (completely - disconnect the cable/phone line while doing the repairs to assure no hidden contact made).
Right click and Merge the kubuntu.reg you created.
Close all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis. I am assuming you do not use a proxy server in the People's Republic of China bound to your ports there.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
(The reg merge may have removed the DNS entry).
Then reboot into Safe Mode, locate the C:\SDFix folder and click the RunThis.bat again to start that scan. Follow the prompts and allow the reboot.
After the reboot run a new Deckards scan, same steps you have been using. No net access yet.
Reconnect to net access, and run a second Deckards scan, then post both of those (sorry but yes, more posting) and the SDFix report.txt log please.
mavplz
30 Jun 2008, 10:59am
I noticed that with disconnection both 211.xxx and 85.xxx logs disappear, so I didn't have to remove them.
SDFix: Version 1.199
Run by Administrator on 2008-06-30 at 11:45
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 11:49:44
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
"OODEFRAG10.00.00.01WORKSTATION"=".."
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"="C:\\Program Files\\BitSpirit\\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
Files with Hidden Attributes :
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09997411a62459b007c5b4c27727b812\BIT48.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1b4906af34b69bb3b3bff77c77c36269\BIT4D.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\238ea9fc36cfe91e6d8d2a057bf59e53\BIT53.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2ac354659614029836a3e6f43f478d68\BIT56.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\395a6b3cc3ef33ceb456d5772d320a49\BIT52.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3fb99568c483077faade564bf19fd5b1\BIT5E.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4982a61e2216973813f44f56425bf3d9\BIT4B.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\49de99a94f2b671fa314de00469bc9ee\BIT5D.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4a43476dc86b4dbe7da8acc0ef0e5c5f\BIT5C.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\504a292ad849178ad9c5188c7eecd6e6\BIT5F.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2D.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6adaf981e12b6d73d603b0b7cd1bd3b0\BIT58.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78670cbd6a90baaa408a8a72f52fdce2\BIT32.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\86e5b4dadbb28e067b72e96af284a2b0\BIT4E.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\90b64af20ec49650e48013f156470238\BIT50.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94af39a0130ee1aef6c5b5f008af01e9\BIT4C.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aff5d7c797f1e254b0042756b4877f70\BIT5B.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3785b22f905d6c0e99056e24099a0a7\BIT57.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b66e85416787cab176e98d4d637c4f81\BIT5A.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b8f841be0a4a9c344276ad0e6d2e6ef7\BIT49.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b9075ab76028414158858b84810726f9\BIT4F.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT35.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\becfb2439d7d5a97f7e2da7b1433c139\BIT51.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c6d686951b1308c6fd3d9343b47193cb\BIT4A.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3c4aebdee35f35b6bda63780eafaf85\BIT62.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edb846a7ab7add3b71d83f6a232086a3\BIT54.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edf69d5dc5cba73e15a467a90c9e07b0\BIT59.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ffdc7af41a0409dddb9ddefe4faf90de\BIT55.tmp"
Sat 17 Nov 2007 6,297 ...HR --- "C:\Documents and Settings\Administrator\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"
Finished!
mavplz
30 Jun 2008, 11:00am
Dss before connection:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-30 11:53:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:26, on 2008-06-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5196 bytes
-- Files created between 2008-05-30 and 2008-06-30 -----------------------------
2008-06-22 12:57:22 0 d-------- C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
-- Find3M Report ---------------------------------------------------------------
2008-06-24 15:19:22 0 d-------- C:\Program Files\kmp
2008-06-21 16:30:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d-------- C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 17:32:48 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-21 21:58:51 0 d-------- C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-30 11:53:57 ------------
And after:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-30 11:55:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis (run as Administrator.exe) ---------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:34, on 2008-06-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5213 bytes
-- Files created between 2008-05-30 and 2008-06-30 -----------------------------
2008-06-22 12:57:22 0 d-------- C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
-- Find3M Report ---------------------------------------------------------------
2008-06-24 15:19:22 0 d-------- C:\Program Files\kmp
2008-06-21 16:30:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d-------- C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d-------- C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
2008-05-22 17:32:48 0 d-------- C:\Program Files\Kaspersky Lab
2008-05-21 21:58:51 0 d-------- C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a------ C:\amt1
2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-30 11:55:52 ------------
Thomas
30 Jun 2008, 8:06pm
And no scans locate active infection. These are always showing there as running processes:
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
They all need to be completely disabled from any activity whatsoever. AdMuncher has functions to block change, and I suspect if connected may undo change made - here we are discussing positive change. If necessary uninstall it to remove it from the equation - you can reinstall it later if you choose. And if any of those are not from the vendor's own source, uninstall any like that now as well. Then redo the cleaning steps as before, and check after net access. Though I do not often suggest it, just let me know if you see the same DNS bad setting and mountpoints return for now - no need to post the same logs again yet.
GG is a well-known Polish messenger, RocketDock is something like the Windows Vista top panel, all these apps are from legal sources. But I unchecked autorun in GG, RD and AdMuncher so during all scans they were closed. I have repeated all steps from your previous post and the reports are exactly the same. These mountpoints logs are still there. Sorry, but I don't know where I can check the "DNS bad setting"?
One more thing: during the RunThis.bat scan, between 25 and 50%, a message like this appeared twice for a few seconds (it was in Polish so in English it may sound a bit different): "FINDSTR: Can not read from the list of files TextPatched3.txt". But the scan completed successfully. Btw after the first scan of RunThis.bat there is a reboot, and then the next scan. My question is: after the reboot should the system be run in safe or normal mode? I ran it in normal mode.
Thomas
1 Jul 2008, 10:07pm
I can't be sure what SDFix had trouble reading - it can be creating its own temp files in the process. We should surely look though.
The programs themselves are not necessarily suspect, and if you know their sources, even better. At least AdMuncher has the abilities to block and undo, so it needs to be out of the way.
The bad DNS settings are the "85.255.113.78 85.255.112.36" O17 items that show again in HijackThis after you make a net connection. Since malware has changed them on rare occasions, do you use a router there?
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\patched*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
Like after the first scan by cmd, a message appeared: "The file hasn't been found", and in Notepad there are only 2 lines:
Volume in drive C has no label
Serial number of volume: 787A-D614
You didn't say about the router - unfortunately if a router with a poor password is involved, and one specific and bad idea malware as well, slim chance your router firmware settings have been altered.
Download Dr.Web CureIt! from here to your Desktop.
When you have done this, boot into safe mode (restart your computer and tap F8 continuously as it restarts)
Doubleclick the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen. Click the green arrow > to the right and the scan will begin. At the first sign of infection, Select 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.
Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.
Close CureIt and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later but for now, just close the popup and wait for the scan to finish).
Please post the log in this thread.
I downloaded the Polish version of DrWeb so I should give a little lesson in my language:
- Usunięty = Deleted
- Przeniesiony = Moved
- Archiwum zawierające zainfekowane obiekty = The archive contains infected objects
- Niewyleczalny = Incurable
- Prawdopodobnie = Probably
stream023\livesrv.exe;C:\WINDOWS\Installer\2536ea.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\WINDOWS\Installer\2536ea.msi;Archiwum zawierające zainfekowane obiekty;;
2536ea.msi;C:\WINDOWS\Installer;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0256206.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP435;Trojan.KeyLogger.origin;Niewyleczalny.Przeniesiony.;
A0256209.exe\InstallUpdate.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP435\A0256209.exe;Trojan.KeyLogger.origin;;
A0256209.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP435;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0256219.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP436;Trojan.KeyLogger.origin;Niewyleczalny.Przeniesiony.;
A0256589.exe\InstallUpdate.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP436\A0256589.exe;Trojan.KeyLogger.origin;;
A0256589.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP436;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0267002.dll;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP469;Adware.SearchAid.40;Przeniesiony.;
A0267040.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP470;Trojan.StartPage.1505;Usunięty.;
A0267277.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP470;Trojan.StartPage.1505;Usunięty.;
A0267362.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP471;Trojan.StartPage.1505;Usunięty.;
A0267600.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP471;Trojan.StartPage.1505;Usunięty.;
A0267689.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP471;Trojan.StartPage.1505;Usunięty.;
A0267762.EXE;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP472;Program.PsExec.170;Przeniesiony.;
A0267772.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP472;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0267950.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0267957.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473\A0267957.exe;Prawdopodobnie SCRIPT.Virus;;
A0267957.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473\A0267957.exe;Program.PsExec.171;;
A0267957.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0267983.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Trojan.StartPage.1505;Usunięty.;
A0268288.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0269379.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP476;Trojan.StartPage.1505;Usunięty.;
A0269502.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP478;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0272239.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP485;Prawdopodobnie DLOADER.Trojan;Przeniesiony.;
stream023\livesrv.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP495\A0272990.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP495\A0272990.msi;Archiwum zawierające zainfekowane obiekty;;
A0272990.msi;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP495;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0273534.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497\A0273534.exe;Tool.Prockill;;
A0273534.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0274708.exe\keygen.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497\A0274708.exe;Trojan.DownLoader.55602;;
A0274708.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0274749.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497;Tool.Prockill;Przeniesiony.;
A0278493.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278494.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278495.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278496.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Tool.Prockill;Przeniesiony.;
A0278497.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278497.exe;Tool.Prockill;;
A0278497.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0278498.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;Tool.Prockill;;
A0278498.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;Tool.ShutDown.11;;
A0278498.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0278499.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278500.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278501.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278502.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278546.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278546.exe;Prawdopodobnie SCRIPT.Virus;;
A0278546.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278546.exe;Program.PsExec.171;;
A0278546.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0278550.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Tool.Prockill;Przeniesiony.;
A0278551.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Tool.ShutDown.11;Przeniesiony.;
A0278552.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Program.Tcpip;Przeniesiony.;
stream023\livesrv.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP505\A0278640.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP505\A0278640.msi;Archiwum zawierające zainfekowane obiekty;;
A0278640.msi;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP505;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
stream023\livesrv.exe;C:\WINDOWS\Installer\2536ea.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\WINDOWS\Installer\2536ea.msi;Archiwum zawierające zainfekowane obiekty;;
2536ea.msi;C:\WINDOWS\Installer;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
404Fix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.C.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Usunięty.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Niewyleczalny.Usunięty.;
HLGL 3.exe;C:\Documents and Settings\Administrator\Moje dokumenty\Moje obrazy\zielona szkoła\HLGL 3;Trojan.MulDrop.origin;Niewyleczalny.Przeniesiony.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Administrator\Pulpit\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Administrator\Pulpit;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Downloads\różne\1\apteczka\ComboFix.exe;Prawdopodobnie SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Downloads\różne\1\apteczka\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Downloads\różne\1\apteczka;Archiwum zawierające zainfekowane obiekty;;
SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\GenericRenosFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.C.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Downloads\różne\1\apteczka;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
404Fix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
GenericRenosFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.C.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
Process.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;Tool.ShutDown.11;;
Btw I tried a scan by Hijack and my favourite log is still there.
PS: Somebody told me I should use Ashampoo AntiSpyWare, do you think it's worth it?
I am traveling until tomorrow so can only check in from a borrowed connection right now (so can only do some limited work for the moment).
I can sorta see in the Dr. Web log the infection, but in all honesty it is too backwards to work with (file, path, name and Polish language action). The keygen.exe System Restore find suggests the original infection source, so again if there is any installed software from the wrong source it needs to be gone from that system.
I see now in the SDFix log the constant BIT binary info transfers occurring there, like this one:
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09997411a62459b007c5b4c27727b812\BIT48 .tmp"
A likely source of the recurring infection, so something still installed there has an active backdoor.
I appreciate your translation portion, but for now suggest you go ahead and have Dr. Web remove everything it found. This will include its usual mistaken identity of our tools, but we can replace those handily. And perhaps some BitDefender installer files. But I can only do some quick checking here, so for now removing all will be fine. I will get back with you tomorrow and do some more detailed work.
I am back from my travels. The Dr Web log is tough - the logs place the file before the path. But as a guess I sense most of it is referring to a BitDefender install (liveserve.exe) and some of our tools we use. But the keygen is a reality, as far as undesirable and suggesting bad installed software:
A0274708.exe\keygen.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497\A0274708.exe;Trojan.DownLoader.55602;;
As I have been implying, if we are going back and forth in repairs, yet there remains there software from an unauthorized source, we will get nowhere. I have to be forward in these types of suggestions, as too many of the requests we get are related to the use of illegal software initially.
This is also an unknown - looks like related to a Half Life game, but Dr. Web suggests it included infection bundled with it:
HLGL 3.exe;C:\Documents and Settings\Administrator\Moje dokumenty\Moje obrazy\zielona szkoła\HLGL 3;Trojan.MulDrop.origin;Niewyleczalny.Przeniesiony.;
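Thomas's point above, that the Dr.Web report puts the file before its path and uses Polish action words, is the kind of thing a small script fixes. The one below is an added example, not from the thread or from Dr.Web: it rebuilds each record path-first, applies the glossary mavplz posted, and lists reported files that are still on disk with no action taken; its sample input is constructed from a few lines of the posted report.

```python
"""Path-first view of a Dr.Web CureIt! report (added example, not Dr.Web's code).

The posted report lists object;directory;detection;action; per line, children
of an archive before the archive itself, with Polish action words. This puts
the full path first, translates with the glossary mavplz posted, and separates
files still live on disk from System Restore copies.
"""
from collections import Counter

# Glossary as posted in the thread (Polish -> English).
GLOSSARY = {
    "Usunięty": "Deleted",
    "Przeniesiony": "Moved",
    "Niewyleczalny": "Incurable",
    "Prawdopodobnie": "Probably",
    "Archiwum zawierające zainfekowane obiekty": "Archive containing infected objects",
}

# Constructed sample in the posted format: a handful of lines taken from the thread's log.
SAMPLE_REPORT = r"""
stream023\livesrv.exe;C:\WINDOWS\Installer\2536ea.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\WINDOWS\Installer\2536ea.msi;Archiwum zawierające zainfekowane obiekty;;
2536ea.msi;C:\WINDOWS\Installer;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0274708.exe\keygen.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497\A0274708.exe;Trojan.DownLoader.55602;;
A0274708.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
HLGL 3.exe;C:\Documents and Settings\Administrator\Moje dokumenty\Moje obrazy\zielona szkoła\HLGL 3;Trojan.MulDrop.origin;Niewyleczalny.Przeniesiony.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Niewyleczalny.Usunięty.;
Process.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;Tool.Prockill;;
"""

RESTORE_MARKER = r"\system volume information\_restore"


def translate(text):
    """Replace the Polish phrases Dr.Web uses; anything else is left as-is."""
    for pl, en in GLOSSARY.items():
        text = text.replace(pl, en)
    return text


def parse_report(text):
    """Parse report lines into dicts with the full path reconstructed."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        obj, directory, detection, action = (fields + [""] * 4)[:4]
        # The object field is relative to its container; join its last component
        # onto the directory field to get one absolute path.
        full_path = directory + "\\" + obj.rsplit("\\", 1)[-1]
        rows.append((full_path, directory, detection, action))
    # A record is nested if its directory is itself a reported object (an archive,
    # an MSI, a stream); Dr.Web acts on the container, so the child shows no action.
    known_paths = {path for path, _, _, _ in rows}
    records = []
    for full_path, directory, detection, action in rows:
        records.append({
            "path": full_path,
            "detection": translate(detection),
            "actions": [translate(a) for a in action.split(".") if a],
            "nested": directory in known_paths,
            "in_restore": RESTORE_MARKER in full_path.lower(),
        })
    return records


def describe_action(record):
    """Human-readable action column, flagging top-level files nothing was done to."""
    if record["actions"]:
        return ", ".join(record["actions"])
    return "no action (parent archive handled)" if record["nested"] else "NO ACTION"


def path_first_lines(records):
    """One readable line per record: path | detection | action."""
    return [f'{r["path"]} | {r["detection"]} | {describe_action(r)}' for r in records]


def still_on_disk(records):
    """Top-level files outside System Restore that were reported but not moved or deleted."""
    return [r["path"] for r in records
            if not r["nested"] and not r["in_restore"] and not r["actions"]]


def detection_counts(records):
    """How often each detection name occurs, to spot the recurring family."""
    return Counter(r["detection"] for r in records)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print("\n".join(path_first_lines(recs)))
    print("\nReported but still on disk, no action taken:")
    for path in still_on_disk(recs):
        print("  " + path)
    print("\nDetections:", dict(detection_counts(recs)))
```

Run against the full DrWeb.csv, the still_on_disk list is the set worth checking by hand, since System Restore copies are inert until a restore is actually done.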
mavplz
7 Jul 2008, 10:28am
Ok, I removed unauthorized software installed in the last months. However I must admit I still have one or more unauthorized apps, but I have been using them for a long time (also on my old systems) and they never caused any problems, so I believe these apps are not the infection source.
I don't have the HL game installed but I have a legal Counter-Strike, which I play online on authorized Steam servers, so this HL file comes from it for sure and I don't know why it's infected.
I made a Hijack scan a few times since my previous reply, and sometimes I can see that this proxy server log appears again. Then I do completely nothing and it disappears by itself...
Do you have any ideas what more I can do? Maybe I should try some other anti-spyware app that could cure it or localize the infection source?
Btw how can I remove these files found by DrWeb? Should I make a scan again?
Thomas
8 Jul 2008, 12:17am
You have Kaspersky, and just used Dr. Web, among the good few we have already run there, so the system has had many apps assess things so far. One issue with the use of unauthorized software is it does run contrary to Icrontic forum rules - assistance ends if those become known or show in logs. As you so far only indicate your view of what "unauthorized" is I am not pushing that much further at this time. However, in that same frame of thought, I expect ALL illegal software I do not know is there is also actually not there after you read this. Or the steps are done to make that so. If not, I am not interested in continuing here. I hope that made sense.
Most of what Dr. Web found it quarantined or deleted, and others that are just mistaken identity for tools we use it just shows as suspect, so not seeing any bad items left from it. Resetting the System Restore would remove any remnants there, though these are harmless unless an actual Restore is done.
In again weeding back through the logs posted, I see a worm startup item you removed with HijackThis that the logs do not account for, as far as an actual deletion or change.
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\mstmdm*.*" > c:\find3.txt & start notepad c:\find3.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
----------------------------
Open Bobbi Flekman's Regsearch again. In the display panel, copy and paste the following into the upper box:
6B244BC7-1D9D-4B40-8243-D90107A30880
Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).
I recall we used it - but if we did not, here (http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip) is the download for the Regsearch.zip to unzip and use now.
Like after the two previous scans, the cmd.exe report shows:
Volume in drive C has no label
Serial number of volume: 787A-D614
Maybe this command should be different in Polish system?
RegSearch log:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 2008-07-08 08:43:35 for strings:
; '6b244bc7-1d9d-4b40-8243-d90107a30880'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...
Thomas
9 Jul 2008, 11:16am
At some point recently you ran ComboFix there - see if the log from that, C:\ComboFix.txt, still is there, and if so post that please.
ComboFix 08-07-08.7 - Administrator 2008-07-09 14:05:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1680 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.
2008-07-03 09:48 . 2008-07-03 09:56 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-06-30 22:40 . 2008-06-30 22:40 <DIR> d-------- C:\Program Files\OE-Mail Recovery
2008-06-30 20:48 . 2008-06-30 20:48 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2008-06-30 11:39 . 2008-07-01 18:34 <DIR> d-------- C:\SDFix
2008-06-22 12:57 . 2008-06-22 12:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-21 10:18 . 2008-06-21 13:30 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-20 16:59 . 2008-07-07 12:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 16:59 . 2008-06-20 16:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 08:22 . 2008-06-20 08:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 13:16 . 2008-06-18 13:16 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-18 13:15 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-18 13:15 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-18 13:15 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:10 . 2008-06-18 13:10 <DIR> d-------- C:\Deckard
2008-06-17 12:43 . 2008-06-17 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-06-17 11:40 . 2008-06-17 11:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 11:40 . 2008-06-17 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-06-17 11:40 . 2008-06-17 11:40 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-17 11:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 11:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 12:55 . 2008-06-16 14:10 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-06-16 12:42 . 2008-06-16 12:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-16 12:42 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-15 16:18 . 2008-06-15 16:21 535 --a------ C:\WINDOWS\wininit.ini
2008-06-15 16:01 . 2008-06-16 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-15 14:57 . 2008-06-18 21:10 <DIR> d-------- C:\fixwareout
2008-06-15 12:25 . 2008-06-15 12:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 16:16 . 2008-06-15 21:15 <DIR> d-------- C:\Program Files\Free Download Manager
2008-06-11 16:16 . 2008-06-11 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\FreeDownloadManager.ORG
2008-06-11 16:16 . 2008-06-11 16:17 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 20:45 136,888 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-08 20:45 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-07 16:22 --------- d-----w C:\Program Files\AutoConnect
2008-07-07 07:05 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-06-24 13:19 --------- d-----w C:\Program Files\kmp
2008-06-21 14:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 14:11 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-20 19:52 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-06-20 19:52 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-06-20 19:52 22,328 ----a-w C:\Documents and Settings\Administrator\Dane aplikacji\PnkBstrK.sys
2008-06-20 19:30 --------- d-----w C:\Program Files\Electronic Arts
2008-06-15 13:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-06-15 11:47 --------- d-----w C:\Program Files\FlashGet
2008-06-07 18:06 --------- d-----w C:\Program Files\Ad Muncher
2008-06-06 19:57 --------- d-----w C:\Program Files\Soulseek
2008-05-22 15:32 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-21 19:58 --------- d-----w C:\Program Files\CD Catalog Expert
2008-05-17 16:29 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 16:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ubisoft
2008-05-17 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 16:02 --------- d-----w C:\Program Files\Ubisoft
2008-05-10 19:11 --------- d-----w C:\Program Files\Dziobas Rar Player
2008-04-30 15:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-01-25 17:37 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2001-02-23 17:22 299,008 ----a-w C:\Program Files\bestplayer1.0.exe
.
------- Sigcheck -------
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2001-08-18 08:24 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2001-08-18 08:24 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\SoftwareDistribution\Download\43ab4310d3c682d7f669ad4db86a272d\backup\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29 2119104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 577536 C:\WINDOWS\soundman.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-03 05:46 13529088 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-03 05:46 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
--a------ 2006-10-04 16:41 86016 C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\Trayserver.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-03 05:46 1630208 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
R0 ALLOW-IO;ALLOW-IO;C:\WINDOWS\system32\Drivers\ALLOW-IO.sys [2005-06-21 16:47]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-24 14:39]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-zoneLINK MultiCore Optimizer - C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe
MSConfigStartUp-FrameWork 2 - FrameWork.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 14:07:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-09 14:08:11
ComboFix-quarantined-files.txt 2008-07-09 12:08:07
ComboFix2.txt 2008-06-15 18:07:46
Pre-Run: 100,144,889,856 bajtów wolnych
Post-Run: 100,235,923,456 bajtów wolnych
193
No, I wasn't looking for you to run ComboFix; I was looking for the previous run's log. It would be renamed now, so post this one instead:
ComboFix2.txt 2008-06-15 18:07:46
Actually, I haven't done a scan with ComboFix previously...
Thomas
10 Jul 2008, 12:13am
Go ahead and post the C:\ComboFix2.txt log, and let's take a look at that.
mavplz
10 Jul 2008, 8:38am
I don't have the ComboFix2.txt log, only the log I posted, which is ComboFix.txt.
Thomas
10 Jul 2008, 5:51pm
You have me scratching my head, but the older information just might be helpful. See if you can locate this file, created June 15, in a search:
Completion time: 2008-07-09 14:08:11
ComboFix-quarantined-files.txt 2008-07-09 12:08:07
ComboFix2.txt 2008-06-15 18:07:46 <--------
mavplz
10 Jul 2008, 7:04pm
I've got it; I feel stupid that it didn't enter my head to use search...
It was in C:\QooBox\
ComboFix 08-06-12.2 - Administrator 2008-06-15 20:01:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1649 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\Fonts\CALIBRIB.TTF
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_NPF
((((((((((((((((((((((((( Files Created from 2008-05-15 to 2008-06-15 )))))))))))))))))))))))))))))))
.
2008-06-15 16:18 . 2008-06-15 16:21 535 --a------ C:\WINDOWS\wininit.ini
2008-06-15 16:01 . 2008-06-15 17:34 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-15 16:01 . 2008-06-15 17:34 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-15 15:55 . 2008-06-15 15:55 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-15 14:57 . 2008-06-15 17:34 <DIR> d-------- C:\fixwareout
2008-06-15 12:25 . 2008-06-15 12:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 16:16 . 2008-06-15 19:36 <DIR> d-------- C:\Program Files\Free Download Manager
2008-06-11 16:16 . 2008-06-11 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\FreeDownloadManager.ORG
2008-06-11 16:16 . 2008-06-11 16:17 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-07 20:09 . 2008-06-15 13:42 <DIR> d-------- C:\Program Files\AutoConnect
2008-06-07 20:04 . 2008-06-07 20:06 <DIR> d-------- C:\Program Files\Ad Muncher
2008-06-07 19:11 . 2008-06-07 20:11 <DIR> d-------- C:\Program Files\uTorrent
2008-05-23 18:19 . 2008-06-11 16:09 <DIR> d-------- C:\Program Files\GetRight
2008-05-23 18:00 . 2008-06-07 20:09 <DIR> d-------- C:\Program Files\Microsoft Bootvis
2008-05-23 17:52 . 2008-06-07 20:10 <DIR> d-------- C:\Program Files\SiSoftware
2008-05-22 21:22 . 2008-06-15 20:04 141,747 --a------ C:\WINDOWS\system32\oodbs.lor
2008-05-22 21:13 . 2008-05-22 21:20 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-05-22 21:12 . 2008-05-22 21:12 0 --a------ C:\WINDOWS\oodcnt.INI
2008-05-22 21:10 . 2008-05-22 21:10 <DIR> d-------- C:\WINDOWS\system32\oodag
2008-05-22 21:09 . 2008-05-22 21:09 <DIR> d-------- C:\Program Files\OO Software
2008-05-22 20:09 . 2008-05-22 20:09 <DIR> d-------- C:\Program Files\CCleaner
2008-05-22 17:28 . 2008-02-07 17:10 <DIR> d--h----- C:\ckis
2008-05-22 16:35 . 2008-05-22 17:32 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-05-22 16:35 . 2008-06-15 20:04 7,555,104 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-22 16:35 . 2008-06-15 20:04 232,480 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-05-22 16:35 . 2008-06-15 20:03 103,280 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-22 16:35 . 2008-06-15 12:10 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-05-22 16:35 . 2008-06-15 12:10 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-05-22 16:35 . 2008-06-15 20:03 22,820 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-05-22 16:34 . 2008-05-22 16:34 <DIR> d-------- C:\kav
2008-05-21 23:41 . 2008-05-22 21:54 <DIR> d-------- C:\Program Files\kmp
2008-05-21 22:57 . 2005-04-05 21:22 261,888 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2008-05-21 22:57 . 2005-04-05 21:22 208,256 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2008-05-21 22:57 . 2005-04-05 21:19 201,728 -ra------ C:\WINDOWS\system32\fdco1.dll
2008-05-21 22:57 . 2005-04-04 12:59 176,128 --a------ C:\WINDOWS\system32\nvunrm.exe
2008-05-21 22:57 . 2005-04-05 21:22 33,536 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2008-05-21 22:57 . 2005-04-04 13:00 32,256 -ra------ C:\WINDOWS\system32\nvconrm.dll
2008-05-21 22:57 . 2005-04-05 21:22 12,928 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2008-05-21 22:57 . 2005-04-05 21:19 9,728 -ra------ C:\WINDOWS\system32\bdco1.dll
2008-05-21 22:57 . 2005-02-08 08:26 3,596 --a------ C:\WINDOWS\system32\nvnrm.nvu
2008-05-21 22:48 . 2008-05-21 23:02 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-21 21:58 . 2008-05-21 21:58 <DIR> d-------- C:\Program Files\CD Catalog Expert
2008-05-17 18:29 . 2008-05-17 18:29 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:09 . 2008-05-17 18:09 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Ubisoft
2008-05-17 18:09 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-05-17 18:09 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-05-17 18:09 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-05-17 18:09 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-05-17 18:02 . 2008-05-17 18:02 <DIR> d-------- C:\Program Files\Ubisoft
2008-05-17 16:45 . 2008-06-12 18:10 <DIR> d-------- C:\AC
2008-05-17 16:44 . 2008-05-17 16:44 <DIR> d--hs---- C:\$RECYCLE.BIN
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-15 17:37 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-06-15 15:45 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-15 15:34 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 13:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-06-15 13:08 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-15 11:47 --------- d-----w C:\Program Files\FlashGet
2008-06-15 10:10 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-06 19:57 --------- d-----w C:\Program Files\Soulseek
2008-05-17 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-10 19:11 --------- d-----w C:\Program Files\Dziobas Rar Player
2008-05-07 18:36 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 18:16 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\SolidDocuments
2008-05-05 19:12 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 03:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-04-30 16:37 --------- d-----w C:\Program Files\Medieval Software
2008-04-30 16:05 --------- d-----w C:\Program Files\Electronic Arts
2008-04-30 15:59 --------- d-----w C:\Program Files\Easy CD-DA Extractor 11
2008-04-29 09:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 09:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 09:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-19 17:13 --------- d-----w C:\Program Files\Audacity
2008-04-16 18:14 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Juce VST Host
2008-01-25 17:37 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2007-12-16 19:34 22,328 ----a-w C:\Documents and Settings\Administrator\Dane aplikacji\PnkBstrK.sys
2001-02-23 17:22 299,008 ----a-w C:\Program Files\bestplayer1.0.exe
.
------- Sigcheck -------
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2001-08-18 08:24 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2001-08-18 08:24 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\SoftwareDistribution\Download\43ab4310d3c682d7f669ad4db86a272d\backup\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29 2119104]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58 495616]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 577536 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48 779776]
"C:\WINDOWS\system32\kdtnn.exe"="C:\WINDOWS\system32\kdtnn.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
WMI Standard Event Consumer - Scripting REG_SZ C:\WINDOWS\system32\wbem\scrcons32.exe
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-03 05:46 13529088 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-03 05:46 86016 C:\WINDOWS\System32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-03 05:46 1630208 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
--a------ 2006-10-04 16:41 86016 C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
R0 ALLOW-IO;ALLOW-IO;C:\WINDOWS\system32\Drivers\ALLOW-IO.sys [2005-06-21 16:47]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-24 14:39]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 20:04:56
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-15 20:07:45 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-15 18:07:40
Pre-Run: 76,963,004,416 bajtów wolnych
Post-Run: 77,246,656,512 bajtów wolnych
240
Quarantined files:
2005-12-19 12:28 243132 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Fonts\CALIBRIB.TTF.vir
2008-06-15 20:02 276 --a------ C:\Qoobox\Quarantine\Registry_backups\Legacy_NPF.reg.dat
2008-07-09 14:07 108 --a------ C:\Qoobox\Quarantine\catchme.log
2008-07-09 14:07 137793 --a------ C:\Qoobox\Quarantine\catchme2008-07-09_140725.06.zip
2008-07-09 14:08 540 --a------ C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-FrameWork 2.reg.dat
2008-07-09 14:08 726 --a------ C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-zoneLINK MultiCore Optimizer.reg.dat
Thomas
10 Jul 2008, 10:32pm
A few things to check, but I would also like to see what was removed as well.
Go here (http://www.thespykiller.co.uk/index.php?board=1.0), press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.
C:\Qoobox\Quarantine\catchme2008-07-09_140725.06.zip
You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
mavplz
11 Jul 2008, 7:48am
http://thespykiller.co.uk/index.php/topic,6739.new.html#new?PHPSESSID=604f73160be0b596eaea849d5463f35d
Thomas
11 Jul 2008, 11:23am
File received, thanks. Just a copy of Catchme itself inside though. Let's check against the older info now in the ComboFix log. I suspect for now issues related to the many services you have disabled in msconfig possibly involved, but I have had many "suspects" so far here.
Go to the C:\SDFix folder, and again click on the RunThis.bat file.
When the display opens, select "B" (Create Service/Driver List) and allow the scan to complete. When it does, a textbox will open; copy/paste those contents back here (this will also be located at C:\SDFix\Service Driver.txt).
mavplz
11 Jul 2008, 2:37pm
Unfortunately it's in the Polish language, so if you would like to translate something, please let me know. You may need this: sterownik = drivers
Service/Driver List:
*******************
Run on 2008-07-11 at 15:33
Microsoft Windows XP [Wersja 5.1.2600]
Drivers:
SERVICE_NAME: ACPI
DISPLAY_NAME: Sterownik Microsoft ACPI
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: adiusbaw
DISPLAY_NAME: USB ADSL WAN Adapter
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: AFD
DISPLAY_NAME:
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: ALCXWDM
DISPLAY_NAME: Service for Realtek AC97 Audio (WDM)
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: ALLOW-IO
DISPLAY_NAME: ALLOW-IO
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: AmdK8
DISPLAY_NAME: Sterownik procesora AMD
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: ASPI32
DISPLAY_NAME: ASPI32
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: atapi
DISPLAY_NAME: Standardowy kontroler dysku twardego IDE/ESDI
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: atksgt
DISPLAY_NAME: atksgt
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: audstub
DISPLAY_NAME: Sterownik Audio Stub
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Beep
DISPLAY_NAME: Beep
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Cdfs
DISPLAY_NAME: Cdfs
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Cdrom
DISPLAY_NAME: Sterownik stacji dysków CD-ROM
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Disk
DISPLAY_NAME: Sterownik dysku
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: dmio
DISPLAY_NAME: Sterownik Mened
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: dmload
DISPLAY_NAME: dmload
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Fdc
DISPLAY_NAME: Sterownik kontrolera stacji dyskietek
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Fips
DISPLAY_NAME: Fips
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: FltMgr
DISPLAY_NAME: FltMgr
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Ftdisk
DISPLAY_NAME: Sterownik Mened
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Gpc
DISPLAY_NAME: Rodzajowy klasyfikator pakietu
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: HidUsb
DISPLAY_NAME: Sterownik Microsoft klasy HID
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: i8042prt
DISPLAY_NAME: Sterownik portu klawiatury i8042 i myszy PS/2
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: imagedrv
DISPLAY_NAME: imagedrv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: imagesrv
DISPLAY_NAME: imagesrv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Imapi
DISPLAY_NAME: Sterownik filtru nagrywania dysków CD
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: IpNat
DISPLAY_NAME: Translator adresów sieciowych IP
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: IPSec
DISPLAY_NAME: Sterownik IPSEC
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: isapnp
DISPLAY_NAME: Sterownik PnP magistrali ISA/EISA
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Kbdclass
DISPLAY_NAME: Sterownik klasy klawiatury
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: kmixer
DISPLAY_NAME: Microsoft Kernel Wave Audio Mixer
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: KSecDD
DISPLAY_NAME: KSecDD
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: lirsgt
DISPLAY_NAME: lirsgt
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: mnmdd
DISPLAY_NAME: mnmdd
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Mouclass
DISPLAY_NAME: Sterownik klasy myszy
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: mouhid
DISPLAY_NAME: Sterownik myszy HID
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: MountMgr
DISPLAY_NAME: Mened
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: MRxSmb
DISPLAY_NAME: MRxSmb
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Msfs
DISPLAY_NAME: Msfs
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: mssmbios
DISPLAY_NAME: Sterownik BIOS zarz
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Mup
DISPLAY_NAME: Mup
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: NDIS
DISPLAY_NAME: Sterownik systemu NDIS
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: NdisTapi
DISPLAY_NAME: Sterownik us
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Ndisuio
DISPLAY_NAME: Protokó
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: NdisWan
DISPLAY_NAME: Sterownik us
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: NDProxy
DISPLAY_NAME: Serwer proxy NDIS
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: NetBIOS
DISPLAY_NAME: Interfejs NetBIOS
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: NetBT
DISPLAY_NAME: NetBios przez TCP/IP
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Npfs
DISPLAY_NAME: Npfs
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Ntfs
DISPLAY_NAME: Ntfs
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Null
DISPLAY_NAME: Null
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: nv
DISPLAY_NAME: nv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: nvnetbus
DISPLAY_NAME: NVIDIA Network Bus Enumerator
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: PartMgr
DISPLAY_NAME: Mened
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: PCI
DISPLAY_NAME: Sterownik magistrali PCI
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: PCIIde
DISPLAY_NAME: PCIIde
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: PptpMiniport
DISPLAY_NAME: WAN Miniport (PPTP)
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: PSched
DISPLAY_NAME: Harmonogram pakietów QoS
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Ptilink
DISPLAY_NAME: Sterownik bezpo
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: PxHelp20
DISPLAY_NAME: PxHelp20
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: RasAcd
DISPLAY_NAME: Sterownik automatycznego po
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Rasl2tp
DISPLAY_NAME: WAN Miniport (L2TP)
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: RasPppoe
DISPLAY_NAME: Sterownik us
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Raspti
DISPLAY_NAME: Bezpo
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Rdbss
DISPLAY_NAME: Rdbss
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: RDPCDD
DISPLAY_NAME: RDPCDD
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: rdpdr
DISPLAY_NAME: Sterownik przekierowania urz
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: redbook
DISPLAY_NAME: Sterownik filtru odtwarzania audio cyfrowych dysków CD
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: SCDEmu
DISPLAY_NAME: SCDEmu
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Secdrv
DISPLAY_NAME: Secdrv
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: sptd
DISPLAY_NAME: sptd
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: sr
DISPLAY_NAME: Sterownik filtru Przywracania systemu
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Srv
DISPLAY_NAME: Srv
TYPE : 2 FILE_SYSTEM_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: swenum
DISPLAY_NAME: Sterownik magistrali programowej
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: sysaudio
DISPLAY_NAME: Urz
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Tcpip
DISPLAY_NAME: Sterownik protoko
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: TermDD
DISPLAY_NAME: Sterownik urz
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Update
DISPLAY_NAME: Sterownik Microcode Update
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: usbehci
DISPLAY_NAME: Sterownik Miniport rozszerzonego kontrolera hosta USB 2.0 Microsoft
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: usbhub
DISPLAY_NAME: Koncentrator z obs
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: usbohci
DISPLAY_NAME: Sterownik Miniport otwartego kontrolera hosta USB Microsoft
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: usbprint
DISPLAY_NAME: Klasa PRINTER USB Microsoft
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: VgaSave
DISPLAY_NAME: Kontroler ekranu VGA.
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: VolSnap
DISPLAY_NAME: VolSnap
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Wanarp
DISPLAY_NAME: Sterownik us
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: wdmaud
DISPLAY_NAME: Sterownik zgodno
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
Services:
SERVICE_NAME: Adobe LM Service
AdobeLM Service
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : "C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe"
DISPLAY_NAME : Adobe LM Service
SERVICE_NAME: Alerter
Powiadamia wybranych użytkowników i komputery o alertach administracyjnych. Jeśli ta usługa zostanie zatrzymana, programy korzystające z alertów administracyjnych nie będą ich odbierać. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
DISPLAY_NAME : Urządzenie alarmowe
SERVICE_NAME: ALG
Zapewnia obsługę dodatków protokołów innych firm dla Udostępniania połączenia internetowego i Zapory systemu Windows.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
DISPLAY_NAME : Usługa bramy warstwy aplikacji
SERVICE_NAME: AppMgmt
Zapewnia usługi związane z instalacją oprogramowania, takie jak Przypisz, Opublikuj i Usuń.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Zarządzanie aplikacjami
SERVICE_NAME: aspnet_state
„Zapewnia obsługę pozaprocesowych stanów sesji platformy ASP.NET. Jeśli ta usługa zostanie zatrzymana, żądania pozaprocesowe nie zostaną przetworzone. Jeśli usługa zostanie wyłączona, żadna jawnie zależna od niej usługa nie zostanie uruchomiona.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
DISPLAY_NAME : „Usługa stanu ASP.NET
SERVICE_NAME: AudioSrv
Zarządza urządzeniami audio dla programów dla systemu Windows. Jeśli ta usługa zostanie zatrzymana, urządzenia audio i efekty nie będą działały właściwie. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Windows Audio
SERVICE_NAME: BITS
Przesyła pliki w tle przy użyciu niewykorzystanej przepustowości sieci. Jeśli ta usługa zostanie zatrzymana, funkcje takie jak Windows Update i MSN Explorer nie będą mogły automatycznie pobierać programów i innych informacji. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne mogą przestać przesyłać pliki, jeśli nie mają mechanizmu obsługi awarii dla przesyłania plików za pomocą programu IE w przypadku, gdy wyłączono BITS.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Usługa inteligentnego transferu w tle
SERVICE_NAME: Browser
Utrzymuje aktualną listę komputerów w sieci i dostarcza ją do komputerów wyznaczonych jako przeglądarki. Jeśli ta usługa zostanie zatrzymana, lista nie będzie aktualizowana ani zachowywana. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Przeglądarka komputera
SERVICE_NAME: cisvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
DISPLAY_NAME : Indexing Service
SERVICE_NAME: ClipSrv
Umożliwia Podglądowi Wieloschowka przechowywanie informacji i udostępnianie ich komputerom zdalnym. Jeśli ta usługa zostanie zatrzymana, Podgląd Wieloschowka nie będzie udostępniał informacji komputerom zdalnym. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
DISPLAY_NAME : ClipBook
SERVICE_NAME: clr_optimization_v2.0.50727_32
Microsoft .NET Framework NGEN
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
DISPLAY_NAME : .NET Runtime Optimization Service v2.0.50727_X86
SERVICE_NAME: COMSysApp
Zarządza konfiguracją i śledzeniem składników opartych na modelu Component Object Model (COM)+. Jeżeli usługa zostanie zatrzymana, większość składników opartych na modelu COM+ nie będzie działać właściwie. Jeżeli usługa ta zostanie wyłączona, wszystkie usługi od niej zależne nie będą mogły zostać uruchomione.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
DISPLAY_NAME : Aplikacja systemowa modelu COM+
SERVICE_NAME: CryptSvc
Zapewnia trzy usługi zarządzania: Usługę bazy danych wykazu, która potwierdza podpisy plików systemu Windows, Usługę chronionego magazynu głównego, która dodaje i usuwa certyfikaty zaufanego głównego urzędu certyfikacji z tego komputera i Usługę kluczy, która pomaga zarejestrować ten komputer dla certyfikatów. Jeśli ta usługa zostanie zatrzymana, te usługi zarządzania nie będą działać właściwie. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Usługi kryptograficzne
SERVICE_NAME: DcomLaunch
Zapewnia funkcje uruchamiania dla usług DCOM.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
DISPLAY_NAME : Program uruchamiający proces serwera DCOM
SERVICE_NAME: Dhcp
Zarządza konfiguracją sieci poprzez rejestrację i aktualizację adresów IP i nazw DNS.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Klient DHCP
SERVICE_NAME: dmadmin
Konfiguruje dyski twarde i woluminy. Usługa działa tylko dla procesów konfiguracyjnych, a następnie zatrzymuje się.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
DISPLAY_NAME : Usługa administracyjna Menedżera dysków logicznych
SERVICE_NAME: dmserver
Wykrywa i monitoruje nowe dyski twarde i wysyła informacje o woluminach do usługi administracyjnej Menedżera dysków logicznych w celu konfiguracji. Jeśli ta usługa zostanie zatrzymana, informacje o stanie i konfiguracji dysków dynamicznych mogą stać się nieaktualne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Menedżer dysków logicznych
SERVICE_NAME: Dnscache
Rozpoznaje i buforuje nazwy systemu Domain Name System (DNS). Jeśli ta usługa zostanie zatrzymana, ten komputer nie będzie mógł rozpoznawać nazw DNS ani lokalizować kontrolerów domen w usłudze Active Directory. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
DISPLAY_NAME : Klient DNS
SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Error Reporting Service
SERVICE_NAME: Eventlog
Umożliwia wyświetlanie w Podglądzie zdarzeń komunikatów dziennika zdarzeń pochodzących od programów dla systemu Windows i składników. Tej usługi nie można zatrzymać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
DISPLAY_NAME : Dziennik zdarzeń
SERVICE_NAME: EventSystem
Obsługuje usługę zawiadamiania o zdarzeniu systemowym (SENS, System Event Notification Service), która zapewnia automatyczną dystrybucję zdarzeń do subskrybowania składników modelu COM (Component Object Model). Jeżeli usługa zostanie zatrzymana, usługa SENS zostanie zamknięta i nie będzie mogła dostarczać informacji o logowaniu i wylogowaniu. Jeżeli usługa ta zostanie wyłączona, wszystkie usługi, które od niej zależą, nie będą mogły zostać uruchomione.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : System zdarzeń COM+
SERVICE_NAME: FastUserSwitchingCompatibility
Zapewnia zarządzanie aplikacjami, które wymagają pomocy w środowisku wielu użytkowników.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Zgodność szybkiego przełączania użytkowników
SERVICE_NAME: FirebirdServerMAGIXInstance
(null)
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
DISPLAY_NAME : Firebird Server - MAGIX Instance
SERVICE_NAME: FontCache3.0.0.0
Optimizes performance of Windows Presentation Foundation (WPF) applications by caching commonly used font data. WPF applications will start this service if it is not already running. It can be disabled, though doing so will degrade the performance of WPF applications.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
DISPLAY_NAME : Windows Presentation Foundation Font Cache 3.0.0.0
SERVICE_NAME: helpsvc
Umożliwia działanie Centrum pomocy i obsługi technicznej na tym komputerze. Jeśli ta usługa zostanie zatrzymana, Centrum pomocy i obsługi technicznej będzie niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Pomoc i obsługa techniczna
SERVICE_NAME: HidServ
Umożliwia rodzajowy dostęp do urządzeń interfejsu HID, który uaktywnia i obsługuje używanie wstępnie zdefiniowanych przycisków akcji na klawiaturze i innych urządzeń multimedialnych. Jeśli ta usługa zostanie zatrzymana, przyciski akcji sterowane przez tę usługę nie będą działać. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : HID Input Service
SERVICE_NAME: HTTPFilter
Ta usługa implementuje protokół HTTPS dla usługi HTTP przy użyciu protokołu SSL. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
DISPLAY_NAME : HTTP SSL
SERVICE_NAME: IDriverT
Provides support for the Running Object Table for InstallShield Drivers
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
DISPLAY_NAME : InstallDriver Table Manager
SERVICE_NAME: idsvc
Securely enables the creation, management, and disclosure of digital identities.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
DISPLAY_NAME : Windows CardSpace
SERVICE_NAME: ImapiService
Zarządza nagrywaniem dysków CD za pomocą interfejsu IMAPI (ang. Image Mastering Applications Programming Interface). Jeśli ta usługa zostanie zatrzymana, nie będzie można nagrywać dysków CD na tym komputerze. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\imapi.exe
DISPLAY_NAME : Usługa COM nagrywania dysków CD IMAPI
SERVICE_NAME: lanmanserver
Oferuje udostępnianie w sieci plików, drukarek i potoków dla tego komputera. Jeśli ta usługa zostanie zatrzymana, te funkcje staną się niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Serwer
SERVICE_NAME: lanmanworkstation
Tworzy i zachowuje połączenia sieciowe klientów z serwerami zdalnymi. Jeśli ta usługa zostanie zatrzymana, połączenia te staną się niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Stacja robocza
SERVICE_NAME: LmHosts
Włącza obsługę systemu NetBIOS w usłudze TCP/IP (NetBT) i rozpoznawanie nazw systemu NetBIOS.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
DISPLAY_NAME : Pomoc TCP/IP NetBIOS
SERVICE_NAME: Messenger
Przesyła wiadomości usług net send i Urządzenie alarmowe między klientami i serwerami. Ta usługa nie jest powiązana z usługą Windows Messenger. Jeśli ta usługa zostanie zatrzymana, wiadomości Urządzenia alarmowego nie będą przesyłane. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Posłaniec
SERVICE_NAME: mnmsrvc
Umożliwia autoryzowanym użytkownikom zdalne uzyskiwanie dostępu do Twojego pulpitu Windows, za pomocą programu NetMeeting.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
SERVICE_NAME: MSDTC
Koordynuje transakcje obejmujące kilku menedżerów zasobów, takich jak bazy danych, kolejki wiadomości i systemy plików. Jeżeli ta usługa zostanie zatrzymana, transakcje te nie zostaną przeprowadzone. Jeżeli usługa ta zostanie wyłączona, wszystkie usługi, które od niej zależą, nie będą mogły zostać uruchomione.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
DISPLAY_NAME : Distributed Transaction Coordinator
SERVICE_NAME: MSIServer
Dodaje, modyfikuje i usuwa aplikacje dostarczane jako pakiet Instalatora Windows (*.msi). Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\msiexec.exe /V
DISPLAY_NAME : Instalator Windows
SERVICE_NAME: NBService
Nero BackItUp Service is responsible to control all jobs created using Nero BackItUp. These jobs can create backups of selected files/folders/partitions or complete hard disk to hard disk, network drive, CD/DVD or FTP.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
DISPLAY_NAME : NBService
SERVICE_NAME: NetDDE
Zapewnia transport sieciowy i zabezpieczenia dla procesu dynamicznej wymiany danych (DDE - Dynamic Data Exchange) dla programów na tym samym lub innym komputerze. Jeśli ta usługa zostanie zatrzymana, transport DDE i zabezpieczenia będą niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
DISPLAY_NAME : DDE sieci
SERVICE_NAME: NetDDEdsdm
Zarządza udziałami sieciowymi DDE (Dynamic Data Exchange). Jeśli ta usługa zostanie zatrzymana, udziały sieciowe DDE będą niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
DISPLAY_NAME : DSDM DDE sieci
SERVICE_NAME: Netlogon
Obsługuje uwierzytelnienie przekazujące zdarzeń logowania na konta w komputerach domeny.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : Logowanie do sieci
SERVICE_NAME: Netman
Zarządza obiektami w folderze Połączenia sieciowe i telefoniczne, w którym można wyświetlać zarówno połączenia sieci lokalnej (LAN), jak i połączenia zdalne.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Połączenia sieciowe
SERVICE_NAME: NetTcpPortSharing
Provides ability to share TCP ports over the net.tcp protocol.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
DISPLAY_NAME : Net.Tcp Port Sharing Service
SERVICE_NAME: Nla
Zbiera i magazynuje informacje o konfiguracji sieci i lokalizacji sieciowej, powiadamiając aplikacje o zmianach tych informacji.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Rozpoznawanie lokalizacji w sieci (NLA)
SERVICE_NAME: NtLmSsp
Zapewnia zabezpieczenia dla programów korzystających z usługi zdalnego wywoływania procedury (RPC) i używają transportu innego niż potoki nazwane.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
DISPLAY_NAME : Usługa NT LM Security Support Provider
SERVICE_NAME: NtmsSvc
(null)
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Magazyn wymienny
SERVICE_NAME: NVSvc
Provides system and desktop level support to the NVIDIA display driver
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\nvsvc32.exe
DISPLAY_NAME : NVIDIA Display Driver Service
SERVICE_NAME: odserv
Uruchom części Diagnostyki pakietu Microsoft Office.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
DISPLAY_NAME : Microsoft Office Diagnostics Service
SERVICE_NAME: ose
Zapisuje pliki instalacyjne używane przy aktualizacjach i naprawach. Jest niezbędny do pobierania aktualizacji Instalatora i zgłaszania raportów programu Watson o błędach.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
DISPLAY_NAME : Office Source Engine
SERVICE_NAME: PlugPlay
Umożliwia komputerowi rozpoznawanie i adaptowanie zmian sprzętu bez udziału lub przy nieznacznym udziale użytkownika. Zatrzymanie lub wyłączenie tej usługi spowoduje niestabilność systemu.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
DISPLAY_NAME : Plug and Play
SERVICE_NAME: PnkBstrA
PunkBuster Service Component [v1029] http://www.evenbalance.com
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\PnkBstrA.exe
DISPLAY_NAME : PnkBstrA
SERVICE_NAME: PolicyAgent
Zarządza zasadami zabezpieczeń IP i uruchamia sterownik ISAKMP/Oakley (IKE) i sterownik zabezpieczeń IP.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : Usługi IPSEC
SERVICE_NAME: ProtectedStorage
Zapewnia chroniony magazyn dla wrażliwych danych, takich jak klucze prywatne, w celu ich ochrony przed dostępem niepowołanych usług, procesów lub użytkowników.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : Magazyn chroniony
SERVICE_NAME: RasAuto
Tworzy połączenie do sieci zdalnej za każdym razem, gdy dowolny program odwołuje się do nazwy lub adresu zdalnego systemu DNS lub NetBIOS.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Menedżer autopołączenia dostępu zdalnego
SERVICE_NAME: RasMan
Tworzy połączenie sieciowe.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Menedżer połączeń usługi Dostęp zdalny
SERVICE_NAME: RDSessMgr
Zarządza i steruje usługą Pomoc zdalna. Jeśli ta usługa zostanie zatrzymana, Pomoc zdalna stanie się niedostępna. Przed zatrzymaniem usługi zobacz kartę Zależności w oknie dialogowym Właściwości.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
DISPLAY_NAME : Menedżer sesji pomocy pulpitu zdalnego
SERVICE_NAME: RemoteAccess
Oferuje usługi routingu firmom w środowiskach sieci lokalnych i rozległych.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Routing i dostęp zdalny
SERVICE_NAME: RemoteRegistry
Umożliwia użytkownikom zdalnym modyfikowanie ustawień rejestru na tym komputerze. Jeśli ta usługa zostanie zatrzymana, rejestr będą mogli modyfikować tylko użytkownicy tego komputera. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
DISPLAY_NAME : Rejestr zdalny
SERVICE_NAME: RpcLocator
Zarządza bazą danych usługi nazw RPC.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
DISPLAY_NAME : Lokalizator usługi zdalnego wywołania procedury (RPC)
SERVICE_NAME: RpcSs
Zapewnia program mapowania punktów końcowych i rozmaite inne usługi RPC.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
DISPLAY_NAME : Zdalne wywoływanie procedur (RPC)
SERVICE_NAME: RSVP
Zapewnia możliwość ustawienia sygnalizacji i kontroli ruchu lokalnego dla programów korzystających z technologii QoS i apletów kontrolujących.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
DISPLAY_NAME : QoS RSVP
SERVICE_NAME: SamSs
Przechowuje informacje o zabezpieczeniach dla kont użytkowników lokalnych.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
DISPLAY_NAME : Menedżer kont zabezpieczeń
SERVICE_NAME: SCardSvr
Zarządza dostępem do kart inteligentnych czytanych przez ten komputer. Jeśli ta usługa zostanie zatrzymana, ten komputer nie będzie mógł czytać kart inteligentnych. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
DISPLAY_NAME : Karta inteligentna
SERVICE_NAME: Schedule
Umożliwia użytkownikowi konfigurowanie i planowanie automatycznych zadań na tym komputerze. Jeśli ta usługa zostanie zatrzymana, zadania te nie będą uruchamiane o wyznaczonej godzinie. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Harmonogram zadań
SERVICE_NAME: seclogon
Umożliwia uruchamianie procesów z użyciem alternatywnych poświadczeń. Jeśli ta usługa zostanie zatrzymana, ten typ dostępu poprzez logowanie stanie się niedostępny. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Logowanie pomocnicze
SERVICE_NAME: SENS
Śledzi zdarzenia systemowe, takie jak zdarzenia związane z logowaniem do systemu Windows, siecią i zasilaniem. Zawiadamia o tych zdarzeniach subskrybentów systemu zdarzeń COM+.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Zawiadomienie o zdarzeniu systemowym
SERVICE_NAME: SharedAccess
Zapewnia usługi translacji adresów sieciowych, adresowania, rozpoznawania nazw i/lub blokowania dostępu intruzów wszystkim komputerom w sieci domowej lub biurowej.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Zapora systemu Windows/Udostępnianie połączenia internetowego
SERVICE_NAME: ShellHWDetection
(null)
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Wykrywanie sprzętu powłoki
SERVICE_NAME: Spooler
Ładuje pliki do pamięci w celu późniejszego wydrukowania.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
DISPLAY_NAME : Bufor wydruku
SERVICE_NAME: srservice
Wykonuje funkcje przywracania systemu. Aby zatrzymać usługę, wyłącz Przywracanie systemu na karcie Przywracanie systemu w Mój komputer->Właściwości
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Usługa przywracania systemu
SERVICE_NAME: SSDPSRV
Włącza odnajdywanie urządzeń UPnP w tej sieci domowej.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
DISPLAY_NAME : Usługa odnajdywania SSDP
SERVICE_NAME: stisvc
Zapewnia usługi pozyskiwania obrazów dla skanerów i aparatów fotograficznych.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
DISPLAY_NAME : Windows Image Acquisition (WIA)
SERVICE_NAME: SwPrv
Zarządza kopiami woluminów w tle opartymi na oprogramowaniu, wykonanymi przez Usługę kopiowania woluminów w tle. Jeżeli usługa jest zatrzymana, nie można zarządzać kopiami woluminów w tle opartymi na oprogramowaniu. Jeżeli ta usługa jest wyłączona, uruchomienie każdej usługi jawnie od niej zależnej nie powiedzie się.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{9C139E44-1E2A-410E-BDFA-6DC8CFDD9648}
DISPLAY_NAME : MS Software Shadow Copy Provider
SERVICE_NAME: SysmonLog
Zbiera dane dotyczące wydajności z komputerów lokalnych i zdalnych w oparciu o wstępnie skonfigurowane parametry harmonogramu, a następnie zapisuje dane do dziennika lub wywołuje alert. Jeśli ta usługa zostanie zatrzymana, informacje o wydajności nie będą zbierane. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
DISPLAY_NAME : Dzienniki wydajności i alerty
SERVICE_NAME: TapiSrv
Zapewnia obsługę telefonii API (TAPI) dla programów sterujących urządzeniami telefonii i połączeniami głosowymi opartymi na protokole IP na komputerze lokalnym i, za pośrednictwem sieci LAN, na serwerach, na których działa ta usługa.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Telefonia
SERVICE_NAME: TermService
Pozwala wielu użytkownikom na interaktywne połączenia z komputerem oraz na wyświetlanie pulpitów i aplikacji na komputerach zdalnych. Podstawa dla pulpitu zdalnego (w tym pulpitu zdalnego dla administratorów), szybkiego przełączania użytkowników, pomocy zdalnej i serwera terminali.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
DISPLAY_NAME : Usługi terminalowe
SERVICE_NAME: Themes
Zapewnia zarządzanie kompozycjami obsługiwanymi przez użytkownika.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Kompozycje
SERVICE_NAME: TlntSvr
Umożliwia użytkownikowi zdalnemu zalogowanie się na tym komputerze i obsługuje rozmaitych klientów usługi Telnet TCP/IP, w tym komputery z systemami UNIX i Windows. Jeśli ta usługa zostanie zatrzymana, funkcja dostępu użytkowników zdalnych do programów może stać się niedostępna. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\tlntsvr.exe
DISPLAY_NAME : Telnet
SERVICE_NAME: TrkWks
Konserwuje łącza między plikami systemu NTFS w komputerze lub komputerach w domenie sieciowej.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Klient śledzenia łączy rozproszonych
SERVICE_NAME: TuneUp.Defrag
Allows TuneUp Drive Defrag to defragment your disks so that your computer runs faster and more efficiently.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\TuneUpDefragService.exe
DISPLAY_NAME : TuneUp Drive Defrag Service
SERVICE_NAME: upnphost
Zapewnia obsługę urządzeń hosta typu Universal Plug and Play.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
DISPLAY_NAME : Host uniwersalnego urządzenia Plug and Play
SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
DISPLAY_NAME : Uninterruptible Power Supply
SERVICE_NAME: UTSCSI
(null)
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\system32\UTSCSI.EXE
DISPLAY_NAME : CLCV0
SERVICE_NAME: VSS
Zarządza i implementuje kopie woluminów w tle używane dla kopii zapasowej i do innych celów. Jeśli ta usługa zostanie zatrzymana, kopie w tle będą niedostępne dla kopii zapasowej, co może spowodować błąd kopii zapasowej. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
DISPLAY_NAME : Kopiowanie woluminów w tle
SERVICE_NAME: W32Time
Zachowuje synchronizację daty i godziny na wszystkich klientach i serwerach w sieci. Jeśli ta usługa zostanie zatrzymana, synchronizacja daty i godziny stanie się niedostępna. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Usługa Czas systemu Windows
SERVICE_NAME: WebClient
Umożliwia programom dla systemu Windows tworzenie, dostęp i modyfikowanie plików w Internecie. Jeśli ta usługa zostanie zatrzymana, funkcje te będą niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
DISPLAY_NAME : WebClient
SERVICE_NAME: winmgmt
Dostarcza interfejs i model obiektowy w celu uzyskiwania dostępu do informacji zarządzania o systemie operacyjnym, urządzeniach, aplikacjach i usługach. Jeśli ta usługa zostanie zatrzymana, większość oprogramowania opartego na systemie Windows nie będzie działać właściwie. Jeśli ta usługa zostanie wyłączona, uruchomienie usług od niej zależnych nie powiedzie się.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Instrumentacja zarządzania Windows
SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Portable Media Serial Number Service
SERVICE_NAME: Wmi
Dostarcza sterownikom i pobiera ze sterowników informacje o zarządzaniu systemami.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Rozszerzenia sterownika Instrumentacji zarządzania Windows
SERVICE_NAME: WmiApSrv
Udostępnia informacje biblioteki wydajności uzyskane do dostawców WMI HiPerf.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
DISPLAY_NAME : Karta wydajności WMI
SERVICE_NAME: WMPNetworkSvc
Udostępnia biblioteki programu Windows Media Player innym odtwarzaczom i urządzeniom multimedialnym w sieci przy użyciu technologii Universal Plug and Play
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Windows Media Player\WMPNetwk.exe"
DISPLAY_NAME : Usługa udostępniania w sieci programu Windows Media Player
SERVICE_NAME: wscsvc
Monitoruje ustawienia zabezpieczeń i konfiguracje systemu.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Centrum zabezpieczeń
SERVICE_NAME: wuauserv
Umożliwia pobieranie i instalowanie aktualizacji systemu Windows. Jeśli ta usługa jest wyłączona, ten komputer nie będzie mógł używać funkcji Aktualizacje automatyczne lub witryny Windows Update w sieci Web.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
DISPLAY_NAME : Aktualizacje automatyczne
SERVICE_NAME: WudfSvc
Manages user-mode driver host processes
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
DISPLAY_NAME : Windows Driver Foundation - User-mode Driver Framework
SERVICE_NAME: WZCSVC
Zapewnia automatyczną konfigurację kart 802.11
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Konfiguracja zerowej sieci bezprzewodowej
SERVICE_NAME: xmlprov
Zarządza plikami konfiguracyjnymi XML na bazie domeny w celu automatycznego dostarczania sieci.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DISPLAY_NAME : Usługa dostarczania sieci
Finished!
Thomas
11 Jul 2008, 11:31pm
Malware coders usually don't have the luxury of installing language-specific drivers/services, so their work very often shows quite clearly on non-English systems. I'd need your assistance with one though - do these highlighted terms mean the same thing, or is Bezpo unknown?
SERVICE_NAME: Raspti
DISPLAY_NAME: Bezpo
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
SERVICE_NAME: Raspti
DISPLAY_NAME: Direct Parallel
In again doing log reviews I see Free Download Manager 2.5. Although the software itself is rated not suspect (yet), its downloads and associations are with some of the worst rogue malware available. I see the McAfee watered-down opinion here (http://www.siteadvisor.com/sites/freedownloadmanager.org), but in a quick check of my own it took only seconds to see these available downloads, among many, many more:
AntiVirus Defender 1.5
Anti Adware Spyware 2.7.33
Apolo Adware Spyware Tools Pro 2.7.33
If software has those affiliations (if the links are there, financial ties are as well) it is not something to trust on your computer.
One worm folder we will add to the next removals, but another folder I need you to check first. Either look in C:\AC and tell me what is there, or run this command instead to get the info:
Go to Start > Run and type:
cmd.exe
and click OK. Copy and paste the below string after the prompt >
dir /s /a "C:\AC" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
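Thomas's observation above (localized Windows builds make services with no description, or an unlocalized one, stand out) can be turned into a quick triage pass over a service dump like the one posted in this thread. The Python below is an added example, not code from the thread or from any of the tools mentioned in it; the five-entry dump it parses is constructed from entries in the post above, using the field labels that dump uses (SERVICE_NAME, a description line, START_TYPE, BINARY_PATH_NAME, DISPLAY_NAME). It flags every service whose description is (null) or not in Polish and records whether the binary is a shared svchost host, because an English description on its own proves nothing: WmdmPmSN and WudfSvc are English-described Microsoft components on this machine, while UTSCSI, with no description and its own executable, is the kind of entry that deserves a closer look.

```python
from __future__ import annotations
from dataclasses import dataclass

# Letters that occur in Polish but not in English text. A description
# containing one was shipped with the localized build of Windows.
POLISH_LETTERS = set("ąćęłńóśźżĄĆĘŁŃÓŚŹŻ")

# Constructed sample: five entries in the layout of the service dump posted
# in this thread (SERVICE_NAME, description, START_TYPE, BINARY_PATH_NAME,
# DISPLAY_NAME), one record per service.
SAMPLE_DUMP = """\
SERVICE_NAME: upnphost
Zapewnia obsługę urządzeń hosta typu Universal Plug and Play.
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\\WINDOWS\\System32\\svchost.exe -k LocalService
DISPLAY_NAME : Host uniwersalnego urządzenia Plug and Play
SERVICE_NAME: UTSCSI
(null)
START_TYPE : 4 DISABLED
BINARY_PATH_NAME : C:\\WINDOWS\\system32\\UTSCSI.EXE
DISPLAY_NAME : CLCV0
SERVICE_NAME: W32Time
Zachowuje synchronizację daty i godziny na wszystkich klientach i serwerach w sieci.
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
DISPLAY_NAME : Usługa Czas systemu Windows
SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer.
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
DISPLAY_NAME : Portable Media Serial Number Service
SERVICE_NAME: WudfSvc
Manages user-mode driver host processes
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : C:\\WINDOWS\\system32\\svchost.exe -k WudfServiceGroup
DISPLAY_NAME : Windows Driver Foundation - User-mode Driver Framework
Finished!
"""


@dataclass
class Service:
    name: str
    description: str = ""
    start_type: str = ""
    binary: str = ""
    display_name: str = ""


def parse_services(dump: str) -> list[Service]:
    """Turn the dump into Service records. The description is whatever sits
    between SERVICE_NAME and START_TYPE; trailing text such as "Finished!"
    is ignored because it arrives after START_TYPE of the last record."""
    services: list[Service] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SERVICE_NAME:"):
            services.append(Service(name=line.split(":", 1)[1].strip()))
            continue
        if not services:
            continue  # text before the first record
        svc = services[-1]
        if line.startswith("START_TYPE"):
            svc.start_type = line.split(":", 1)[1].strip()
        elif line.startswith("BINARY_PATH_NAME"):
            svc.binary = line.split(":", 1)[1].strip()  # split on the first colon only
        elif line.startswith("DISPLAY_NAME"):
            svc.display_name = line.split(":", 1)[1].strip()
        elif not svc.start_type:
            svc.description = (svc.description + " " + line).strip()
    return services


def description_class(desc: str) -> str:
    """'none' for a missing or (null) description, 'localized' when the text
    is Polish, 'english' otherwise."""
    if not desc or desc == "(null)":
        return "none"
    if any(ch in POLISH_LETTERS for ch in desc):
        return "localized"
    return "english"


def flag_non_localized(services: list[Service]) -> list[tuple[str, str, bool, str]]:
    """Services whose description is missing or not localized, as
    (name, description class, hosted by svchost?, binary path). A True third
    element means a Microsoft shared-host service, a much weaker lead than a
    standalone executable with no description at all."""
    flagged = []
    for svc in services:
        cls = description_class(svc.description)
        if cls == "localized":
            continue
        shared_host = "svchost.exe" in svc.binary.lower()
        flagged.append((svc.name, cls, shared_host, svc.binary))
    return flagged


if __name__ == "__main__":
    for name, cls, shared, binary in flag_non_localized(parse_services(SAMPLE_DUMP)):
        print(f"{name:10} {cls:9} svchost={shared!s:5} {binary}")
```

Run on the sample, the only entry with no description and a standalone binary is UTSCSI; the two English svchost entries are printed as well so the reviewer can dismiss them explicitly rather than have the script hide them.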
mavplz
12 Jul 2008, 10:36am
I have no idea what Bezpo and Direct Parallel are, for sure not Polish words :)
I had downloaded and installed this Free Download Manager but didn't use it. I have already uninstalled it.
This AC folder is content moved from the Assassin's Creed game DVD. I had to move it from the DVD to my hard drive as I couldn't install it any other way; the DVD was a bit scratched. Btw, it's a completely original game. I have not installed it now. Here is the log:
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 787A-D614
Katalog: C:\AC
2008-06-12 18:10 <DIR> .
2008-06-12 18:10 <DIR> ..
2008-03-28 21:53 1 027 768 00000000.256
2008-03-28 21:53 20 482 048 00000001.TMP
2008-03-28 21:53 317 440 00000002.TMP
2008-03-28 22:09 131 720 autorun.exe
2008-02-22 18:08 58 601 autorun.ico
2008-02-22 18:08 47 autorun.inf
2008-02-22 18:08 382 autorun.ini
2008-03-28 21:55 1 493 199 data1.cab
2008-03-28 21:55 24 040 data1.hdr
2008-03-28 22:08 5 349 165 729 data2.cab
2007-09-17 23:31 492 164 ISSetup.dll
2008-03-28 22:09 5 651 layout.bin
2008-02-22 18:08 1 027 768 setup.bmp
2008-03-28 22:09 459 400 setup.exe
2008-03-28 21:54 462 setup.ini
2008-03-28 21:54 239 188 setup.inx
2008-05-17 16:46 <DIR> splash
2008-05-17 16:46 <DIR> Support
2008-05-17 16:47 <DIR> System
2006-05-17 18:21 385 968 _Setup.dll
17 plik(ów) 5 375 311 575 bajtów
Katalog: C:\AC\splash
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-03-28 22:09 508 552 demo32.exe
2008-02-22 18:08 717 106 Splash.dbd
2008-02-22 18:08 24 996 splash.txt
3 plik(ów) 1 250 654 bajtów
Katalog: C:\AC\Support
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-05-17 16:46 <DIR> DirectX
2008-05-17 16:46 <DIR> License
2008-05-17 16:46 <DIR> Manual
2008-05-17 16:46 <DIR> ReadMe
2008-05-17 16:46 <DIR> Register
0 plik(ów) 0 bajtów
Katalog: C:\AC\Support\DirectX
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-02-22 18:08 1 348 242 Apr2005_d3dx9_25_x64.cab
2008-02-22 18:08 1 079 850 Apr2005_d3dx9_25_x86.cab
2008-02-22 18:08 1 398 718 Apr2006_d3dx9_30_x64.cab
2008-02-22 18:08 1 116 109 Apr2006_d3dx9_30_x86.cab
2008-02-22 18:08 917 318 Apr2006_MDX1_x86.cab
2008-02-22 18:08 4 163 518 Apr2006_MDX1_x86_Archive.cab
2008-02-22 18:08 180 021 Apr2006_XACT_x64.cab
2008-02-22 18:08 133 991 Apr2006_XACT_x86.cab
2008-02-22 18:08 87 989 Apr2006_xinput_x64.cab
2008-02-22 18:08 46 898 Apr2006_xinput_x86.cab
2008-02-22 18:08 702 212 APR2007_d3dx10_33_x64.cab
2008-02-22 18:08 699 465 APR2007_d3dx10_33_x86.cab
2008-02-22 18:08 1 610 958 APR2007_d3dx9_33_x64.cab
2008-02-22 18:08 1 609 639 APR2007_d3dx9_33_x86.cab
2008-02-22 18:08 199 366 APR2007_XACT_x64.cab
2008-02-22 18:08 154 825 APR2007_XACT_x86.cab
2008-02-22 18:08 100 417 APR2007_xinput_x64.cab
2008-02-22 18:08 56 902 APR2007_xinput_x86.cab
2008-02-22 18:08 1 351 430 Aug2005_d3dx9_27_x64.cab
2008-02-22 18:08 1 078 532 Aug2005_d3dx9_27_x86.cab
2008-02-22 18:08 183 863 AUG2006_XACT_x64.cab
2008-02-22 18:08 138 195 AUG2006_XACT_x86.cab
2008-02-22 18:08 88 102 AUG2006_xinput_x64.cab
2008-02-22 18:08 47 018 AUG2006_xinput_x86.cab
2008-02-22 18:08 855 886 AUG2007_d3dx10_35_x64.cab
2008-02-22 18:08 800 467 AUG2007_d3dx10_35_x86.cab
2008-02-22 18:08 1 803 760 AUG2007_d3dx9_35_x64.cab
2008-02-22 18:08 1 711 752 AUG2007_d3dx9_35_x86.cab
2008-02-22 18:08 201 696 AUG2007_XACT_x64.cab
2008-02-22 18:08 156 612 AUG2007_XACT_x86.cab
2008-02-22 18:08 1 156 363 BDANT.cab
2008-02-22 18:08 976 020 BDAXP.cab
2008-02-22 18:08 1 358 864 Dec2005_d3dx9_28_x64.cab
2008-02-22 18:08 1 080 344 Dec2005_d3dx9_28_x86.cab
2008-02-22 18:08 213 767 DEC2006_d3dx10_00_x64.cab
2008-02-22 18:08 192 680 DEC2006_d3dx10_00_x86.cab
2008-02-22 18:08 1 572 114 DEC2006_d3dx9_32_x64.cab
2008-02-22 18:08 1 575 336 DEC2006_d3dx9_32_x86.cab
2008-02-22 18:08 193 435 DEC2006_XACT_x64.cab
2008-02-22 18:08 146 559 DEC2006_XACT_x86.cab
2008-02-22 18:08 76 808 DSETUP.dll
2008-02-22 18:08 1 673 224 dsetup32.dll
2008-02-22 18:08 44 850 dxdllreg_x86.cab
2008-02-22 18:08 13 265 040 dxnt.cab
2008-02-22 18:08 502 792 DXSETUP.exe
2008-02-22 18:08 86 802 dxupdate.cab
2008-02-22 18:08 1 248 387 Feb2005_d3dx9_24_x64.cab
2008-02-22 18:08 1 014 113 Feb2005_d3dx9_24_x86.cab
2008-02-22 18:08 1 363 684 Feb2006_d3dx9_29_x64.cab
2008-02-22 18:08 1 085 608 Feb2006_d3dx9_29_x86.cab
2008-02-22 18:08 179 247 Feb2006_XACT_x64.cab
2008-02-22 18:08 133 297 Feb2006_XACT_x86.cab
2008-02-22 18:08 198 275 FEB2007_XACT_x64.cab
2008-02-22 18:08 151 583 FEB2007_XACT_x86.cab
2008-02-22 18:08 1 336 890 Jun2005_d3dx9_26_x64.cab
2008-02-22 18:08 1 065 813 Jun2005_d3dx9_26_x86.cab
2008-02-22 18:08 181 745 JUN2006_XACT_x64.cab
2008-02-22 18:08 134 631 JUN2006_XACT_x86.cab
2008-02-22 18:08 702 644 JUN2007_d3dx10_34_x64.cab
2008-02-22 18:08 702 072 JUN2007_d3dx10_34_x86.cab
2008-02-22 18:08 1 611 374 JUN2007_d3dx9_34_x64.cab
2008-02-22 18:08 1 610 886 JUN2007_d3dx9_34_x86.cab
2008-02-22 18:08 200 722 JUN2007_XACT_x64.cab
2008-02-22 18:08 156 509 JUN2007_XACT_x86.cab
2008-02-22 18:08 867 848 NOV2007_d3dx10_36_x64.cab
2008-02-22 18:08 807 132 NOV2007_d3dx10_36_x86.cab
2008-02-22 18:08 1 805 306 NOV2007_d3dx9_36_x64.cab
2008-02-22 18:08 1 712 608 NOV2007_d3dx9_36_x86.cab
2008-02-22 18:08 49 392 NOV2007_X3DAudio_x64.cab
2008-02-22 18:08 21 744 NOV2007_X3DAudio_x86.cab
2008-02-22 18:08 200 010 NOV2007_XACT_x64.cab
2008-02-22 18:08 151 512 NOV2007_XACT_x86.cab
2008-02-22 18:08 86 925 Oct2005_xinput_x64.cab
2008-02-22 18:08 46 247 Oct2005_xinput_x86.cab
2008-02-22 18:08 1 413 862 OCT2006_d3dx9_31_x64.cab
2008-02-22 18:08 1 128 177 OCT2006_d3dx9_31_x86.cab
2008-02-22 18:08 183 321 OCT2006_XACT_x64.cab
2008-02-22 18:08 138 977 OCT2006_XACT_x86.cab
78 plik(ów) 69 829 290 bajtów
Katalog: C:\AC\Support\License
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-05-17 16:46 <DIR> Polish
0 plik(ów) 0 bajtów
Katalog: C:\AC\Support\License\Polish
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-02-22 18:08 42 511 lic.rtf
1 plik(ów) 42 511 bajtów
Katalog: C:\AC\Support\Manual
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-05-17 16:46 <DIR> Polish
0 plik(ów) 0 bajtów
Katalog: C:\AC\Support\Manual\Polish
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-03-28 21:52 683 262 AssassinsCreed.pdf
1 plik(ów) 683 262 bajtów
Katalog: C:\AC\Support\ReadMe
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-05-17 16:46 <DIR> Polish
0 plik(ów) 0 bajtów
Katalog: C:\AC\Support\ReadMe\Polish
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-03-26 23:08 9 618 CzytajTo.txt
1 plik(ów) 9 618 bajtów
Katalog: C:\AC\Support\Register
2008-05-17 16:46 <DIR> .
2008-05-17 16:46 <DIR> ..
2008-03-28 22:09 967 304 RegistrationReminder.exe
1 plik(ów) 967 304 bajtów
Katalog: C:\AC\System
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-03-28 22:09 25 667 160 AssassinsCreed_Dx10.exe
2008-05-05 13:25 24 662 016 AssassinsCreed_Dx9.exe
2008-03-28 22:09 434 824 AssassinsCreed_Game.exe
2008-03-28 22:09 619 144 AssassinsCreed_Launcher.exe
2008-05-17 16:47 <DIR> Resources
4 plik(ów) 51 383 144 bajtów
Katalog: C:\AC\System\Resources
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-05-17 16:47 <DIR> de
2008-05-17 16:47 <DIR> es
2008-05-17 16:47 <DIR> fr
2008-05-17 16:47 <DIR> it
2008-05-17 16:47 <DIR> uk
2008-05-17 16:47 <DIR> us
0 plik(ów) 0 bajtów
Katalog: C:\AC\System\Resources\de
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-02-22 18:08 7 201 GameUpdate.de
1 plik(ów) 7 201 bajtów
Katalog: C:\AC\System\Resources\es
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-02-22 18:08 8 105 GameUpdate.es
1 plik(ów) 8 105 bajtów
Katalog: C:\AC\System\Resources\fr
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-02-22 18:08 7 968 GameUpdate.fr
1 plik(ów) 7 968 bajtów
Katalog: C:\AC\System\Resources\it
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-02-22 18:08 7 371 GameUpdate.it
1 plik(ów) 7 371 bajtów
Katalog: C:\AC\System\Resources\uk
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-02-22 18:08 6 294 GameUpdate.uk
1 plik(ów) 6 294 bajtów
Katalog: C:\AC\System\Resources\us
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-02-22 18:08 6 303 GameUpdate.us
1 plik(ów) 6 303 bajtów
Razem wymienionych plików:
112 plik(ów) 5 499 520 600 bajtów
56 katalog(ów) 116 046 540 800 bajtów wolnych
Thomas
13 Jul 2008, 2:26am
Well, we can be safe in assuming AC stands for Assassin's Creed. As I have stated over again, mavplz, no support for illegal/unauthorized software users. It has been hard ignoring the telltale indications so far, and getting harder as we go.
Please locate and upload this file:
AssassinsCreed_Dx9.exe
It checks out as the hack "Reload" file instead of the original copy (your file date is mismatched with the 3/8 install, and the size is a match for the hacked copy); I will have to close this request. I have asked that nothing remain on the computer all along, in hopes of determining why this infection recreates.
Just go here and do the upload please.
If it is larger than the allowed limit there, instead zip a copy and send it to jintan@cfl.rr.com as an attachment. Please place "Submitted Files - mavplz" as the email Subject.
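The reasoning in Thomas's post above (a file whose date does not match the rest of the install, with a size that matches a known modified copy) can be checked mechanically against a "dir /s" listing like the one mavplz posted. The Python below is an added example, not code from the thread; it parses the Polish cmd.exe listing format ("Katalog:" directory headers, "<DIR>" entries, and sizes with a thousands separator that may arrive as a space, a non-breaking space or the ˙ character that CP852 console output turns into when pasted), takes each directory's most common file date as the install baseline, and reports executables dated later than that baseline. The listing it runs on is a constructed, abridged fragment of the C:\AC and C:\AC\System directories from mavplz's post (most files omitted, so the summary lines are made up to match); summary lines are ignored by the parser.

```python
from __future__ import annotations
import re
from collections import Counter

# Constructed, abridged fragment of the Polish "dir /s /a" output posted in
# this thread (most files omitted). Sizes use the ˙ separator that CP852
# console output commonly shows when pasted; the parser also accepts a
# plain or non-breaking space.
SAMPLE_LISTING = """\
 Katalog: C:\\AC
2008-06-12 18:10 <DIR> .
2008-06-12 18:10 <DIR> ..
2008-03-28 22:09 131˙720 autorun.exe
2008-02-22 18:08 47 autorun.inf
2008-03-28 22:08 5˙349˙165˙729 data2.cab
2007-09-17 23:31 492˙164 ISSetup.dll
2008-03-28 22:09 459˙400 setup.exe
2008-05-17 16:47 <DIR> System
5 plik(ów) 5˙350˙249˙060 bajtów
 Katalog: C:\\AC\\System
2008-05-17 16:47 <DIR> .
2008-05-17 16:47 <DIR> ..
2008-03-28 22:09 25˙667˙160 AssassinsCreed_Dx10.exe
2008-05-05 13:25 24˙662˙016 AssassinsCreed_Dx9.exe
2008-03-28 22:09 434˙824 AssassinsCreed_Game.exe
2008-03-28 22:09 619˙144 AssassinsCreed_Launcher.exe
2008-05-17 16:47 <DIR> Resources
4 plik(ów) 51˙383˙144 bajtów
"""

# "Katalog:" is the Polish cmd.exe rendering of "Directory of".
DIR_HEADER = re.compile(r"^\s*Katalog:\s*(?P<path>.+?)\s*$")
# date, time, then either <DIR> or a size whose digit groups may be joined by
# a space, a non-breaking space, ˙ or a dot; the rest of the line is the name.
ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>\d{1,3}(?:[ \u00a0˙.]\d{3})*))\s+(?P<name>.+?)\s*$"
)


def parse_listing(text: str) -> dict[str, list[dict]]:
    """Map each directory path to its file entries; subdirectory rows,
    summary rows and anything before the first header are skipped."""
    dirs: dict[str, list[dict]] = {}
    current = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current = m.group("path")
            dirs[current] = []
            continue
        m = ENTRY.match(line)
        if not m or current is None or m.group("dir"):
            continue
        dirs[current].append({
            "name": m.group("name"),
            "size": int(re.sub(r"\D", "", m.group("size"))),  # drop separators
            "date": m.group("date"),                           # ISO, sorts as text
        })
    return dirs


def newer_than_baseline(listing: str, exts: tuple[str, ...] | None = (".exe", ".dll")):
    """Per directory, take the most common file date as the install baseline
    and report files (by default executables only; pass exts=None for all)
    modified after it, as (directory, name, size, date, baseline)."""
    hits = []
    for path, files in parse_listing(listing).items():
        if not files:
            continue
        baseline = Counter(f["date"] for f in files).most_common(1)[0][0]
        for f in files:
            if f["date"] <= baseline:
                continue
            if exts is not None and not f["name"].lower().endswith(exts):
                continue
            hits.append((path, f["name"], f["size"], f["date"], baseline))
    return hits


if __name__ == "__main__":
    for path, name, size, date, baseline in newer_than_baseline(SAMPLE_LISTING):
        print(f"{path}\\{name}: {size} bytes, dated {date} (directory baseline {baseline})")
```

On the sample this singles out AssassinsCreed_Dx9.exe, dated 2008-05-05 in a directory whose other executables are all dated 2008-03-28; the size printed alongside is what a reviewer then compares against a known-good copy, as Thomas did.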
mavplz
13 Jul 2008, 1:21pm
File sent. As I wrote you, my DVD is scratched and my DVD-ROM drive does not read it, so the only option is to crack the game or mount a disc image. You can believe me or not; if you want I can send you a photo of the game box or the original key. I don't think it is illegal. A lot of people who don't even have any problems with their original discs use cracks because they don't want to put a CD/DVD in their drives a few times per day.
Moreover, I downloaded this crack from GameCopyWorld, where they usually check whether a file is infected or clean.
Thomas
13 Jul 2008, 3:44pm
These are security forums, which means security for you, for me, and for the software vendors.
I buy a television, then it gets broken. I don't go to another store and steal one. Assistance ended.
mavplz
13 Jul 2008, 5:16pm
So I got my old television fixed, not stole a new one.
But I really appreciate your huge help and respect your point of view. THX for all.
Trogan
13 Jul 2008, 5:36pm
Glad we could be of assistance! The help you received here was free.
This topic is now closed. If you wish it reopened, please send a Private Message to Trogan (http://icrontic.com/forum/private.php?do=newpm&u=2703) with a link to your thread.
If you are not the user who started this thread, you must start your own Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead (grin)