
problems with dns-trojan

My problem started a few days ago. I have WinXP SP2 and an ADSL internet connection. I've never had any problems with it, but now, when I try to connect to the Internet, there is a message like "cannot establish connection" (I have a Polish OS so I just translate... in reality it may be a bit different, but I hope you know what I mean). So to connect I have to restart the computer a few times, and it is the only way to make the connection work. I did a scan with the newest Ad-Aware, Spyware Doctor and HijackThis. Ad-Aware found nothing. Spyware Doctor found a few infections and deleted them. HijackThis also found a few dangerous logs, and also deleted them. But the problem is it didn't solve the problem. Every time I connect to the internet, restart the computer and make a new scan, there is the same situation: identical infections appear again. In HijackThis there are two logs I can't delete:
1) R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
2) O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36

The same situation is in Spyware Doctor. It finds all the time the following infections:
1) Application.NirCmd
2) Trojan.DNS-Changer
3) Trojan-Downloader.Popuper

I can delete them many times but they will appear again.
I looked for some info about DNS-Changers and I found out it redirects some porn *tube-like sites to others. I tried to enter redtube, porntube and it truly redirects me to other addresses: http://216.255.178.179/ or some fake antivirus sites (like http://virus-scanonline.com).
Moreover, I switched the realtime protection of Spyware Doctor on, and when I try to connect to the internet, it blocks the connection and shows information that my internet connection is a Trojan Downloader. I also tried to do a system restore, but it didn't help.
I completely don't know what to do... Any ideas? Thanks in advance!

Here is my Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:09, on 2008-06-16
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtnn.exe] C:\WINDOWS\system32\kdtnn.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_i...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_i...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_i...menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_i...=menu_ie_report
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
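As an added example (not from this thread or from any of the tools named in it), here is a small Python checker that does over HijackThis-style lines what the helpers do by eye: it pulls out the R1 ProxyServer and O17 NameServer entries, flags resolvers outside a trusted allowlist, and counts how often the same entry reappears in the HijackThis backup list, which is the tell-tale of the "it comes back after every fix" behaviour described above. The sample lines are lifted from this thread's logs; the trusted networks (a home LAN range and 203.0.113.0/24 standing in for the ISP's own resolvers) are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Line shapes used in this thread: R1 proxy entries, O17 per-interface
# NameServer entries and the "backup-YYYYMMDD-HHMMSS-nnn <entry>" lines
# from the HijackThis backup folder.  The regexes are mine, not HijackThis's.
PROXY_RE = re.compile(r"^R1 - (?P<key>.+),ProxyServer = (?P<value>.+)$")
NS_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<value>.+)$")
BACKUP_RE = re.compile(r"^backup-(?P<stamp>\d{8}-\d{6})-\d+ (?P<entry>.+)$")

# Constructed sample: a handful of lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
"""

SAMPLE_BACKUPS = r"""
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
"""

# Assumed allowlist: the home router's LAN and a placeholder range (RFC 5737
# documentation space) standing in for the ISP's real resolvers.
TRUSTED_NETS = ["192.168.0.0/16", "203.0.113.0/24"]


def split_nameservers(value):
    """NameServer may be space- or comma-separated; both forms appear in the log."""
    return [ip for ip in re.split(r"[\s,]+", value.strip()) if ip]


def parse_hjt(lines):
    """Extract proxy and DNS settings from HijackThis-style lines."""
    found = {"proxies": [], "nameservers": []}
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            found["proxies"].append((m.group("key"), m.group("value")))
            continue
        m = NS_RE.match(line)
        if m:
            found["nameservers"].append((m.group("key"), split_nameservers(m.group("value"))))
    return found


def rogue_settings(found, trusted_nets, expected_proxy=None):
    """Flag any resolver outside the trusted networks and any unexpected proxy."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    alerts = []
    for key, value in found["proxies"]:
        if value != expected_proxy:
            alerts.append(("proxy", key, value))
    for key, servers in found["nameservers"]:
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                alerts.append(("nameserver-unparsable", key, server))
                continue
            if not any(addr in net for net in nets):
                alerts.append(("nameserver", key, server))
    return alerts


def refix_counts(backup_lines):
    """Count how often the same entry was 'fixed'; repeats mean it is being re-set."""
    counts = Counter()
    for raw in backup_lines:
        m = BACKUP_RE.match(raw.strip())
        if not m:
            continue
        entry = m.group("entry")
        ns = NS_RE.match(entry)
        if ns:  # normalise the separator so comma and space variants count together
            entry = "O17 - %s: NameServer = %s" % (
                ns.group("key"), " ".join(split_nameservers(ns.group("value"))))
        counts[entry] += 1
    return counts


def recurring(counts):
    """Entries that have been fixed more than once, i.e. persistence suspects."""
    return sorted(e for e, n in counts.items() if n > 1)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG.strip().splitlines())
    for kind, key, value in rogue_settings(found, TRUSTED_NETS):
        print("ALERT %-22s %s -> %s" % (kind, key, value))
    counts = refix_counts(SAMPLE_BACKUPS.strip().splitlines())
    for entry in recurring(counts):
        print("RE-FIXED %d times: %s" % (counts[entry], entry))
```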

Comments

  • edited June 2008
    Welcome to Icrontic mavplz,

    Sounds like an active DNS hijacker there, and infection is showing in this log file. Let's get a more detailed look and then start some repairs.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.


    Download Deckard's System Scanner (dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

    Making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button (if the "Uncheck All" button shows, click that, then click "Check All"). Next, Under Main Log, uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Options, place a check next to the following:

    Backup Registry Hives

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here (main.txt). Also a second text file, extra.txt, will show as minimized in your Task Bar. Maximize/Open this, and copy/paste those contents back here along with the main.txt please. (The logs can also be found in the C:\Deckard\System Scanner folder)


    Also Download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe

    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply (usually at C:\rapport.txt).

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually the C drive), and launch from there.

    NOTE: Please do not run any other options from SmitfraudFix until we discuss the results.

    You can use extra posts here if needed for that.
  • edited June 2008
    Thank you for the reply!
    Here are my logs:

    Dss main:

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-06-18 13:12:01
    Computer is in Normal Mode.

    Backed up registry hives.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:12, on 2008-06-18
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\a-squared Anti-Malware\a2service.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Documents and Settings\Administrator\Pulpit\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtnn.exe] C:\WINDOWS\system32\kdtnn.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
    O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 6186 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
    backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
    backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
    backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
    backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36

    -- File Associations

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>

    S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
    S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
    S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
    S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
    S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller #3
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Service: NVENETFD

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: BQ9305P PKA211J SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Service: cdrom

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: NERO IMAGEDRIVE2 SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Service: cdrom


    -- Files created between 2008-05-18 and 2008-06-18

    2008-06-17 12:43:35 0 d C:\Program Files\SUPERAntiSpyware
    2008-06-17 12:22:11 0 d C:\Program Files\a-squared Anti-Malware
    2008-06-17 11:40:12 0 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 14:10:31 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-16 12:42:58 0 d C:\Program Files\Spyware Doctor
    2008-06-16 12:42:43 0 d C:\Program Files\Common Files\Download Manager
    2008-06-16 12:29:27 0 d C:\Program Files\Enigma Software Group
    2008-06-15 21:02:00 0 d C:\Program Files\Exterminate It!
    2008-06-15 19:59:37 68096 --a C:\WINDOWS\zip.exe
    2008-06-15 19:59:37 49152 --a C:\WINDOWS\VFind.exe
    2008-06-15 19:59:37 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-15 19:59:37 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-15 19:59:37 98816 --a C:\WINDOWS\sed.exe
    2008-06-15 19:59:37 80412 --a C:\WINDOWS\grep.exe
    2008-06-15 19:59:37 89504 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-15 15:55:43 0 d C:\Program Files\Lavasoft
    2008-06-15 12:25:25 0 d C:\Program Files\Trend Micro
    2008-06-11 16:16:34 0 d C:\Program Files\Free Download Manager
    2008-06-07 20:09:49 0 d C:\Program Files\AutoConnect
    2008-06-07 20:04:13 0 d C:\Program Files\Ad Muncher
    2008-06-07 19:11:28 0 d C:\Program Files\uTorrent
    2008-05-23 18:00:33 0 d C:\Program Files\Microsoft Bootvis
    2008-05-23 17:52:31 0 d C:\Program Files\SiSoftware
    2008-05-22 21:10:50 0 d C:\WINDOWS\system32\oodag
    2008-05-22 21:09:41 0 d C:\Program Files\OO Software
    2008-05-22 20:09:19 0 d C:\Program Files\CCleaner
    2008-05-22 17:28:17 0 d--h C:\ckis
    2008-05-22 16:35:50 96966 --a C:\WINDOWS\system32\drivers\klin.dat
    2008-05-22 16:35:50 88774 --a C:\WINDOWS\system32\drivers\klick.dat
    2008-05-22 16:35:16 0 d C:\Program Files\Kaspersky Lab
    2008-05-22 16:35:14 300576 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-05-22 16:35:14 8529952 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-05-22 16:34:17 0 d C:\kav
    2008-05-21 23:41:44 0 d C:\Program Files\kmp
    2008-05-21 22:48:37 0 d C:\WINDOWS\nvidia icons
    2008-05-21 21:58:05 0 d C:\Program Files\CD Catalog Expert


    -- Find3M Report

    2008-06-17 12:43:35 0 d C:\Documents and Settings\Administrator\Dane aplikacji\SUPERAntiSpyware.com
    2008-06-17 12:43:22 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-17 11:40:14 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
    2008-06-16 12:44:19 494652 --a C:\WINDOWS\system32\perfh015.dat
    2008-06-16 12:44:19 87188 --a C:\WINDOWS\system32\perfc015.dat
    2008-06-16 12:42:58 0 d C:\Documents and Settings\Administrator\Dane aplikacji\PC Tools
    2008-06-16 12:42:43 0 d C:\Program Files\Common Files
    2008-06-15 13:47:00 0 d C:\Program Files\FlashGet
    2008-06-11 16:17:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
    2008-06-06 21:57:23 0 d C:\Program Files\Soulseek
    2008-05-17 18:29:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
    2008-05-17 18:02:43 0 d C:\Program Files\Ubisoft
    2008-05-17 18:02:42 0 d--h C:\Program Files\InstallShield Installation Information
    2008-05-10 21:11:33 0 d C:\Program Files\Dziobas Rar Player
    2008-05-07 20:36:48 0 d C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
    2008-05-07 15:36:10 279172 --a C:\amt1
    2008-05-05 21:12:59 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2008-05-03 05:46:00 1630208 --a C:\WINDOWS\system32\nwiz.exe
    2008-05-03 05:46:00 1019904 --a C:\WINDOWS\system32\nvwimg.dll
    2008-05-03 05:46:00 1703936 --a C:\WINDOWS\system32\nvwdmcpl.dll
    2008-05-03 05:46:00 466944 --a C:\WINDOWS\system32\nvshell.dll
    2008-05-03 05:46:00 1486848 --a C:\WINDOWS\system32\nview.dll
    2008-05-03 05:46:00 1339392 --a C:\WINDOWS\system32\nvdspsch.exe
    2008-05-03 05:46:00 442368 --a C:\WINDOWS\system32\nvappbar.exe
    2008-05-03 05:46:00 425984 --a C:\WINDOWS\system32\keystone.exe
    2008-04-30 18:37:12 0 d C:\Program Files\Medieval Software
    2008-04-30 18:05:08 0 d C:\Program Files\Electronic Arts
    2008-04-30 17:59:37 0 d C:\Program Files\Easy CD-DA Extractor 11
    2008-04-19 19:13:03 0 d C:\Program Files\Audacity
    2008-03-24 15:18:02 43537 --a C:\WINDOWS\system32\unins000.dat
    2008-03-24 15:17:40 684560 --a C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
    "Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
    "C:\WINDOWS\system32\kdtnn.exe"="C:\WINDOWS\system32\kdtnn.exe" []
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
    "RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=0 (0x0)
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "WMI Standard Event Consumer - Scripting"= C:\WINDOWS\system32\wbem\scrcons32.exe

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
    FrameWork.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
    C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
    "C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=3 (0x3)
    "WebClient"=2 (0x2)
    "TlntSvr"=3 (0x3)
    "SharedAccess"=3 (0x3)
    "seclogon"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "RSVP"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "idsvc"=3 (0x3)
    "FirebirdServerMAGIXInstance"=3 (0x3)
    "CryptSvc"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)
    "UTSCSI"=2 (0x2)
    "UleadBurningHelper"=2 (0x2)
    "TuneUp.Defrag"=3 (0x3)
    "O&O Defrag"=2 (0x2)
    "ERSvc"=2 (0x2)
    "AVP"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    AutoRun\command- H:\
    open\Command- rundll32.exe .\desktop.dll,InstallM




    -- End of Deckard's System Scanner: finished at 2008-06-18 13:13:45
  • edited June 2008
    Dss extra:

    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.

    -- System Information

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: Polish

    CPU 0: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
    CPU 1: AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
    Percentage of Memory in Use: 17%
    Physical Memory (total/avail): 2047.48 MiB / 1696.34 MiB
    Pagefile Memory (total/avail): 3939.66 MiB / 3740.3 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1939.43 MiB

    C: is Fixed (NTFS) - 232.88 GiB total, 72.09 GiB free.
    D: is CDROM (No Media)
    E: is Fixed (NTFS) - 37.27 GiB total, 22.15 GiB free.
    F: is CDROM (No Media)

    \\.\PHYSICALDRIVE0 - ST3250620AS - 232.88 GiB - 1 partition
    \PARTITION0 (bootable) - Instalowalny system plików - 232.88 GiB - C:

    \\.\PHYSICALDRIVE1 - ST340810A - 37.27 GiB - 1 partition
    \PARTITION0 - Instalowalny system plików - 37.27 GiB - E:



    -- Security Center

    AUOptions is disabled.


    -- Environment Variables

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Administrator\Dane aplikacji
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=Z
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Administrator
    LOGONSERVER=\\Z
    NUMBER_OF_PROCESSORS=2
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Avid;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\PROGRA~1\thriXXX\3D SexVilla;C:\Program Files\ZipGenius 6
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=4b02
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
    TMP=C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp
    USERDOMAIN=Z
    USERNAME=Administrator
    USERPROFILE=C:\Documents and Settings\Administrator
    windir=C:\WINDOWS
    __COMPAT_LAYER=EnableNXShowUI


    -- User Profiles

    Administrator (admin)


    -- Add/Remove Programs

    --> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
    --> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
    --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
    --> MsiExec /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    a-squared Anti-Malware 3.5 --> "C:\Program Files\a-squared Anti-Malware\unins000.exe"
    Ad-Aware --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
    Ad Muncher --> C:\Program Files\Ad Muncher\uninst.exe
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    Adobe Reader 7.0.7 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70700000002}
    Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    AGEIA PhysX v7.07.09 --> MsiExec.exe /X{65F1CF63-31E0-450B-96F3-4A88BE7361A6}
    Aktualizacja dla systemu Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB896256) --> "C:\WINDOWS\$NtUninstallKB896256$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB920342) --> "C:\WINDOWS\$NtUninstallKB920342$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
    Aktualizacja dla systemu Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla systemu Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
    Aktualizacja zabezpieczeń dla Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
    Apple Software Update --> MsiExec.exe /I{74EC78BC-B379-4E29-9006-8F161DCAABA6}
    Archiwizator WinRAR --> C:\Program Files\WinRAR\uninstall.exe
    Assassin's Creed --> C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0015 -removeonly
    Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
    AutoConnect v0.1.3.1 --> C:\Program Files\AutoConnect\uninst.exe
    BearShare --> C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
    BitSpirit v3.2.2.215 Stable --> "C:\Program Files\BitSpirit\unins000.exe"
    Call of Duty(R) 4 - Modern Warfare(TM) --> C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
    Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch --> C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
    Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch --> C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
    Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch --> C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
    CD Catalog Expert 9.2.7.515 --> "C:\Program Files\CD Catalog Expert\unins000.exe"
    Condition Zero --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/80
    Condition Zero Deleted Scenes --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/100
    Counter-Strike --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/10
    Counter-Strike 1.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9ABFB92D-93DA-49EE-8ABF-F8195DE45CA9}\Setup.exe" -l0x19
    Counter-Strike(TM) --> MsiExec.exe /I{DF5A03CC-D5AA-43D8-B948-D9903F2AF94A}
    Day of Defeat --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/30
    DC++ 0.699 --> "C:\Program Files\DC++\uninstall.exe"
    Deathmatch Classic --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/40
    Dedicated Server --> "C:\Program Files\Valve\Steam\steam.exe" steam://uninstall/5
    Dziobas Rar Player 0.007PL --> "C:\Program Files\Dziobas Rar Player\unins000.exe"
    eMule --> "C:\Program Files\eMule\Uninstall.exe"
    Exterminate It! --> C:\Program Files\Exterminate It!\ExterminateIt_Uninst.exe
    ffdshow [rev 1900] [2008-03-15] --> "C:\Program Files\Film\unins000.exe"
    Firebird SQL Server - MAGIX Edition 2.0.0.1 (US) --> C:\Program Files\MAGIX\Common\Database\uninstall.exe
    Free Download Manager 2.5 --> "C:\Program Files\Free Download Manager\unins000.exe"
    Gadu-Gadu 7.7 --> C:\Program Files\Gadu-Gadu\Setup.exe
    HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
    Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
    IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
    Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
    Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
    Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
    MAGIX Movie Edit Pro 12 e-version 6.5.4.2 (US) --> C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\instslct.exe
    Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
    Medieval CUE Splitter --> MsiExec.exe /I{E9A5B341-167D-4042-8854-46F671F94049}
    Medieval II Total War --> C:\Program Files\InstallShield Installation Information\{C0698BDA-0D29-40EE-8570-A31106DF9AB1}\setup.exe -runfromtemp -l0x0009 -removeonly
    Medieval II Total War : Kingdoms : Americas --> C:\Program Files\InstallShield Installation Information\{75983B66-804C-40D1-BA13-64DAF652A6F1}\setup.exe -runfromtemp -l0x0009 -removeonly
    Medieval II Total War : Kingdoms : Britannia --> C:\Program Files\InstallShield Installation Information\{CEDDEE73-3D36-41C2-AA40-29355D9FBD63}\setup.exe -runfromtemp -l0x0009 -removeonly
    Medieval II Total War : Kingdoms : Crusades --> C:\Program Files\InstallShield Installation Information\{02A10468-2F1C-447C-AD8E-4DEDDEA25AE2}\setup.exe -runfromtemp -l0x0009 -removeonly
    Medieval II Total War : Kingdoms : Teutonic --> C:\Program Files\InstallShield Installation Information\{7AEE1963-7001-4C37-BC20-2FAEB74AA41C}\setup.exe -runfromtemp -l0x0009 -removeonly
    Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
    Microsoft Office Access MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0015-0415-0000-0000000FF1CE}
    Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
    Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
    Microsoft Office Excel MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0016-0415-0000-0000000FF1CE}
    Microsoft Office Groove MUI (Polish) 2007 --> MsiExec.exe /X{90120000-00BA-0415-0000-0000000FF1CE}
    Microsoft Office InfoPath MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0044-0415-0000-0000000FF1CE}
    Microsoft Office OneNote MUI (Polish) 2007 --> MsiExec.exe /X{90120000-00A1-0415-0000-0000000FF1CE}
    Microsoft Office Outlook MUI (Polish) 2007 --> MsiExec.exe /X{90120000-001A-0415-0000-0000000FF1CE}
    Microsoft Office PowerPoint MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0018-0415-0000-0000000FF1CE}
    Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
    Microsoft Office Proof (German) 2007 --> MsiExec.exe /X{90120000-001F-0407-0000-0000000FF1CE}
    Microsoft Office Proof (Polish) 2007 --> MsiExec.exe /X{90120000-001F-0415-0000-0000000FF1CE}
    Microsoft Office Proofing (Polish) 2007 --> MsiExec.exe /X{90120000-002C-0415-0000-0000000FF1CE}
    Microsoft Office Publisher MUI (Polish) 2007 --> MsiExec.exe /X{90120000-0019-0415-0000-0000000FF1CE}
    Microsoft Office Shared MUI (Polish) 2007 --> MsiExec.exe /X{90120000-006E-0415-0000-0000000FF1CE}
    Microsoft Office Word MUI (Polish) 2007 --> MsiExec.exe /X{90120000-001B-0415-0000-0000000FF1CE}
    Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
    Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
    Microsoft Visual J# .NET Redistributable Package 1.1 --> MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
    Mozilla Firefox (3.0) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
    MSXML 6.0 Parser (KB927977) --> MsiExec.exe /I{5A710547-B58E-488B-828D-CA9A25A0533C}
    Nero 7 Ultra Edition --> MsiExec.exe /I{235BBFC6-D863-4066-A01A-3BD504C31045}
    NVIDIA Drivers --> C:\WINDOWS\system32\nvuninst.exe UninstallGUI
    O&O Defrag Professional Edition --> MsiExec.exe /I{53480330-E1D1-41CA-B8F8-7F78644F7F50}
    Poprawka dla systemu Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
    Poprawka systemu Windows XP - KB873339 --> C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
    Poprawka systemu Windows XP - KB885835 --> C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
    Poprawka systemu Windows XP - KB885836 --> C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
    Poprawka systemu Windows XP - KB886185 --> C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
    Poprawka systemu Windows XP - KB887472 --> C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
    Poprawka systemu Windows XP - KB888302 --> C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
    Poprawka systemu Windows XP - KB890859 --> "C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
    Poprawka systemu Windows XP - KB891781 --> C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
    PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
    Professional Registry Doctor v6.2.3.3 --> "C:\Program Files\Professional Registry Doctor\unins000.exe"
    ProXmedia - Edytor Zdjęć --> MsiExec.exe /I{C18B4F4F-9C7D-45A8-A1EE-AAB1A4ADE4C2}
    PunkBuster Services --> C:\WINDOWS\system32\pbsvc.exe -u
    QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
    Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\Setup.exe" -l0x15 -removeonly
    Ricochet --> "C:\PROGRA~1\Valve\Steam\steam.exe" steam://uninstall/60
    RocketDock 1.3.5 --> "C:\Program Files\RocketDock\unins000.exe"
    SAGEM F@st 800-840 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9
    Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
    SoulSeek Client 156c --> "C:\Program Files\Soulseek\uninstall.exe"
    Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
    Steam(TM) --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
    Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
    Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
    Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
    Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
    Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
    Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
    Windows Presentation Foundation Language Pack (PLK) --> MsiExec.exe /X{2D43FD89-B225-4334-B4AA-0983400BE61B}
    Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
    Windows Workflow Foundation PL Language Pack --> MsiExec.exe /I{DB76863D-D4D9-4AB3-AFDC-26717BA1E11C}
    Xilisoft DVD Ripper Platinum 4 --> C:\Program Files\Xilisoft\DVD Ripper Platinum 4\Uninstall.exe
    XML Paper Specification Shared Components Language Pack 1.0 --> "C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
    XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
    Your Uninstaller! 2008 Version 6.0 --> "C:\Program Files\Your Uninstaller 2008\unins000.exe"


    -- Application Event Log

    Event Record #/Type3198 / Error
    Event Submitted/Written: 06/18/2008 01:13:27 PM
    Event ID/Source: 11 / crypt32
    Event Description:
    Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.

    Event Record #/Type3195 / Error
    Event Submitted/Written: 06/18/2008 01:13:25 PM
    Event ID/Source: 11 / crypt32
    Event Description:
    Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.

    Event Record #/Type3194 / Error
    Event Submitted/Written: 06/18/2008 01:13:24 PM
    Event ID/Source: 11 / crypt32
    Event Description:
    Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.

    Event Record #/Type3191 / Error
    Event Submitted/Written: 06/18/2008 01:13:23 PM
    Event ID/Source: 11 / crypt32
    Event Description:
    Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.

    Event Record #/Type3190 / Error
    Event Submitted/Written: 06/18/2008 01:13:23 PM
    Event ID/Source: 11 / crypt32
    Event Description:
    Nie można wyodrębnić głównej listy innych firm z pliku cab automatycznej aktualizacji z: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>, wystąpił błąd: Nieprawidłowe dane.



    -- Security Event Log

    No Errors/Warnings found.


    -- System Event Log

    Event Record #/Type8200 / Error
    Event Submitted/Written: 06/18/2008 01:07:00 PM
    Event ID/Source: 7034 / Service Control Manager
    Event Description:
    Usługa PnkBstrA niespodziewanie zakończyła pracę. Wystąpiło to razy: 1.

    Event Record #/Type8198 / Error
    Event Submitted/Written: 06/18/2008 01:06:57 PM
    Event ID/Source: 7031 / Service Control Manager
    Event Description:
    Usługa a-squared Anti-Malware Service niespodziewanie zakończyła pracę. Wystąpiło to razy: 1. W przeciągu 0 milisekund zostanie podjęta następująca czynność korekcyjna: Uruchom usługę ponownie.

    Event Record #/Type8197 / Error
    Event Submitted/Written: 06/18/2008 01:06:55 PM
    Event ID/Source: 7031 / Service Control Manager
    Event Description:
    Usługa Lavasoft Ad-Aware Service niespodziewanie zakończyła pracę. Wystąpiło to razy: 2. W przeciągu 10000 milisekund zostanie podjęta następująca czynność korekcyjna: Uruchom usługę ponownie.

    Event Record #/Type8196 / Error
    Event Submitted/Written: 06/18/2008 01:06:51 PM
    Event ID/Source: 7034 / Service Control Manager
    Event Description:
    Usługa NVIDIA Display Driver Service niespodziewanie zakończyła pracę. Wystąpiło to razy: 1.

    Event Record #/Type8194 / Error
    Event Submitted/Written: 06/18/2008 01:06:34 PM
    Event ID/Source: 7034 / Service Control Manager
    Event Description:
    Usługa Usługa bramy warstwy aplikacji niespodziewanie zakończyła pracę. Wystąpiło to razy: 1.



    -- End of Deckard's System Scanner: finished at 2008-06-18 13:13:45

    There is some text in Polish here; if you think it is important, let me know and I will translate it.
  • edited June 2008
    SmitFraudFix v2.326

    Scan done at 13:15:57.00, 2008-06-18
    Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
    OS: Microsoft Windows XP [Wersja 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\a-squared Anti-Malware\a2service.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\SmitfraudFix\Policies.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\Ulubione


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="Moja bieżąca strona główna"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» 404Fix
    !!!Attention, following keys are not inevitably infected!!!

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!



    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "system"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Your computer may be victim of a DNS Hijack: 85.255.x.x detected !

    Description: WAN (PPP/SLIP) Interface
    DNS Server Search Order: 85.255.113.78
    DNS Server Search Order: 85.255.112.36

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer=85.255.113.78 85.255.112.36


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    I am waiting for the next instructions!
  • edited June 2008
    You have been making your own changes and choices there, and to be honest with you, some of them were not good ones. HijackThis was developed to be used for forum repairs like here, and really not meant as a personal user removal tool. Looks like you tried to remove the bad DNS nameserver settings, without the corrections to the actual DhcpNameServer changes first. And removed legit services of installed security software with Spyware Doctor. The first could have possibly left you with no net access, the second with no reboot. Fortunately Spyware Doctor recreated its own server registry settings.

    Active autoloading worm infection here along with DNS issues, so let's start some repairs.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    Go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

    BearShare - adware bundled


    Go here and download Flash_Disinfector.exe and save it to your desktop.

    Doubleclick on Flash_Disinfector.exe to run it and follow the prompts. Wait until it has finished scanning and then exit the program.

    The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Especially the G drive device. Leave any of these installed now until all repairs are completed.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdtnn.exe] C:\WINDOWS\system32\kdtnn.exe

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "WMI Standard Event Consumer - Scripting"=-
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{6074756e-3052-11dc-a240-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    
    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it fixer.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    Please download FixWareout from here

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish. The fix will begin, just follow the prompts. If your firewall sends an alert, please don't let your firewall block it, allow it (this tool will download an additional file from the internet). Note: You must be online to run this utility.

    Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load, this is normal.

    Once your desktop loads, notepad will open a report.txt file. Close this, and allow the reboot to complete. On reboot you will also get notified about possible difficulties making a connection after the fix is run. If you do have net access difficulties double click the registry file dnsbak.reg located in the Fixwareout folder on the root of the drive windows is installed (normally c:\ as suggested).

    Once your desktop loads, please post the contents of the logfile C:\fixwareout\report.txt back here in your next reply.


    Then Download Malwarebytes' Anti-Malware from Here or Here.

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

    ============================

    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the Malwarebytes log and the C:\fixwareout\report.txt please.
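As an added example (not part of this thread and not code from any of the tools named in it), the following Python script triages HijackThis / DSS-style log lines for the three indicators being repaired here: O17 NameServer entries in the 85.255.x.x range that the DNS check in the log above reports, an R1 ProxyServer pointing at a public address, and MountPoints2 autorun hooks that run rundll32 against a DLL on a removable drive. The sample log is constructed from lines quoted in the thread (the all-zero GUID is a placeholder), and the 85.255.0.0/16 range is taken from that check, not from an authoritative block list.

```python
"""Triage HijackThis / DSS log excerpts for the indicators seen in this thread.

Checks: O17 NameServer values in 85.255.0.0/16 (the range the DNS check in the
log above reports), an R1 ProxyServer pointing at a public address, and
MountPoints2 autorun hooks that run rundll32 against a DLL on a removable drive.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Range the "DNS Hijack: 85.255.x.x detected" check in the thread keys on.
# A heuristic taken from this case, not an authoritative block list.
DNSCHANGER_RANGE = ipaddress.ip_network("85.255.0.0/16")

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - (?P<key>.+Internet Settings),ProxyServer = (?P<proxy>\S+)")
REG_KEY_RE = re.compile(r"^\[-?(?P<key>[^\]]+)\]$")
MOUNTPOINT_CMD_RE = re.compile(r"^open\\Command-\s*(?P<cmd>.+)$", re.IGNORECASE)

# Constructed sample in the shape of the logs posted in this thread; the
# all-zero interface GUID and the 192.168.1.1 resolver are placeholders.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "dns", "proxy" or "autorun"
    detail: str  # the value that was matched
    reason: str  # why it is flagged


def _parse_ip(text: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_nameservers(servers: str, expected: frozenset[str] = frozenset()) -> list[Finding]:
    """Split 'a b' or 'a,b' resolver lists and flag each suspicious entry."""
    findings: list[Finding] = []
    for token in re.split(r"[\s,]+", servers.strip()):
        if not token:
            continue
        ip = _parse_ip(token)
        if ip is not None and ip in DNSCHANGER_RANGE:
            findings.append(Finding("dns", token, "NameServer in 85.255.0.0/16 (range reported by the DNS hijack check)"))
        elif expected and token not in expected:
            findings.append(Finding("dns", token, "NameServer not in the expected resolver list"))
    return findings


def check_proxy(proxy: str) -> list[Finding]:
    """A home ADSL client has no reason to force HTTP through a public proxy."""
    host = proxy.rsplit(":", 1)[0]
    ip = _parse_ip(host)
    if ip is not None and ip.is_global:
        return [Finding("proxy", proxy, "ProxyServer forces traffic through a public IP")]
    return []


def triage(log_text: str, expected_dns=()) -> list[Finding]:
    """Walk the log once; the most recent [key] line decides the registry context."""
    expected = frozenset(expected_dns)
    findings: list[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := REG_KEY_RE.match(line):
            current_key = m.group("key").lower()
            continue
        if m := O17_RE.match(line):
            findings.extend(check_nameservers(m.group("servers"), expected))
        elif m := R1_PROXY_RE.match(line):
            findings.extend(check_proxy(m.group("proxy")))
        elif "mountpoints2" in current_key and (m := MOUNTPOINT_CMD_RE.match(line)):
            cmd = m.group("cmd")
            reason = "MountPoints2 open\\Command runs code from the removable drive"
            if "rundll32" in cmd.lower() and ".dll" in cmd.lower():
                reason += " via rundll32 on a DLL"
            findings.append(Finding("autorun", f"{current_key}: {cmd}", reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail} -- {f.reason}")
```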
  • edited June 2008
    Report from Fixwareout:

    Username "Administrator" - 2008-06-18 21:09:09 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}
    "nameserver"="85.255.113.78" <Value cleared.

    Pomyślnie opróżniono pamięć podręczną programu rozpoznawania nazw DNS.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    ~~~~~ Misc files.
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "Ad Muncher"="\"C:\\Program Files\\Ad Muncher\\AdMunch.exe\" /bt"
    "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadu-Gadu"="\"C:\\Program Files\\Gadu-Gadu\\gg.exe\" /tray"
    "RocketDock"="\"C:\\Program Files\\RocketDock\\RocketDock.exe\""
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~


    Report from dss:
    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-06-18 21:17:59
    Computer is in Normal Mode.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:18:00, on 2008-06-18
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\Administrator\Pulpit\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
    O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 5927 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
    backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
    backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
    backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
    backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36

    -- File Associations

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>

    S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
    S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
    S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
    S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
    S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
    S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller #3
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Service: NVENETFD

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: BQ9305P PKA211J SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Service: cdrom

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: NERO IMAGEDRIVE2 SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Service: cdrom


    -- Files created between 2008-05-18 and 2008-06-18

    2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
    2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
    2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-16 12:42:58 0 d-------- C:\Program Files\Spyware Doctor
    2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
    2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
    2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
    2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
    2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
    2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-15 15:55:43 0 d-------- C:\Program Files\Lavasoft
    2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
    2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
    2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
    2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
    2008-05-22 21:10:50 0 d-------- C:\WINDOWS\system32\oodag
    2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
    2008-05-22 20:09:19 0 d-------- C:\Program Files\CCleaner
    2008-05-22 17:28:17 0 d--h----- C:\ckis
    2008-05-22 16:35:50 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2008-05-22 16:35:50 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2008-05-22 16:35:16 0 d-------- C:\Program Files\Kaspersky Lab
    2008-05-22 16:35:14 307232 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-05-22 16:35:14 8633888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-05-22 16:34:17 0 d-------- C:\kav
    2008-05-21 23:41:44 0 d-------- C:\Program Files\kmp
    2008-05-21 22:48:37 0 d-------- C:\WINDOWS\nvidia icons
    2008-05-21 21:58:05 0 d-------- C:\Program Files\CD Catalog Expert


    -- Find3M Report

    2008-06-18 20:17:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
    2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
    2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
    2008-06-16 12:42:58 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\PC Tools
    2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files
    2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
    2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
    2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
    2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
    2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
    2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
    2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
    2008-05-07 15:36:10 279172 --a------ C:\amt1
    2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
    2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
    2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
    2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
    2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
    2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
    2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
    2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
    2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
    2008-04-30 18:05:08 0 d-------- C:\Program Files\Electronic Arts
    2008-04-19 19:13:03 0 d-------- C:\Program Files\Audacity
    2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
    2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
    "Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
    "RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
    FrameWork.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
    C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
    "C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=3 (0x3)
    "WebClient"=2 (0x2)
    "TlntSvr"=3 (0x3)
    "SharedAccess"=3 (0x3)
    "seclogon"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "RSVP"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "idsvc"=3 (0x3)
    "FirebirdServerMAGIXInstance"=3 (0x3)
    "CryptSvc"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)
    "UTSCSI"=2 (0x2)
    "UleadBurningHelper"=2 (0x2)
    "TuneUp.Defrag"=3 (0x3)
    "O&O Defrag"=2 (0x2)
    "ERSvc"=2 (0x2)
    "AVP"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    AutoRun\command- H:\
    open\Command- rundll32.exe .\desktop.dll,InstallM




    -- End of Deckard's System Scanner: finished at 2008-06-18 21:18:44


    Malwarebytes found no infections.
  • edited June 2008
    new external drive autoload functions created just then. When it called for installing all external drives, did you then add a new H drive device (flash/thumb drive perhaps)? Either way leave all installed now, and let's scan for what is not showing yet. FixWareout made some DNS changes - if not enough we can always complete those manually.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware softwares while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs.


    REGEDIT4
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    
    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it nextfix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    Close Internet Explorer and all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis.

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36


    Go here and run the Kaspersky online scan, and post back the log it creates (it requires IE).

    To use the scan, accept the agreement and make sure you allow the ActiveX object to download and install (check the "yellow bar" at the top of IE if needed to allow this). Once the download has completed click Next, then Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click "My Computer" to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    My steps are now outdated, and actually have more steps than required. I haven't had a chance to update them, but you should be able to run the scan once you see the website requirements.


    Then assuming you used it, click the dssrun.vbs again to start Deckards.

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that and the Kaspersky log back here please.
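As an added example (not the helper's or the original poster's tooling), the script below does by program what the helper did by eye on the logs in this thread: it pulls the O17 NameServer and R1 ProxyServer lines out of a HijackThis log, lists the mountpoints2 keys whose open handler launches a DLL rather than just opening the drive, and writes the same kind of REGEDIT4 deletion file as nextfix.reg. The log excerpt is constructed from lines quoted in this thread, and the trusted resolver range is a placeholder to replace with the addresses your ISP really hands out.

```python
"""Triage helper for HijackThis / Deckard's System Scanner output (added
example, not the helper's or the poster's own tooling).

It flags the two things fixed by hand in this thread: O17 NameServer entries
that point outside the resolvers you trust, and mountpoints2 drive keys whose
open handler launches a binary instead of just opening the drive. It then
writes a REGEDIT4 deletion file of the same shape as nextfix.reg.
"""
import ipaddress
import re

# Constructed log excerpt, modelled on the lines quoted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
"""

# Placeholder: replace with the resolver addresses your ISP actually assigns.
TRUSTED_RESOLVERS = ["192.168.0.0/16"]

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): NameServer = (?P<servers>.+)$")
R1_PROXY_RE = re.compile(r"^R1 - (?P<key>HKCU\\[^,]+),ProxyServer = (?P<proxy>\S+)$")
MP2_KEY_RE = re.compile(
    r"^\[(?P<key>HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\\{[0-9a-f-]+\})\]$", re.IGNORECASE)
MP2_CMD_RE = re.compile(r"^(?P<verb>AutoRun\\command|open\\Command)- (?P<cmd>.+)$",
                        re.IGNORECASE)
# A drive's own handler is just "G:\"; a handler naming a binary is the worm's hook.
LAUNCHES_BINARY_RE = re.compile(r"\.(exe|dll|com|bat|cmd|vbs|scr)\b", re.IGNORECASE)


def _is_trusted(server, nets):
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:  # a hostname is not something the ISP pushes into this value
        return False
    return any(addr in net for net in nets)


def find_nameservers(lines, trusted=TRUSTED_RESOLVERS):
    """(registry key, [servers]) for each O17 line with a server outside `trusted`.
    HijackThis prints the list either space- or comma-separated; both are handled."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
        if not all(_is_trusted(s, nets) for s in servers):
            hits.append((m.group("key"), servers))
    return hits


def find_proxies(lines):
    """Every R1 ProxyServer value; on a home ADSL line there should be none."""
    return [m.group("proxy") for m in map(R1_PROXY_RE.match, (l.strip() for l in lines)) if m]


def find_autorun_mountpoints(lines):
    """{key: {verb: command}} for mountpoints2 keys whose handler launches a binary."""
    found, current = {}, None
    for line in lines:
        line = line.strip()
        k = MP2_KEY_RE.match(line)
        if k:
            current = k.group("key")
            found[current] = {}
        elif current and (c := MP2_CMD_RE.match(line)):
            found[current][c.group("verb").lower()] = c.group("cmd")
        elif not line:  # a blank line closes the key's value list
            current = None
    return {key: verbs for key, verbs in found.items()
            if any(LAUNCHES_BINARY_RE.search(cmd) for cmd in verbs.values())}


def build_delete_reg(keys):
    """REGEDIT4 text deleting each key; '-' before the path is .reg syntax for delete.
    CRLF line endings, the form Notepad and regedit write."""
    return "REGEDIT4\r\n\r\n" + "".join(f"[-{key}]\r\n\r\n" for key in keys)


def triage(log_text, trusted=TRUSTED_RESOLVERS):
    lines = log_text.splitlines()
    return {
        "proxies": find_proxies(lines),
        "nameservers": find_nameservers(lines, trusted),
        "mountpoints": find_autorun_mountpoints(lines),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, servers in result["nameservers"]:
        print("rogue NameServer:", key, "->", " ".join(servers))
    for proxy in result["proxies"]:
        print("proxy set:", proxy)
    print(build_delete_reg(sorted(result["mountpoints"])))
```

Flagged O17 entries are the ones to fix in HijackThis rather than delete with the .reg file, since the interface key itself must stay; only the mountpoints2 keys go into the deletion file.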
  • edited June 2008
    dss log:

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-06-19 22:49:22
    Computer is in Normal Mode.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:49:24, on 2008-06-19
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Administrator\Pulpit\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
    O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 5814 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
    backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
    backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
    backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
    backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080619-144127-419 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36

    -- File Associations

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>

    S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
    S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
    S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
    S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
    S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
    S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller #3
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Service: NVENETFD

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: BQ9305P PKA211J SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Service: cdrom

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: NERO IMAGEDRIVE2 SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Service: cdrom


    -- Files created between 2008-05-19 and 2008-06-19

    2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
    2008-06-18 13:16:00 690 --a------ C:\WINDOWS\system32\tmp.reg
    2008-06-18 13:15:34 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-06-18 13:15:34 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-06-18 13:15:34 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-06-18 13:15:34 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-06-18 13:15:34 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-06-18 13:15:34 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-06-18 13:15:34 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-06-18 13:15:34 81920 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
    2008-06-17 11:40:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 14:10:31 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-16 12:42:58 0 d-------- C:\Program Files\Spyware Doctor
    2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files\Download Manager
    2008-06-15 19:59:37 68096 --a------ C:\WINDOWS\zip.exe
    2008-06-15 19:59:37 49152 --a------ C:\WINDOWS\VFind.exe
    2008-06-15 19:59:37 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-15 19:59:37 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-15 19:59:37 98816 --a------ C:\WINDOWS\sed.exe
    2008-06-15 19:59:37 80412 --a------ C:\WINDOWS\grep.exe
    2008-06-15 19:59:37 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-15 15:55:43 0 d-------- C:\Program Files\Lavasoft
    2008-06-15 12:25:25 0 d-------- C:\Program Files\Trend Micro
    2008-06-11 16:16:34 0 d-------- C:\Program Files\Free Download Manager
    2008-06-07 20:09:49 0 d-------- C:\Program Files\AutoConnect
    2008-06-07 20:04:13 0 d-------- C:\Program Files\Ad Muncher
    2008-05-22 21:10:50 0 d-------- C:\WINDOWS\system32\oodag
    2008-05-22 21:09:41 0 d-------- C:\Program Files\OO Software
    2008-05-22 20:09:19 0 d-------- C:\Program Files\CCleaner
    2008-05-22 17:28:17 0 d--h----- C:\ckis
    2008-05-22 16:35:50 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2008-05-22 16:35:50 88774 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2008-05-22 16:35:16 0 d-------- C:\Program Files\Kaspersky Lab
    2008-05-22 16:35:14 318240 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-05-22 16:35:14 10160672 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-05-22 16:34:17 0 d-------- C:\kav
    2008-05-21 23:41:44 0 d-------- C:\Program Files\kmp
    2008-05-21 22:48:37 0 d-------- C:\WINDOWS\nvidia icons
    2008-05-21 21:58:05 0 d-------- C:\Program Files\CD Catalog Expert


    -- Find3M Report

    2008-06-18 20:17:42 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-17 11:40:14 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
    2008-06-16 12:44:19 494652 --a------ C:\WINDOWS\system32\perfh015.dat
    2008-06-16 12:44:19 87188 --a------ C:\WINDOWS\system32\perfc015.dat
    2008-06-16 12:42:58 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\PC Tools
    2008-06-16 12:42:43 0 d-------- C:\Program Files\Common Files
    2008-06-15 13:47:00 0 d-------- C:\Program Files\FlashGet
    2008-06-11 16:17:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
    2008-06-06 21:57:23 0 d-------- C:\Program Files\Soulseek
    2008-05-17 18:29:39 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
    2008-05-17 18:02:43 0 d-------- C:\Program Files\Ubisoft
    2008-05-17 18:02:42 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-05-10 21:11:33 0 d-------- C:\Program Files\Dziobas Rar Player
    2008-05-07 20:36:48 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
    2008-05-07 15:36:10 279172 --a------ C:\amt1
    2008-05-05 21:12:59 0 d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2008-05-03 05:46:00 1630208 --a------ C:\WINDOWS\system32\nwiz.exe
    2008-05-03 05:46:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
    2008-05-03 05:46:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
    2008-05-03 05:46:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
    2008-05-03 05:46:00 1486848 --a------ C:\WINDOWS\system32\nview.dll
    2008-05-03 05:46:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
    2008-05-03 05:46:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
    2008-05-03 05:46:00 425984 --a------ C:\WINDOWS\system32\keystone.exe
    2008-04-30 18:37:12 0 d-------- C:\Program Files\Medieval Software
    2008-04-30 18:05:08 0 d-------- C:\Program Files\Electronic Arts
    2008-04-19 19:13:03 0 d-------- C:\Program Files\Audacity
    2008-03-24 15:18:02 43537 --a------ C:\WINDOWS\system32\unins000.dat
    2008-03-24 15:17:40 684560 --a------ C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
    "Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
    "RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
    FrameWork.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
    C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
    "C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=3 (0x3)
    "WebClient"=2 (0x2)
    "TlntSvr"=3 (0x3)
    "SharedAccess"=3 (0x3)
    "seclogon"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "RSVP"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "idsvc"=3 (0x3)
    "FirebirdServerMAGIXInstance"=3 (0x3)
    "CryptSvc"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)
    "UTSCSI"=2 (0x2)
    "UleadBurningHelper"=2 (0x2)
    "TuneUp.Defrag"=3 (0x3)
    "O&O Defrag"=2 (0x2)
    "ERSvc"=2 (0x2)
    "AVP"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{212c95a6-a0c5-11dc-a8e6-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6074756e-3052-11dc-a240-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    AutoRun\command- H:\
    open\Command- rundll32.exe .\desktop.dll,InstallM




    -- End of Deckard's System Scanner: finished at 2008-06-19 22:50:17


    Kaspersky:

    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, June 19, 2008
    Operating System: Microsoft Windows XP Professional Dodatek Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, June 19, 2008 15:17:52
    Records in database: 879503

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    F:\

    Scan statistics:
    Files scanned: 69567
    Threat name: 3
    Infected objects: 5
    Suspicious objects: 0
    Duration of the scan: 00:38:50


    File name / Threat name / Threats count
    C:\Documents and Settings\Administrator\Pulpit\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Av-test.txt Infected: EICAR-Test-File 1
    C:\Downloads\appz\1\ariskkey.exe Infected: not-a-virus:PSWTool.Win32.Aster.55 2
    C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

    The selected area was scanned.
  • edited June 2008
    Hmm - the autoload registry keys again, and nothing of real note found by Kaspersky. Some files we use were mistaken for badware, an innocent Eicar test file, and then I reckon you have been trying to crack a file's password for some reason there. The active files from this worm are known though, so let's ask a different scan to check here.


    Disable your antivirus program (remember to re-enable it once this scan is complete) and go here (be sure to re-enable it after the scan completes) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and take a break for a while.

    When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export the scan report". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All. Then copy/paste that log back here please.
  • edited June 2008
    Hi,
    I don't know why but i couldn't run BitDefender on-line scan - i installed activex, opened it in IE, but "Scan" button was still inactive... So i downloaded trial version of BitDefender, installed it and made a scan: it detected 4 infected files, 3 of them were automatically deleted, one couldn't be deleted. Here is a log:

    BitDefender Log File
    Product : BitDefender Total Security 2008
    Version : BitDefender UIScanner v.11
    Log date : 14:36:59 20/06/2008
    Log path : C:\Documents and Settings\All Users\Dane aplikacji\BitDefender\Desktop\Profiles\Logs\full_scan\1213965419_1_02.xml

    Scan Paths:
    Path0000: C:\
    Path0001: E:\

    Scan Options:
    Scan for viruses : Yes
    Scan for adware : Yes
    Scan for spyware : Yes
    Scan for applications : Yes
    Scan for dialers : Yes
    Scan for rootkits : Yes

    Target selection options:
    Scan registry keys : Yes
    Scan cookies : Yes
    Scan boot sectors : Yes
    Scan memory processes : Yes
    Scan archives : No
    Scan runtime packers : Yes
    Scan emails : Yes
    Scan all files : Yes
    Heuristic Scan : Yes
    Scanned extensions :
    Excluded extensions :

    Target Processing
    Default action for infected objects : Disinfect
    Default action for suspicious objects : None
    Default action for hidden objects : None

    Scan engines summary
    Number of virus signatures : 1262238
    Archive plugins : 42
    Email plugins : 6
    Scan plugins : 12
    Archive plugins : 42
    System plugins : 4
    Unpack plugins : 7

    Overall scan summary
    Scanned items : 147140
    Infected items : 4
    Suspicious items : 0
    Resolved items : 3
    Individual viruses found : 3
    Scanned directories : 7175
    Scanned boot sectors : 4
    Scanned archives : 6720
    Input-output errors : 37
    Scan time : 00:01:06:37
    Files per second : 36

    Scanned processes summary
    Scanned : 27
    Infected : 0

    Scanned registry keys summary
    Scanned : 331
    Infected : 0

    Scanned cookies summary
    Scanned : 0
    Infected : 0

    Remaining issues:
    Object Name / Threat Name / Final Status
    C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\Av-test.txt / EICAR-Test-File (not a virus) / Disinfect Failed

    Resolved issues:
    Object Name / Threat Name / Final Status
    C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP485\A0271239.exe / IRC-Worm.Generic.3335 / Deleted
    C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP463\A0266640.dll / Trojan.Agent.ABFL / Deleted
    C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP478\A0269710.dll / Trojan.Agent.ABFL / Deleted
  • edited June 2008
    It is important that you try not to vary from the steps posted - there is a large difference between what might change from an online ActiveX object scan tool and a full install of a major antivirus software. We just don't need unnecessary changes while we get this repair work done. The scan did not really pick up much more than some infection held harmless in System Restore. Let's do a few things and then continue repairs.

    First, I have been made aware you posted this same request at other helping forums. You need to go to those request threads and post to let those good folks know that you are already receiving help. All of us are fairly busy volunteers, so we do not want duplication of effort occurring.


    Then do this temporary blocking action for autoruns, so we can maybe stop some of the worm activity for a moment.

    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"
    
    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autostop.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.


    And let's see where some of the bad files might be still.

    Go to Start - Run, type cmd (and Enter). At the prompt copy/paste the following, then press Enter.

    (dir /s "c:\desktop*.*" & dir /s "c:\recycle*.*") >c:\find2.txt & start notepad c:\find2.txt

    A quick scan will run and then notepad will open - copy/paste those contents back here please (these will also be located at c:\find2.txt)
  • edited June 2008
    The log:
    Wolumin w stacji C nie ma etykiety.
    Numer seryjny woluminu: 787A-D614

    Katalog: c:\Documents and Settings\Administrator\Dane aplikacji\BitDefender

    2008-06-20 08:40 <DIR> Desktop
    0 plik(ów) 0 bajtów

    Katalog: c:\Documents and Settings\All Users\Dane aplikacji\BitDefender

    2008-06-20 08:40 <DIR> Desktop
    0 plik(ów) 0 bajtów

    Katalog: c:\Program Files\BitDefender\BitDefender Backup\plugins\sys

    2007-07-06 13:13 11,776 desktop.dll
    2007-07-06 13:13 1,406 desktop.ico
    2007-07-06 13:13 212 desktop.plugin
    3 plik(ów) 13,394 bajtów

    Katalog: c:\Program Files\Common Files\Microsoft Shared\web server extensions\50\bin

    2000-02-25 11:03 114 DESKTOP.INI
    1 plik(ów) 114 bajtów

    Katalog: c:\Program Files\Microsoft Office\Office12\1045\DataServices

    2000-07-27 13:30 70 DESKTOP.INI
    1 plik(ów) 70 bajtów

    Katalog: c:\QooBox\BackEnv

    2008-06-15 20:00 96 desktop.folder.dat
    1 plik(ów) 96 bajtów

    Katalog: c:\WINDOWS

    2001-07-22 00:36 2 desktop.ini
    1 plik(ów) 2 bajtów

    Katalog: c:\WINDOWS\Help\Tours\htmlTour

    2001-10-26 17:43 67,776 desktop_screen_shot.jpg
    2001-10-26 17:43 4,232 desktop_up.jpg
    2 plik(ów) 72,008 bajtów

    Katalog: c:\WINDOWS\PCHEALTH\HELPCTR\System\images\48x48

    2007-07-11 00:29 9,270 desktop_icon_01.bmp
    2007-07-11 00:29 9,270 desktop_icon_02.bmp
    2007-07-11 00:29 9,270 desktop_icon_03.bmp
    2007-07-11 00:29 9,270 desktop_icon_04.bmp
    2007-07-11 00:29 9,270 desktop_icon_generic.bmp
    5 plik(ów) 46,350 bajtów

    Katalog: c:\WINDOWS\system32

    2001-07-22 00:36 2 desktop.ini
    1 plik(ów) 2 bajtów

    Katalog: c:\WINDOWS\system32\oobe\html\mouse\images

    2001-07-22 00:17 17,486 desktop3.gif
    1 plik(ów) 17,486 bajtów

    Razem wymienionych plików:
    16 plik(ów) 149,522 bajtów
    2 katalog(ów) 76,858,245,120 bajtów wolnych
    Wolumin w stacji C nie ma etykiety.
    Numer seryjny woluminu: 787A-D614

    Katalog: c:\Program Files\RocketDock\Icons

    2007-01-01 19:24 43,574 Recycle Bin (full).png
    2007-01-01 19:24 40,440 Recycle Bin.png
    2 plik(ów) 84,014 bajtów

    Katalog: c:\WINDOWS\Help

    2001-10-26 17:42 20,478 recycle.chm
    1 plik(ów) 20,478 bajtów

    Katalog: c:\WINDOWS\Media

    2006-11-12 13:39 111,788 recycle.wav
    1 plik(ów) 111,788 bajtów

    Katalog: c:\WINDOWS\Media\XPBCKUP(2)

    2001-07-22 00:30 25,434 recycle.wav
    1 plik(ów) 25,434 bajtów

    Razem wymienionych plików:
    5 plik(ów) 241,714 bajtów
    0 katalog(ów) 76,858,245,120 bajtów wolnych


    For sure I will paste the solution for this problem on the other forums where I started the topic. I just want to finish with it with your help and then post the final solution.
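The find2.txt listing above is plain `dir /s` output from a Polish-locale cmd.exe, and reading it by eye is error-prone when the goal is "where does every desktop.dll on this disk live" (the mountpoints2 AutoRun keys later in the thread hand exactly such a DLL to rundll32). The following parser is an added example for this thread, not code from the post or from any tool used in it; SAMPLE_LISTING is a constructed excerpt of the listing above with the mis-encoded characters repaired, and the watch list is an assumption.

```python
"""Parse `dir /s` output pasted from a Polish-locale Windows XP cmd prompt and
pick out watch-listed file names (desktop.dll, autorun.inf) with full paths.

Added example for this thread; it is not code from the original post or from
any tool used in it. SAMPLE_LISTING is a constructed excerpt of the find2.txt
output above (cmd.exe on a Polish XP prints "Katalog:" for "Directory of" and
"plik(ów)/bajtów" in the totals)."""
import re
from dataclasses import dataclass

# Directory header printed by the Polish cmd.exe ("Katalog:" == "Directory of").
DIR_HEADER = re.compile(r"^\s*Katalog:\s+(?P<path>.+?)\s*$")
# A file row: date, time, size with thousands separators, then the name.
# "<DIR>" rows do not match because their size column is not numeric.
FILE_ROW = re.compile(
    r"^\s*(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>\d[\d,]*)\s+(?P<name>\S.*?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    directory: str
    name: str
    size: int
    modified: str

    @property
    def path(self):
        return self.directory.rstrip("\\") + "\\" + self.name


def parse_dir_listing(text):
    """Return one Entry per file row, attached to the most recent Katalog: header.
    Volume lines and the per-directory "N plik(ów) ... bajtów" totals are skipped
    because they do not start with a date."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("path")
            continue
        row = FILE_ROW.match(line)
        if row and current_dir is not None:
            entries.append(Entry(
                directory=current_dir,
                name=row.group("name"),
                size=int(row.group("size").replace(",", "")),
                modified=f"{row.group('date')} {row.group('time')}",
            ))
    return entries


def find_watchlisted(entries, watch=("desktop.dll", "autorun.inf")):
    """Full paths of entries whose file name is on the watch list (case-insensitive).
    The BitDefender plugin copy of desktop.dll in the sample is a legitimate one,
    which is why the path and not just the name has to be reviewed."""
    wanted = {w.lower() for w in watch}
    return [e.path for e in entries if e.name.lower() in wanted]


# Constructed excerpt of the listing posted in this thread (assumption: ó restored).
SAMPLE_LISTING = r"""
Wolumin w stacji C nie ma etykiety.
Numer seryjny woluminu: 787A-D614

 Katalog: c:\Documents and Settings\Administrator\Dane aplikacji\BitDefender

2008-06-20 08:40 <DIR> Desktop
0 plik(ów) 0 bajtów

 Katalog: c:\Program Files\BitDefender\BitDefender Backup\plugins\sys

2007-07-06 13:13 11,776 desktop.dll
2007-07-06 13:13 1,406 desktop.ico
2007-07-06 13:13 212 desktop.plugin
3 plik(ów) 13,394 bajtów

 Katalog: c:\WINDOWS

2001-07-22 00:36 2 desktop.ini
1 plik(ów) 2 bajtów

 Katalog: c:\WINDOWS\Help

2001-10-26 17:42 20,478 recycle.chm
1 plik(ów) 20,478 bajtów
"""

if __name__ == "__main__":
    found = parse_dir_listing(SAMPLE_LISTING)
    print(f"{len(found)} file rows parsed")
    for path in find_watchlisted(found):
        print("watch-listed:", path)
```

Feed it the whole find2.txt and the watch list becomes the set of names the current mountpoints2 entries reference; anything on it outside a known product directory is what to look at next.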
  • edited June 2008
    Those forums do not need anyone else's ideas or solutions - they have plenty of skilled people for their own good solutions. But if you check you will find your other threads have been closed anyway. Posting in more than one location when so many ask for assistance is just not being helpful.

    No infection items located in that last check. I think that either you did not quite do the fixer.reg correctly earlier (here) or your security software is blocking the Registry changes.

    Follow those steps again to create a new fixer.reg. Then make sure your security software, such as Spyware Doctor, is completely disabled, and right click/Merge the fixer.reg with the Registry.

    Reboot, then run and post back a new Deckard's log please.
  • edited June 2008
    You are right, I shouldn't have posted it on a few forums at the same time...

    I have uninstalled all anti-virus appz from my computer because I couldn't close all the processes they run. Then I created a new fixer.reg, added it to the registry and made a scan with DSS.

    I first made a scan before I connected to the internet, and then a second scan while connected. There is one difference between them - when I connect to the internet one more log entry appears:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36

    Here is this log:
    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-06-21 16:36:21
    Computer is in Normal Mode.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 16:36:21, on 2008-06-21
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Downloads\różne\1\apteczka\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
    O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5287 bytes

    -- Files created between 2008-05-21 and 2008-06-21

    2008-06-20 08:22:10 0 d C:\WINDOWS\BDOSCAN8
    2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
    2008-06-18 13:16:00 690 --a C:\WINDOWS\system32\tmp.reg
    2008-06-18 13:15:34 25600 --a C:\WINDOWS\system32\WS2Fix.exe
    2008-06-18 13:15:34 289144 --a C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-06-18 13:15:34 86528 --a C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-06-18 13:15:34 288417 --a C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-06-18 13:15:34 53248 --a C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-06-18 13:15:34 82944 --a C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-06-18 13:15:34 51200 --a C:\WINDOWS\system32\dumphive.exe
    2008-06-18 13:15:34 81920 --a C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
    2008-06-17 11:40:12 0 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 14:10:31 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-16 12:42:43 0 d C:\Program Files\Common Files\Download Manager
    2008-06-15 19:59:37 68096 --a C:\WINDOWS\zip.exe
    2008-06-15 19:59:37 49152 --a C:\WINDOWS\VFind.exe
    2008-06-15 19:59:37 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-15 19:59:37 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-15 19:59:37 98816 --a C:\WINDOWS\sed.exe
    2008-06-15 19:59:37 80412 --a C:\WINDOWS\grep.exe
    2008-06-15 19:59:37 89504 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-15 12:25:25 0 d C:\Program Files\Trend Micro
    2008-06-11 16:16:34 0 d C:\Program Files\Free Download Manager
    2008-06-07 20:09:49 0 d C:\Program Files\AutoConnect
    2008-06-07 20:04:13 0 d C:\Program Files\Ad Muncher
    2008-05-22 21:10:50 0 d C:\WINDOWS\system32\oodag
    2008-05-22 21:09:41 0 d C:\Program Files\OO Software
    2008-05-22 17:28:17 0 d--h C:\ckis
    2008-05-22 16:35:16 0 d C:\Program Files\Kaspersky Lab
    2008-05-22 16:34:17 0 d C:\kav
    2008-05-21 23:41:44 0 d C:\Program Files\kmp
    2008-05-21 22:48:37 0 d C:\WINDOWS\nvidia icons
    2008-05-21 21:58:05 0 d C:\Program Files\CD Catalog Expert


    -- Find3M Report

    2008-06-21 16:30:25 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-21 16:18:02 0 d C:\Program Files\Common Files
    2008-06-20 21:52:19 669184 --a C:\WINDOWS\system32\pbsvc.exe
    2008-06-20 21:30:41 0 d C:\Program Files\Electronic Arts
    2008-06-17 11:40:14 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
    2008-06-16 12:44:19 494652 --a C:\WINDOWS\system32\perfh015.dat
    2008-06-16 12:44:19 87188 --a C:\WINDOWS\system32\perfc015.dat
    2008-06-15 13:47:00 0 d C:\Program Files\FlashGet
    2008-06-11 16:17:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
    2008-06-06 21:57:23 0 d C:\Program Files\Soulseek
    2008-05-17 18:29:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
    2008-05-17 18:02:43 0 d C:\Program Files\Ubisoft
    2008-05-17 18:02:42 0 d--h C:\Program Files\InstallShield Installation Information
    2008-05-10 21:11:33 0 d C:\Program Files\Dziobas Rar Player
    2008-05-07 20:36:48 0 d C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
    2008-05-07 15:36:10 279172 --a C:\amt1
    2008-05-05 21:12:59 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2008-05-03 05:46:00 1630208 --a C:\WINDOWS\system32\nwiz.exe
    2008-05-03 05:46:00 1019904 --a C:\WINDOWS\system32\nvwimg.dll
    2008-05-03 05:46:00 1703936 --a C:\WINDOWS\system32\nvwdmcpl.dll
    2008-05-03 05:46:00 466944 --a C:\WINDOWS\system32\nvshell.dll
    2008-05-03 05:46:00 1486848 --a C:\WINDOWS\system32\nview.dll
    2008-05-03 05:46:00 1339392 --a C:\WINDOWS\system32\nvdspsch.exe
    2008-05-03 05:46:00 442368 --a C:\WINDOWS\system32\nvappbar.exe
    2008-05-03 05:46:00 425984 --a C:\WINDOWS\system32\keystone.exe
    2008-04-30 18:37:12 0 d C:\Program Files\Medieval Software
    2008-03-24 15:18:02 43537 --a C:\WINDOWS\system32\unins000.dat
    2008-03-24 15:17:40 684560 --a C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
    "Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
    "RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
    FrameWork.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
    C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
    "C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=3 (0x3)
    "WebClient"=2 (0x2)
    "TlntSvr"=3 (0x3)
    "SharedAccess"=3 (0x3)
    "seclogon"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "RSVP"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "idsvc"=3 (0x3)
    "FirebirdServerMAGIXInstance"=3 (0x3)
    "CryptSvc"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)
    "UTSCSI"=2 (0x2)
    "UleadBurningHelper"=2 (0x2)
    "TuneUp.Defrag"=3 (0x3)
    "O&O Defrag"=2 (0x2)
    "ERSvc"=2 (0x2)
    "AVP"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    AutoRun\command- H:\
    open\Command- rundll32.exe .\desktop.dll,InstallM




    -- End of Deckard's System Scanner: finished at 2008-06-21 16:36:45
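Three of the lines in the log above carry the whole story of this infection: the O17 NameServer entry that keeps coming back when the box goes online, the R1 ProxyServer entry, and the mountpoints2 keys whose AutoRun/open verbs load `.\desktop.dll` through rundll32 from drives G: and H:. The script below is an added example for this thread, not code from the post or from HijackThis / Deckard's System Scanner: it runs that triage over a pasted log so the same three indicators are flagged mechanically on the next scan. SAMPLE_LOG is a constructed excerpt of the log above; the trusted_dns argument is an assumption standing in for the ISP's real resolvers, which only the machine's owner knows.

```python
"""Triage a pasted HijackThis / Deckard's System Scanner log for the three
persistence mechanisms seen in this thread: nameserver hijack (O17), proxy
hijack (R1 ProxyServer) and removable-drive AutoRun hijack (mountpoints2
entries that hand a DLL to rundll32).

Added example; it is not code from the thread or from the HijackThis / DSS
tools. SAMPLE_LOG is a constructed excerpt of the log posted above; the
trusted_dns argument is an assumption standing in for the ISP's resolvers."""
import ipaddress
import re

O17_NAMESERVER = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
R1_PROXY = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)")
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(?P<guid>\{[^}]+\})\]$", re.IGNORECASE)
MOUNTPOINT_CMD = re.compile(r"^(?:AutoRun\\command|open\\Command)-\s*(?P<cmd>.+)$")


def _is_expected_resolver(server, trusted):
    """A nameserver is expected if it is a private/LAN address (the home router)
    or one of the resolvers the caller vouches for."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP address at all: treat as unexpected
    return ip.is_private or ip in trusted


def triage(log_text, trusted_dns=()):
    """Return (category, detail) findings in log order."""
    trusted = {ipaddress.ip_address(s) for s in trusted_dns}
    findings = []
    current_guid = None  # mountpoints2 GUID whose block we are inside, if any
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_NAMESERVER.match(line)
        if m:
            for server in m.group("servers").split():
                if not _is_expected_resolver(server, trusted):
                    findings.append(("dns_changer", server))
            continue
        m = R1_PROXY.match(line)
        if m:
            # A hard-coded ProxyServer on a home ADSL box routes all browsing
            # through a third party; the thread's 211.142.211.39:8080 is one.
            findings.append(("proxy_hijack", m.group("proxy")))
            continue
        m = MOUNTPOINT_KEY.match(line)
        if m:
            current_guid = m.group("guid")
            continue
        if line.startswith("["):  # some other registry key: leave the block
            current_guid = None
            continue
        m = MOUNTPOINT_CMD.match(line)
        if m and current_guid and "rundll32" in m.group("cmd").lower():
            # A drive's AutoRun/open verb loading a DLL from the drive root is
            # the autorun-worm pattern (".\desktop.dll,InstallM" in this log).
            findings.append(("autorun_hijack", f"{current_guid} {m.group('cmd')}"))
    return findings


# Constructed excerpt of the HijackThis + DSS registry dump posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
"""

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:15} {detail}")
```

Passing the ISP's resolvers in trusted_dns is what separates a legitimate O17 line from the DNS changer; without that list the script flags every public nameserver, which on a home ADSL line is still the safer default.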
  • edited June 2008
    Yes, I did see the DNS changer had been active again. Looking back, I do not see where you ever downloaded or ran the Malwarebytes scan step. No log from that, and actually nothing in these other logs showing it was ever used. Do the following steps exactly as posted please.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done by right-clicking the software's Taskbar icons, or by accessing each program through Start - Programs.

    Then you will want to print or have other access to a copy of the next steps, as some will be done without net access or in Safe Mode.


    Download SDFix.exe and save it to your desktop.

    Then disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line. This will keep infection from reinstalling right now.

    ===================================================


    Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).


    In Safe Mode, click SDFix.exe and allow it to extract to its own folder (C:\SDFix). Navigate to that folder and double-click RunThis.bat to start the script.

    Next type Y to begin the script. Once the fix has run it will prompt you to restart your computer. Press any key to restart at this time. Your system will take longer than normal to restart as the fixtool will be running and removing files.

    When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.

    Then open the C:\SDFix folder and copy and paste the contents of the results file Report.txt back here.

    =============================

    After the reboot reconnect to net access and Download Malwarebytes' Anti-Malware from Here or Here.

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

    ============================

    Then still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore
    Temp Cleanup
    Process Modules

    Then under Extra Log, uncheck all the boxes except this one:

    Security Center

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    Post that along with the Malwarebytes log and the SDFix report.txt log please.
  • edited June 2008
    I disconnected my internet connection and phone line and ran SDFix in Safe Mode:

    SDFix: Version 1.195
    Run by Administrator on 2008-06-22 at 13:00

    Microsoft Windows XP [Wersja 5.1.2600]
    Running From: C:\DOCUME~1\ADMINI~1\Pulpit\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\WINDOWS\system32\TFTP1288 - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-22 13:04:15
    Windows 5.1.2600 Dodatek Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:83,01,1c,7b,b2,05,f8,a2,99,7e,19,48,80,72,29,bc,51,84,28,ef,c2,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:5c,6f,21,38,4e,3a,dd,1e,7a,60,d8,6e,66,82,bc,61,88,52,99,74,a3,..
    "a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:72,d0,b2,51,7d,11,a4,7d,3e,14,f4,2c,97,fd,83,80,27,c1,73,35,48,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:20,39,06,ca,56,b3,ca,7f,6e,78,00,be,23,de,be,e8,64,09,0d,ba,c2,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
    "a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:c0,a9,01,f5,6f,41,81,29,f5,ab,5e,5a,78,86,54,17,6e,3b,db,0d,43,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:83,01,1c,7b,b2,05,f8,a2,99,7e,19,48,80,72,29,bc,51,84,28,ef,c2,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:5c,6f,21,38,4e,3a,dd,1e,7a,60,d8,6e,66,82,bc,61,88,52,99,74,a3,..
    "a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:f9,c8,fa,b7,f1,dd,98,4d,56,44,bf,de,1b,80,17,9e,f7,a8,9f,0d,81,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1"=dword:2df9c43f
    "s2"=dword:110480d0
    "h0"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:94,c3,65,20,c9,d0,d7,9f,b2,3d,92,7f,9f,53,f6,ad,45,75,80,fb,8c,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
    "a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "h0"=dword:00000000
    "khjeh"=hex:94,c3,65,20,c9,d0,d7,9f,b2,3d,92,7f,9f,53,f6,ad,45,75,80,fb,8c,..
    "p0"="C:\Program Files\DAEMON Tools\"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
    "a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
    "khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
    "khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\BitSpirit\\BitSpirit.exe"="C:\\Program Files\\BitSpirit\\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"
    "C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
    "C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    Remaining Files :


    File Backups: - C:\DOCUME~1\ADMINI~1\Pulpit\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Wed 31 Jul 2002 106 ..SH. --- "C:\WINDOWS\WSYS049.SYS"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09997411a62459b007c5b4c27727b812\BIT48.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1b4906af34b69bb3b3bff77c77c36269\BIT4D.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\238ea9fc36cfe91e6d8d2a057bf59e53\BIT53.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2ac354659614029836a3e6f43f478d68\BIT56.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\395a6b3cc3ef33ceb456d5772d320a49\BIT52.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3fb99568c483077faade564bf19fd5b1\BIT5E.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4982a61e2216973813f44f56425bf3d9\BIT4B.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\49de99a94f2b671fa314de00469bc9ee\BIT5D.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4a43476dc86b4dbe7da8acc0ef0e5c5f\BIT5C.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\504a292ad849178ad9c5188c7eecd6e6\BIT5F.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2D.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6adaf981e12b6d73d603b0b7cd1bd3b0\BIT58.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78670cbd6a90baaa408a8a72f52fdce2\BIT32.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\86e5b4dadbb28e067b72e96af284a2b0\BIT4E.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\90b64af20ec49650e48013f156470238\BIT50.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94af39a0130ee1aef6c5b5f008af01e9\BIT4C.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aff5d7c797f1e254b0042756b4877f70\BIT5B.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3785b22f905d6c0e99056e24099a0a7\BIT57.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b66e85416787cab176e98d4d637c4f81\BIT5A.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b8f841be0a4a9c344276ad0e6d2e6ef7\BIT49.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b9075ab76028414158858b84810726f9\BIT4F.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT35.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\becfb2439d7d5a97f7e2da7b1433c139\BIT51.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c6d686951b1308c6fd3d9343b47193cb\BIT4A.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3c4aebdee35f35b6bda63780eafaf85\BIT62.tmp"
    Sun 22 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edb846a7ab7add3b71d83f6a232086a3\BIT54.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edf69d5dc5cba73e15a467a90c9e07b0\BIT59.tmp"
    Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ffdc7af41a0409dddb9ddefe4faf90de\BIT55.tmp"
    Sat 17 Nov 2007 6,297 ...HR --- "C:\Documents and Settings\Administrator\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"

    Finished!
  • edited June 2008
    Then, after a restart, I made a scan with Malwarebytes' Anti-Malware while connected to the internet, and it found no infections:

    Malwarebytes' Anti-Malware 1.17
    Database version: 863

    13:11:08 2008-06-22
    mbam-log-6-22-2008 (13-11-08).txt

    Scan type: Quick Scan
    Objects scanned: 37905
    Time elapsed: 2 minute(s), 38 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    Then I made a scan with DSS and, as I can see, the 85.255.113.78 85.255.112.36 log is still there...:

    Computer is in Normal Mode.



    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:12:45, on 2008-06-22
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Ad Muncher\AdMunch.exe
    C:\Program Files\Gadu-Gadu\gg.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Administrator\Pulpit\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
    O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5232 bytes

    -- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)

    backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
    backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
    backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
    backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
    backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080619-144127-419 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080621-162516-565 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    backup-20080621-162516-855 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    backup-20080621-162516-950 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    backup-20080621-162517-652 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    backup-20080621-162517-830 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    backup-20080621-162552-282 O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)

    -- File Associations

    .cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
    .cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
    R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
    R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
    R3 catchme - c:\docume~1\admini~1\ustawi~1\temp\catchme.sys (file missing)

    S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
    S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
    S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
    S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys (file missing)
    S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys (file missing)
    S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
    S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
    S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)
    S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled

    S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
    S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
    S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>


    -- Device Manager: Disabled

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: NVIDIA nForce Networking Controller
    Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Manufacturer: NVIDIA
    Name: NVIDIA nForce Networking Controller #3
    PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
    Service: NVENETFD

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: BQ9305P PKA211J SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
    Service: cdrom

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: Stacja dysków CD-ROM
    Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Manufacturer: (Standardowe stacje dysków CD-ROM)
    Name: NERO IMAGEDRIVE2 SCSI CdRom Device
    PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
    Service: cdrom


    -- Files created between 2008-05-22 and 2008-06-22

    2008-06-22 12:57:22 0 d C:\WINDOWS\ERUNT
    2008-06-20 08:22:10 0 d C:\WINDOWS\BDOSCAN8
    2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
    2008-06-18 13:16:00 690 --a C:\WINDOWS\system32\tmp.reg
    2008-06-18 13:15:34 25600 --a C:\WINDOWS\system32\WS2Fix.exe
    2008-06-18 13:15:34 289144 --a C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-06-18 13:15:34 86528 --a C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-06-18 13:15:34 288417 --a C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-06-18 13:15:34 53248 --a C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-06-18 13:15:34 82944 --a C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-06-18 13:15:34 51200 --a C:\WINDOWS\system32\dumphive.exe
    2008-06-18 13:15:34 81920 --a C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
    2008-06-17 11:40:12 0 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 14:10:31 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-16 12:42:43 0 d C:\Program Files\Common Files\Download Manager
    2008-06-15 19:59:37 68096 --a C:\WINDOWS\zip.exe
    2008-06-15 19:59:37 49152 --a C:\WINDOWS\VFind.exe
    2008-06-15 19:59:37 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-15 19:59:37 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-15 19:59:37 98816 --a C:\WINDOWS\sed.exe
    2008-06-15 19:59:37 80412 --a C:\WINDOWS\grep.exe
    2008-06-15 19:59:37 89504 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-15 12:25:25 0 d C:\Program Files\Trend Micro
    2008-06-11 16:16:34 0 d C:\Program Files\Free Download Manager
    2008-06-07 20:09:49 0 d C:\Program Files\AutoConnect
    2008-06-07 20:04:13 0 d C:\Program Files\Ad Muncher
    2008-05-22 21:10:50 0 d C:\WINDOWS\system32\oodag
    2008-05-22 21:09:41 0 d C:\Program Files\OO Software
    2008-05-22 17:28:17 0 d--h C:\ckis
    2008-05-22 16:35:16 0 d C:\Program Files\Kaspersky Lab
    2008-05-22 16:34:17 0 d C:\kav


    -- Find3M Report

    2008-06-21 16:30:25 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-21 16:18:02 0 d C:\Program Files\Common Files
    2008-06-20 21:52:19 669184 --a C:\WINDOWS\system32\pbsvc.exe
    2008-06-20 21:30:41 0 d C:\Program Files\Electronic Arts
    2008-06-17 11:40:14 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
    2008-06-16 12:44:19 494652 --a C:\WINDOWS\system32\perfh015.dat
    2008-06-16 12:44:19 87188 --a C:\WINDOWS\system32\perfc015.dat
    2008-06-15 13:47:00 0 d C:\Program Files\FlashGet
    2008-06-11 16:17:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
    2008-06-06 21:57:23 0 d C:\Program Files\Soulseek
    2008-05-22 21:54:13 0 d C:\Program Files\kmp
    2008-05-21 21:58:51 0 d C:\Program Files\CD Catalog Expert
    2008-05-17 18:29:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
    2008-05-17 18:02:43 0 d C:\Program Files\Ubisoft
    2008-05-17 18:02:42 0 d--h C:\Program Files\InstallShield Installation Information
    2008-05-10 21:11:33 0 d C:\Program Files\Dziobas Rar Player
    2008-05-07 20:36:48 0 d C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
    2008-05-07 15:36:10 279172 --a C:\amt1
    2008-05-05 21:12:59 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2008-05-03 05:46:00 1630208 --a C:\WINDOWS\system32\nwiz.exe
    2008-05-03 05:46:00 1019904 --a C:\WINDOWS\system32\nvwimg.dll
    2008-05-03 05:46:00 1703936 --a C:\WINDOWS\system32\nvwdmcpl.dll
    2008-05-03 05:46:00 466944 --a C:\WINDOWS\system32\nvshell.dll
    2008-05-03 05:46:00 1486848 --a C:\WINDOWS\system32\nview.dll
    2008-05-03 05:46:00 1339392 --a C:\WINDOWS\system32\nvdspsch.exe
    2008-05-03 05:46:00 442368 --a C:\WINDOWS\system32\nvappbar.exe
    2008-05-03 05:46:00 425984 --a C:\WINDOWS\system32\keystone.exe
    2008-04-30 18:37:12 0 d C:\Program Files\Medieval Software
    2008-03-24 15:18:02 43537 --a C:\WINDOWS\system32\unins000.dat
    2008-03-24 15:17:40 684560 --a C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
    "Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
    "RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
    FrameWork.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
    C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
    "C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=3 (0x3)
    "WebClient"=2 (0x2)
    "TlntSvr"=3 (0x3)
    "SharedAccess"=3 (0x3)
    "seclogon"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "RSVP"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "idsvc"=3 (0x3)
    "FirebirdServerMAGIXInstance"=3 (0x3)
    "CryptSvc"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)
    "UTSCSI"=2 (0x2)
    "UleadBurningHelper"=2 (0x2)
    "TuneUp.Defrag"=3 (0x3)
    "O&O Defrag"=2 (0x2)
    "ERSvc"=2 (0x2)
    "AVP"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    AutoRun\command- H:\
    open\Command- rundll32.exe .\desktop.dll,InstallM




    -- End of Deckard's System Scanner: finished at 2008-06-22 13:13:23
  • edited June 2008
    The question for there is what is recreating these registry entries - both the DNS changes you notice, as well as those that should have been corrected by the nextfix.reg you created and "Merged". Almost as if some security software there is blocking them still. See if you can determine if anything else needs disabling, even that Ad Muncher program.

    Again right click nextfix.reg and merge that information with your registry. Also again use HijackThis to remove that "O17 - HKLM\..." entry.


    Then there is a file SDFix located to check.

    Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"


    Then go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select the file on your computer.

    C:\WINDOWS\WSYS049.SYS

    You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
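The two entries this thread keeps circling back to (the R1 ProxyServer and the O17 NameServer) are exactly the kind of thing worth checking mechanically after every reconnect rather than by eye. The following is an added example, not part of the thread or of HijackThis: it parses HijackThis R1/O17 lines, pulls out any forced proxy and any resolver address, and flags resolvers that are not in an operator-supplied allowlist. The sample log lines are constructed from the entries quoted in this thread; the EXPECTED_DNS addresses are placeholders for whatever the ISP actually hands out.

```python
import ipaddress
import re

# Constructed sample: HijackThis lines of the kind posted in this thread, plus a
# benign O4 entry so the filter has something to ignore.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
"""

# Assumption: the resolvers the operator expects on this machine. These are
# documentation-range placeholders; an ISP or corporate DNS list goes here.
EXPECTED_DNS = {"192.0.2.53", "192.0.2.54"}

PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (\S+)")
NAMESERVER_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def _is_ip(text):
    """True if text parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_hjt(log_text):
    """Extract proxy and DNS settings from HijackThis R1/O17 lines.

    Returns (proxies, nameservers): proxies is a list of ProxyServer values,
    nameservers maps the interface key to the resolver addresses set on it.
    """
    proxies = []
    nameservers = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = PROXY_RE.match(line)
        if m:
            proxies.append(m.group(1))
            continue
        m = NAMESERVER_RE.match(line)
        if m:
            # HijackThis separates several resolvers with spaces; the registry
            # value itself may use commas, so split on both.
            servers = [s for s in re.split(r"[\s,]+", m.group("servers")) if s]
            nameservers[m.group("key")] = servers
    return proxies, nameservers


def find_hijacks(log_text, expected_dns=EXPECTED_DNS):
    """Return findings as (kind, value) tuples: every forced proxy, and every
    resolver address that is not in the allowlist."""
    findings = []
    proxies, nameservers = parse_hjt(log_text)
    for proxy in proxies:
        findings.append(("proxy", proxy))
    for servers in nameservers.values():
        for server in servers:
            if _is_ip(server) and server not in expected_dns:
                findings.append(("dns", server))
    return findings


if __name__ == "__main__":
    for kind, value in find_hijacks(SAMPLE_HJT_LOG):
        print(f"{kind}: {value}")
```

Running this against a fresh HijackThis log after each reconnect, and diffing the output with the previous run, shows whether the resolver and proxy values return on their own, which is the pattern described in this thread.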
  • edited June 2008
    Good. I will not be able to check that for a while, but will post back with the findings once I do.
  • edited June 2008
    I received the file, thanks. Only a few lines of alpha-numeric characters. On this system, despite the 2002 date showing for the file I still list it as suspect (dates can be spoofed). For now rename it by changing the ending ".sys" to ".old" just to keep it out of harm's way.

    I see in web searches the infection showing here is most often showing on Polish systems, which suggests an autorun type malware passed through sharing flash drives. You haven't by chance been using then removing a flash drive during these repairs (basically reinfecting things)?

    The logs show Ad-Aware's Ad-Watch. The services for that show as stopped, but I am not sure Ad-Watch may not have become corrupted somehow, and is involved in blocking these registry changes. The return of them, with no other infection showing, suggests an older nuisance behavior of older softwares like that and SpyBot's TeaTimer. You can always reinstall it later, but for now save any registration information needed for that and uninstall Ad-Watch please.

    Then click to merge nextfix.reg again, and reboot and post back a new Deckards log for review.
  • edited June 2008
    One other item to mention - those infected Polish systems show the presence of cracked software in use. We won't get into details on which or what, but if by chance you suspect any of that present on your computer make sure right now to uninstall it and delete any related files. Just a mention.
  • edited June 2008
    still the same situation... 85.255.113.78 log appears after connecting to internet... I closed all possible processes but it doesn't help. I was using 2 drivers, one is my own mp3 player with music only, second is my own driver too with few .doc files.

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2008-06-24 09:56:18
    Computer is in Normal Mode.

    -- HijackThis (run as Administrator.exe)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:56:19, on 2008-06-24
    Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Downloads\różne\1\apteczka\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
    O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
    O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
    O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
    O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
    O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    End of file - 5100 bytes

    -- Files created between 2008-05-24 and 2008-06-24

    2008-06-22 12:57:22 0 d C:\WINDOWS\ERUNT
    2008-06-20 08:22:10 0 d C:\WINDOWS\BDOSCAN8
    2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
    2008-06-18 13:16:00 690 --a C:\WINDOWS\system32\tmp.reg
    2008-06-18 13:15:34 25600 --a C:\WINDOWS\system32\WS2Fix.exe
    2008-06-18 13:15:34 289144 --a C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-06-18 13:15:34 86528 --a C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
    2008-06-18 13:15:34 288417 --a C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-06-18 13:15:34 53248 --a C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-06-18 13:15:34 82944 --a C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-06-18 13:15:34 51200 --a C:\WINDOWS\system32\dumphive.exe
    2008-06-18 13:15:34 81920 --a C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
    2008-06-17 11:40:12 0 d C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-16 14:10:31 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
    2008-06-16 12:42:43 0 d C:\Program Files\Common Files\Download Manager
    2008-06-15 19:59:37 68096 --a C:\WINDOWS\zip.exe
    2008-06-15 19:59:37 49152 --a C:\WINDOWS\VFind.exe
    2008-06-15 19:59:37 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
    2008-06-15 19:59:37 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
    2008-06-15 19:59:37 98816 --a C:\WINDOWS\sed.exe
    2008-06-15 19:59:37 80412 --a C:\WINDOWS\grep.exe
    2008-06-15 19:59:37 89504 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
    2008-06-15 12:25:25 0 d C:\Program Files\Trend Micro
    2008-06-11 16:16:34 0 d C:\Program Files\Free Download Manager
    2008-06-07 20:09:49 0 d C:\Program Files\AutoConnect
    2008-06-07 20:04:13 0 d C:\Program Files\Ad Muncher


    -- Find3M Report

    2008-06-21 16:30:25 0 d C:\Program Files\Common Files\Wise Installation Wizard
    2008-06-21 16:18:02 0 d C:\Program Files\Common Files
    2008-06-20 21:52:19 669184 --a C:\WINDOWS\system32\pbsvc.exe
    2008-06-20 21:30:41 0 d C:\Program Files\Electronic Arts
    2008-06-17 11:40:14 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
    2008-06-16 12:44:19 494652 --a C:\WINDOWS\system32\perfh015.dat
    2008-06-16 12:44:19 87188 --a C:\WINDOWS\system32\perfc015.dat
    2008-06-15 13:47:00 0 d C:\Program Files\FlashGet
    2008-06-11 16:17:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
    2008-06-06 21:57:23 0 d C:\Program Files\Soulseek
    2008-05-22 21:54:13 0 d C:\Program Files\kmp
    2008-05-22 21:09:41 0 d C:\Program Files\OO Software
    2008-05-22 17:32:48 0 d C:\Program Files\Kaspersky Lab
    2008-05-21 21:58:51 0 d C:\Program Files\CD Catalog Expert
    2008-05-17 18:29:39 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
    2008-05-17 18:02:43 0 d C:\Program Files\Ubisoft
    2008-05-17 18:02:42 0 d--h C:\Program Files\InstallShield Installation Information
    2008-05-10 21:11:33 0 d C:\Program Files\Dziobas Rar Player
    2008-05-07 20:36:48 0 d C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
    2008-05-07 15:36:10 279172 --a C:\amt1
    2008-05-05 21:12:59 0 d C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
    2008-05-03 05:46:00 1630208 --a C:\WINDOWS\system32\nwiz.exe
    2008-05-03 05:46:00 1019904 --a C:\WINDOWS\system32\nvwimg.dll
    2008-05-03 05:46:00 1703936 --a C:\WINDOWS\system32\nvwdmcpl.dll
    2008-05-03 05:46:00 466944 --a C:\WINDOWS\system32\nvshell.dll
    2008-05-03 05:46:00 1486848 --a C:\WINDOWS\system32\nview.dll
    2008-05-03 05:46:00 1339392 --a C:\WINDOWS\system32\nvdspsch.exe
    2008-05-03 05:46:00 442368 --a C:\WINDOWS\system32\nvappbar.exe
    2008-05-03 05:46:00 425984 --a C:\WINDOWS\system32\keystone.exe
    2008-04-30 18:37:12 0 d C:\Program Files\Medieval Software
    2008-03-24 15:18:02 43537 --a C:\WINDOWS\system32\unins000.dat
    2008-03-24 15:17:40 684560 --a C:\WINDOWS\system32\unins000.exe <Not Verified; ; Inno Setup>


    -- Registry Dump

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
    "Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
    "RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "HideLegacyLogonScripts"=0 (0x0)
    "HideLogoffScripts"=0 (0x0)
    "RunLogonScriptSync"=1 (0x1)
    "RunStartupScriptSync"=0 (0x0)
    "HideStartupScripts"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @=&quot;Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @=&quot;Volume shadow copy"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
    FrameWork.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    %systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
    C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
    "C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "wuauserv"=3 (0x3)
    "WebClient"=2 (0x2)
    "TlntSvr"=3 (0x3)
    "SharedAccess"=3 (0x3)
    "seclogon"=2 (0x2)
    "SCardSvr"=3 (0x3)
    "RSVP"=3 (0x3)
    "RDSessMgr"=3 (0x3)
    "idsvc"=3 (0x3)
    "FirebirdServerMAGIXInstance"=3 (0x3)
    "CryptSvc"=3 (0x3)
    "Adobe LM Service"=3 (0x3)
    "aawservice"=2 (0x2)
    "UTSCSI"=2 (0x2)
    "UleadBurningHelper"=2 (0x2)
    "TuneUp.Defrag"=3 (0x3)
    "O&O Defrag"=2 (0x2)
    "ERSvc"=2 (0x2)
    "AVP"=3 (0x3)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    bdx scan


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95051b54-4cbf-11dc-ad66-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
    AutoRun\command- G:\
    open\Command- rundll32.exe .\desktop.dll,InstallM

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
    AutoRun\command- H:\
    open\Command- rundll32.exe .\desktop.dll,InstallM




    -- End of Deckard's System Scanner: finished at 2008-06-24 09:56:43
  • edited June 2008
    A re-appearing infection, but still no sources showing. Unfortunately this leads us to running extra scans, and attempt to locate what the logs so far are not showing.



    One driver only showing recently in threads, each with unknown issues involved. Let's take it out of the way for now. Go to Start > Run and type

    cmd

    and OK. At the prompt type (or copy\paste) the below commands and hit "Enter" after each line

    sc config UTSCSI start= disabled

    Type Exit to close.


    Download OTScanIt.exe to your Desktop and doubleclick on it to extract the files. It will create a folder named OTScanIt on your Desktop.

    Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

    Close all open programs and open the OTScanIt folder. Doubleclick on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose "Run as Administrator").

    In the Drivers section click on Non-Microsoft. Under Additional Scans click the checkboxes in front of the following items to select them. Do not change any other settings.

    Reg - BotCheck
    File - Additional Folder Scans

    Next click the Run Scan button on the toolbar. Let it run unhindered until it finishes. When the scan is complete Notepad will open with the report file loaded in it. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

    This will be a very large log, so instead of posting it save it and zip a copy of it, and send it to jintan@cfl.rr.com as an attachment. Please place "Submitted Files - mavplz otscanit" as the email Subject.
  • edited June 2008
    Mail sent
  • edited June 2008
    I received the log, thanks. One very suspect IE registry entry we need to check, and then a Synnack-v2.part1.rar file, a bad idea. The few copies of that I find are uploads originating from Russian crack sites, and the download sites are rife with hard pop-under ads that attempt to download rogue software. If this file has been unzipped already delete whatever it created, and delete this rar file as well.
    @ECHO OFF
    if exist Regsearch1.txt del /q Regsearch1.txt
    regedit /e Regsearch1.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt"
    Notepad Regsearch1.txt
    
    Open Notepad (Start - Run, type notepad and press Enter).

    Copy/paste the above text into the open text box, then save this to your desktop as "cfgcheck.bat"

    Be sure to include the "" quotes in the name. Then click on cfgcheck.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
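The cfgcheck.bat above dumps the MenuExt key with regedit /e for reading by hand. As an added example (not the helper's tool, and not part of this thread), the following Python parses a "Windows Registry Editor Version 5.00" export of that key and lists each IE context-menu extension with its target and a review hint, so the same review can be repeated after each fix. The sample export is constructed from entries of the kind posted in this thread and abridged to three subkeys; regedit writes real exports as UTF-16, so a file on disk is opened with encoding="utf-16" before being passed in.

```python
import re

MENUEXT = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt"

# Constructed sample in regedit export format, abridged to three subkeys. The
# last one has an unreadable name and no default value, the case flagged in
# this thread.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
@="res://C:\\PROGRA~1\\MICROS~2\\Office10\\EXCEL.EXE/3000"
"Contexts"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block frame with Ad Muncher]
@="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame"
"Installed by Ad Muncher"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ÓñČĚŘľ«ÁéĎÂÔŘ(&B)]
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# A value line is either the default value "@" or a quoted name, then "=", then data.
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unescape(token):
    """Strip the quotes of a .reg string token and undo its backslash escapes."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token  # dword:, hex:, or other non-string data, left as written


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a regedit 5.00 export.

    The default value is stored under the name "@"; string data is unescaped,
    other data types are kept as the literal text regedit wrote.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name")
            name = "@" if name == "@" else _unescape(name)
            keys[current][name] = _unescape(m.group("data"))
    return keys


def review_menuext(keys, parent=MENUEXT):
    """List each context-menu extension under parent as (name, target, hint)."""
    rows = []
    prefix = parent.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        name = key[len(parent) + 1:]
        target = values.get("@")
        if target is None:
            hint = "no target recorded; review"
        elif target.lower().startswith(("res://", "file://")):
            hint = "local resource"
        elif target.lower().startswith(("http://", "https://")):
            hint = "remote URL; confirm the owning program"
        else:
            hint = "local file path"
        rows.append((name, target, hint))
    return rows


if __name__ == "__main__":
    for name, target, hint in review_menuext(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{name!r}: {target} [{hint}]")
```

The hints are deliberately conservative: a remote URL is not wrong in itself (the Ad Muncher entries above are legitimate), so the output is a checklist of what each entry points at, to be matched against the programs actually installed.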
  • edited June 2008
    This .rar file has never been unpacked yet. You are right, it's a music album that comes from one Russian site, I was downloading from it a lot of times before (most albums are legal as they are a kind of minimal amateur music) and hadn't any problems... But for now I deleted this file.

    Here is log of cfgcheck:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block frame with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block image with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block link with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Don't filter page with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&ksportuj do programu Microsoft Excel]
    @="res://C:\\PROGRA~1\\MICROS~2\\Office12\\EXCEL.EXE/3000"
    "Contexts"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
    @="res://C:\\PROGRA~1\\MICROS~2\\Office10\\EXCEL.EXE/3000"
    "Contexts"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz plik wideo we Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dlfvideo.htm"
    "Contexts"=dword:00000033
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz w Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dllink.htm"
    "Contexts"=dword:00000022
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz wszystkie pliki w Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dlall.htm"
    "Contexts"=dword:00000033
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz z &BitSpirit]
    @="C:\\Program Files\\BitSpirit\\bsurl.htm"
    "Contexts"=dword:00000020

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz zaznaczone w Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dlselected.htm"
    "Contexts"=dword:00000033
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Report page to the Ad Muncher developers]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ÓñČĚŘľ«ÁéĎÂÔŘ(&B)]
  • edited June 2008
    I may have trouble understanding all the Polish language that has been showing, but I really don't feel "ÓñČĚŘľ«ÁéĎÂÔŘ(&B)" means any more in Polski than it does in Angielski. That setting does have the capabilities to link to a URL, so let's remove that now. Let's see if Regedit will successfully import that. if not you can make the changes manually.

    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ÓĂ±ČĚŘľ«ÁéĎÂÔŘ(&B)]
    
    Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it "oddfix.reg"

    Be sure to include the quotes "" in the name. Then right click oddfix.reg and select Merge to allow it to merge with the Registry.


    To confirm the change succeeded click cfgcheck.bat again and post that new log please.
  • edited June 2008
    The change succeeded but it hasn't helped in any way... 85.255.113.78 85.255.112.36 still appears just after connection...

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block frame with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block image with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Block link with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Don't filter page with Ad Muncher]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude"
    "Installed by Ad Muncher"=""

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&ksportuj do programu Microsoft Excel]
    @="res://C:\\PROGRA~1\\MICROS~2\\Office12\\EXCEL.EXE/3000"
    "Contexts"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel]
    @="res://C:\\PROGRA~1\\MICROS~2\\Office10\\EXCEL.EXE/3000"
    "Contexts"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz plik wideo we Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dlfvideo.htm"
    "Contexts"=dword:00000033
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz w Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dllink.htm"
    "Contexts"=dword:00000022
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz wszystkie pliki w Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dlall.htm"
    "Contexts"=dword:00000033
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz z &BitSpirit]
    @="C:\\Program Files\\BitSpirit\\bsurl.htm"
    "Contexts"=dword:00000020

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Pobierz zaznaczone w Free Download Manager]
    @="file://C:\\Program Files\\Free Download Manager\\dlselected.htm"
    "Contexts"=dword:00000033
    "Free Download Manager"=dword:00000001

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Report page to the Ad Muncher developers]
    @="http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report"
    "Installed by Ad Muncher"=""
  • edited June 2008
    We need a new view now, to make complete changes before verifying no improvements were made.

    Still making sure dss.exe is directly on your desktop, go to Start - Run, and copy/paste the following (then press OK):

    "%userprofile%\desktop\dss.exe" /config

    When the DSS Configuration display opens click the "Check All" button. Next, under Main Log, again uncheck the following:

    System Restore

    Then under Extra Log, uncheck all the boxes.

    Don't make any other changes at this time. Then click the "Scan!" button to start the scan.

    Once the scan has completed a textbox will appear - copy/paste those contents back here please (main.txt). (The logs can also be found in the C:\Deckard\System Scanner folder)

    This one will include processes so may be a bit larger than others.