Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-27 09:36:27
Computer is in Normal Mode.
Performed disk cleanup.
-- HijackThis (run as Administrator.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:36:36, on 2008-06-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Until we locate where the active worm is there, I sense more changes will not help. Pieces are still missing.
Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) scrcons32 in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please. Also do a search using the following, and post those results as well:
85.255.113.78
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\scrcons32*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
; Registry search results for string "85.255.113.78" 2008-06-27 16:50:04
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
; Registry search results for string "scrcons32" 2008-06-27 16:51:15
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"WMI Standard Event Consumer - Scripting"="C:\\WINDOWS\\system32\\wbem\\scrcons32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\wbem\\scrcons32.exe"="C:\\WINDOWS\\system32\\wbem\\scrcons32.exe:*:Enabled:WMI Standard Event Consumer - Scripting"
When I do a scan by cmd.exe, the message "The file hasn't been found" appears, and in Notepad I have only 2 lines: Volume in drive C has no label
The last one indicates no files by that name located there. So no desktop.dll and no scrcons32.exe, the two active known parts of this worm infection. I'll have to review and determine our next moves there. Do you shut this system down frequently - have there been shutdowns that might bring things back? Those last registry items are an odd assortment of different control sets which we are going to check, but the differing numbers suggest changes have been made related to them. Did you do a System Restore after this infection started?
@ECHO OFF
if exist Regsearch3.txt del /q Regsearch3.txt
regedit /e Regsearch3.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
Notepad Regsearch3.txt
Open Notepad (Start - Run, type notepad and press Enter).
Copy/paste the above text into the open text box, then save this to your desktop as "cslook.bat"
Be sure to include the "" quotes in the name. Then click on cslook.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
I don't know what exactly you mean by "bring things back", but I shut down my system 2/3 times per day. The last restore I did was before I posted this problem on this forum - I tried to remove it by restore but it didn't help.
Scan results:
Windows Registry Editor Version 5.00
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it kubuntu.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and ok the prompt asking if you wish to merge the file with your registry.
Then reboot, reconnect to net access and again run and post back a new Deckards scan log please. BUT, when reconnecting to net access only open your browser to here, then wait a little, and run the Deckards scan. But no other surfing before that.
Not a very good sequence there. Why not create the kubuntu.reg file first, then make the IE changes, shut your browser and disconnect from net access, and then Merge the kubuntu.reg with your Registry. Then follow the rest of the steps as posted please.
I run IE very rarely; usually I use Mozilla Firefox. But I did as you wrote. I set a blank site, disconnected, ran this reg file, rebooted, connected again, and went straight to this page and ran DSS. Unfortunately the 85.xx.... log entry is still here. The problem is it appears with the act of connecting to the internet, not after opening a browser...
Since you would recognize them by now, if you now run a Deckards scan and check the log, do those "currentversion\explorer\mountpoints 2" registry keys all show at the bottom again? No need to post it - just check to see if both these changes get made on connection there and let me know.
Sheesh - in doing a web search related to info here I came across one of your other request threads, and only then really noticed your proxy settings reference.
Disconnect from net access as you have done (completely - disconnect the cable/phone line while doing the repairs to assure no hidden contact made).
Right click and Merge the kubuntu.reg you created.
Close all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis. I am assuming you do not use a proxy server in the People's Republic of China bound to your ports there.
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-30 11:53:24
Computer is in Normal Mode.
-- HijackThis (run as Administrator.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:26, on 2008-06-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
-- End of Deckard's System Scanner: finished at 2008-06-30 11:53:57
And after:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-30 11:55:34
Computer is in Normal Mode.
-- HijackThis (run as Administrator.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:34, on 2008-06-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
They all need to be completely disabled from any activity whatsoever. AdMuncher has functions to block change, and I suspect if connected may undo change made - here we are discussing positive change. If necessary uninstall it to remove it from the equation - you can reinstall it later if you choose. And if any of those are not from the vendor's own source, uninstall any like that now as well. Then redo the cleaning steps as before, and check after net access. Though I do not often suggest it, just let me know if you see the same DNS bad setting and mountpoints return for now - no need to post the same logs again yet.
GG is a well-known Polish messenger, RocketDock is something like the Windows Vista top panel; all these apps are from legal sources. But I unchecked autorun in GG, RD and Ad Muncher, so during all scans they were closed. I have repeated all steps from your previous post and the reports are exactly the same. These mountpoints log entries are still there. Sorry, but I don't know where I can check the "DNS bad setting"?
One more thing: during the RunThis.bat scan, between 25 and 50%, a message like this appeared twice for a few seconds (it was in Polish, so in English it may sound a bit different): "FINDSTR: Can not read from the list of files TextPatched3.txt". But the scan completed successfully. By the way, after the first scan of RunThis.bat there is a reboot, and then the next scan. My question is: after the reboot, should the system be run in safe or normal mode? I have run it in normal mode.
I can't be sure what SDFix had trouble reading - it can be creating its own temp files in the process. We should surely look though.
The softwares themselves are not necessarily suspect, and if you know their sources even better. At least AdMuncher has the abilities to block and undo, so it needs to be out of the way.
The bad DNS settings are the "85.255.113.78 85.255.112.36" O17 items that show again in HijackThis after you make a net connection. Since malware has changed them on rare occasions, do you use a router there?
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\patched*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
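The O17/R1 check described in the post above, as an added example that is not part of the original thread: a Python script that parses HijackThis log lines, flags every NameServer not on an allow-list (192.168.1.1 here is an assumed stand-in for the resolver the owner actually uses), reports ProxyServer entries, and compares two scans to show which entries came back after reconnecting. The sample lines are constructed from the entry types quoted in this thread.

```python
"""Flag rogue DNS and proxy settings in HijackThis log lines (added example)."""
import re
from ipaddress import ip_address

# Resolvers the owner actually configured. Constructed for this example;
# on a real machine put the ISP's or router's DNS addresses here.
EXPECTED_DNS = {"192.168.1.1"}

# O17 lines look like: "O17 - <registry key>: NameServer = <ip>[ ,]<ip>..."
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
# R1 proxy lines look like: "R1 - <registry key>,ProxyServer = host:port"
R1_PROXY_RE = re.compile(r"^R1 - (?P<key>.+?),ProxyServer = (?P<proxy>\S+)$")


def parse_nameservers(line):
    """Return (registry_key, [server, ...]) for an O17 line, else None.
    HijackThis prints the servers space- or comma-separated, so split on either."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = [s for s in re.split(r"[ ,]+", m.group("servers")) if s]
    return m.group("key"), servers


def unexpected_nameservers(log_lines, expected=EXPECTED_DNS):
    """(registry_key, [offending servers]) for each O17 entry naming a resolver
    outside the allow-list; a token that is not an IP address at all is flagged too."""
    findings = []
    for line in log_lines:
        parsed = parse_nameservers(line)
        if parsed is None:
            continue
        key, servers = parsed
        bad = []
        for s in servers:
            try:
                ip_address(s)
            except ValueError:
                bad.append(s)
                continue
            if s not in expected:
                bad.append(s)
        if bad:
            findings.append((key, bad))
    return findings


def proxy_servers(log_lines):
    """(registry_key, proxy) for every R1 ProxyServer entry; on a machine that
    is not meant to use a proxy, any hit is a finding."""
    return [(m.group("key"), m.group("proxy"))
            for m in (R1_PROXY_RE.match(l.strip()) for l in log_lines) if m]


def recurring_entries(before_lines, after_lines):
    """(registry_key, server) pairs flagged in both scans: the entries that a
    fix removed but something on the machine wrote back after reconnecting."""
    def flagged(lines):
        return {(k, s) for k, bad in unexpected_nameservers(lines) for s in bad}
    return sorted(flagged(before_lines) & flagged(after_lines))


# Sample scan lines, constructed for this example from the entry types quoted
# in the thread. The addresses are the ones the thread reports.
SAMPLE_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

# Re-scan after reconnecting: the proxy and the CS5 entry are gone, but the
# CCS interface key is back (comma-separated this time, as HijackThis also prints it).
SAMPLE_AFTER = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78,85.255.112.36
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
""".strip().splitlines()

if __name__ == "__main__":
    for key, bad in unexpected_nameservers(SAMPLE_BEFORE):
        print(f"rogue DNS in {key}: {' '.join(bad)}")
    for key, proxy in proxy_servers(SAMPLE_BEFORE):
        print(f"proxy configured in {key}: {proxy}")
    for key, server in recurring_entries(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"came back after reconnect: {server} in {key}")
```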
As after the first scan by cmd, the message "The file hasn't been found" appeared, and in Notepad there are only 2 lines: Volume in drive C has no label
Serial number of volume: 787A-D614
You didn't say anything about the router - unfortunately, if a router with a poor password is involved, and one specific and bad-idea malware as well, there is a slim chance your router firmware settings have been altered.
Download Dr.Web CureIt! from here to your Desktop.
When you have done this, boot into safe mode (restart your computer and tap F8 continuously as it restarts)
Doubleclick the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen. Click the green arrow > to the right and the scan will begin. At the first sign of infection, Select 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.
Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.
Close Cureit and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later, but for now just close the popup and wait for the scan to finish).
I downloaded the Polish version of DrWeb so I should give a little lesson in my language:
- Usuniety = Deleted
- Przeniesiony = Moved
- Archiwum zawierające zainfekowane obiekty = The archive contains infected objects
- Niewyleczalny = Incurable
- Prawdopodobnie = Probably
I am traveling until tomorrow so can only check in from a borrowed connection right now (so can only do some limited work for the moment).
I can sorta see in the Dr. Web log the infection, but in all honesty it is too backwards to work with (file, path, name and Polish language action). The keygen.exe System Restore find suggests the original infection source, so again if there is any installed software from the wrong source it needs to be gone from that system.
I see now in the SDFix log the constant BIT binary info transfers occurring there, like this one:
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09997411a62459b007c5b4c27727b812\BIT48 .tmp"
A likely source of the recurring infection, so something still installed there has an active backdoor.
I appreciate your translation portion, but for now suggest you go ahead and have Dr. Web remove everything it found. This will include its usual mistaken identity of our tools, but we can replace those handily. And perhaps some BitDefender installer files. But I can only do some quick checking here, so for now removing all will be fine. I will get back with you tomorrow and do some more detailed work.
I am back from my travels. The Dr Web log is tough - the logs place the file before the path. But as a guess I sense most of it is referring to a BitDefender install (liveserve.exe) and some of our tools we use. But the keygen is a reality, as far as undesirable and suggesting bad installed software:
As I have been implying, if we are going back and forth in repairs, yet there remains software from an unauthorized source, we will get nowhere. I have to be forward in these types of suggestions, as too many of the requests we get are related to the use of illegal software initially.
This is also an unknown - looks like related to a Half Life game, but Dr. Web suggests it included infection bundled with it:
HLGL 3.exe;C:\Documents and Settings\Administrator\Moje dokumenty\Moje obrazy\zielona szkoła\HLGL 3;Trojan.MulDrop.origin;Niewyleczalny.Przeniesiony.;
OK, I removed unauthorized software installed in the last months. However, I must admit I still have one or more unauthorized apps, but I have been using them for a long time (also on my old systems) and they never caused any problems, so I believe these apps are not the infection source.
I don't have the HL game installed, but I have a legal Counter Strike, which I play on-line on authorized Steam servers, so this HL file comes from it for sure and I don't know why it's infected.
I made a HijackThis scan a few times since my previous reply, and sometimes I can see that this proxy server entry appears again. Then I do completely nothing and it disappears by itself...
Do you have any ideas what more I can do? Maybe I should try some other anti-spyware apps that could cure it or locate the infection source?
By the way, how can I remove these files found by DrWeb? Should I make a scan again?
You have Kaspersky, and just used Dr. Web, among the good few we have already run there, so the system has had many apps assess things so far. One issue with the use of unauthorized software is it does run contrary to Icrontic forum rules - assistance ends if those become known or show in logs. As you so far only indicate your view of what "unauthorized" is I am not pushing that much further at this time. However, in that same frame of thought, I expect ALL illegal software I do not know is there is also actually not there after you read this. Or the steps are done to make that so. If not, I am not interested in continuing here. I hope that made sense.
Most of what Dr. Web found it quarantined or deleted, and others that are just mistaken identity for tools we use it just shows as suspect, so not seeing any bad items left from it. Resetting the System Restore would remove any remnants there, though these are harmless unless an actual Restore is done.
In again weeding back through the logs posted, I see a worm startup item you removed with HijackThis that the logs do not account for, as far as an actual deletion of change.
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\mstmdm*.*" > c:\find3.txt & start notepad c:\find3.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
Open Bobbi Flekman's Regsearch again. In the display panel, copy and paste the following into the upper box:
6B244BC7-1D9D-4B40-8243-D90107A30880
Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).
I recall we used it - but if we did not, here is the download for the Regsearch.zip to unzip and use now.
ComboFix 08-07-08.7 - Administrator 2008-07-09 14:05:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1680 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.
Run by Administrator on 2008-06-27 09:36:27
Computer is in Normal Mode.
Performed disk cleanup.
-- HijackThis (run as Administrator.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:36:36, on 2008-06-27
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\kmp\KMPlayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.bearshare.com/pl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5229 bytes
-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\)
backup-20080615-123025-241 O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
backup-20080615-123025-637 O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
backup-20080615-123026-226 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-292 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-298 O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123026-430 O17 - HKLM\System\CCS\Services\Tcpip\..\{3E488EE0-1FEB-4A4D-BB7C-F2B19881498E}: NameServer = 85.255.113.78,85.255.112.36
backup-20080615-123026-629 O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-123452-582 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134100-830 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080615-134124-280 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-134356-213 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-154517-148 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080615-201914-122 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-110 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
backup-20080616-133545-267 O21 - SSODL: UpdateCheck - {6B244BC7-1D9D-4B40-8243-D90107A30880} - C:\WINDOWS\system32\mstmdm.dll
backup-20080616-133545-400 O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
backup-20080616-133545-577 O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
backup-20080616-133545-872 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080616-133545-965 O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
backup-20080616-144113-626 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080619-144127-419 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080621-162516-565 O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
backup-20080621-162516-855 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080621-162516-950 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
backup-20080621-162517-652 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
backup-20080621-162517-830 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080621-162552-282 O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
backup-20080623-095411-757 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
backup-20080626-232335-307 O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
-- File Associations
.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R0 ALLOW-IO - c:\windows\system32\drivers\allow-io.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R3 adiusbaw (USB ADSL WAN Adapter) - c:\windows\system32\drivers\adiusbaw.sys <Not Verified; Analog Devices Inc.; ADSL USB WAN Driver>
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S2 ADILOADER (General Purpose USB Driver (adildr.sys)) - c:\windows\system32\drivers\adildr.sys <Not Verified; Analog Deivces; ADI ADSL chipset loader>
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys (file missing)
S3 Ad-Watch Real-Time Scanner (AW Real-Time Scanner) - c:\windows\system32\drivers\awrtpd.sys (file missing)
S3 Ad-Watch Registry Filter (Ad-Watch Registry Kernel Filter) - c:\windows\system32\drivers\awrtrd.sys (file missing)
S3 catchme - c:\docume~1\admini~1\ustawi~1\temp\catchme.sys (file missing)
S3 ggsemc (Sony Ericsson USB Flash Driver) - c:\windows\system32\drivers\ggsemc.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>
S3 Profos - c:\program files\common files\bitdefender\bitdefender threat scanner\profos.sys (file missing)
S3 SANDRA - c:\program files\sisoftware\sisoftware sandra lite 2007\sandra.sys (file missing)
S3 Trufos - c:\program files\common files\bitdefender\bitdefender threat scanner\trufos.sys (file missing)
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S4 FirebirdServerMAGIXInstance (Firebird Server - MAGIX Instance) - c:\program files\magix\common\database\bin\fbserver.exe <Not Verified; MAGIX®; Firebird SQL Server - MAGIX Edition>
S4 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>
-- Device Manager: Disabled
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller #3
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&DD8FE83&2&01
Service: NVENETFD
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: BQ9305P PKA211J SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_BQ9305P&PROD_PKA211J&REV_1.0\5&36E5972&0&000
Service: cdrom
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: Stacja dysków CD-ROM
Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Manufacturer: (Standardowe stacje dysków CD-ROM)
Name: NERO IMAGEDRIVE2 SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_NERO&PROD_IMAGEDRIVE2&REV_2.26\2&2CA3B2A6&0&000
Service: cdrom
-- Process Modules
C:\WINDOWS\system32\winlogon.exe (pid 588)
2007-07-24 21:56:36 219648 --a C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\system32\svchost.exe (pid 816)
2007-07-24 21:56:36 219648 --a C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\system32\svchost.exe (pid 920)
2007-07-24 21:56:36 219648 --a C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\system32\svchost.exe (pid 1352)
2007-07-24 21:56:36 219648 --a C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
C:\WINDOWS\explorer.exe (pid 1672)
2007-07-24 21:56:36 219648 --a C:\WINDOWS\system32\uxtheme.dll <Not Verified; Microsoft Corporation; System operacyjny Microsoft® Windows®>
2007-09-02 14:57:36 69632 --a C:\Program Files\RocketDock\RocketDock.dll
2007-11-03 06:26:52 24576 --a C:\Program Files\Ad Muncher\AM28140.dll
2006-09-14 00:20:24 126464 --a C:\Program Files\WinRAR\RarExt.dll
2006-11-10 19:18:26 73728 --a C:\Program Files\Nero\Nero 7\Nero BackItUp\NBShell.dll <Not Verified; Nero AG; Nero BackItUp>
2006-12-21 14:30:44 102400 --a C:\Program Files\Gadu-Gadu\ggwhook.dll <Not Verified; Gadu-Gadu S.A.; Gadu-Gadu>
2008-05-03 05:46:00 466944 --a C:\WINDOWS\system32\nvshell.dll
-- Files created between 2008-05-27 and 2008-06-27
2008-06-22 12:57:22 0 d C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d C:\Program Files\Ad Muncher
-- Find3M Report
2008-06-24 15:19:22 0 d
C:\Program Files\kmp
2008-06-21 16:30:25 0 d
C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d
C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a
C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d
C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a
C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a
C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d
C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d
C:\Program Files\Soulseek
2008-05-22 21:09:41 0 d
C:\Program Files\OO Software
2008-05-22 17:32:48 0 d
C:\Program Files\Kaspersky Lab
2008-05-21 21:58:51 0 d
C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d
C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h
C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d
C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a
C:\amt1
2008-05-05 21:12:59 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a
C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a
C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a
C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a
C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a
C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a
C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a
C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a
C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d
C:\Program Files\Medieval Software
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-27 09:37:22
Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool (scroll down the page to locate it). Type (or copy/paste) scrcons32 in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them back here please. Also do a search using the following, and post those results as well:
85.255.113.78
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\scrcons32*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "85.255.113.78" 2008-06-27 16:50:04
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\Interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}]
"NameServer"="85.255.113.78 85.255.112.36"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}]
"NameServer"="85.255.113.78 85.255.112.36"
For scrcons32.exe:
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "scrcons32" 2008-06-27 16:51:15
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Lsa]
"WMI Standard Event Consumer - Scripting"="C:\\WINDOWS\\system32\\wbem\\scrcons32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\System32\\wbem\\scrcons32.exe"="C:\\WINDOWS\\system32\\wbem\\scrcons32.exe:*:Enabled:WMI Standard Event Consumer - Scripting"
When I do a scan with cmd.exe, the message "The file hasn't been found" appears, and in Notepad I have only 2 lines:
Volume in drive C has no label
Serial number: 787A-D614
Open Notepad (Start - Run, type notepad and press Enter).
Copy/paste the above text into the open text box, then save this to your desktop as "cslook.bat"
Be sure to include the "" quotes in the name. Then click on cslook.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
Scan results:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=dword:00000000
"HideLogoffScripts"=dword:00000000
"RunLogonScriptSync"=dword:00000001
"RunStartupScriptSync"=dword:00000000
"HideStartupScripts"=dword:00000000
In IE, click on Tools -> Internet Options, then select Use Blank (and Apply/OK).
Disconnect from net access. If cable/dsl physically disconnect the modem cable, if dial-up disconnect the phone line.
Open Notepad (Start - Run, type notepad and OK) and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it kubuntu.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry.
Then reboot, reconnect to net access and again run and post back a new Deckard's scan log please. BUT, when reconnecting to net access only open your browser to here, then wait a little, and run the Deckard's scan. But no other surfing before that.
Disconnect from net access as you have done (completely - disconnect the cable/phone line while doing the repairs to assure no hidden contact made).
Right click and Merge the kubuntu.reg you created.
Close all running programs and run a scan in HijackThis. Place a check next to all of the following lines, then select “Fix Checked” and close HijackThis. I am assuming you do not use a proxy server in the People's Republic of China bound to your ports there.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
(The reg merge may have removed the DNS entry).
Then reboot into Safe Mode, locate the C:\SDFix folder and click the RunThis.bat again to start that scan. Follow the prompts and allow the reboot.
After the reboot run a new Deckard's scan, same steps you have been using. No net access yet.
Reconnect to net access, and run a second Deckard's scan, then post both of those (sorry but yes, more posting) and the SDFix report.txt log please.
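Added example, not from the thread: a small Python check that applies the reasoning behind the R1/O17 fixes above to HijackThis and Deckard log lines, flagging a ProxyServer set where none is expected, NameServer entries that are public addresses outside a caller-supplied trusted list (the 85.255.x.x pair here), and mountpoints2 open handlers that load a DLL from the removable drive via rundll32. The sample lines are constructed from the entries quoted in this thread plus one benign LAN resolver line; the trusted-resolver list and the `proxy_expected` flag are assumptions the reader supplies for their own host.

```python
import ipaddress
import re

# Constructed sample input: the R1/O17 lines the helper asked to fix and one
# of the mountpoints2 entries from the Deckard dump, copied from the thread
# above, plus one constructed benign O17 line (LAN resolver) for contrast.
SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"open\Command- rundll32.exe .\desktop.dll,InstallM",
]

PROXY_RE = re.compile(r"^R1 - .*ProxyServer = (\S+)")
DNS_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
# Deckard prints mountpoints2 handlers as "open\Command- <command>".
MOUNT_RE = re.compile(r"^open\\Command- (.+)$", re.IGNORECASE)
# rundll32 loading a DLL by a path relative to the removable drive root.
RELATIVE_DLL_RE = re.compile(r"rundll32\.exe\s+\.\\", re.IGNORECASE)


def _is_private(ip_text):
    """True for private-use addresses (RFC 1918, loopback, link-local); False otherwise or for junk."""
    try:
        return ipaddress.ip_address(ip_text).is_private
    except ValueError:
        return False


def analyze(lines, trusted_resolvers=(), proxy_expected=False):
    """Return (kind, value, reason) findings for the hijack indicators in `lines`.

    trusted_resolvers: public resolvers the owner knowingly uses (assumption,
    supplied by the caller). proxy_expected: True only if a proxy is deliberate.
    """
    findings = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            if not proxy_expected:
                findings.append(("proxy", m.group(1),
                                 "ProxyServer is set although no proxy is expected on this host"))
            continue
        m = DNS_RE.match(line)
        if m:
            for ns in m.group(1).split():
                if not _is_private(ns) and ns not in trusted_resolvers:
                    findings.append(("dns", ns,
                                     "NameServer is a public address not on the trusted resolver list"))
            continue
        m = MOUNT_RE.match(line)
        if m and RELATIVE_DLL_RE.search(m.group(1)):
            findings.append(("autorun", m.group(1),
                             "removable-drive open handler loads a DLL from the drive via rundll32"))
    return findings


if __name__ == "__main__":
    for kind, value, reason in analyze(SAMPLE_LINES):
        print(f"[{kind}] {value}: {reason}")
```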
SDFix: Version 1.199
Run by Administrator on 2008-06-30 at 11:45
Microsoft Windows XP [Wersja 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files :
No Trojan Files Found
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 11:49:44
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:83,01,1c,7b,b2,05,f8,a2,99,7e,19,48,80,72,29,bc,51,84,28,ef,c2,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:5c,6f,21,38,4e,3a,dd,1e,7a,60,d8,6e,66,82,bc,61,88,52,99,74,a3,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:72,d0,b2,51,7d,11,a4,7d,3e,14,f4,2c,97,fd,83,80,27,c1,73,35,48,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:20,39,06,ca,56,b3,ca,7f,6e,78,00,be,23,de,be,e8,64,09,0d,ba,c2,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:c0,a9,01,f5,6f,41,81,29,f5,ab,5e,5a,78,86,54,17,6e,3b,db,0d,43,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:83,01,1c,7b,b2,05,f8,a2,99,7e,19,48,80,72,29,bc,51,84,28,ef,c2,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:5c,6f,21,38,4e,3a,dd,1e,7a,60,d8,6e,66,82,bc,61,88,52,99,74,a3,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:f9,c8,fa,b7,f1,dd,98,4d,56,44,bf,de,1b,80,17,9e,f7,a8,9f,0d,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:94,c3,65,20,c9,d0,d7,9f,b2,3d,92,7f,9f,53,f6,ad,45,75,80,fb,8c,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:94,c3,65,20,c9,d0,d7,9f,b2,3d,92,7f,9f,53,f6,ad,45,75,80,fb,8c,..
"p0"="C:\Program Files\DAEMON Tools\"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"khjeh"=hex:eb,24,ed,22,9d,b1,bf,43,06,df,29,64,ed,e6,c6,9b,44,c0,c1,2c,5a,..
"a0"=hex:20,01,00,00,5f,37,19,18,e4,99,64,e9,33,d7,1a,95,e1,95,7b,00,81,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:94,da,1b,ae,a6,1e,2f,47,9a,f3,47,10,2a,d2,f3,ef,ee,5c,0e,9f,23,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:dd,66,9c,8a,23,12,24,f4,0b,88,4e,99,a6,93,56,1c,7c,e7,e4,64,f2,..
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\System]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"="C:\\Program Files\\BitSpirit\\BitSpirit.exe:*:Enabled:The powerful and easy-to-use BitTorrent Client"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Gadu-Gadu\\gg.exe"="C:\\Program Files\\Gadu-Gadu\\gg.exe:*:Enabled:Gadu-Gadu - program główny"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
Files with Hidden Attributes :
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09997411a62459b007c5b4c27727b812\BIT48.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1b4906af34b69bb3b3bff77c77c36269\BIT4D.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\238ea9fc36cfe91e6d8d2a057bf59e53\BIT53.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2ac354659614029836a3e6f43f478d68\BIT56.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\395a6b3cc3ef33ceb456d5772d320a49\BIT52.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3fb99568c483077faade564bf19fd5b1\BIT5E.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4982a61e2216973813f44f56425bf3d9\BIT4B.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\49de99a94f2b671fa314de00469bc9ee\BIT5D.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4a43476dc86b4dbe7da8acc0ef0e5c5f\BIT5C.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\504a292ad849178ad9c5188c7eecd6e6\BIT5F.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT2D.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6adaf981e12b6d73d603b0b7cd1bd3b0\BIT58.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\78670cbd6a90baaa408a8a72f52fdce2\BIT32.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\86e5b4dadbb28e067b72e96af284a2b0\BIT4E.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\90b64af20ec49650e48013f156470238\BIT50.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\94af39a0130ee1aef6c5b5f008af01e9\BIT4C.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aff5d7c797f1e254b0042756b4877f70\BIT5B.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3785b22f905d6c0e99056e24099a0a7\BIT57.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b66e85416787cab176e98d4d637c4f81\BIT5A.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b8f841be0a4a9c344276ad0e6d2e6ef7\BIT49.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b9075ab76028414158858b84810726f9\BIT4F.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f60df1b38218903dd0d40ce98\BIT35.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\becfb2439d7d5a97f7e2da7b1433c139\BIT51.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c6d686951b1308c6fd3d9343b47193cb\BIT4A.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d3c4aebdee35f35b6bda63780eafaf85\BIT62.tmp"
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edb846a7ab7add3b71d83f6a232086a3\BIT54.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\edf69d5dc5cba73e15a467a90c9e07b0\BIT59.tmp"
Sat 21 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ffdc7af41a0409dddb9ddefe4faf90de\BIT55.tmp"
Sat 17 Nov 2007 6,297 ...HR --- "C:\Documents and Settings\Administrator\Dane aplikacji\SecuROM\UserData\securom_v7_01.bak"
Finished!
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-30 11:53:24
Computer is in Normal Mode.
-- HijackThis (run as Administrator.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:26, on 2008-06-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 211.142.211.39:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5196 bytes
-- Files created between 2008-05-30 and 2008-06-30
2008-06-22 12:57:22 0 d
C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d
C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a
C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a
C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a
C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a
C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a
C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a
C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a
C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a
C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a
C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d
C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a
C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d
C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a
C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a
C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a
C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a
C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a
C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a
C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a
C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d
C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d
C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d
C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d
C:\Program Files\Ad Muncher
-- Find3M Report
2008-06-24 15:19:22 0 d
C:\Program Files\kmp
2008-06-21 16:30:25 0 d
C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d
C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a
C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d
C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a
C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a
C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d
C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d
C:\Program Files\Soulseek
2008-05-22 21:09:41 0 d
C:\Program Files\OO Software
2008-05-22 17:32:48 0 d
C:\Program Files\Kaspersky Lab
2008-05-21 21:58:51 0 d
C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d
C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h
C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d
C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a
C:\amt1
2008-05-05 21:12:59 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a
C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a
C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a
C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a
C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a
C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a
C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a
C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a
C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d
C:\Program Files\Medieval Software
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-30 11:53:57
And after:
Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-30 11:55:34
Computer is in Normal Mode.
-- HijackThis (run as Administrator.exe)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:34, on 2008-06-30
Platform: Windows XP Dodatek SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Pulpit\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Gadu-Gadu] "C:\Program Files\Gadu-Gadu\gg.exe" /tray
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA LOKALNA')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'USŁUGA SIECIOWA')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_exclude
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pobierz plik wideo we Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Pobierz w Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Pobierz z &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher.com/request_will_be_intercepted_by/Ad_Muncher/browserextensions.pl?exbrowser=ie&exversion=0.4&pass=K5PN70AI&id=menu_ie_report
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 5213 bytes
-- Files created between 2008-05-30 and 2008-06-30
2008-06-22 12:57:22 0 d
C:\WINDOWS\ERUNT
2008-06-20 08:22:10 0 d
C:\WINDOWS\BDOSCAN8
2008-06-18 20:54:16 0 drahs---- C:\autorun.inf
2008-06-18 13:16:00 690 --a
C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15:34 25600 --a
C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:15:34 289144 --a
C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-06-18 13:15:34 86528 --a
C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-06-18 13:15:34 288417 --a
C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-06-18 13:15:34 53248 --a
C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-06-18 13:15:34 82944 --a
C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-06-18 13:15:34 51200 --a
C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15:34 81920 --a
C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; 404Fix>
2008-06-17 11:40:12 0 d
C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:10:31 212480 --a
C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-16 12:42:43 0 d
C:\Program Files\Common Files\Download Manager
2008-06-15 19:59:37 68096 --a
C:\WINDOWS\zip.exe
2008-06-15 19:59:37 49152 --a
C:\WINDOWS\VFind.exe
2008-06-15 19:59:37 136704 --a
C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-15 19:59:37 161792 --a
C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-15 19:59:37 98816 --a
C:\WINDOWS\sed.exe
2008-06-15 19:59:37 80412 --a
C:\WINDOWS\grep.exe
2008-06-15 19:59:37 89504 --a
C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-15 12:25:25 0 d
C:\Program Files\Trend Micro
2008-06-11 16:16:34 0 d
C:\Program Files\Free Download Manager
2008-06-07 20:09:49 0 d
C:\Program Files\AutoConnect
2008-06-07 20:04:13 0 d
C:\Program Files\Ad Muncher
-- Find3M Report
2008-06-24 15:19:22 0 d
C:\Program Files\kmp
2008-06-21 16:30:25 0 d
C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 16:18:02 0 d
C:\Program Files\Common Files
2008-06-20 21:52:19 669184 --a
C:\WINDOWS\system32\pbsvc.exe
2008-06-20 21:30:41 0 d
C:\Program Files\Electronic Arts
2008-06-17 11:40:14 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-16 12:44:19 494652 --a
C:\WINDOWS\system32\perfh015.dat
2008-06-16 12:44:19 87188 --a
C:\WINDOWS\system32\perfc015.dat
2008-06-15 13:47:00 0 d
C:\Program Files\FlashGet
2008-06-11 16:17:39 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
2008-06-06 21:57:23 0 d
C:\Program Files\Soulseek
2008-05-22 21:09:41 0 d
C:\Program Files\OO Software
2008-05-22 17:32:48 0 d
C:\Program Files\Kaspersky Lab
2008-05-21 21:58:51 0 d
C:\Program Files\CD Catalog Expert
2008-05-17 18:29:39 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 18:02:43 0 d
C:\Program Files\Ubisoft
2008-05-17 18:02:42 0 d--h
C:\Program Files\InstallShield Installation Information
2008-05-10 21:11:33 0 d
C:\Program Files\Dziobas Rar Player
2008-05-07 20:36:48 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\SolidDocuments
2008-05-07 15:36:10 279172 --a
C:\amt1
2008-05-05 21:12:59 0 d
C:\Documents and Settings\Administrator\Dane aplikacji\Media Player Classic
2008-05-03 05:46:00 1630208 --a
C:\WINDOWS\system32\nwiz.exe
2008-05-03 05:46:00 1019904 --a
C:\WINDOWS\system32\nvwimg.dll
2008-05-03 05:46:00 1703936 --a
C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-03 05:46:00 466944 --a
C:\WINDOWS\system32\nvshell.dll
2008-05-03 05:46:00 1486848 --a
C:\WINDOWS\system32\nview.dll
2008-05-03 05:46:00 1339392 --a
C:\WINDOWS\system32\nvdspsch.exe
2008-05-03 05:46:00 442368 --a
C:\WINDOWS\system32\nvappbar.exe
2008-05-03 05:46:00 425984 --a
C:\WINDOWS\system32\keystone.exe
2008-04-30 18:37:12 0 d
C:\Program Files\Medieval Software
-- Registry Dump
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 C:\WINDOWS\soundman.exe]
"Ad Muncher"="C:\Program Files\Ad Muncher\AdMunch.exe" [2007-11-03 06:48]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 14:58]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FrameWork 2.5]
FrameWork.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\TrayServer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zoneLINK MultiCore Optimizer]
"C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe" -TRAY
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
-- End of Deckard's System Scanner: finished at 2008-06-30 11:55:52
C:\Program Files\Ad Muncher\AdMunch.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\RocketDock\RocketDock.exe
They all need to be completely disabled from any activity whatsoever. AdMuncher has functions to block change, and I suspect if connected may undo change made - here we are discussing positive change. If necessary uninstall it to remove it from the equation - you can reinstall it later if you choose. And if any of those are not from the vendor's own source, uninstall any like that now as well. Then redo the cleaning steps as before, and check after net access. Though I do not often suggest it, just let me know if you see the same DNS bad setting and mountpoints return for now - no need to post the same logs again yet.
One more thing: during the RunThis.bat scan, between 25 and 50%, a message like this appeared 2 times for a few seconds (it was in Polish so in English it may sound a bit different): "FINDSTR: Can not read from the list of files TextPatched3.txt". But the scan has been completed successfully. Btw after the first scan of RunThis.bat, there is a reboot, and a next scan. My question is: after the reboot should the system be run in safe or normal mode? I have run it in normal mode.
The software itself is not necessarily suspect, and if you know its sources even better. At least AdMuncher has the ability to block and undo, so it needs to be out of the way.
The bad DNS settings are the "85.255.113.78 85.255.112.36" O17 items that show again in HijackThis after you make a net connection. Since malware has changed them on rare occasions, do you use a router there?
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\patched*.*" > c:\find.txt & start notepad c:\find.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
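As an added defender-side example (not from the thread or from any of the tools it mentions), the following Python script checks for the two findings discussed above: O17 NameServer entries outside an allowlist that reappear between two HijackThis logs, and DSS mountpoints2 blocks whose open\Command loads a DLL by relative path from the removable drive. The sample input is excerpted from the logs posted above; the trusted resolver address is an assumption.

```python
from __future__ import annotations

import re
from ipaddress import ip_address

# Constructed excerpts of the two HijackThis logs posted above (only the lines these checks need).
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C08CBDB-2261-4A71-A965-34F67B93A9F9}: NameServer = 85.255.113.78 85.255.112.36
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""
# Constructed excerpt of the DSS registry dump above (two of its six blocks).
DSS_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
AutoRun\command- G:\
open\Command- rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
AutoRun\command- H:\
open\Command- rundll32.exe .\desktop.dll,InstallM
"""
# Resolvers the owner recognises (router or ISP); an assumed value for this example.
TRUSTED_NAMESERVERS = {"192.168.1.1"}

HJT_ITEM = re.compile(r"^[A-Z]\d{1,2} - ")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d. ]+)$")
MP_HEADER = re.compile(
    r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[0-9a-f-]+\})\]$", re.I)
MP_VALUE = re.compile(r"^(?P<name>[^-]+)- (?P<value>.*)$")
# rundll32 given a relative DLL path: the library comes from the removable volume itself.
RELATIVE_RUNDLL = re.compile(r"rundll32(\.exe)?\s+\.\\", re.I)


def hjt_items(log: str) -> list[str]:
    """The HijackThis item lines (R0, O4, O17, ...) of a log, stripped."""
    return [ln.strip() for ln in log.splitlines() if HJT_ITEM.match(ln.strip())]


def o17_nameservers(log: str) -> list[str]:
    """Every NameServer address listed in O17 items, in log order."""
    servers: list[str] = []
    for item in hjt_items(log):
        m = O17_LINE.match(item)
        if m:
            servers.extend(m.group("servers").split())
    return servers


def rogue_nameservers(log: str, trusted: set[str]) -> list[str]:
    """Addresses outside the trusted set; malformed tokens count as rogue too,
    since they also mean the interface's NameServer value was tampered with."""
    rogue = []
    for server in o17_nameservers(log):
        try:
            ok = str(ip_address(server)) in trusted
        except ValueError:
            ok = False
        if not ok:
            rogue.append(server)
    return rogue


def new_items(before: str, after: str) -> list[str]:
    """Items present only in the later log: what came back after reconnecting."""
    seen = set(hjt_items(before))
    return [item for item in hjt_items(after) if item not in seen]


def mountpoints(dss_dump: str) -> dict[str, dict[str, str]]:
    """Parse the mountpoints2 blocks of a DSS registry dump into {guid: {name: value}}."""
    result: dict[str, dict[str, str]] = {}
    current = None
    for raw in dss_dump.splitlines():
        line = raw.strip()
        header = MP_HEADER.match(line)
        if header:
            current = header.group("guid").lower()
            result[current] = {}
        elif line.startswith("["):          # some other registry key: stop collecting
            current = None
        elif current is not None and (value := MP_VALUE.match(line)):
            result[current][value.group("name").lower()] = value.group("value")
    return result


def suspicious_mountpoints(dss_dump: str) -> list[tuple[str, str, str]]:
    """(guid, drive, command) for each mountpoint whose open or autorun command
    runs rundll32 on a DLL addressed relative to the removable drive."""
    hits = []
    for guid, values in mountpoints(dss_dump).items():
        drive = values.get(r"autorun\command", "?")
        for name in (r"open\command", r"autorun\command"):
            if RELATIVE_RUNDLL.search(values.get(name, "")):
                hits.append((guid, drive, values[name]))
    return hits
```

Run `rogue_nameservers` and `new_items` over the log saved before and after reconnecting; both lists should be empty once the machine is clean.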
Volume in drive C has no label
Serial number of volume: 787A-D614
Download Dr.Web CureIt! from here to your Desktop.
When you have done this, boot into safe mode (restart your computer and tap F8 continuously as it restarts)
Double-click the drweb-cureit.exe file. Click on Start and Ok and allow it to run the express scan. This is a short scan and will scan all files currently running in memory. If something is found, click the Yes button when it asks you if you want to cure it.
Once the short scan has finished, click on Custom Scan and choose the drives that you want to scan. Click on the drive to select it. A red dot shows which drives have been chosen. Click the green arrow > to the right and the scan will begin. At the first sign of infection, Select 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, click the "Select all" button and then click on the Move button. This will move any infected files to the %userprofile%\DoctorWeb\quarantine folder.
Next and this is important, from the main Dr.Web CureIt menu (top left), click File and choose save report list and save the report to your desktop. The report will be called DrWeb.csv and it can be opened in Notepad.
Close CureIt and restart your computer to completely remove any stubborn files. You may get a message saying "No operations performed with some objects in list. Exit program". If so, click "Yes" (You may get a popup offering you a discount if you purchase DrWeb AntiVirus. You may or may not wish to take advantage of this offer later, but for now just close the popup and wait for the scan to finish).
Please post the log in this thread.
- Usunięty = Deleted
- Przeniesiony = Moved
- Archiwum zawierające zainfekowane obiekty = The archive contains infected objects
- Niewyleczalny = Incurable
- Prawdopodobnie = Probably
stream023\livesrv.exe;C:\WINDOWS\Installer\2536ea.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\WINDOWS\Installer\2536ea.msi;Archiwum zawierające zainfekowane obiekty;;
2536ea.msi;C:\WINDOWS\Installer;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0256206.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP435;Trojan.KeyLogger.origin;Niewyleczalny.Przeniesiony.;
A0256209.exe\InstallUpdate.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP435\A0256209.exe;Trojan.KeyLogger.origin;;
A0256209.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP435;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0256219.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP436;Trojan.KeyLogger.origin;Niewyleczalny.Przeniesiony.;
A0256589.exe\InstallUpdate.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP436\A0256589.exe;Trojan.KeyLogger.origin;;
A0256589.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP436;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0267002.dll;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP469;Adware.SearchAid.40;Przeniesiony.;
A0267040.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP470;Trojan.StartPage.1505;Usunięty.;
A0267277.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP470;Trojan.StartPage.1505;Usunięty.;
A0267362.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP471;Trojan.StartPage.1505;Usunięty.;
A0267600.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP471;Trojan.StartPage.1505;Usunięty.;
A0267689.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP471;Trojan.StartPage.1505;Usunięty.;
A0267762.EXE;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP472;Program.PsExec.170;Przeniesiony.;
A0267772.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP472;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0267950.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0267957.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473\A0267957.exe;Prawdopodobnie SCRIPT.Virus;;
A0267957.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473\A0267957.exe;Program.PsExec.171;;
A0267957.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0267983.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Trojan.StartPage.1505;Usunięty.;
A0268288.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP473;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0269379.reg;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP476;Trojan.StartPage.1505;Usunięty.;
A0269502.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP478;Prawdopodobnie SCRIPT.Virus;Przeniesiony.;
A0272239.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP485;Prawdopodobnie DLOADER.Trojan;Przeniesiony.;
stream023\livesrv.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP495\A0272990.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP495\A0272990.msi;Archiwum zawierające zainfekowane obiekty;;
A0272990.msi;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP495;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0273534.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497\A0273534.exe;Tool.Prockill;;
A0273534.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0274708.exe\keygen.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497\A0274708.exe;Trojan.DownLoader.55602;;
A0274708.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0274749.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497;Tool.Prockill;Przeniesiony.;
A0278493.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278494.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278495.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278496.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Tool.Prockill;Przeniesiony.;
A0278497.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278497.exe;Tool.Prockill;;
A0278497.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0278498.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;BackDoor.IRC.Chazz.38;;
A0278498.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;Tool.Prockill;;
A0278498.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278498.exe;Tool.ShutDown.11;;
A0278498.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0278499.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278500.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278501.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278502.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;BackDoor.IRC.Chazz.38;Usunięty.;
A0278546.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278546.exe;Prawdopodobnie SCRIPT.Virus;;
A0278546.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504\A0278546.exe;Program.PsExec.171;;
A0278546.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
A0278550.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Tool.Prockill;Przeniesiony.;
A0278551.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Tool.ShutDown.11;Przeniesiony.;
A0278552.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP504;Program.Tcpip;Przeniesiony.;
stream023\livesrv.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP505\A0278640.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP505\A0278640.msi;Archiwum zawierające zainfekowane obiekty;;
A0278640.msi;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP505;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
stream023\livesrv.exe;C:\WINDOWS\Installer\2536ea.msi\stream023;Prawdopodobnie DLOADER.Trojan;;
stream023;C:\WINDOWS\Installer\2536ea.msi;Archiwum zawierające zainfekowane obiekty;;
2536ea.msi;C:\WINDOWS\Installer;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
404Fix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.C.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.exe;C:\WINDOWS\system32;BackDoor.IRC.Chazz.38;Usunięty.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Niewyleczalny.Usunięty.;
HLGL 3.exe;C:\Documents and Settings\Administrator\Moje dokumenty\Moje obrazy\zielona szkoła\HLGL 3;Trojan.MulDrop.origin;Niewyleczalny.Przeniesiony.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Administrator\Pulpit\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Administrator\Pulpit;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Downloads\różne\1\apteczka\ComboFix.exe;Prawdopodobnie SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Downloads\różne\1\apteczka\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Downloads\różne\1\apteczka;Archiwum zawierające zainfekowane obiekty;;
SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\GenericRenosFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.C.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\IEDFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix.exe;Tool.ShutDown.11;;
SmitfraudFix.exe;C:\Downloads\różne\1\apteczka;Archiwum zawierające zainfekowane obiekty;Przeniesiony.;
404Fix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
GenericRenosFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.C.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
IEDFix.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;BackDoor.IRC.Chazz.38;Usunięty.;
Process.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;Tool.Prockill;;
restart.exe;C:\Downloads\różne\1\apteczka\SmitfraudFix;Tool.ShutDown.11;;
btw I tried a scan by Hijack and my favourite log is still there
I can sorta see in the Dr. Web log the infection, but in all honesty it is too backwards to work with (file, path, name and Polish language action). The keygen.exe System Restore find suggests the original infection source, so again if there is any installed software from the wrong source it needs to be gone from that system.
I see now in the SDFix log the constant bit binary info transfers occurring there, like this one:
Mon 30 Jun 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09997411a62459b007c5b4c27727b812\BIT48 .tmp"
A likely source of the recurring infection, so something still installed there has an active backdoor.
I appreciate your translation portion, but for now suggest you go ahead and have Dr. Web remove everything it found. This will include its usual mistaken identity of our tools, but we can replace those handily. And perhaps some BitDefender installer files. But I can only do some quick checking here, so for now removing all will be fine. I will get back with you tomorrow and do some more detailed work.
A0274708.exe\keygen.exe;C:\System Volume Information\_restore{2BFD8F0F-83B0-4E64-B33C-4916D8E6694C}\RP497\A0274708.exe;Trojan.DownLoader.55602;;
As I have been implying, if we are going back and forth in repairs, yet there remains there software from an unauthorized source, we will get nowhere. I have to be forward in these types of suggestions, as too many of the requests we get are related to the use of illegal software initially.
This is also an unknown - it looks like it is related to a Half Life game, but D Web suggests it included infection bundled with it:
HLGL 3.exe;C:\Documents and Settings\Administrator\Moje dokumenty\Moje obrazy\zielona szkoła\HLGL 3;Trojan.MulDrop.origin;Niewyleczalny.Przeniesiony.;
I don't have the HL game installed but I have a legal Counter Strike, which I play on-line on authorized Steam servers, so this HL file comes from it for sure and I don't know why it's infected.
I made a Hijack scan a few times since my previous reply, and sometimes I can see that this proxy server log appears again. Then I do completely nothing and it disappears by itself...
Do you have any ideas what more I can do? Maybe I should try any other anti-spyware apps that could cure it or localize the infection source?
btw how can I remove these files found by DrWeb? Should I make a scan again?
Most of what D Web found it quarantined or deleted, and others that are just mistaken identity for tools we use it just shows as suspect, so not seeing any bad items left from it. Resetting the System Restore would remove any remnants there, though these are harmless unless an actual Restore is done.
In again weeding back through the logs posted, I see a worm startup item you removed with HijackThis that the logs do not account for, as far as an actual deletion or change.
Go to Start > Run and type:
cmd.exe
and ok. Copy and paste the below string after the prompt >
dir /s /a "c:\mstmdm*.*" > c:\find3.txt & start notepad c:\find3.txt
Your drive will be scanned and when finished, Notepad will pop up with some information. Copy and paste it in this thread.
Open Bobbi Flekman's Regsearch again. In the display panel, copy and paste the following into the upper box:
6B244BC7-1D9D-4B40-8243-D90107A30880
Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).
I recall we used it - but if we did not, here is the download for the Regsearch.zip to unzip and use now.
Volume in drive C has no label
Serial number of volume: 787A-D614
Maybe this command should be different on a Polish system?
RegSearch log:
Windows Registry Editor Version 5.00
; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0
; Results at 2008-07-08 08:43:35 for strings:
; '6b244bc7-1d9d-4b40-8243-d90107a30880'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1045.18.1680 [GMT 2:00]
Running from: C:\Documents and Settings\Administrator\Pulpit\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.
2008-07-03 09:48 . 2008-07-03 09:56 <DIR> d-------- C:\Documents and Settings\Administrator\DoctorWeb
2008-06-30 22:40 . 2008-06-30 22:40 <DIR> d-------- C:\Program Files\OE-Mail Recovery
2008-06-30 20:48 . 2008-06-30 20:48 <DIR> d-------- C:\Program Files\NAPI-PROJEKT
2008-06-30 11:39 . 2008-07-01 18:34 <DIR> d-------- C:\SDFix
2008-06-22 12:57 . 2008-06-22 12:57 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-21 10:18 . 2008-06-21 13:30 121 --a------ C:\WINDOWS\bdagent.INI
2008-06-20 16:59 . 2008-07-07 12:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-20 16:59 . 2008-06-20 16:59 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-20 08:22 . 2008-06-20 08:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-06-18 13:16 . 2008-06-18 13:16 690 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-18 13:15 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-18 13:15 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-18 13:15 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-18 13:15 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-18 13:15 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-18 13:10 . 2008-06-18 13:10 <DIR> d-------- C:\Deckard
2008-06-17 12:43 . 2008-06-17 12:43 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\SUPERAntiSpyware.com
2008-06-17 11:40 . 2008-06-17 11:40 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 11:40 . 2008-06-17 11:40 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
2008-06-17 11:40 . 2008-06-17 11:40 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Malwarebytes
2008-06-17 11:40 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 11:40 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 12:55 . 2008-06-16 14:10 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-06-16 12:42 . 2008-06-16 12:42 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-06-16 12:42 . 2005-09-23 07:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-06-15 16:18 . 2008-06-15 16:21 535 --a------ C:\WINDOWS\wininit.ini
2008-06-15 16:01 . 2008-06-16 13:39 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\Spybot - Search & Destroy
2008-06-15 14:57 . 2008-06-18 21:10 <DIR> d-------- C:\fixwareout
2008-06-15 12:25 . 2008-06-15 12:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-11 16:16 . 2008-06-15 21:15 <DIR> d-------- C:\Program Files\Free Download Manager
2008-06-11 16:16 . 2008-06-11 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Dane aplikacji\FreeDownloadManager.ORG
2008-06-11 16:16 . 2008-06-11 16:17 <DIR> d-------- C:\Documents and Settings\Administrator\Dane aplikacji\Free Download Manager
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 20:45 136,888 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-07-08 20:45 111,928 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-07-07 16:22 --------- d-----w C:\Program Files\AutoConnect
2008-07-07 07:05 --------- d---a-w C:\Documents and Settings\All Users\Dane aplikacji\TEMP
2008-06-24 13:19 --------- d-----w C:\Program Files\kmp
2008-06-21 14:30 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-21 14:11 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Kaspersky Lab
2008-06-20 19:52 669,184 ----a-w C:\WINDOWS\system32\pbsvc.exe
2008-06-20 19:52 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-06-20 19:52 22,328 ----a-w C:\Documents and Settings\Administrator\Dane aplikacji\PnkBstrK.sys
2008-06-20 19:30 --------- d-----w C:\Program Files\Electronic Arts
2008-06-15 13:55 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Lavasoft
2008-06-15 11:47 --------- d-----w C:\Program Files\FlashGet
2008-06-07 18:06 --------- d-----w C:\Program Files\Ad Muncher
2008-06-06 19:57 --------- d-----w C:\Program Files\Soulseek
2008-05-22 15:32 --------- d-----w C:\Program Files\Kaspersky Lab
2008-05-21 19:58 --------- d-----w C:\Program Files\CD Catalog Expert
2008-05-17 16:29 --------- d-----w C:\Documents and Settings\Administrator\Dane aplikacji\Ubisoft
2008-05-17 16:09 --------- d-----w C:\Documents and Settings\All Users\Dane aplikacji\Ubisoft
2008-05-17 16:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 16:02 --------- d-----w C:\Program Files\Ubisoft
2008-05-10 19:11 --------- d-----w C:\Program Files\Dziobas Rar Player
2008-04-30 15:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-01-25 17:37 32 ----a-w C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
2001-02-23 17:22 299,008 ----a-w C:\Program Files\bestplayer1.0.exe
.
Sigcheck
2006-04-20 14:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2001-08-18 08:24 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2001-08-18 08:24 327168 e7774698bb0d14b0710a9a31e209f9b6 C:\WINDOWS\SoftwareDistribution\Download\43ab4310d3c682d7f669ad4db86a272d\backup\tcpip.sys
2006-04-20 13:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\system32\dllcache\tcpip.sys
2006-04-20 13:51 359808 b4e29943b4b04bd5e7381546848e6669 C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:44 15360]
"Gadu-Gadu"="C:\Program Files\Gadu-Gadu\gg.exe" [2008-01-23 22:29 2119104]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-03 05:46 13529088]
"SoundMan"="SOUNDMAN.EXE" [2006-06-20 23:42 577536 C:\WINDOWS\soundman.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:44 15360]
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programy^Autostart^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programy^Autostart^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeCall
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VoipCheapCom
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WengoPhoneNG
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2008-05-03 05:46 13529088 C:\WINDOWS\system32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-03 05:46 86016 C:\WINDOWS\system32\nvmctray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrayServer]
--a------ 2006-10-04 16:41 86016 C:\Program Files\MAGIX\Movie_Edit_Pro_12_e-version\Trayserver.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-03 05:46 1630208 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=3 (0x3)
"WebClient"=2 (0x2)
"TlntSvr"=3 (0x3)
"SharedAccess"=3 (0x3)
"seclogon"=2 (0x2)
"SCardSvr"=3 (0x3)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"idsvc"=3 (0x3)
"FirebirdServerMAGIXInstance"=3 (0x3)
"CryptSvc"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)
"UTSCSI"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"O&O Defrag"=2 (0x2)
"ERSvc"=2 (0x2)
"AVP"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitSpirit\\BitSpirit.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Gadu-Gadu\\gg.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
R0 ALLOW-IO;ALLOW-IO;C:\WINDOWS\system32\Drivers\ALLOW-IO.sys [2005-06-21 16:47]
S4 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe [2005-11-17 15:18]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-24 14:39]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03f8e539-4d99-11dc-ad6b-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2708cd15-2bfb-11dd-bff5-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b0c8f62-1dcc-11dd-9277-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7eb314c-b535-11dc-9002-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3b59ac6-324e-11dd-a603-4d6564696130}]
\Shell\AutoRun\command - G:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a35061-ca86-11dc-9072-4d6564696130}]
\Shell\AutoRun\command - H:\
\Shell\open\Command - rundll32.exe .\desktop.dll,InstallM
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-zoneLINK MultiCore Optimizer - C:\Program Files\zoneLINK\MultiCore Optimizer\MultiCoreOptimizer.exe
MSConfigStartUp-FrameWork 2 - FrameWork.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-09 14:07:26
Windows 5.1.2600 Dodatek Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-07-09 14:08:11
ComboFix-quarantined-files.txt 2008-07-09 12:08:07
ComboFix2.txt 2008-06-15 18:07:46
Pre-Run: 100,144,889,856 bajtów wolnych
Post-Run: 100,235,923,456 bajtów wolnych
193