Another Win32:Rootkit-gen [Rtk] [Solved]


  • This topic is locked This topic is locked

#1
dzid

dzid

    Member

  • Member
  • PipPip
  • 15 posts
Hi,

My name is Jarek, I live in Germany though I'm Polish. I work in IT, but have had little to do with the Windows world for years... There are no viruses (trojans, rootkits etc.) in my world :) Unfortunately I still run an XP PC at home, mainly for my wife. And here it is different... very different since Friday, when Avast reported a Win32:Rootkit-gen [Rtk] detection.
The symptoms are very much like those in http://www.geekstogo...tk-t270702.html.
I need help removing the stuff and estimating the danger - is it 'just' a spammer, a backdoor or anything else?
Here are the reports from OTL and gmer, collected as described in the other post.

OTL.Txt

OTL logfile created on: 2010-05-15 23:32:17 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\wspolne\Moje dokumenty\Downloads
Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 76,00% Memory free
5,00 Gb Paging File | 4,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465,75 Gb Total Space | 393,87 Gb Free Space | 84,57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 372,61 Gb Total Space | 120,39 Gb Free Space | 32,31% Space Free | Partition Type: NTFS
Drive G: | 7,52 Gb Total Space | 3,22 Gb Free Space | 42,85% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DZIDKI
Current User Name: wspolne
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\wspolne\Moje dokumenty\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
PRC - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe (D-Link)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\wspolne\Moje dokumenty\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (ServiceLayer) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)


========== Driver Services (SafeList) ==========

DRV - (MEMSWEEP2) -- File not found
DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (SAVRKBootTasks) -- C:\WINDOWS\system32\SAVRKBootTasks.sys (Sophos Plc)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (VIAHdAudAddService) -- C:\WINDOWS\system32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (JRAID) -- C:\WINDOWS\system32\DRIVERS\jraid.sys (JMicron Technology Corp.)
DRV - (L1e) -- C:\WINDOWS\system32\drivers\l1e51x86.sys (Atheros Communications, Inc.)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (usbaudio) Sterownik audio USB (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology, Corp.)
DRV - (monfilt) -- C:\WINDOWS\system32\drivers\monfilt.sys (Creative Technology Ltd.)
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (QCMerced) -- C:\WINDOWS\system32\drivers\lvcm.sys (Logitech Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://wyborcza.pl/0,0.html
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "http://wiadomosci.ga...mosci/0,0.html"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: {472f4ef0-a825-11da-a746-0800200c9a66}:1.2
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: {62fe3c1e-482a-4498-bbea-1dc8bfd2d439}:2.0.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: [email protected]:3.6.14
FF - prefs.js..network.proxy.autoconfig_url: "http://inetprox.inet...e/rasproxy.pac"
FF - prefs.js..network.proxy.backup.ftp: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.ssl_port: 8080

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-04-15 18:33:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-04-15 18:33:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010-04-15 18:33:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009-10-18 21:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Extensions
[2010-05-15 22:05:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions
[2010-05-08 14:20:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2010-05-08 14:20:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009-10-18 21:57:57 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2009-10-18 21:57:57 | 000,000,000 | ---D | M] (Tab Clicking Options) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{43520B8F-4107-4351-AC64-9BCC5EEA24B9}
[2009-10-18 21:57:57 | 000,000,000 | ---D | M] (FavLoc) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{472f4ef0-a825-11da-a746-0800200c9a66}
[2010-03-01 23:43:18 | 000,000,000 | ---D | M] (Snajper.net) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{62fe3c1e-482a-4498-bbea-1dc8bfd2d439}
[2009-10-18 21:57:55 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010-01-26 10:37:02 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2009-12-09 00:22:28 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010-05-08 14:20:10 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010-04-20 07:42:57 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009-10-18 21:57:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010-04-25 20:25:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\[email protected]
[2010-05-15 22:05:17 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009-08-24 21:19:13 | 000,002,767 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allegro-pl.xml
[2009-08-24 21:19:13 | 000,001,406 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fbc-pl.xml
[2009-08-24 21:19:13 | 000,000,917 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\merlin-pl.xml
[2009-08-24 21:19:13 | 000,000,858 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\pwn-pl.xml
[2009-08-24 21:19:13 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-pl.xml
[2009-08-24 21:19:13 | 000,001,683 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wp-pl.xml

O1 HOSTS File: ([2009-10-19 21:04:18 | 000,000,765 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost adserver.gadu-gadu.pl
O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll (GG Network S.A.)
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [D-Link AirPlus G DWL-G510] C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe (D-Link)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [ALLUpdate] C:\Program Files\ALLPlayer\ALLUpdate.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\wspolne\Menu Start\Programy\Autostart\Karen's Replicator.lnk = C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe (Karen Kenworthy)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1255879580890 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1257446468187 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 195.50.140.246 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {93994DE8-8239-4655-B1D1-5F4E91300429} - C:\Program Files\DVD Region+CSS Free\DVDShell.dll (Fengtao Software Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-10-18 15:30:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{aa7a376f-bc1b-11de-8596-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{aa7a376f-bc1b-11de-8596-806d6172696f}\Shell\AutoRun\command - "" = E:\.\Bin\ASSETUP.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009-10-18 23:18:19 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found


SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Primary disk - Driver Group
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: sermouse.sys - Driver
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vds - Service
SafeBootMin: vga.sys - Driver
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: ip6fw.sys - Driver
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Primary disk - Driver Group
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: sermouse.sys - Driver
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vga.sys - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices

ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
ActiveX: {10072CEC-8CC1-11D1-986E-00A0C955B42F} - Renderowanie grafiki wektorowej (VML)
ActiveX: {2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} - NetShow
ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 6.4
ActiveX: {283807B5-2C60-11D0-A31D-00AA00B92C03} - DirectAnimation
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {36f8ec70-c29a-11d1-b5c7-0000f8051515} - Powiązania danych dynamicznego HTML dla języka Java
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {3bf42070-b3b1-11d1-b5c5-0000f8051515} - Uniscribe
ActiveX: {4278c270-a269-11d1-b5bf-0000f8051515} - Autorstwo zaawansowane
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
ActiveX: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
ActiveX: {44BBA848-CC51-11CF-AAFA-00AA00B6015C} - DirectShow
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f216970-c90c-11d1-b5c7-0000f8051515} - Klasy Java DirectAnimation
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.8
ActiveX: {5056b317-8d4c-43ee-8543-b9d1e234b8f4} - Aktualizacja zabezpieczeń dla systemu Windows XP (KB923789)
ActiveX: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
ActiveX: {5A8D6EE0-3E18-11D0-821E-444553540000} - ICW
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7131646D-CD3C-40F4-97B9-CD9E4E6262EF} - .NET Framework
ActiveX: {73FA19D0-2D75-11D2-995D-00C04F98BBC9} - Foldery w sieci Web
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\WINDOWS\system32\ie4uinit.exe -BaseSettings
ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} - .NET Framework
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {CC2A9BA0-3BDD-11D0-821E-444553540000} - Harmonogram zadań
ActiveX: {CDD7975E-60F8-41d5-8149-19E51D6F71D0} - Windows Movie Maker v2.1
ActiveX: {D27CDB6E-AE6D-11cf-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: <{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} - C:\WINDOWS\system32\ieudinit.exe
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - C:\WINDOWS\inf\unregmp2.exe /ShowWMP
ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS - RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
ActiveX: >{881dd1c5-3dcf-431b-b061-f3f88e8be88a} - %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

Drivers32: msacm.enc - C:\WINDOWS\System32\ITIG726.acm (Ingenient Technologies, Inc.)
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (54338281256517632)

========== Files/Folders - Created Within 30 Days ==========

[2010-05-15 23:29:26 | 000,018,816 | ---- | C] (Sophos Plc) -- C:\WINDOWS\System32\SAVRKBootTasks.sys
[2010-05-15 23:10:10 | 000,000,000 | ---D | C] -- C:\antivir_rootkit
[2010-05-15 22:58:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010-05-15 15:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Dane aplikacji\Uniblue
[2010-05-15 15:38:04 | 000,000,000 | ---D | C] -- C:\Program Files\Uniblue
[2010-05-14 18:58:34 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010-05-14 18:58:34 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010-05-14 18:58:14 | 000,008,576 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i2omgmt.sys
[2010-05-14 18:57:43 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\changer.sys
[2010-05-14 18:57:43 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010-05-09 20:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Dane aplikacji\Google
[2010-05-09 20:05:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google
[2010-05-03 21:22:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Citrix
[2010-04-20 16:41:04 | 000,000,000 | ---D | C] -- C:\Program Files\AidemMedia
[2010-04-19 08:47:57 | 000,293,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\browserchoice.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-05-15 23:35:09 | 000,755,200 | ---- | M] () -- C:\WINDOWS\System32\drivers\inhjklf.sys
[2010-05-15 23:35:02 | 000,001,140 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003UA.job
[2010-05-15 23:05:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010-05-15 22:35:38 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-05-15 22:35:36 | 000,000,008 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{627EE941-C74F-49D6-864C-875D05DA1D4B}
[2010-05-15 22:35:20 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010-05-15 22:35:17 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-05-15 22:34:33 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-05-15 22:34:32 | 000,167,952 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2010-05-15 21:36:24 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Safari.lnk
[2010-05-15 16:12:17 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\wspolne\NTUSER.DAT
[2010-05-15 16:12:17 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\wspolne\ntuser.ini
[2010-05-15 15:38:06 | 000,000,749 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\RegistryBooster.lnk
[2010-05-14 20:04:40 | 000,002,645 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010-05-14 18:57:08 | 000,000,016 | ---- | M] () -- C:\Documents and Settings\wspolne\Dane aplikacji\qvjsge.dat
[2010-05-13 17:09:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010-05-13 06:35:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003Core1cab63f4ae2f264.job
[2010-04-29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-04-29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-04-29 03:36:29 | 000,002,318 | ---- | M] () -- C:\Documents and Settings\wspolne\Pulpit\Google Chrome.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-05-15 15:38:06 | 000,000,749 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\RegistryBooster.lnk
[2010-05-14 20:08:22 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\drivers\inhjklf.sys
[2010-05-14 18:56:59 | 000,000,016 | ---- | C] () -- C:\Documents and Settings\wspolne\Dane aplikacji\qvjsge.dat
[2010-05-09 20:00:18 | 000,000,888 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010-05-09 20:00:17 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2009-10-28 22:49:36 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009-10-28 22:46:35 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\evrprop.dll
[2009-10-28 22:46:32 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\libFLAC.dll
[2009-10-28 22:46:22 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2009-10-28 22:46:22 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2009-10-21 22:06:46 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2009-10-19 20:45:12 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\wlanapp.dll
[2009-10-19 20:45:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009-10-19 20:10:47 | 000,014,938 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009-10-19 20:10:32 | 000,000,268 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009-10-19 19:58:30 | 000,000,556 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009-10-18 22:45:28 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-10-18 21:46:37 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI
[2009-10-18 21:18:08 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2009-10-18 21:17:02 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-10-18 21:17:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009-10-18 16:12:41 | 000,001,701 | ---- | C] () -- C:\WINDOWS\ATICIM.INI
[2009-10-18 15:44:20 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2009-10-18 15:44:01 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009-10-18 15:43:52 | 000,030,988 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009-10-18 15:43:52 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008-07-29 21:10:04 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\evr.dll
[2008-07-29 21:10:04 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\dxva2.dll
[1999-01-27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997-06-13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1996-04-03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2007-08-02 14:00:00 | 018,789,127 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009-10-18 20:19:17 | 023,908,281 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009-10-18 20:19:17 | 023,908,281 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008-04-13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008-04-13 20:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys

< MD5 for: ATAPI.SYS >
[2007-08-02 14:00:00 | 018,789,127 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009-10-18 20:19:17 | 023,908,281 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009-10-18 20:19:17 | 023,908,281 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008-04-13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 20:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004-08-03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2007-08-02 14:00:00 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys
[2004-08-03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2007-08-02 14:00:00 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=05684DE2DA55A04C8AAAB5911AFE7643 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll
[2008-04-14 19:20:31 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=35FCCFD093582FA9098762E6F84EE119 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008-04-14 19:20:31 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=35FCCFD093582FA9098762E6F84EE119 -- C:\WINDOWS\system32\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2007-08-02 14:00:00 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=8BE1BEBB1447EFFAF5F2135DC098431E -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll
[2008-04-14 19:20:40 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=9858AD0A3FCD83C3B100EDD5852DE540 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008-04-14 19:20:40 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=9858AD0A3FCD83C3B100EDD5852DE540 -- C:\WINDOWS\system32\netlogon.dll

< MD5 for: SCECLI.DLL >
[2007-08-02 14:00:00 | 000,185,344 | ---- | M] (Microsoft Corporation) MD5=3609496AE18FF399920C494270C526F9 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008-04-14 19:20:45 | 000,186,368 | ---- | M] (Microsoft Corporation) MD5=3F74B6B4E2721272A117D25990141F73 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008-04-14 19:20:45 | 000,186,368 | ---- | M] (Microsoft Corporation) MD5=3F74B6B4E2721272A117D25990141F73 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009-04-29 04:18:06 | 000,442,368 | R--- | M] (Advanced Micro Devices, Inc.) Unable to obtain MD5 -- C:\WINDOWS\system32\ATIDEMGX.dll
[1 C:\WINDOWS\system32\*.tmp files -> C:\WINDOWS\system32\*.tmp -> ]

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010-05-15 23:37:20 | 000,755,200 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\inhjklf.sys
[1 C:\WINDOWS\system32\drivers\*.tmp files -> C:\WINDOWS\system32\drivers\*.tmp -> ]

< %systemroot%\System32\config\*.sav >
[2009-10-18 23:23:13 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009-10-18 23:23:13 | 000,663,552 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009-10-18 23:23:12 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >

Extras.Txt
OTL Extras logfile created on: 2010-05-15 23:32:17 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\wspolne\Moje dokumenty\Downloads
Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

3,00 Gb Total Physical Memory | 2,00 Gb Available Physical Memory | 76,00% Memory free
5,00 Gb Paging File | 4,00 Gb Available in Paging File | 84,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465,75 Gb Total Space | 393,87 Gb Free Space | 84,57% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 372,61 Gb Total Space | 120,39 Gb Free Space | 32,31% Space Free | Partition Type: NTFS
Drive G: | 7,52 Gb Total Space | 3,22 Gb Free Space | 42,85% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DZIDKI
Current User Name: wspolne
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{01F20556-47EA-501F-3C42-6466E8EFBD18}" = Catalyst Control Center HydraVision Full
"{0289B35E-DC07-4c7a-9710-BBD686EA4B7D}" = Status
"{03528A01-7E5E-4C5F-94DF-1D8012E969EF}" = Nokia Map Loader
"{0446DCC4-1C4B-1FDB-EE6A-CC85EC03B6D4}" = Catalyst Control Center Core Implementation
"{05373199-CBD8-6F0E-A4CE-6818C52F71F9}" = Catalyst Control Center Graphics Full New
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0C973594-7DDF-4BD0-84ED-3517F7622037}" = PC Connectivity Solution
"{0EABFEF6-6D10-4C12-8667-3029C481D355}" = Nokia Photos
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{10BCCCA6-0FDD-600C-D99B-D756CEDF58E2}" = CCC Help Greek
"{18669FF9-C8FE-407a-9F70-E674896B1DB4}" = GPBaseService
"{1B3D048E-17E3-04CB-4D9F-1029B96E0CCB}" = CCC Help Czech
"{1EA9AF24-7723-4C8C-88F0-6E8FDF731886}" = Domisie - Kolorowy Świat
"{209DF55F-5E5C-48A3-BC3D-A7CB1224458C}" = HP Print Diagnostic Utility
"{20D4A895-748C-4D88-871C-FDB1695B0169}" = Platform
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{2661DD63-57EF-7FDB-7D12-876FE6A3B0AA}" = CCC Help Turkish
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 19
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2D5E0A99-B781-CE3A-D2F7-9F223A355550}" = CCC Help Norwegian
"{2F14B9B4-C61B-2F39-B5F5-599B847BFE9F}" = CCC Help Swedish
"{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.® AR8121/AR8113/AR8114 Gigabit/Fast Ethernet Driver
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{350C9415-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3700194C-C5DD-439A-BE06-A66960CA4C70}" = MSVCSetup
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMicron JMB36X Driver
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HYDRAVISION
"{42B74521-4706-412A-9A27-AED12B83E886}" = Nokia Ovi Application Installer
"{48B5DAA4-D63A-A560-B3B9-B5B12CF759DF}" = Catalyst Control Center Graphics Previews Common
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4C590030-7469-453E-8589-D15DA9D03F52}" = ANIWZCS2 Service
"{52D02A2B-03D2-4E34-A358-DC5D951FD296}" = Nokia Connectivity Cable Driver
"{53714632-5AAD-0E8B-DD71-72BB8FA1AA20}" = CCC Help Polish
"{5412EFB0-65B8-94AC-1942-891095222840}" = CCC Help Spanish
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5DA6F06A-B389-407B-BF8C-1548767914D8}" = ATI Problem Report Wizard
"{63D3148E-8ECF-A665-AEE7-A35E59105F28}" = Catalyst Control Center Localization All
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{6442DEDF-AC2F-4CBA-85DE-42E459C5006C}" = Nokia Ovi Content Copier
"{64768886-46ED-8542-D895-CC6FB0D3C790}" = Catalyst Control Center Graphics Full Existing
"{6580EC1E-3DA8-9ED7-4D7B-63C6B9DE6B21}" = CCC Help Thai
"{65BD4E29-4D47-0485-18EE-35252113818B}" = CCC Help Korean
"{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6B4862E4-DBA5-B7CB-CA97-92F6D5F51B43}" = CCC Help Japanese
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{721D85B3-DABD-B560-C1FB-E2869BFF9692}" = ccc-core-static
"{7988ba74-4a27-4685-991a-53f072f22808}" = F2200_Help
"{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}" = ANIO Service
"{7CE8384C-F522-6E9E-2F41-FE78687B9AE7}" = CCC Help Chinese Standard
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{818ABC3C-635C-4651-8183-D0E9640B7DD1}" = HP Update
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
"{8B128562-681D-4FFA-BEBF-A825985B2CB9}" = AirPlus G DWL-G510
"{8B3F9FA4-F44B-6E12-AF77-54104504F857}" = CCC Help Italian
"{8BC53B23-81B9-8F7E-8B51-FF95DAEBD2D4}" = ccc-utility
"{90110415-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90280415-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional z programem FrontPage
"{961034C0-58DF-11DF-97FD-005056806466}" = Google Earth Plug-in
"{980A6789-F5BD-5919-54A2-41B846361A3A}" = ccc-core-preinstall
"{9829B8D6-69C6-6DA8-AADE-3950042EDACE}" = CCC Help Chinese Traditional
"{99F5C5F4-A6B2-5C8C-2469-19C5B3A46AED}" = CCC Help Danish
"{9BA23EC5-B474-E4E6-87D0-CE62118B720A}" = CCC Help German
"{9C2D4047-0E40-499a-AC7A-C4B9BB12FE03}" = TrayApp
"{9F59C3AE-81B0-4EF6-9762-D674BB079705}" = Nokia Software Updater
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3B7DDB1-4A0F-A1D1-F5AE-CAE0E8779320}" = CCC Help Hungarian
"{A3B7DFAF-3537-043C-903D-2DB8B07087B2}" = Catalyst Control Center Graphics Light
"{A488D63E-B3DD-4423-892F-2F2EC8909518}" = Logitech QuickCam
"{A67BB21E-D419-45BB-AB86-7D87D14BBCE2}" = Safari
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B34591F0-64E7-0015-58B6-77D9EBF6CFE4}" = CCC Help French
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{c6922d7f-c698-4d9e-9671-8b3de04d1511}" = DJ_AIO_03_F2200_Software_Min
"{CCB4E948-9B47-04BD-43AF-6B1847C9F936}" = CCC Help Russian
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D0127EC7-E022-3C4D-FE52-73AEBBF52D5B}" = CCC Help English
"{D3B1C799-CB73-42DE-BA0F-2344793A095C}" = Catalyst Control Center - Branding
"{D4C59A40-378A-4546-9ADE-984EB6FA72D3}" = KiSS PC-Link
"{D77D43B5-ED55-426b-B67B-E21F804F6102}" = HP Deskjet F2200 All-In-One Driver Software 10.0 Rel .3
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{db18dc72-cd20-4801-be82-f5d2caeec4d7}" = DJ_AIO_03_F2200_Software
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E3FED8DD-4690-4E7D-BC23-6C6494CC0443}" = Nokia Ovi Suite
"{E63E34A7-E552-412B-9E40-FD6FC5227ABA}_is1" = Uniblue RegistryBooster
"{e97a9fd7-2fa1-4474-820d-3f8893a5b78a}" = F2200
"{eca3039b-e429-420f-bd5e-7dec0683fc32}" = DJ_AIO_03_F2200_ProductContext
"{EE64D2D7-04E4-6F9B-5437-4CDFE5D93F9A}" = CCC Help Dutch
"{EF1ADA5A-0B1A-4662-8C55-7475A61D8B65}" = DeviceDiscovery
"{F1AF6CBE-B7B8-9F62-6BE7-48C4FE6EEEDD}" = CCC Help Portuguese
"{F42CD69D-E393-47c8-B2CD-B139C4ADA9A8}" = Copy
"{F9EA1C47-64A6-45E4-9A80-8CC1575B971D}" = Nokia Ovi System Utilities
"{FA237125-51FF-408C-8BB8-30C2B3DFFF9C}" = Windows Resource Kit Tools
"{FC8FCC14-23B7-CC7D-9C12-7F9111787E21}" = CCC Help Finnish
"504244733D18C8F63FF584AEB290E3904E791693" = Pakiet sterowników systemu Windows - Nokia pccsmcfd (08/22/2008 7.0.0.0)
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"All ATI Software" = Narzędzie Software Uninstall Utility firmy ATI
"ALLPlayer V2.1" = ALLPlayer V2.1
"ALLPlayer_is1" = ALLPlayer V4.X
"ATI Display Driver" = ATI Display Driver
"avast!" = avast! Antivirus
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"DVD Region+CSS Free_is1" = DVD Region+CSS Free 5.9.1.0
"Exact Audio Copy_is1" = Exact Audio Copy v0.9 beta 4
"ffdshow_is1" = ffdshow [rev 2527] [2008-12-19]
"FreePDF_XP" = FreePDF (Remove only)
"Gadu-Gadu" = Gadu-Gadu 7.0
"GPL Ghostscript 8.70" = GPL Ghostscript 8.70
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"ie8" = Windows Internet Explorer 8
"InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169}" = VIA Platforma Menedżera urządzeń
"IrfanView" = IrfanView (remove only)
"Karen's Replicator" = Karen's Replicator
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NapiProjekt_is1" = NapiProjekt 1.0.6.5
"NAVIGON Fresh" = NAVIGON Fresh 2.0.2
"Nokia Ovi Application Installer" = Nokia Ovi Application Installer 6.85.3011
"Nokia Ovi Content Copier" = Nokia Ovi Content Copier 6.85.3011
"Nokia Ovi System Utilities" = Nokia Ovi System Utilities 6.85.3018
"Nowe Gadu-Gadu" = Nowe Gadu-Gadu
"Picasa 3" = Picasa 3
"QcDrv" = Camera Driver
"RealAlt_is1" = Real Alternative 2.0.1 Lite
"Redirection Port Monitor" = RedMon - Redirection Port Monitor
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"uTorrent" = µTorrent
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = Archiwizator WinRAR
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 2010-04-28 16:13:25 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir26976\TEMP_INSTALL\jquery-ui\js\jquery-ui-1.8rc1.custom.min.js
failed, 00000005.

Error - 2010-04-28 16:13:25 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir26976\TEMP_INSTALL\manifest.json
failed, 00000005.

Error - 2010-04-28 16:13:25 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir26976\TEMP_INSTALL\options.html
failed, 00000005.

Error - 2010-04-28 16:13:25 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir26976\TEMP_INSTALL\popup.html
failed, 00000005.

Error - 2010-05-05 02:03:11 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir400\TEMP_INSTALL\background.html
failed, 00000005.

Error - 2010-05-05 02:03:11 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir400\TEMP_INSTALL\fbphotozoom.css
failed, 00000005.

Error - 2010-05-05 02:03:11 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir400\TEMP_INSTALL\fbphotozoom.js
failed, 00000005.

Error - 2010-05-05 02:03:12 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Temp\scoped_dir400\TEMP_INSTALL\manifest.json
failed, 00000005.

Error - 2010-05-15 17:33:15 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User
Data\Default\databases\chrome-extension_ajpgkpeckebdhofmmjfgcjjiiejpodla_0\1-journal
failed, 00000005.

Error - 2010-05-15 17:33:16 | Computer Name = DZIDKI | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User
Data\Default\databases\chrome-extension_ajpgkpeckebdhofmmjfgcjjiiejpodla_0\1-journal
failed, 00000005.

[ Application Events ]
Error - 2010-03-11 18:11:02 | Computer Name = DZIDKI | Source = Application Hang | ID = 1002
Description = Aplikacja zawieszająca chrome.exe, wersja 0.0.0.0, moduł zawieszenia
hungapp, wersja 0.0.0.0, adres zawieszenia 0x00000000.

Error - 2010-03-11 23:24:00 | Computer Name = DZIDKI | Source = Application Error | ID = 1000
Description = Aplikacja powodująca błąd chrome.exe, wersja 0.0.0.0, moduł powodujący
błąd npswf32.dll, wersja 10.0.45.2, adres błędu 0x001f6df1.

Error - 2010-03-12 16:26:35 | Computer Name = DZIDKI | Source = Application Hang | ID = 1002
Description = Aplikacja zawieszająca ALLPlayer.exe, wersja 3.7.6.5, moduł zawieszenia
hungapp, wersja 0.0.0.0, adres zawieszenia 0x00000000.

Error - 2010-03-15 05:36:54 | Computer Name = DZIDKI | Source = Microsoft Office 10 | ID = 1000
Description = Faulting application winword.exe, version 10.0.2627.0, faulting module
user32.dll, version 5.1.2600.5512, fault address 0x00018ea0.

Error - 2010-04-20 11:33:24 | Computer Name = DZIDKI | Source = Application Error | ID = 1000
Description = Aplikacja powodująca błąd AidemMediaSplash.exe, wersja 0.0.0.0, moduł
powodujący błąd AidemMediaSplash.exe, wersja 0.0.0.0, adres błędu 0x000d8790.

Error - 2010-05-14 14:25:11 | Computer Name = DZIDKI | Source = PerfNet | ID = 2005
Description = Nie można odczytać danych wydajności z usługi Server. W tej próbce
nie zostaną zwrócone dane wydajności usługi Server. Zwrócony kod stanu to dane DWORD
0, IOSB.Status to dane DWORD 1 a IOSB.Information to dane DWORD 2.

Error - 2010-05-14 14:25:11 | Computer Name = DZIDKI | Source = PerfNet | ID = 2006
Description = Nie można odczytać danych wydajności z usługi Server Queue. W tej próbce
nie zostaną zwrócone dane wydajności usługi Server Queue. Zwrócony kod stanu to
dane DWORD 0, IOSB.Status to dane DWORD 1 a IOSB.Information to dane DWORD 2.

Error - 2010-05-15 04:46:00 | Computer Name = DZIDKI | Source = PerfNet | ID = 2005
Description = Nie można odczytać danych wydajności z usługi Server. W tej próbce
nie zostaną zwrócone dane wydajności usługi Server. Zwrócony kod stanu to dane DWORD
0, IOSB.Status to dane DWORD 1 a IOSB.Information to dane DWORD 2.

Error - 2010-05-15 04:46:00 | Computer Name = DZIDKI | Source = PerfNet | ID = 2006
Description = Nie można odczytać danych wydajności z usługi Server Queue. W tej próbce
nie zostaną zwrócone dane wydajności usługi Server Queue. Zwrócony kod stanu to
dane DWORD 0, IOSB.Status to dane DWORD 1 a IOSB.Information to dane DWORD 2.

Error - 2010-05-15 16:35:30 | Computer Name = DZIDKI | Source = PerfNet | ID = 2004
Description = Nie można otworzyć usługi Server. Dane wydajności usługi Server nie
zostaną zwrócone. Zwrócony kod stanu to dane DWORD 0.

[ System Events ]
Error - 2010-05-15 15:23:31 | Computer Name = DZIDKI | Source = DCOM | ID = 10005
Description = Model DCOM odebrał błąd „%1058” podczas próby uruchomienia usługi
hpqddsvc z argumentami „” w celu uruchomienia serwera: {2C82180E-8C3C-4A1B-BEB1-B9140713E701}

Error - 2010-05-15 15:34:24 | Computer Name = DZIDKI | Source = DCOM | ID = 10005
Description = Model DCOM odebrał błąd „%1058” podczas próby uruchomienia usługi
hpqddsvc z argumentami „” w celu uruchomienia serwera: {2C82180E-8C3C-4A1B-BEB1-B9140713E701}

Error - 2010-05-15 15:40:37 | Computer Name = DZIDKI | Source = DCOM | ID = 10005
Description = Model DCOM odebrał błąd „%1058” podczas próby uruchomienia usługi
hpqddsvc z argumentami „” w celu uruchomienia serwera: {2C82180E-8C3C-4A1B-BEB1-B9140713E701}

Error - 2010-05-15 16:35:50 | Computer Name = DZIDKI | Source = DCOM | ID = 10005
Description = Model DCOM odebrał błąd „%1058” podczas próby uruchomienia usługi
hpqddsvc z argumentami „” w celu uruchomienia serwera: {2C82180E-8C3C-4A1B-BEB1-B9140713E701}

Error - 2010-05-15 17:10:25 | Computer Name = DZIDKI | Source = SideBySide | ID = 16842784
Description = Nie można odnaleźć zestawu zależnego Microsoft.VC90.CRT; ostatni błąd:
Odnośny zestaw nie jest zainstalowany w tym systemie.

Error - 2010-05-15 17:10:25 | Computer Name = DZIDKI | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly nie powiodło się dla Microsoft.VC90.CRT. Odpowiedni
komunikat o błędzie: Odnośny zestaw nie jest zainstalowany w tym systemie. .

Error - 2010-05-15 17:10:25 | Computer Name = DZIDKI | Source = SideBySide | ID = 16842811
Description = Generate Activation Context nie powiodło się dla C:\antivir_rootkit\avirarkd.exe.
Odpowiedni
komunikat o błędzie: Operacja ukończona pomyślnie. .

Error - 2010-05-15 17:10:31 | Computer Name = DZIDKI | Source = SideBySide | ID = 16842784
Description = Nie można odnaleźć zestawu zależnego Microsoft.VC90.CRT; ostatni błąd:
Odnośny zestaw nie jest zainstalowany w tym systemie.

Error - 2010-05-15 17:10:31 | Computer Name = DZIDKI | Source = SideBySide | ID = 16842811
Description = Resolve Partial Assembly nie powiodło się dla Microsoft.VC90.CRT. Odpowiedni
komunikat o błędzie: Odnośny zestaw nie jest zainstalowany w tym systemie. .

Error - 2010-05-15 17:10:31 | Computer Name = DZIDKI | Source = SideBySide | ID = 16842811
Description = Generate Activation Context nie powiodło się dla C:\antivir_rootkit\avirarkd.exe.
Odpowiedni
komunikat o błędzie: Operacja ukończona pomyślnie. .


< End of report >

gmer.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-16 12:28:43
Windows 5.1.2600 Dodatek Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\wspolne\USTAWI~1\Temp\uxtdapob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xACB636B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xACB63574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xACB63A52] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xACB6314C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xACB6364E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xACB6308C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xACB630F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xACB6376E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xACB6372E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xACB638AE] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A4D6F48

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] inhjklf <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\inhjklf@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\inhjklf@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\inhjklf@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\inhjklf@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----
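A way to triage a GMER log like the one above, added here as an example; it is not part of the original post and not GMER's own code. Two things in the log are worth separating. GMER tags every one of the aswSP.SYS SSDT hooks "<-- ROOTKIT !!!" even though the line itself names the module as the avast! self-protection driver, so the tag marks a hook, not a verdict. The real finding is the service inhjklf, which GMER only found in the registry (it is absent from the service list it enumerated), with Type 1 (kernel driver), Start 0 (boot start) and Group "Boot Bus Extender", meaning it loads before the file-system filter and antivirus drivers in both control sets. The script parses the SSDT, hidden-service and Reg lines, attributes hooks to their module and decodes the service values. The sample log is copied from the post; the allowlist KNOWN_SECURITY_DRIVERS and the function names are my assumptions, and the allowlist must be extended for whatever products are installed on the host being examined.

```python
"""Triage a GMER log: attribute SSDT hooks to their module and decode the
registry values of services that GMER reports as hidden."""
import json
import re
from collections import defaultdict

# Lines taken from the GMER log posted above (not constructed).
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xACB63574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xACB6308C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xACB638AE] <-- ROOTKIT !!!
Service (*** hidden *** ) [BOOT] inhjklf <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\inhjklf@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\inhjklf@Start 0
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+\((.*?)\)\s+(\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(\w+)\\Services\\([^@\\\s]+)@(\w+)\s*(.*)$")

# Assumption: drivers of security products known to hook the SSDT legitimately.
# Extend this for whatever products are installed on the host being examined.
KNOWN_SECURITY_DRIVERS = {"aswsp.sys"}  # avast! self-protection module

SERVICE_TYPE = {1: "kernel driver", 2: "file system driver", 16: "own process", 32: "shared process"}
START_TYPE = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def parse_gmer(text):
    """Return (hooks by module basename, hidden services, service registry values)."""
    hooks = defaultdict(list)      # "aswsp.sys" -> [(function, address, vendor text)]
    hidden = {}                    # service name -> load phase GMER printed ("BOOT")
    services = defaultdict(dict)   # service name -> {value name: data}, control sets merged
    for line in text.splitlines():
        if m := SSDT_RE.match(line):
            path, vendor, func, addr = m.groups()
            hooks[path.rsplit("\\", 1)[-1].lower()].append((func, addr, vendor))
        elif m := HIDDEN_SVC_RE.match(line):
            phase, name = m.groups()
            hidden[name] = phase
        elif m := REG_RE.match(line):
            _control_set, name, value, data = m.groups()
            services[name][value] = data
    return hooks, hidden, services


def describe_service(values):
    """Decode the raw Type/Start/Group values of a service key."""
    stype = int(values.get("Type", -1))
    start = int(values.get("Start", -1))
    return {
        "type": SERVICE_TYPE.get(stype, f"unknown ({stype})"),
        "start": START_TYPE.get(start, f"unknown ({start})"),
        "group": values.get("Group", ""),
        "image_path": values.get("ImagePath", ""),  # empty: GMER printed no ImagePath
    }


def triage(text):
    hooks, hidden, services = parse_gmer(text)
    # Hooks by a module that is not a known security driver deserve a closer look.
    suspicious_hooks = {mod: h for mod, h in hooks.items() if mod not in KNOWN_SECURITY_DRIVERS}
    findings = []
    for name, phase in hidden.items():
        info = describe_service(services.get(name, {}))
        # A boot-start kernel driver loads before file-system filters and AV drivers,
        # so everything that starts later, the antivirus included, runs on top of it.
        loads_before_av = info["type"] == "kernel driver" and info["start"] == "boot"
        findings.append({"service": name, "phase": phase, "loads_before_av": loads_before_av, **info})
    return {
        "hook_count_by_module": {mod: len(h) for mod, h in hooks.items()},
        "suspicious_hooks": suspicious_hooks,
        "hidden_services": findings,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against the log, the hooks all resolve to the allowlisted avast! driver and the only finding is the hidden boot-start kernel driver inhjklf with no ImagePath reported, which is what the next posts go on to remove.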



#2 hammerman
Hello dzid and welcome to GeeksToGo :)
I'm hammerman and I'm going to help you fix your problem.

Before we begin, here are some guidelines which will help us both in fixing your problem.
  • Malware removal is not instantaneous and will take a number of steps to complete. Please continue to carry out the steps requested until I let you know that your computer appears clean.
  • Please do not attach logs or post them in Quote/Code boxes unless requested.
  • I suggest you print or save any instructions I give you for easy reference. We may be using Safe mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop. If you need any help with this or further clarification, please let me know.
  • When posting logs, please ensure Word Wrap is turned off in Notepad. Open Notepad, select Format on the menu bar and make sure that Word Wrap is unchecked.
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • If in doubt about anything, please ask.
I'm looking through your logs and will reply shortly.

#3 hammerman
Hi,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

    [screenshot]
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#4 dzid (Topic Starter)
Executing... I know ComboFix and I hope it will not disable many things like it did last time I used it.
I have a laptop so I can stay on-line.

#5 dzid (Topic Starter)
COMBOFIX.TXT:

ComboFix 10-05-15.03 - wspolne 2010-05-16 13:59:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3327.2886 [GMT 2:00]
Run from: c:\documents and settings\wspolne\Pulpit\Combo-Fix.exe
AV: avast! antivirus 4.8.1368 [VPS 100516-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\AbaleZip.dll

.
((((((((((((((((((((((((( Files created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-15 21:38 . 2010-05-15 21:38 -------- d-----w- C:\_OTL
2010-05-15 21:29 . 2009-06-18 10:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-15 21:10 . 2010-05-15 21:10 -------- d-----w- C:\antivir_rootkit
2010-05-15 20:58 . 2010-05-15 20:58 -------- d-----w- c:\program files\Sophos
2010-05-15 13:38 . 2010-05-15 13:38 -------- d-----w- c:\documents and settings\wspolne\Dane aplikacji\Uniblue
2010-05-15 13:38 . 2010-05-15 13:38 -------- d-----w- c:\program files\Uniblue
2010-05-14 16:58 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-14 16:58 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-14 16:58 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-05-14 16:58 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-14 16:57 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-14 16:57 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-09 18:05 . 2010-05-09 18:05 -------- d-----w- c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google
2010-05-03 19:22 . 2010-05-03 19:22 -------- d-----w- c:\documents and settings\wspolne\Citrix
2010-04-20 14:41 . 2010-04-20 14:41 -------- d-----w- c:\program files\AidemMedia
2010-04-19 06:47 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 13:35 . 2009-10-18 19:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-14 17:39 . 2009-10-18 21:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 16:57 . 2010-05-14 16:56 16 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\qvjsge.dat
2010-05-09 18:01 . 2009-10-18 20:17 -------- d-----w- c:\program files\Google
2010-04-29 13:39 . 2009-10-18 21:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-10-18 21:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:48 . 2009-10-18 20:45 -------- d-----w- c:\program files\ALLPlayer
2010-04-15 16:33 . 2010-04-15 16:32 -------- d-----w- c:\program files\QuickTime
2010-03-30 20:18 . 2010-03-30 20:18 503808 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-41e0aa8d-n\msvcp71.dll
2010-03-30 20:18 . 2010-03-30 20:18 499712 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-41e0aa8d-n\jmc.dll
2010-03-30 20:18 . 2010-03-30 20:18 348160 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-41e0aa8d-n\msvcr71.dll
2010-03-30 20:18 . 2010-03-30 20:18 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 20:18 . 2010-03-30 20:18 61440 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ab850b6-n\decora-sse.dll
2010-03-30 20:18 . 2010-03-30 20:18 12800 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ab850b6-n\decora-d3d.dll
2010-03-30 20:18 . 2009-11-07 17:04 -------- d-----w- c:\program files\Java
2010-03-30 20:18 . 2007-08-02 12:00 83880 ----a-w- c:\windows\system32\perfc015.dat
2010-03-30 20:18 . 2007-08-02 12:00 490628 ----a-w- c:\windows\system32\perfh015.dat
2010-03-26 07:11 . 2009-10-21 06:33 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\NOS
2010-03-26 07:10 . 2009-10-27 20:37 -------- d-----w- c:\program files\uTorrent
2010-03-25 06:53 . 2009-10-27 20:36 -------- d-----w- c:\documents and settings\wspolne\Dane aplikacji\uTorrent
2010-03-18 20:14 . 2009-10-18 20:40 -------- d-----w- c:\program files\Safari
2010-03-18 20:03 . 2010-03-18 20:03 79144 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-13 20:15 . 2010-03-13 20:15 1956656 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-03-10 06:17 . 2007-08-02 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:28 . 2009-11-07 17:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:19 . 2007-08-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-08-02 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 19:09 . 2007-08-02 12:00 2147840 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:09 . 2004-08-04 00:39 2025984 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2010-03-23 1432064]
"Google Update"="c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" [2010-02-10 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-04-06 33603584]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-03-09 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-03-09 1970176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2009-09-05 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-12-16 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-12-16 77824]
"D-Link AirPlus G DWL-G510"="c:\program files\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2008-10-20 1556480]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\wspolne\Menu Start\Programy\Autostart\
Karen's Replicator.lnk - c:\program files\Karen's Power Tools\Replicator\PTReplicator.exe [2008-11-19 1185264]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-18 114768]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-15 18816]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-18 20560]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-10-18 1086208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]
S4 inhjklf;inhjklf; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 05:30]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 05:30]

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003Core1cab63f4ae2f264.job
- c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2010-02-10 19:25]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003UA.job
- c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2010-02-10 19:25]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://wyborcza.pl/0,0.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://wiadomosci.gazeta.pl/Wiadomosci/0,0.html
FF - component: c:\documents and settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF - plugin: c:\documents and settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\nppl3260.dll
FF - plugin: c:\documents and settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\nprpjplug.dll
FF - plugin: c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX - POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 14:02
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\75.tmp"
.
--------------------- DLLs loaded under running processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-16 14:04:10
ComboFix-quarantined-files.txt 2010-05-16 12:04

Before: 422 661 738 496 bytes free
After: 424 055 205 888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 533546A5D1CC1705E09D392E208F91A2
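The service lines of the ComboFix log above (the R1/R2/S2/S3/S4 block) end with a file-status marker after the image path: a date and size when ComboFix found the file, [?] when no file information was available, and [x] when the file was not found at all. Here inhjklf shows [x] with no path at all, and MEMSWEEP2 points at a .tmp file in system32. Note also that ComboFix prints inhjklf as S4 while GMER read Start 0 for the same key from both control sets, so the two tools do not agree about that service. As an added example, not part of the original post and not ComboFix's own code, the script below parses those lines and flags services whose image is missing or lives in a temporary location. The sample lines are copied from the log above; the function names and the looks_transient() heuristic are my assumptions, and a flag is a prompt to check provenance rather than a verdict (the log shows Sophos anti-rootkit tooling installed the day before, and scanners of that kind do load temporary drivers of their own).

```python
"""Parse the service lines of a ComboFix log and flag services whose image file
was not found or lives in a temporary location."""
import re

# Lines taken from the ComboFix log posted above (not constructed).
SAMPLE_SERVICES = r"""
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-18 114768]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-15 18816]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]
S4 inhjklf;inhjklf; [x]
"""

# "<R|S><start type> <name>;<display name>;<image path> [<file info>]"
SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")
FILE_INFO_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+(\d+)$")
START_TYPE = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def parse_service_line(line):
    """Return a dict for one R*/S* service line, or None for anything else."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, start, name, display, path, info = m.groups()
    # ComboFix prints "<NT path> --> <Win32 path>" when it resolved a \??\ path.
    if " --> " in path:
        path = path.split(" --> ", 1)[1]
    if info == "x":                            # file not found
        status, date, size = "missing", None, None
    elif info == "?":                          # no file information available
        status, date, size = "unknown", None, None
    elif (f := FILE_INFO_RE.match(info)):      # "<date> <size>": file present
        status, date, size = "present", f.group(1), int(f.group(2))
    else:
        status, date, size = "unparsed", None, None
    return {"name": name, "display": display, "running": state == "R",
            "start": START_TYPE.get(int(start), f"unknown ({start})"),
            "path": path, "status": status, "date": date, "size": size}


def looks_transient(path):
    """Assumed heuristic: legitimate drivers rarely run from .tmp files or temp folders."""
    p = path.lower()
    return p.endswith(".tmp") or "\\temp\\" in p


def review(text):
    """Parse every service line; return (all services, {name: reasons to look closer})."""
    parsed = [s for s in (parse_service_line(line) for line in text.splitlines()) if s]
    flagged = {}
    for s in parsed:
        reasons = []
        if s["status"] == "missing":
            reasons.append("image file not found (orphaned key, or file hidden from the scanner)")
        if looks_transient(s["path"]):
            reasons.append("image in a temporary location")
        if reasons:
            flagged[s["name"]] = reasons
    return parsed, flagged


if __name__ == "__main__":
    _, flagged = review(SAMPLE_SERVICES)
    for name, reasons in flagged.items():
        print(f"{name}: {'; '.join(reasons)}")
```

On these lines the script flags exactly MEMSWEEP2 (temporary image) and inhjklf (missing image); the avast!, Sophos and Google services parse as present with their dates and sizes and are not flagged.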

#6 hammerman
Hi,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
c:\documents and settings\wspolne\Dane aplikacji\qvjsge.dat
C:\WINDOWS\System32\drivers\inhjklf.sys

Folder::

Registry::

Driver::
inhjklf


Save this as CFScript.txt, in the same location as ComboFix.exe


[screenshot]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#7 dzid (Topic Starter)
ComboFix 10-05-16.01 - wspolne 2010-05-16 19:52:38.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1045.18.3327.2891 [GMT 2:00]
Run from: c:\documents and settings\wspolne\Pulpit\Combo-Fix.exe
Commands used :: c:\documents and settings\wspolne\Pulpit\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100516-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\wspolne\Dane aplikacji\qvjsge.dat"
"c:\windows\System32\drivers\inhjklf.sys"
.

((((((((((((((((((((((((((((((((((((((( Deleted )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\wspolne\Dane aplikacji\qvjsge.dat
c:\windows\system32\AbaleZip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_INHJKLF
-------\Service_inhjklf


((((((((((((((((((((((((( Files created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-15 21:38 . 2010-05-15 21:38 -------- d-----w- C:\_OTL
2010-05-15 21:29 . 2009-06-18 10:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-15 21:10 . 2010-05-15 21:10 -------- d-----w- C:\antivir_rootkit
2010-05-15 20:58 . 2010-05-15 20:58 -------- d-----w- c:\program files\Sophos
2010-05-15 13:38 . 2010-05-15 13:38 -------- d-----w- c:\documents and settings\wspolne\Dane aplikacji\Uniblue
2010-05-14 16:58 . 2008-04-13 18:40 34688 -c--a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-14 16:58 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-14 16:58 . 2008-04-13 18:41 8576 -c--a-w- c:\windows\system32\dllcache\i2omgmt.sys
2010-05-14 16:58 . 2008-04-13 18:41 8576 ----a-w- c:\windows\system32\drivers\i2omgmt.sys
2010-05-14 16:57 . 2008-04-13 18:40 8192 -c--a-w- c:\windows\system32\dllcache\changer.sys
2010-05-14 16:57 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-09 18:05 . 2010-05-09 18:05 -------- d-----w- c:\documents and settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google
2010-05-03 19:22 . 2010-05-03 19:22 -------- d-----w- c:\documents and settings\wspolne\Citrix
2010-04-20 14:41 . 2010-04-20 14:41 -------- d-----w- c:\program files\AidemMedia
2010-04-19 06:47 . 2010-02-12 10:03 293376 ------w- c:\windows\system32\browserchoice.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M section ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-15 13:35 . 2009-10-18 19:07 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-14 17:39 . 2009-10-18 21:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-09 18:01 . 2009-10-18 20:17 -------- d-----w- c:\program files\Google
2010-04-29 13:39 . 2009-10-18 21:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 13:39 . 2009-10-18 21:37 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-20 05:48 . 2009-10-18 20:45 -------- d-----w- c:\program files\ALLPlayer
2010-04-15 16:33 . 2010-04-15 16:32 -------- d-----w- c:\program files\QuickTime
2010-03-30 20:18 . 2010-03-30 20:18 503808 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-41e0aa8d-n\msvcp71.dll
2010-03-30 20:18 . 2010-03-30 20:18 499712 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-41e0aa8d-n\jmc.dll
2010-03-30 20:18 . 2010-03-30 20:18 348160 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-41e0aa8d-n\msvcr71.dll
2010-03-30 20:18 . 2010-03-30 20:18 -------- d-----w- c:\program files\Common Files\Java
2010-03-30 20:18 . 2010-03-30 20:18 61440 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ab850b6-n\decora-sse.dll
2010-03-30 20:18 . 2010-03-30 20:18 12800 ----a-w- c:\documents and settings\wspolne\Dane aplikacji\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ab850b6-n\decora-d3d.dll
2010-03-30 20:18 . 2009-11-07 17:04 -------- d-----w- c:\program files\Java
2010-03-30 20:18 . 2007-08-02 12:00 83880 ----a-w- c:\windows\system32\perfc015.dat
2010-03-30 20:18 . 2007-08-02 12:00 490628 ----a-w- c:\windows\system32\perfh015.dat
2010-03-26 07:11 . 2009-10-21 06:33 -------- d-----w- c:\documents and settings\All Users\Dane aplikacji\NOS
2010-03-26 07:10 . 2009-10-27 20:37 -------- d-----w- c:\program files\uTorrent
2010-03-25 06:53 . 2009-10-27 20:36 -------- d-----w- c:\documents and settings\wspolne\Dane aplikacji\uTorrent
2010-03-18 20:14 . 2009-10-18 20:40 -------- d-----w- c:\program files\Safari
2010-03-18 20:03 . 2010-03-18 20:03 79144 ----a-w- c:\documents and settings\All Users\Dane aplikacji\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-13 20:15 . 2010-03-13 20:15 1956656 ----a-w- c:\documents and settings\All Users\Dane aplikacji\NOS\Adobe_Downloads\install_flash_player_ax.exe
2010-03-10 06:17 . 2007-08-02 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 02:28 . 2009-11-07 17:04 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:19 . 2007-08-02 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2007-08-02 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-16 19:09 . 2007-08-02 12:00 2147840 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 19:09 . 2004-08-04 00:39 2025984 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-05-16_12.02.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-16 17:36 . 2010-05-16 17:36 16384 c:\windows\Temp\Perflib_Perfdata_618.dat
+ 2010-05-16 17:56 . 2010-05-16 17:56 16384 c:\windows\Temp\Perflib_Perfdata_610.dat
- 2010-05-16 11:42 . 2010-05-16 11:42 16384 c:\windows\Temp\Perflib_Perfdata_610.dat
+ 2010-05-16 17:56 . 2010-05-16 17:56 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
+ 2010-05-16 17:23 . 2010-05-16 17:23 25214 c:\windows\Installer\{34BFB099-07B2-4E95-A673-7362D60866A2}\ARPPRODUCTICON.exe
- 2009-10-18 19:15 . 2009-10-18 19:15 25214 c:\windows\Installer\{34BFB099-07B2-4E95-A673-7362D60866A2}\ARPPRODUCTICON.exe
.
((((((((((((((((((((((((((((((((((((( Registry startup entries ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and default, legitimate entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALLUpdate"="c:\program files\ALLPlayer\ALLUpdate.exe" [2010-03-23 1432064]
"Google Update"="c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe" [2010-02-10 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2009-04-06 33603584]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2009-03-09 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2009-03-09 1970176]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-04-28 61440]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"FreePDF Assistant"="c:\program files\FreePDF_XP\fpassist.exe" [2009-09-05 385024]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2003-12-16 188416]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2003-12-16 77824]
"D-Link AirPlus G DWL-G510"="c:\program files\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2008-10-20 1556480]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\wspolne\Menu Start\Programy\Autostart\
Karen's Replicator.lnk - c:\program files\Karen's Power Tools\Replicator\PTReplicator.exe [2008-11-19 1185264]

c:\documents and settings\All Users\Menu Start\Programy\Autostart\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-10-18 114768]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-15 18816]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-10-18 20560]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2009-10-18 1086208]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 136176]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\75.tmp --> c:\windows\system32\75.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 10:34]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 05:30]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-09 05:30]

2010-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003Core1cab63f4ae2f264.job
- c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2010-02-10 19:25]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003UA.job
- c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\GoogleUpdate.exe [2010-02-10 19:25]
.
.
------- Supplementary scan -------
.
uStart Page = hxxp://wyborcza.pl/0,0.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://wiadomosci.gazeta.pl/Wiadomosci/0,0.html
FF - component: c:\documents and settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\documents and settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\npgg.1.dll
FF - plugin: c:\documents and settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\nppl3260.dll
FF - plugin: c:\documents and settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\nprpjplug.dll
FF - plugin: c:\documents and settings\wspolne\Ustawienia lokalne\Dane aplikacji\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 19:57
Windows 5.1.2600 Dodatek Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\75.tmp"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Czas ukończenia: 2010-05-16 20:05:33 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2010-05-16 18:05
ComboFix2.txt 2010-05-16 12:04

Przed: 424 040 628 224 bajtów wolnych
Po: 423 920 246 784 bajtów wolnych

- - End Of File - - 10C2522381983A9E5CD8A50D335D50FB

#8 hammerman (Member, 4,183 posts)
Hi,

Please follow these steps and let me know how your computer's running.

-- Step 1 --

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 2 --

Run Malwarebytes' Anti-Malware.
  • Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
  • Select the Scanner tab, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 3 --

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Click the "Download JRE" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u20-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u20-windows-i586.exe and select "Run as an Administrator.")

-- Step 4 --

Run OTL and select Minimal Output. Use the Quick Scan button to start a scan.
Please post the OTL report in your reply.
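As an added example that is not part of the thread or of hammerman's instructions: a PowerShell check for Step 3 that lists the Java runtimes Add/Remove Programs would show and flags every one older than JRE 6 Update 20. It assumes PowerShell 2.0 on the XP machine, the standard Uninstall registry key, and the Sun display names of that period ("Java(TM) 6 Update N", "J2SE Runtime Environment 5.0 Update N"); it only reports, leaving the removal to Add/Remove Programs as the step describes.

```powershell
# Added example, not from the original thread or hammerman's post.
# Inventories JRE/J2SE entries under the Uninstall key and flags those older
# than JRE 6 Update 20, the build Step 3 installs (jre-6u20-windows-i586.exe).
# Assumptions: PowerShell 2.0, Sun's display-name format of the time.

$TargetMajor  = 6
$TargetUpdate = 20
$UninstallKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Turn a display name into (Major, Update); $null when it is not a runtime entry.
function Parse-JavaRuntimeName([string]$DisplayName) {
    $pattern = '^(?:Java\(TM\)(?: SE Runtime Environment)?|J2SE Runtime Environment) (\d+)(?:\.\d+)?(?: Update (\d+))?'
    if (-not ($DisplayName -match $pattern)) { return $null }
    $update = 0
    if ($matches[2]) { $update = [int]$matches[2] }   # no "Update N" means update 0
    New-Object PSObject -Property @{
        DisplayName = $DisplayName
        Major       = [int]$matches[1]
        Update      = $update
    }
}

# Older major version, or same major with a lower update level, is outdated.
function Test-OutdatedJava($Entry) {
    ($Entry.Major -lt $TargetMajor) -or
    ($Entry.Major -eq $TargetMajor -and $Entry.Update -lt $TargetUpdate)
}

# Walk the Uninstall key (what Add/Remove Programs displays) and return
# one object per Java runtime with its uninstall command and Outdated flag.
function Get-JavaRuntimeEntries {
    Get-ChildItem $UninstallKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath
        $entry = Parse-JavaRuntimeName ([string]$props.DisplayName)
        if ($entry -ne $null) {
            $entry | Add-Member NoteProperty UninstallString ([string]$props.UninstallString)
            $entry | Add-Member NoteProperty Outdated (Test-OutdatedJava $entry)
            $entry
        }
    }
}

# Self-check on constructed display names (not read from this machine).
foreach ($name in 'Java(TM) 6 Update 20', 'Java(TM) 6 Update 17',
                  'J2SE Runtime Environment 5.0 Update 22', 'Adobe Reader 9') {
    $e = Parse-JavaRuntimeName $name
    if ($e -eq $null) { "$name -> not a Java runtime" }
    else { "$name -> outdated: $(Test-OutdatedJava $e)" }
}

# Live inventory of this machine.
$entries = @(Get-JavaRuntimeEntries)
if ($entries.Count -eq 0) { "No Java Runtime Environment entries found." }
$entries | Sort-Object Major, Update | Format-Table DisplayName, Major, Update, Outdated -AutoSize

# Show, without running it, the uninstall command for each outdated build;
# Step 3 has these removed through Add/Remove Programs before 6u20 goes on.
$entries | Where-Object { $_.Outdated } | ForEach-Object {
    "Outdated: {0}  (uninstall: {1})" -f $_.DisplayName, $_.UninstallString
}
```

The self-check prints "outdated: False" for 6 Update 20, "outdated: True" for 6 Update 17 and 5.0 Update 22, and "not a Java runtime" for the Adobe entry.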

#9 dzid (Topic Starter, Member, 15 posts)
MBAM

Didn't find anything - but I'm not surprised; it hadn't found anything before either, while avast was screaming about the infection. I use MBAM regularly.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Wersja bazy: 4107

Windows 5.1.2600 Dodatek Service Pack 3
Internet Explorer 8.0.6001.18702

2010-05-16 22:28:17
mbam-log-2010-05-16 (22-28-17).txt

Typ skanowania: Szybkie skanowanie
Przeskanowano obiektów: 121120
Upłynęło: 3 minut(y), 36 sekund(y)

Zainfekowanych procesów w pamięci: 0
Zainfekowanych modułów w pamięci: 0
Zainfekowanych kluczy rejestru: 0
Zainfekowanych wartości rejestru: 0
Zainfekowane informacje rejestru systemowego: 0
Zainfekowanych folderów: 0
Zainfekowanych plików: 0

Zainfekowanych procesów w pamięci:
(Nie znaleziono zagrożeń)

Zainfekowanych modułów w pamięci:
(Nie znaleziono zagrożeń)

Zainfekowanych kluczy rejestru:
(Nie znaleziono zagrożeń)

Zainfekowanych wartości rejestru:
(Nie znaleziono zagrożeń)

Zainfekowane informacje rejestru systemowego:
(Nie znaleziono zagrożeń)

Zainfekowanych folderów:
(Nie znaleziono zagrożeń)

Zainfekowanych plików:
(Nie znaleziono zagrożeń)


OTL:

OTL logfile created on: 2010-05-16 22:54:49 - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\wspolne\Moje dokumenty\Downloads
Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 86,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 91,00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465,75 Gb Total Space | 394,72 Gb Free Space | 84,75% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 372,61 Gb Total Space | 120,39 Gb Free Space | 32,31% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DZIDKI
Current User Name: wspolne
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\wspolne\Moje dokumenty\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
PRC - C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
PRC - C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe (Karen Kenworthy)
PRC - C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
PRC - C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe (D-Link)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
PRC - C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\wspolne\Moje dokumenty\Downloads\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (ServiceLayer) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (NMSAccessU) -- C:\Program Files\CDBurnerXP\NMSAccessU.exe ()
SRV - (ANIWZCSdService) -- C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe (Wireless Service)


========== Driver Services (SafeList) ==========

DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (VIAHdAudAddService) -- C:\WINDOWS\system32\drivers\viahduaa.sys (VIA Technologies, Inc.)
DRV - (JRAID) -- C:\WINDOWS\system32\DRIVERS\jraid.sys (JMicron Technology Corp.)
DRV - (L1e) -- C:\WINDOWS\system32\drivers\l1e51x86.sys (Atheros Communications, Inc.)
DRV - (pccsmcfd) -- C:\WINDOWS\system32\drivers\pccsmcfd.sys (Nokia)
DRV - (usbaudio) Sterownik audio USB (WDM) -- C:\WINDOWS\system32\drivers\USBAUDIO.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (RT61) -- C:\WINDOWS\system32\drivers\rt61.sys (Ralink Technology, Corp.)
DRV - (monfilt) -- C:\WINDOWS\system32\drivers\monfilt.sys (Creative Technology Ltd.)
DRV - (ANIO) -- C:\WINDOWS\system32\ANIO.sys (Alpha Networks Inc.)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (QCMerced) -- C:\WINDOWS\system32\drivers\lvcm.sys (Logitech Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://wyborcza.pl/0,0.html
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.startup.homepage: "http://wiadomosci.ga...mosci/0,0.html"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {0545b830-f0aa-4d7e-8820-50a4629a56fe}:4.6
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.6.8
FF - prefs.js..extensions.enabledItems: {472f4ef0-a825-11da-a746-0800200c9a66}:1.2
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {37E4D8EA-8BDA-4831-8EA1-89053939A250}:3.0.0.1
FF - prefs.js..extensions.enabledItems: {62fe3c1e-482a-4498-bbea-1dc8bfd2d439}:2.0.0
FF - prefs.js..extensions.enabledItems: {dc572301-7619-498c-a57d-39143191b318}:0.3.8.2
FF - prefs.js..extensions.enabledItems: [email protected]:3.6.14
FF - prefs.js..network.proxy.autoconfig_url: "http://inetprox.inet...e/rasproxy.pac"
FF - prefs.js..network.proxy.backup.ftp: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "prx-fraint-06.inet.cns.fra.dlh.de"
FF - prefs.js..network.proxy.ssl_port: 8080

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010-04-15 18:33:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010-05-16 22:53:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010-04-15 18:33:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2009-10-18 21:56:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Extensions
[2010-05-15 23:47:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions
[2010-05-08 14:20:11 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}
[2010-05-08 14:20:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009-10-18 21:57:57 | 000,000,000 | ---D | M] (PDF Download) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
[2009-10-18 21:57:57 | 000,000,000 | ---D | M] (Tab Clicking Options) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{43520B8F-4107-4351-AC64-9BCC5EEA24B9}
[2009-10-18 21:57:57 | 000,000,000 | ---D | M] (FavLoc) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{472f4ef0-a825-11da-a746-0800200c9a66}
[2010-03-01 23:43:18 | 000,000,000 | ---D | M] (Snajper.net) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{62fe3c1e-482a-4498-bbea-1dc8bfd2d439}
[2009-10-18 21:57:55 | 000,000,000 | ---D | M] (IE Tab) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}
[2010-01-26 10:37:02 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2009-12-09 00:22:28 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010-05-08 14:20:10 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010-04-20 07:42:57 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2009-10-18 21:57:50 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\{dc572301-7619-498c-a57d-39143191b318}
[2010-04-25 20:25:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Mozilla\Firefox\Profiles\f7leh3g1.default\extensions\[email protected]
[2010-05-16 22:53:51 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010-05-16 22:53:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010-05-16 22:53:39 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009-08-24 21:19:13 | 000,002,767 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\allegro-pl.xml
[2009-08-24 21:19:13 | 000,001,406 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\fbc-pl.xml
[2009-08-24 21:19:13 | 000,000,917 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\merlin-pl.xml
[2009-08-24 21:19:13 | 000,000,858 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\pwn-pl.xml
[2009-08-24 21:19:13 | 000,001,183 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia-pl.xml
[2009-08-24 21:19:13 | 000,001,683 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wp-pl.xml

O1 HOSTS File: ([2010-05-16 19:56:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (IEPluginBHO Class) - {F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D} - C:\Documents and Settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu\_userdata\ggbho.1.dll (GG Network S.A.)
O4 - HKLM..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe (JMicron Technology Corp.)
O4 - HKLM..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe (Wireless Service)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [D-Link AirPlus G DWL-G510] C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe (D-Link)
O4 - HKLM..\Run: [FreePDF Assistant] C:\Program Files\FreePDF_XP\fpassist.exe (shbox.de)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKCU..\Run: [ALLUpdate] C:\Program Files\ALLPlayer\ALLUpdate.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\wspolne\Menu Start\Programy\Autostart\Karen's Replicator.lnk = C:\Program Files\Karen's Power Tools\Replicator\PTReplicator.exe (Karen Kenworthy)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1255879580890 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1257446468187 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 195.50.140.246 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {93994DE8-8239-4655-B1D1-5F4E91300429} - C:\Program Files\DVD Region+CSS Free\DVDShell.dll (Fengtao Software Inc.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-10-18 15:30:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010-05-16 22:42:03 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\appmgmt
[2010-05-16 22:08:27 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010-05-16 22:07:16 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\wspolne\Pulpit\TFC.exe
[2010-05-16 19:49:53 | 000,000,000 | ---D | C] -- C:\Combo-Fix
[2010-05-16 13:58:43 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010-05-16 13:55:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010-05-16 13:55:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010-05-16 13:55:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010-05-16 13:55:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010-05-16 13:55:27 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010-05-16 13:55:18 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010-05-15 23:38:34 | 000,000,000 | ---D | C] -- C:\_OTL
[2010-05-15 23:10:10 | 000,000,000 | ---D | C] -- C:\antivir_rootkit
[2010-05-15 22:58:44 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2010-05-15 15:38:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Dane aplikacji\Uniblue
[2010-05-09 20:18:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Dane aplikacji\Google
[2010-05-09 20:05:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Ustawienia lokalne\Dane aplikacji\Google
[2010-05-03 21:22:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Citrix
[2010-04-20 16:41:04 | 000,000,000 | ---D | C] -- C:\Program Files\AidemMedia
[2010-04-15 18:32:55 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010-03-30 22:18:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Sun
[2010-03-30 22:18:42 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010-03-27 18:51:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Dane aplikacji\Real
[2010-03-13 22:07:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\wspolne\Moje dokumenty\NAVIGON
[2010-03-13 22:06:13 | 000,000,000 | ---D | C] -- C:\Program Files\NAVIGON

========== Files - Modified Within 90 Days ==========

[2010-05-16 22:51:29 | 001,087,636 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-05-16 22:51:29 | 000,490,628 | ---- | M] () -- C:\WINDOWS\System32\perfh015.dat
[2010-05-16 22:51:29 | 000,432,492 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-05-16 22:51:29 | 000,083,880 | ---- | M] () -- C:\WINDOWS\System32\perfc015.dat
[2010-05-16 22:51:29 | 000,067,448 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-05-16 22:44:50 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-05-16 22:44:49 | 000,000,008 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME{627EE941-C74F-49D6-864C-875D05DA1D4B}
[2010-05-16 22:44:34 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010-05-16 22:44:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-05-16 22:43:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-05-16 22:43:52 | 000,167,952 | ---- | M] () -- C:\WINDOWS\System32\ativvaxx.cap
[2010-05-16 22:42:57 | 004,194,304 | -H-- | M] () -- C:\Documents and Settings\wspolne\NTUSER.DAT
[2010-05-16 22:42:57 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\wspolne\ntuser.ini
[2010-05-16 22:35:00 | 000,001,140 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003UA.job
[2010-05-16 22:07:33 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\wspolne\Pulpit\TFC.exe
[2010-05-16 22:05:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010-05-16 19:57:07 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010-05-16 19:57:05 | 000,000,007 | ---- | M] () -- C:\WINDOWS\System32\ANIWZCSUSERNAME
[2010-05-16 19:56:36 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010-05-16 19:49:15 | 003,689,722 | R--- | M] () -- C:\Documents and Settings\wspolne\Pulpit\Combo-Fix.exe
[2010-05-16 13:58:47 | 000,000,281 | RHS- | M] () -- C:\boot.ini
[2010-05-16 09:59:37 | 000,000,645 | ---- | M] () -- C:\Documents and Settings\wspolne\Pulpit\OTL.lnk
[2010-05-16 09:57:25 | 000,000,582 | ---- | M] () -- C:\Documents and Settings\wspolne\Pulpit\gmer.lnk
[2010-05-15 21:36:24 | 000,002,187 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Safari.lnk
[2010-05-14 20:04:40 | 000,002,645 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010-05-13 17:09:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010-05-13 06:35:00 | 000,001,088 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003Core1cab63f4ae2f264.job
[2010-04-29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-04-29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-04-29 03:36:29 | 000,002,318 | ---- | M] () -- C:\Documents and Settings\wspolne\Pulpit\Google Chrome.lnk
[2010-04-26 15:58:12 | 000,256,512 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010-04-15 18:33:10 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\QuickTime Player.lnk
[2010-04-15 03:02:58 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-03-13 22:06:17 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\NAVIGON Fresh.lnk
[2010-03-12 22:25:15 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\wspolne\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-03-10 23:35:28 | 000,000,597 | ---- | M] () -- C:\WINDOWS\win.ini

========== Files Created - No Company Name ==========

[2010-05-16 13:58:47 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010-05-16 13:58:44 | 000,262,400 | ---- | C] () -- C:\cmldr
[2010-05-16 13:55:30 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010-05-16 13:55:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010-05-16 13:55:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010-05-16 13:55:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010-05-16 13:55:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010-05-16 13:23:31 | 003,689,722 | R--- | C] () -- C:\Documents and Settings\wspolne\Pulpit\Combo-Fix.exe
[2010-05-16 09:59:37 | 000,000,645 | ---- | C] () -- C:\Documents and Settings\wspolne\Pulpit\OTL.lnk
[2010-05-16 09:57:25 | 000,000,582 | ---- | C] () -- C:\Documents and Settings\wspolne\Pulpit\gmer.lnk
[2010-05-09 20:00:18 | 000,000,888 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010-05-09 20:00:17 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010-04-15 18:33:10 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\QuickTime Player.lnk
[2010-03-13 22:06:17 | 000,000,798 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\NAVIGON Fresh.lnk
[2010-02-25 19:23:48 | 000,001,088 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-2025429265-1343024091-725345543-1003Core1cab63f4ae2f264.job
[2009-10-28 22:49:36 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2009-10-28 22:46:35 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\evrprop.dll
[2009-10-28 22:46:32 | 000,258,048 | ---- | C] () -- C:\WINDOWS\System32\libFLAC.dll
[2009-10-28 22:46:22 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\mkzlib.dll
[2009-10-28 22:46:22 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\mkunicode.dll
[2009-10-21 22:06:46 | 000,000,036 | ---- | C] () -- C:\WINDOWS\webica.ini
[2009-10-19 20:45:12 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\wlanapp.dll
[2009-10-19 20:45:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2009-10-19 20:10:47 | 000,014,938 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009-10-19 20:10:32 | 000,000,268 | ---- | C] () -- C:\WINDOWS\_delis32.ini
[2009-10-19 19:58:30 | 000,000,556 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009-10-18 22:45:28 | 000,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2009-10-18 21:46:37 | 000,000,067 | ---- | C] () -- C:\WINDOWS\DVDRegionFree.INI
[2009-10-18 21:18:08 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\redmonnt.dll
[2009-10-18 21:17:02 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-10-18 21:17:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009-10-18 16:12:41 | 000,001,701 | ---- | C] () -- C:\WINDOWS\ATICIM.INI
[2009-10-18 15:44:20 | 000,001,746 | ---- | C] () -- C:\WINDOWS\Language_trs.ini
[2009-10-18 15:44:01 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009-10-18 15:43:52 | 000,030,988 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009-10-18 15:43:52 | 000,010,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008-07-29 21:10:04 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\evr.dll
[2008-07-29 21:10:04 | 000,000,484 | ---- | C] () -- C:\WINDOWS\System32\dxva2.dll
[1999-01-27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997-06-13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1996-04-03 21:33:26 | 000,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== LOP Check ==========

[2010-01-26 22:20:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\FreePDF
[2009-10-18 22:18:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Karen's Power Tools
[2009-11-09 23:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Canneverbe_Limited
[2009-10-21 22:16:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\ICAClient
[2009-10-18 16:28:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\InterTrust
[2009-10-19 20:37:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Nokia
[2009-10-19 21:04:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Nowe Gadu-Gadu
[2009-10-18 21:37:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Thunderbird
[2010-05-15 15:38:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\Uniblue
[2010-03-25 08:53:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\uTorrent

========== Purity Check ==========


< End of report >

The PC seems to be running OK. Internet looks faster (just an impression). However, the 5-minute delay at start-up after the desktop is shown, before WiFi is initialized, is still there (it was 10 minutes when the rootkit was active). It might be the old problem with the HP driver (I had to re-install it after ComboFix did its job); I need to check the configured services.

Thanks a lot for your help, you are the best! Seriously - I work in a kind of customer support myself and I can recognize a pro when I see one :)

Any hints on whether it was a backdoor or "just" a spammer?
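Reading a long OTL listing like the one above by eye is error-prone, so here is an added example (not part of the thread and not OTL's own code) that parses OTL's file lines into records and answers the two questions a helper actually asks of that section: which files were created under C:\WINDOWS in the weeks before the detection, and which of the post-detection files are just ComboFix's own helper binaries rather than the infection. It assumes 2010-05-14 as the Friday of the Avast detection mentioned at the top of the thread, and the sample log is constructed: a few lines copied from the log above plus one made-up line (example.dll, "Example Corp") to exercise the company-name field.

```python
"""Parse OTL 'Files Created / Modified' lines and pull out the entries worth a second look.

Added example for triaging a log like the one above; it is not OTL's own code.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# An OTL file line has the shape
#   [timestamp | size | attributes | C|M] (company) -- path
# where C = created, M = modified, '()' means no company name in the version
# info, and directory entries carry 'D' in the attribute field and no '()' group.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Za-z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)

# Helper files ComboFix drops into C:\ and C:\WINDOWS while it runs; in the log
# above they appear about half an hour after Combo-Fix.exe landed on the desktop.
COMBOFIX_DROPS = {
    r"c:\boot.bak", r"c:\cmldr", r"c:\windows\pev.exe", r"c:\windows\sed.exe",
    r"c:\windows\grep.exe", r"c:\windows\mbr.exe", r"c:\windows\zip.exe",
}


@dataclass
class OtlEntry:
    timestamp: datetime
    size: int
    attrs: str
    kind: str                 # 'C' created, 'M' modified
    company: Optional[str]    # '' when OTL printed '()', None for directory lines
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs.upper()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_otl_lines(text: str) -> List[OtlEntry]:
    """Return one OtlEntry per file/directory line; section headers and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = OTL_LINE.match(raw.strip())
        if not m:
            continue
        entries.append(OtlEntry(
            timestamp=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"],
            path=m["path"],
        ))
    return entries


def created_under_windows(entries, detected_on: str, lookback_days: int = 30):
    r"""Files (not directories) created under C:\WINDOWS in the lookback_days ending on
    detected_on (YYYY-MM-DD, inclusive). Files created before the detection are where an
    infection's own droppings show up; anything later is usually the cleanup tools."""
    end = datetime.strptime(detected_on, "%Y-%m-%d") + timedelta(days=1)
    start = end - timedelta(days=lookback_days)
    hits = [
        e for e in entries
        if e.kind == "C" and not e.is_dir
        and start <= e.timestamp < end
        and e.path.lower().startswith("c:\\windows\\")
    ]
    return sorted(hits, key=lambda e: e.timestamp)


def cleanup_tool_artifacts(entries) -> List[str]:
    """Paths in the log that match ComboFix's known helper files, so they are not
    mistaken for the infection."""
    return [e.path for e in entries if e.path.lower() in COMBOFIX_DROPS]


# Constructed sample: lines copied from the log above plus one made-up line
# (example.dll / Example Corp) so the company-name branch of the parser is exercised.
SAMPLE_LOG = r"""
========== Files Created - No Company Name ==========

[2010-05-16 13:58:47 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010-05-16 13:55:30 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010-05-16 13:55:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010-05-16 13:23:31 | 003,689,722 | R--- | C] () -- C:\Documents and Settings\wspolne\Pulpit\Combo-Fix.exe
[2010-05-09 20:00:18 | 000,000,888 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010-05-09 20:00:17 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010-04-15 18:33:10 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\QuickTime Player.lnk
[2009-10-19 20:45:12 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\JJAKEn.dll
[2010-05-10 09:00:00 | 000,040,960 | ---- | C] (Example Corp) -- C:\WINDOWS\System32\example.dll

========== LOP Check ==========

[2010-03-25 08:53:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\wspolne\Dane aplikacji\uTorrent

< End of report >
"""

if __name__ == "__main__":
    entries = parse_otl_lines(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed")
    for e in created_under_windows(entries, "2010-05-14"):
        print("created before detection:", e.timestamp, e.size, e.path)
    for p in cleanup_tool_artifacts(entries):
        print("cleanup-tool artifact:", p)
```

Run against a full OTL.Txt by replacing SAMPLE_LOG with the file contents; the same regex covers the "With Company Name" sections because the company is just the text between the parentheses. The date window and the C:\WINDOWS prefix are deliberately crude filters: they shorten the list a helper has to read, they do not decide what is malicious.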

#10 dzid (Member, Topic Starter, 15 posts)
Yup, it's exactly 5 minutes - the clock freezes as well. The task bar is unavailable, but I can move icons on the desktop and start programs from there - however, they freeze quickly, seconds after starting, and block the desktop too. The network is available (the green D-Link icon confirms that), though the Windows network icons are not there yet. The last icon to appear down there before the freeze is the HP icon... which suggests it is the (in)famous problem with HP software.


#11 hammerman (Member 4k, 4,183 posts)
Hi,

Which HP driver do you have to re-install?

Please do an online scan with Kaspersky WebScanner

Click on Accept

You may be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Settings
  • In the scan settings, select the following:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan spyware, adware, diallers and other riskware
    Scan Archives
    Scan E-mail databases
  • Click Save
  • Now under Scan select My Computer
  • This will start the scanning of your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on View Report and then Save Report
  • Save the file to your desktop as a text file.
  • Copy and paste that information in your next post.


#12 dzid (Member, Topic Starter, 15 posts)
HP DeskJet F2280
But that's not the reason for the delay - I uninstalled all HP software and the freeze is still there. Downloading the Kaspersky database right now...

#13 dzid (Member, Topic Starter, 15 posts)
Hmm, I got this at the end of the download:
0 [ERROR: Anti-virus database is corrupted or has been updated manually]
I haven't run this scan before.

#14 hammerman (Member 4k, 4,183 posts)
Hi,

Try this scanner.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


#15 dzid (Member, Topic Starter, 15 posts)
I retried the Kaspersky scan and it's running now.





