When browsing the net, Avast alerted me to infections named: Win32: Bubnix - J [Rtk], Win32:Bubak [Rtk]. It was impossible to remove or quarantine them. I performed 2 boot-time scans. Both times Avast found them and said they were deleted, but the symptoms stayed. I scanned and fixed the registry with CCleaner. When Windows starts, the welcome music starts about 1-2 minutes after I see the desktop. If I do something before that time, the system crashes. Besides that, the general symptoms are that everything takes light years to start: programs, browser, etc. Sometimes programs crash and the cursor disappears. It also made Opera impossible to start, as if it were uninstalled.
This is what happened when I followed the guide:
1. TFC
I start the program and it says that it's stopping all running processes; after that nothing happens. When I try to do anything after about 15 minutes, the program crashes, there is no response, and I need to reboot.
2. ERUNT
Done - I made a backup
3. MBAM
I'm able to start a quick scan, but when the scanning process reaches HKEY_USERS\1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer, scanning stops and doesn't go any further. It didn't find any infection up to that point. I'm able to turn off the program without rebooting. So I can't paste the full log from MBAM, as it can't finish the scan. Some text appears when I stop it; if it's needed I can paste it.
4. GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-31 18:16:09
Windows 5.1.2600 Dodatek Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\WIESIA\USTAWI~1\Temp\uxtdqpob.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwClose [0xA9CDBB2F]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwCreateDirectoryObject [0xA9CDBB5B]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwCreateFile [0xA9CDBB8F]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwDeleteKey [0xA9CDBC27]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA00FA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA00F14C]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwEnumerateKey [0xA9CDBC53]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwEnumerateValueKey [0xA9CDBC93]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwFlushKey [0xA9CDBCD3]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwMakeTemporaryObject [0xA9CDBCFF]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwMapViewOfSection [0xA9CDBD2B]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwOpenKey [0xA9CDBD7B]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwOpenSection [0xA9CDBDAF]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwQueryInformationFile [0xA9CDBDE3]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwQueryKey [0xA9CDBE1F]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwQueryValueKey [0xA9CDBE5B]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwReadFile [0xA9CDBE9B]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA00F72E]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwSetInformationFile [0xA9CDBEE7]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwSetInformationThread [0xA9CDBF23]
SSDT \??\C:\WINDOWS\system32\Drivers\Crypto.sys (SafeNet Crypto Driver/SafeNet) ZwWriteFile [0xA9CDBFCB]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[308] ntdll.dll!NtQueryDirectoryFile + 6 7C90D774 4 Bytes [90, 61, 26, 02]
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 4059F4B9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!DialogBoxIndirectParamW 7E382072 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 40712076 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 40711FF7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 4071203B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 40711F83 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 40711FBD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407120B1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 405C1772 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3636] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 40712273 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
---- EOF - GMER 1.0.15 ----
5. OTL log:
A) scan.txt
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
B) OTL.txt
OTL logfile created on: 2010-08-31 18:23:35 - Run 2
OTL by OldTimer - Version 3.2.11.0 Folder = C:\Documents and Settings\WIESIA\Pulpit
Windows XP Home Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd
1 014,00 Mb Total Physical Memory | 515,00 Mb Available Physical Memory | 51,00% Memory free
2,00 Gb Paging File | 2,00 Gb Available in Paging File | 79,00% Paging File free
Paging file location(s): c:\pagefile.sys 1524 3048 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 39,06 Gb Total Space | 10,85 Gb Free Space | 27,78% Space Free | Partition Type: NTFS
Drive D: | 72,72 Gb Total Space | 2,99 Gb Free Space | 4,12% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Computer Name: BIURO
Current User Name: WIESIA
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Minimal
Quick Scan
========== Processes (SafeList) ==========
PRC - C:\Documents and Settings\WIESIA\Pulpit\OTL.exe (OldTimer Tools)
PRC - C:\WINDOWS\NCLAUNCH.EXe (Northcode Inc.)
PRC - C:\Program Files\CryptoTech\CryptoCard\CCMonitor.exe (CryptoTech Sp. z o.o.)
PRC - C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
PRC - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\WIESIA\Ustawienia lokalne\Temp\RtkBtMnt.exe (Realtek Semiconductor Corp.)
PRC - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
PRC - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
PRC - C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe ()
PRC - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe (Broadcom Corporation)
PRC - C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe (SafeNet)
PRC - C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe (SafeNet)
PRC - C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe (SafeNet)
PRC - C:\Program Files\Thomson\SpeedTouch USB\dragdiag.exe (THOMSON Telecom Belgium)
PRC - C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
PRC - C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe ()
========== Modules (SafeList) ==========
MOD - C:\Documents and Settings\WIESIA\Pulpit\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\wtsapi32.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\winsta.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\rtutils.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\onex.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msvcp60.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\iphlpapi.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\eappcfg.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\eappprxy.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\dot3api.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\dot3dlg.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\credui.dll (Microsoft Corporation)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)
========== Win32 Services (SafeList) ==========
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia)
SRV - (avast! Antivirus) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (EvtEng) Intel® -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel Corporation)
SRV - (S24EventMonitor) Intel® -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Intel Corporation )
SRV - (RegSrvc) Intel® -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel Corporation)
SRV - (ASFIPmon) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe (Broadcom Corporation)
SRV - (IreIKE) -- C:\Program Files\ZyXEL\ZyWALL VPN Client\IreIKE.exe (SafeNet)
SRV - (IPSECMON) -- C:\Program Files\ZyXEL\ZyWALL VPN Client\IPSecMon.exe (SafeNet)
SRV - (Pml Driver HPZ12) -- C:\WINDOWS\system32\hpzipm12.exe (HP)
========== Driver Services (SafeList) ==========
DRV - (WudfRd) -- C:\WINDOWS\System32\DRIVERS\wudfrd.sys File not found
DRV - (UIUSys) -- C:\WINDOWS\System32\DRIVERS\UIUSYS.SYS File not found
DRV - (Secdrv) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys File not found
DRV - (nmwcd) -- C:\WINDOWS\System32\drivers\ccdcmb.sys File not found
DRV - (HSFHWAZL) -- C:\WINDOWS\System32\DRIVERS\HSFHWAZL.sys File not found
DRV - (HSF_DPV) -- C:\WINDOWS\System32\DRIVERS\HSF_DPV.sys File not found
DRV - (aswMon2) -- C:\WINDOWS\System32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\System32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (aswTdi) -- C:\WINDOWS\System32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\System32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\System32\drivers\aavmker4.sys (ALWIL Software)
DRV - (NSCIRDA) -- C:\WINDOWS\system32\drivers\nscirda.sys (National Semiconductor Corporation)
DRV - (Changer) -- C:\WINDOWS\System32\drivers\changer.sys (Microsoft Corporation)
DRV - (lbrtfdc) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys (Toshiba Corp.)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (ialm) -- C:\WINDOWS\system32\drivers\igxpmp32.sys (Intel Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (cxbu0wdm) -- C:\WINDOWS\system32\drivers\cxbu0wdm.sys (OMNIKEY)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (tifm21) -- C:\WINDOWS\system32\drivers\tifm21.sys (Texas Instruments)
DRV - (e4usbaw) -- C:\WINDOWS\system32\drivers\e4usbaw.sys (Analog Devices Inc.)
DRV - (E4LOADER) General Purpose USB Driver (e4ldr.sys) -- C:\WINDOWS\system32\drivers\e4ldr.sys (Analog Deivces)
DRV - (BASFND) -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys (Broadcom Corporation)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\bcmwl5.sys (Broadcom Corporation)
DRV - (IPSECDRV) -- C:\WINDOWS\system32\drivers\IpSecDrv.sys (SafeNet)
DRV - (DNE) -- C:\WINDOWS\system32\drivers\dne2000.sys (Deterministic Networks, Inc.)
DRV - (Crypto) -- C:\WINDOWS\system32\drivers\Crypto.sys (SafeNet)
DRV - (DniVap) SafeNet WAN Miniport (VA) -- C:\WINDOWS\system32\drivers\vap.sys (Deterministic Networks Inc.)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.wp.pl/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
========== FireFox ==========
FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.co...-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
[2009-07-25 11:22:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Mozilla\Firefox\Profiles\5au2kfst.default\extensions
[2008-03-16 20:18:17 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\WIESIA\Dane aplikacji\Mozilla\Firefox\Profiles\5au2kfst.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009-07-25 11:22:26 | 000,000,000 | ---D | M] (BS Player Toolbar) -- C:\Documents and Settings\WIESIA\Dane aplikacji\Mozilla\Firefox\Profiles\5au2kfst.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}
O1 HOSTS File: ([2003-04-16 14:00:00 | 000,000,742 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (Java Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (&Google) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\Program Files\Google\GoogleToolbar1.dll (Google Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [CryptoCard Suite Cert Monitor] C:\Program Files\CryptoTech\CryptoCard\CCMonitor.exe (CryptoTech Sp. z o.o.)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe (Intel Corporation)
O4 - HKLM..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe (THOMSON Telecom Belgium)
O4 - HKLM..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe (Hewlett-Packard)
O4 - HKLM..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe (Hewlett-Packard)
O4 - HKCU..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe (Northcode Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\ZyWALL VPN Client.lnk = C:\Program Files\ZyXEL\ZyWALL VPN Client\SafeCfg.exe (SafeNet)
O4 - Startup: C:\Documents and Settings\WIESIA\Menu Start\Programy\Autostart\sysrda32.exe ()
O4 - Startup: C:\Documents and Settings\WIESIA\Menu Start\Programy\Autostart\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&ksportuj do programu Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Wyślij do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Wyślij &do programu OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe File not found
O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe File not found
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.micr...922/wmv9VCM.CAB (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1204032639921 (WUWebControl Class)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} http://download.divx...owserPlugin.cab (Reg Error: Key error.)
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.p...kanerOnline.cab (MksSkanerOnline Class)
O16 - DPF: {83AFB5CA-11D4-ED35-A452-0080C8D85045} http://cached.gamede...er_2_0_0_52.cab (GameDesire Poker Games)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 0.0.0.0
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\WIESIA\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\WIESIA\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008-02-22 22:31:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{09c6cf5b-a4e8-11dd-b1ff-001e4c65c15b}\Shell - "" = AutoRun
O33 - MountPoints2\{09c6cf5b-a4e8-11dd-b1ff-001e4c65c15b}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O33 - MountPoints2\{1076aabc-3565-11de-b321-001e4c65c15b}\Shell - "" = AutoRun
O33 - MountPoints2\{1076aabc-3565-11de-b321-001e4c65c15b}\Shell\AutoRun\command - "" = F:\WM0453F.exe -- File not found
O33 - MountPoints2\{6196664a-9f60-11dd-b1f4-001e4c65c15b}\Shell\AutoRun\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\dll32.exe
O33 - MountPoints2\{6196664a-9f60-11dd-b1f4-001e4c65c15b}\Shell\open\command - "" = RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\dll32.exe
O33 - MountPoints2\{904a3d90-ef57-11dc-95d1-001e4c65c15b}\Shell\AutoRun\command - "" = F:\oufddh.exe -- File not found
O33 - MountPoints2\{904a3d90-ef57-11dc-95d1-001e4c65c15b}\Shell\explore\Command - "" = F:\oufddh.exe -- File not found
O33 - MountPoints2\{904a3d90-ef57-11dc-95d1-001e4c65c15b}\Shell\open\Command - "" = F:\oufddh.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - C:\WINDOWS\System32\appmgmts.dll File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: VIDC.WMV3 - C:\WINDOWS\System32\wmv9vcm.dll (Microsoft Corporation)
CREATERESTOREPOINT
Restore point Set: OTL Restore Point (56027131116781568)
========== Files/Folders - Created Within 90 Days ==========
[2010-08-31 18:20:45 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WIESIA\Pulpit\OTL.exe
[2010-08-31 15:48:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WIESIA\Pulpit\2010-08-31
[2010-08-31 15:46:23 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010-08-31 14:46:30 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\WIESIA\Pulpit\TFC.exe
[2010-08-30 16:18:23 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\WIESIA\Recent
[2010-08-30 16:16:33 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010-08-30 16:16:32 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010-08-30 16:16:32 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010-08-28 20:15:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WIESIA\Pulpit\OPEN SEASON-2006[DVDRIP][ENG]-KIDZCORNER&J.T.R
[2010-08-28 18:15:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WIESIA\Dane aplikacji\XnView
[2010-08-20 11:35:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WIESIA\Pulpit\ok
[2010-08-15 13:22:38 | 000,000,000 | ---D | C] -- C:\Program Files\CryptoTech
[2010-08-14 14:33:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WIESIA\Pulpit\Bassdrive - Worldwide Drum and Bass Radio
[2010-08-13 13:39:22 | 000,000,000 | ---D | C] -- C:\AcerWPGImages
[2010-08-12 22:52:07 | 000,000,000 | ---D | C] -- C:\Program Files\NAPI-PROJEKT
[2010-08-12 21:08:34 | 000,009,472 | ---- | C] (June Fabrics Technology) -- C:\WINDOWS\System32\drivers\pnetmdm.sys.bak
[2010-08-12 21:08:33 | 000,000,000 | ---D | C] -- C:\Program Files\PdaNet for Android
[2010-08-06 12:30:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\UMDF
[2010-08-06 12:25:10 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\WIESIA\Phone Browser
[2010-08-06 12:22:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Nokia
[2010-08-06 12:22:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\WIESIA\Dane aplikacji\PC Suite
[2010-08-06 12:22:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
[2010-08-06 12:21:42 | 000,018,816 | ---- | C] (Nokia) -- C:\WINDOWS\System32\drivers\pccsmcfd.sys.bak
[2010-08-06 12:21:34 | 000,000,000 | ---D | C] -- C:\Program Files\PC Connectivity Solution
[2010-08-06 12:21:20 | 000,092,672 | ---- | C] (Nokia) -- C:\WINDOWS\System32\nmwcdcls.dll
[2010-08-06 12:21:19 | 000,000,000 | ---D | C] -- C:\Program Files\Nokia
[2010-08-06 12:20:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Installations
[2010-06-12 17:11:55 | 000,000,000 | ---D | C] -- C:\KPR_2003
[2010-06-12 17:11:51 | 000,000,000 | ---D | C] -- C:\KOREKTY
[2008-02-26 14:18:22 | 000,172,032 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
[2008-02-26 14:18:22 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll
[2008-02-26 14:18:22 | 000,045,056 | ---- | C] ( ) -- C:\WINDOWS\PLFSet.dll
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files - Modified Within 90 Days ==========
[2010-08-31 18:20:58 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WIESIA\Pulpit\OTL.exe
[2010-08-31 15:46:24 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\WIESIA\Pulpit\NTREGOPT.lnk
[2010-08-31 15:46:24 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\WIESIA\Pulpit\ERUNT.lnk
[2010-08-31 15:31:34 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010-08-31 15:31:27 | 000,021,800 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-08-31 15:31:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-08-31 15:18:07 | 000,490,522 | ---- | M] () -- C:\WINDOWS\System32\perfh015.dat
[2010-08-31 15:18:07 | 000,432,554 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010-08-31 15:18:07 | 000,083,858 | ---- | M] () -- C:\WINDOWS\System32\perfc015.dat
[2010-08-31 15:18:07 | 000,067,510 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010-08-31 15:18:05 | 001,087,700 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010-08-31 14:46:39 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\WIESIA\Pulpit\TFC.exe
[2010-08-31 10:46:51 | 007,602,176 | ---- | M] () -- C:\Documents and Settings\WIESIA\ntuser.dat
[2010-08-30 19:55:26 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\WIESIA\ntuser.ini
[2010-08-30 16:16:36 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk
[2010-08-30 14:22:20 | 000,000,008 | ---- | M] () -- C:\Documents and Settings\WIESIA\Dane aplikacji\avdrn.dat
[2010-08-29 15:51:47 | 002,118,419 | ---- | M] () -- C:\Documents and Settings\WIESIA\Pulpit\20100821010.mp4
[2010-08-28 20:19:27 | 000,009,216 | ---- | M] () -- C:\Documents and Settings\WIESIA\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-08-16 23:52:50 | 000,002,653 | ---- | M] () -- C:\Documents and Settings\WIESIA\Pulpit\BassDrive.pls
[2010-08-15 12:18:18 | 000,002,021 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2010-08-12 21:10:07 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2010-08-12 13:08:03 | 000,209,696 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010-08-06 12:30:23 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010-08-06 12:23:28 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
[2010-08-06 12:23:27 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010-07-02 15:48:22 | 000,001,830 | -H-- | M] () -- C:\Documents and Settings\WIESIA\Moje dokumenty\Default.rdp
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
========== Files Created - No Company Name ==========
[2010-08-31 16:12:58 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\WIESIA\Pulpit\gmer.exe
[2010-08-31 15:46:24 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\WIESIA\Pulpit\NTREGOPT.lnk
[2010-08-31 15:46:24 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\WIESIA\Pulpit\ERUNT.lnk
[2010-08-30 16:16:36 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Pulpit\Malwarebytes' Anti-Malware.lnk
[2010-08-30 14:21:57 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\WIESIA\Dane aplikacji\avdrn.dat
[2010-08-29 15:51:47 | 002,118,419 | ---- | C] () -- C:\Documents and Settings\WIESIA\Pulpit\20100821010.mp4
[2010-08-16 23:52:50 | 000,002,653 | ---- | C] () -- C:\Documents and Settings\WIESIA\Pulpit\BassDrive.pls
[2010-08-12 21:10:07 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_WinUSB_01007.Wdf
[2010-08-06 12:30:23 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\UMDF\MsftWdf_user_01_00_00.Wdf
[2010-08-06 12:23:28 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_ccdcmb_01009.Wdf
[2010-08-06 12:23:27 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2010-03-09 20:37:45 | 000,000,168 | ---- | C] () -- C:\WINDOWS\adidsl.ini
[2010-03-09 20:37:45 | 000,000,021 | ---- | C] () -- C:\WINDOWS\Fast800.ini
[2010-03-09 20:37:35 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\coclassfast.dll
[2010-03-09 20:37:34 | 000,046,892 | ---- | C] () -- C:\WINDOWS\System32\ADADIX16.DLL
[2010-03-09 20:09:20 | 000,000,990 | ---- | C] () -- C:\WINDOWS\adiras.ini
[2010-03-09 20:08:29 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\adinst32.dll
[2009-08-28 16:38:41 | 000,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009-08-14 10:11:23 | 000,000,012 | ---- | C] () -- C:\Documents and Settings\WIESIA\Dane aplikacji\wiaserva.log
[2008-06-28 09:15:53 | 000,018,237 | ---- | C] () -- C:\WINDOWS\hplj1010.ini
[2008-04-07 19:43:08 | 000,241,664 | R--- | C] () -- C:\WINDOWS\System32\cmabout.dll
[2008-04-07 19:43:08 | 000,010,229 | R--- | C] () -- C:\WINDOWS\System32\cmdiag.ini
[2008-04-07 19:43:08 | 000,000,142 | R--- | C] () -- C:\WINDOWS\System32\cmabout.ini
[2008-04-07 19:43:05 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\chksvrn.dll
[2008-03-11 12:37:36 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
[2008-03-05 21:38:35 | 000,000,032 | ---- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\ezsid.dat
[2008-03-05 20:14:14 | 000,002,021 | ---- | C] () -- C:\WINDOWS\wincmd.ini
[2008-02-26 15:17:36 | 000,005,606 | ---- | C] () -- C:\WINDOWS\System32\stci.dll
[2008-02-26 14:27:13 | 000,910,464 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2008-02-26 14:27:13 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4820.dll
[2008-02-26 14:18:22 | 001,729,152 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2008-02-26 10:57:40 | 000,000,008 | RHS- | C] () -- C:\WINDOWS\System32\Desktop_.ini
[2008-02-23 11:24:30 | 000,003,972 | ---- | C] () -- C:\WINDOWS\System32\drivers\PciBus.sys
[2008-02-22 22:56:12 | 000,009,216 | ---- | C] () -- C:\Documents and Settings\WIESIA\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2003-08-29 11:12:52 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
========== LOP Check ==========
[2010-08-06 12:20:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Installations
[2010-08-06 12:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
[2009-03-19 16:46:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
[2008-11-05 22:52:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\.BitTornado
[2008-04-07 19:47:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\.szafir
[2010-06-01 20:20:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\BESTplayer
[2009-07-25 11:22:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\BSplayer Pro
[2010-02-28 16:29:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\FileZilla
[2008-08-05 18:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Gadu-Gadu
[2008-08-23 17:26:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\GanymedeNet
[2009-07-14 23:28:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\gtk-2.0
[2010-08-06 12:36:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Nokia
[2010-01-03 00:41:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Opera
[2010-08-06 12:22:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\PC Suite
[2008-10-05 22:19:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Publish Providers
[2008-10-05 22:18:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Sony
[2008-10-05 21:23:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\Sony Setup
[2009-08-31 19:31:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\streamripper
[2010-08-28 18:18:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\WIESIA\Dane aplikacji\XnView
========== Purity Check ==========
========== Custom Scans ==========
< %SYSTEMDRIVE%\*.* >
[2008-02-22 22:31:41 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2008-03-05 17:08:20 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2006-03-02 14:00:00 | 000,004,952 | RHS- | M] () -- C:\Bootfont.bin
[2008-02-22 22:31:41 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2008-02-22 22:31:41 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008-03-09 14:47:35 | 000,000,120 | ---- | M] () -- C:\KM.BAT
[2008-08-11 02:13:38 | 000,030,288 | ---- | M] () -- C:\mksbasel.cpp.log
[2008-02-22 22:31:41 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2006-03-02 14:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008-12-18 10:42:46 | 000,251,152 | RHS- | M] () -- C:\ntldr
[2010-08-31 15:31:22 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2008-02-26 10:58:15 | 000,000,215 | ---- | M] () -- C:\Setup.log
[2010-08-13 13:39:38 | 000,001,739 | ---- | M] () -- C:\wp_install.log
< %systemroot%\Fonts\*.com >
[2006-04-18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006-06-29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006-04-18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006-06-29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
< %systemroot%\Fonts\*.dll >
< %systemroot%\Fonts\*.ini >
[2008-03-05 17:12:52 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini
< %systemroot%\Fonts\*.ini2 >
< %systemroot%\Fonts\*.exe >
< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008-07-06 14:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2003-08-29 11:12:53 | 000,049,152 | ---- | M] (Zenographics, Inc.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\IMFPRINT.DLL
[2006-10-26 20:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll
[2008-07-06 12:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
< %systemroot%\REPAIR\*.bak1 >
< %systemroot%\REPAIR\*.ini >
< %systemroot%\system32\*.jpg >
< %systemroot%\*.jpg >
< %systemroot%\*.png >
< %systemroot%\*.scr >
[2010-02-04 00:06:31 | 009,931,703 | ---- | M] (E-Axis.com) -- C:\WINDOWS\LOST_screensaver.scr
[8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
< %systemroot%\*._sy >
< %APPDATA%\Adobe\Update\*.* >
< %ALLUSERSPROFILE%\Favorites\*.* >
< %APPDATA%\Microsoft\*.* >
< %PROGRAMFILES%\*.* >
< %APPDATA%\Update\*.* >
< %systemroot%\*. /mp /s >
< %systemroot%\System32\config\*.sav >
[2008-03-05 18:02:38 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008-03-05 16:53:59 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2008-03-05 18:02:38 | 011,272,192 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008-03-05 18:02:38 | 002,883,584 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< %PROGRAMFILES%\bak. /s >
< %systemroot%\system32\bak. /s >
< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
< %systemroot%\system32\config\systemprofile\*.dat /x >
< %systemroot%\*.config >
< %systemroot%\system32\*.db >
< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2008-03-05 17:26:39 | 000,000,183 | -HS- | M] () -- C:\Documents and Settings\WIESIA\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2008-02-22 22:36:35 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\WIESIA\Dane aplikacji\Microsoft\Internet Explorer\Quick Launch\Pokaż pulpit.scf
< %USERPROFILE%\Desktop\*.exe >
< %PROGRAMFILES%\Common Files\*.* >
< %systemroot%\*.src >
< %systemroot%\install\*.* >
< %systemroot%\system32\DLL\*.* >
< %systemroot%\system32\HelpFiles\*.* >
< %systemroot%\system32\rundll\*.* >
< %systemroot%\winn32\*.* >
< %systemroot%\Java\*.* >
< %systemroot%\system32\test\*.* >
< %systemroot%\system32\Rundll32\*.* >
< %systemroot%\AppPatch\Custom\*.* >
< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >
< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >
< %PROGRAMFILES%\Internet Explorer\*.tmp >
< %PROGRAMFILES%\Internet Explorer\*.dat >
< %USERPROFILE%\My Documents\*.exe >
< %USERPROFILE%\*.exe >
< %systemroot%\ADDINS\*.* >
< %systemroot%\assembly\*.bak2 >
< %systemroot%\Config\*.* >
< %systemroot%\REPAIR\*.bak2 >
< %systemroot%\SECURITY\Database\*.sdb /x >
< %systemroot%\SYSTEM\*.bak2 >
< %systemroot%\Web\*.bak2 >
< %systemroot%\Driver Cache\*.* >
< %PROGRAMFILES%\Mozilla Firefox\0*.exe >
< %ProgramFiles%\Microsoft Common\*.* >
< %ProgramFiles%\TinyProxy. >
< %USERPROFILE%\Favorites\*.url /x >
< %systemroot%\system32\*.bk >
< %systemroot%\*.te >
< %systemroot%\system32\system32\*.* >
< %ALLUSERSPROFILE%\*.dat /x >
< %systemroot%\system32\drivers\*.rmv >
< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >
< dir /b "%systemroot%\*.exe" | find /i " " /c >
< %PROGRAMFILES%\Microsoft\*.* >
< %systemroot%\System32\Wbem\proquota.exe >
< %PROGRAMFILES%\Mozilla Firefox\*.dat >
< %USERPROFILE%\Cookies\*.txt /x >
[2010-08-15 12:46:36 | 000,000,067 | -HS- | M] () -- C:\Documents and Settings\WIESIA\Cookies\desktop.ini
[2010-08-31 15:35:42 | 000,032,768 | -HS- | M] () -- C:\Documents and Settings\WIESIA\Cookies\index.dat
< %SystemRoot%\system32\fonts\*.* >
< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-08-12 08:02:24
========== Alternate Data Streams ==========
@Alternate Data Stream - 157 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:DFC5A2B2
@Alternate Data Stream - 110 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:888AFB86
< End of report >
Lots of good karma for any help ;)