Can't connect to IRC protected by EFnetRBL. [Closed]



#1
TuxPL
Hey. I've got a problem... Sorry about the language mistakes, I am from Poland.
Let me start. This year I was using IRC a lot. At the turn of July and August I got some weird blocks from EFnetRBL. Something about me being infected by the Girlbot Trojan... Alternate names for it are Golember and Rosya. OK, that was in August... I had a quiet time, then in October those block messages "revisited" me. ONE site says I am infected by Cutwail (totally no symptoms), ONE site says I am infected by Girlbot (totally no symptoms either) and lots of sites say nothing. What is most weird? EFnet says just one site blocks me (irc.eversible or something)... Can anyone help me?


What I get when I want to connect to IRC:

20:35:10 -mancubus.skulltag.net- *** You have been banned from connecting to this server. As most bans are temporary, please wait it out. Evading a ban will result in it being made permanant. If this is a mistake, use the Skulltag forums or e-mail [email protected] to contact an administrator. Please include the ERROR line below in your report.
20:35:10 Closing link: ([email protected]) [Z-Lined: This host (91.220.205.198) is listed in the EFnet blacklist. Please read http://efnetrbl.org for more information. Access from this host will be denied for at least one day.]
20:35:10 * Disconnected

Also, can you open this page? efnetrbl.org/?i=91.220.205.198

Edited by TuxPL, 06 November 2011 - 01:00 PM.




#2
TuxPL
OTL log file

OTL logfile created on: 2011-11-02 21:20:16 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\krystian\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,15 Gb Available Physical Memory | 57,39% Memory free
4,00 Gb Paging File | 2,80 Gb Available in Paging File | 70,15% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 93,53 Gb Total Space | 23,76 Gb Free Space | 25,40% Space Free | Partition Type: NTFS
Drive D: | 92,77 Gb Total Space | 80,08 Gb Free Space | 86,32% Space Free | Partition Type: NTFS
Drive E: | 603,24 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive F: | 931,51 Gb Total Space | 51,19 Gb Free Space | 5,50% Space Free | Partition Type: NTFS

Computer Name: DOM | User Name: krystian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011-11-02 21:19:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\krystian\Desktop\OTL.exe
PRC - [2011-10-24 18:48:28 | 002,078,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2011-09-27 20:34:02 | 000,894,304 | ---- | M] (Spigot, Inc.) -- C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe
PRC - [2011-08-30 14:15:48 | 000,858,112 | ---- | M] () -- C:\Users\krystian\Desktop\IDE\Ide.exe
PRC - [2011-03-29 16:18:35 | 000,399,736 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2010-11-25 19:44:26 | 000,725,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2010-09-20 16:44:21 | 000,621,920 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2010-07-21 08:11:49 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2010-06-23 09:50:15 | 000,515,424 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2010-06-23 09:50:10 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2010-06-23 09:48:42 | 001,101,152 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2010-06-23 09:48:41 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgam.exe
PRC - [2010-04-01 10:16:20 | 000,357,696 | ---- | M] (DT Soft Ltd) -- C:\Program Files\DAEMON Tools Lite\DTLite.exe
PRC - [2009-07-14 02:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009-07-14 02:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011-08-30 14:15:48 | 000,858,112 | ---- | M] () -- C:\Users\krystian\Desktop\IDE\Ide.exe
MOD - [2011-06-09 01:05:56 | 000,738,304 | ---- | M] () -- C:\Users\krystian\Desktop\IDE\ip2c.dll
MOD - [2011-04-11 12:36:54 | 000,528,384 | ---- | M] () -- C:\Users\krystian\Desktop\IDE\zrc.dll
MOD - [2010-04-21 12:35:02 | 000,126,976 | ---- | M] () -- C:\Users\krystian\Desktop\IDE\getwad.dll
MOD - [2009-12-12 14:12:03 | 000,141,824 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll


========== Win32 Services (SafeList) ==========

SRV - [2011-09-27 19:08:40 | 000,745,880 | ---- | M] (Spigot, Inc.) [Auto | Stopped] -- C:\Program Files\Application Updater\ApplicationUpdater.exe -- (Application Updater)
SRV - [2011-03-28 14:41:12 | 001,242,504 | ---- | M] (LogMeIn Inc.) [Auto | Stopped] -- C:\Program Files\LogMeIn Hamachi\hamachi-2.exe -- (Hamachi2Svc)
SRV - [2011-03-18 07:11:02 | 000,947,528 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe -- (AVG Security Toolbar Service)
SRV - [2010-07-21 08:11:49 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2010-06-23 09:50:10 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009-07-14 02:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009-07-14 02:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009-07-14 02:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2011-10-17 16:07:55 | 000,278,984 | ---- | M] () [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\atksgt.sys -- (atksgt)
DRV - [2011-10-17 15:43:17 | 000,025,416 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\lirsgt.sys -- (lirsgt)
DRV - [2011-09-13 18:40:16 | 000,029,712 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\Drivers\avgmfx86.sys -- (AvgMfx86)
DRV - [2011-05-06 22:29:32 | 000,024,848 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\lmvac.sys -- (LTXMD_VAC) Litex Media Virtual Audio Cable (WDM)
DRV - [2011-05-05 19:01:42 | 000,243,152 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgtdix.sys -- (AvgTdiX)
DRV - [2010-07-09 23:37:00 | 011,008,040 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2010-06-23 09:48:43 | 000,216,400 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\Drivers\avgldx86.sys -- (AvgLdx86)
DRV - [2010-04-24 22:07:28 | 000,052,872 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\Drivers\avgrkx86.sys -- (AvgRkx86)
DRV - [2010-04-24 10:52:42 | 000,691,696 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009-07-14 02:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009-07-14 02:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009-07-14 02:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009-07-14 00:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009-07-14 00:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009-07-13 23:02:52 | 000,043,008 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2009-03-18 16:35:40 | 000,026,176 | -H-- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\hamachi.sys -- (hamachi)
DRV - [2004-08-09 12:33:26 | 000,114,016 | ---- | M] (Protection Technology) [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\prohlp02.sys -- (prohlp02)
DRV - [2004-08-09 12:29:28 | 000,053,920 | ---- | M] (Protection Technology) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\prodrv06.sys -- (prodrv06)
DRV - [2004-07-19 15:49:54 | 000,007,040 | ---- | M] (Protection Technology) [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\prosync1.sys -- (prosync1)
DRV - [2003-12-01 16:20:52 | 000,004,832 | ---- | M] (Protection Technology) [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\sfhlp01.sys -- (sfhlp01)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
IE - HKCU\..\URLSearchHook: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.7\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&type=937811&ilc=12"
FF - prefs.js..browser.search.selectedEngine: "Yahoo"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.google.pl"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:9.0.0.872
FF - prefs.js..extensions.enabledItems: avg@igeared:6.010.006.004
FF - prefs.js..extensions.enabledItems: {3d7eb24f-2740-49df-8937-200b1cc08f8a}:1.5.14.2
FF - prefs.js..extensions.enabledItems: [email protected]:3.5
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.6.2
FF - prefs.js..extensions.enabledItems: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.9.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}:1.2.0.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.19.1
FF - prefs.js..extensions.enabledItems: [email protected]:5.0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..keyword.URL: "http://search.yahoo....type=937811&p="

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@idsoftware.com/QuakeLive: C:\ProgramData\id Software\QuakeLive\npquakezero.dll (id Software Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Users\krystian\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Aurora 9.0a2\extensions\\Components: C:\Program Files\Aurora\components [2011-11-02 19:03:21 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Aurora 9.0a2\extensions\\Plugins: C:\Program Files\Aurora\plugins
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2011-09-13 18:41:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files\AVG\AVG9\Toolbar\Firefox\avg@igeared [2011-06-20 21:38:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011-06-23 17:21:18 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011-05-02 16:43:27 | 000,000,000 | ---D | M]

[2010-04-24 09:53:13 | 000,000,000 | ---D | M] (No name found) -- C:\Users\krystian\AppData\Roaming\mozilla\Extensions
[2011-10-07 09:53:39 | 000,000,000 | ---D | M] (No name found) -- C:\Users\krystian\AppData\Roaming\mozilla\Firefox\Profiles\won3vv6d.default\extensions
[2011-09-08 12:35:21 | 000,000,000 | ---D | M] (Greasemonkey) -- C:\Users\krystian\AppData\Roaming\mozilla\Firefox\Profiles\won3vv6d.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
[2011-02-16 21:26:49 | 000,000,000 | ---D | M] (British English Dictionary) -- C:\Users\krystian\AppData\Roaming\mozilla\Firefox\Profiles\won3vv6d.default\extensions\[email protected]
[2011-02-16 21:26:49 | 000,000,000 | ---D | M] (United States English Spellchecker) -- C:\Users\krystian\AppData\Roaming\mozilla\Firefox\Profiles\won3vv6d.default\extensions\[email protected]
[2011-03-13 23:35:07 | 000,000,000 | ---D | M] (Personas) -- C:\Users\krystian\AppData\Roaming\mozilla\Firefox\Profiles\won3vv6d.default\extensions\[email protected]
[2010-04-24 10:53:50 | 000,002,059 | ---- | M] () -- C:\Users\krystian\AppData\Roaming\Mozilla\Firefox\Profiles\won3vv6d.default\searchplugins\daemon-search.xml
[2010-06-06 18:37:08 | 000,002,377 | ---- | M] () -- C:\Users\krystian\AppData\Roaming\Mozilla\Firefox\Profiles\won3vv6d.default\searchplugins\kongregate.xml
[2010-07-15 17:43:27 | 000,000,666 | ---- | M] () -- C:\Users\krystian\AppData\Roaming\Mozilla\Firefox\Profiles\won3vv6d.default\searchplugins\nightwood-pl.xml
[2010-08-18 19:31:45 | 000,005,600 | ---- | M] () -- C:\Users\krystian\AppData\Roaming\Mozilla\Firefox\Profiles\won3vv6d.default\searchplugins\nonsensopedia-pl.xml
[2010-06-16 19:51:09 | 000,003,483 | ---- | M] () -- C:\Users\krystian\AppData\Roaming\Mozilla\Firefox\Profiles\won3vv6d.default\searchplugins\szukaj-na-jm.xml
[2011-10-17 19:15:36 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010-06-21 16:03:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010-08-25 15:26:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010-12-22 15:10:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011-03-07 20:34:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011-06-11 19:39:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
() (No name found) -- C:\USERS\KRYSTIAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\WON3VV6D.DEFAULT\EXTENSIONS\{3D7EB24F-2740-49DF-8937-200B1CC08F8A}.XPI
() (No name found) -- C:\USERS\KRYSTIAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\WON3VV6D.DEFAULT\EXTENSIONS\[email protected]
() (No name found) -- C:\USERS\KRYSTIAN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\WON3VV6D.DEFAULT\EXTENSIONS\[email protected]
[2011-06-23 17:21:17 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011-05-04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2011-06-23 17:21:09 | 000,002,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\allegro-pl.xml
[2011-06-23 17:21:09 | 000,001,406 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fbc-pl.xml
[2011-06-23 17:21:09 | 000,000,917 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\merlin-pl.xml
[2011-06-23 17:21:09 | 000,000,858 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\pwn-pl.xml
[2011-06-23 17:21:09 | 000,001,183 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-pl.xml
[2011-06-23 17:21:09 | 000,001,683 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wp-pl.xml

O1 HOSTS File: ([2009-06-10 22:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O2 - BHO: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.7\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKLM\..\Toolbar: (ImageShack Toolbar) - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll (ImageShack Corp.)
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
O3 - HKLM\..\Toolbar: (YouTube Downloader Toolbar) - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.7\youtubedownloaderToolbarIE.dll (Spigot, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [LogMeIn Hamachi Ui] C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe (LogMeIn Inc.)
O4 - HKLM..\Run: [PrzyspieszKomputer] C:\Program Files\Przyspiesz Komputer\przyspieszkomputer.exe File not found
O4 - HKLM..\Run: [SearchSettings] C:\Program Files\Common Files\Spigot\Search Settings\SearchSettings.exe (Spigot, Inc.)
O4 - HKCU..\Run: [1] C:\Users\krystian\AppData\Roaming\d.exe File not found
O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\DTLite.exe (DT Soft Ltd)
O4 - HKCU..\Run: [svchost] C:\Users\krystian\AppData\Roaming\svchost.exe File not found
O4 - HKCU..\Run: [svchost.exe] C:\Users\krystian\Desktop\d.exe File not found
O4 - HKCU..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Users\krystian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk = C:\Users\krystian\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Post Image to Blog - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll (ImageShack Corp.)
O8 - Extra context menu item: Tag This Image - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll (ImageShack Corp.)
O8 - Extra context menu item: Transload Image to ImageShack - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll (ImageShack Corp.)
O8 - Extra context menu item: Upload All Images to ImageShack - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll (ImageShack Corp.)
O8 - Extra context menu item: Upload Image to ImageShack - C:\Program Files\ImageShackToolbar\ImageShackToolbar.dll (ImageShack Corp.)
O13 - gopher Prefix: missing
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} http://toolbar.image...hackToolbar.cab (ImageShack Toolbar)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.176.177.78 8.8.8.8 217.17.34.10
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{611CD6AF-EE13-4514-BA4F-5E6BE68E85CB}: NameServer = 91.220.205.210 91.220.205.211
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{7952EB2E-F9D9-4DFB-9001-EC5254A65ACB}: DhcpNameServer = 10.176.177.78 8.8.8.8 217.17.34.10
O18 - Protocol\Handler\avgsecuritytoolbar {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll ()
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O20 - AppInit_DLLs: (avgrsstx.dll) -C:\Windows\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) -C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-06-10 22:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010-04-24 07:55:19 | 000,000,000 | ---- | M] () - D:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2000-01-13 16:04:18 | 000,000,066 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O32 - AutoRun File - [2010-04-24 04:01:41 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{5847328d-539c-11df-9efb-00a1b00013dc}\Shell - "" = AutoRun
O33 - MountPoints2\{5847328d-539c-11df-9efb-00a1b00013dc}\Shell\AutoRun\command - "" = J:\autorun.exe
O33 - MountPoints2\{6f9a7e05-4f71-11df-9673-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{6f9a7e05-4f71-11df-9673-806e6f6e6963}\Shell\AutoRun\command - "" = E:\_AUTORUN\Autorun.exe -- [2000-02-07 12:20:10 | 000,036,864 | R--- | M] (New World Computing)
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011-11-02 21:18:46 | 000,584,192 | ---- | C] (OldTimer Tools) -- C:\Users\krystian\Desktop\OTL.exe
[2011-10-21 18:17:03 | 000,000,000 | ---D | C] -- C:\Users\krystian\Desktop\screen
[2011-10-19 18:51:33 | 000,000,000 | R--D | C] -- C:\Users\krystian\Documents\Notes
[2011-10-17 19:15:35 | 000,000,000 | ---D | C] -- C:\Program Files\Application Updater
[2011-10-17 19:15:34 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader Toolbar
[2011-10-16 21:37:01 | 000,000,000 | ---D | C] -- C:\Users\krystian\Desktop\IDE
[2011-10-14 12:30:07 | 000,000,000 | ---D | C] -- C:\Users\krystian\AppData\Local\MDK2HD
[2011-10-14 12:29:21 | 000,000,000 | ---D | C] -- C:\Users\krystian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\MDK2 HD
[2011-10-11 18:59:42 | 000,000,000 | ---D | C] -- C:\Users\krystian\Desktop\Mus
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Users\krystian\AppData\Local\*.tmp files -> C:\Users\krystian\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011-11-02 21:19:06 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\krystian\Desktop\OTL.exe
[2011-11-02 21:10:03 | 000,001,040 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011-11-02 19:16:54 | 088,426,382 | ---- | M] () -- C:\Windows\System32\drivers\Avg\incavi.avm
[2011-11-02 19:08:32 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011-11-02 19:08:32 | 000,014,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011-11-02 19:01:25 | 000,001,036 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011-11-02 19:00:50 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011-11-02 19:00:47 | 1608,880,128 | -HS- | M] () -- C:\hiberfil.sys
[2011-11-01 10:30:48 | 000,737,242 | ---- | M] () -- C:\Windows\System32\perfh015.dat
[2011-11-01 10:30:48 | 000,655,534 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011-11-01 10:30:48 | 000,157,964 | ---- | M] () -- C:\Windows\System32\perfc015.dat
[2011-11-01 10:30:48 | 000,128,166 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011-10-31 17:26:20 | 181,892,369 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011-10-17 16:07:55 | 000,278,984 | ---- | M] () -- C:\Windows\System32\drivers\atksgt.sys
[2011-10-17 15:43:17 | 000,025,416 | ---- | M] () -- C:\Windows\System32\drivers\lirsgt.sys
[2011-10-14 19:25:01 | 000,000,541 | ---- | M] () -- C:\Users\krystian\Desktop\MDK2 HD.lnk
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\Users\krystian\AppData\Local\*.tmp files -> C:\Users\krystian\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011-10-28 16:49:08 | 002,887,197 | ---- | C] () -- C:\Users\krystian\Desktop\Helltheme2.wad
[2011-10-17 15:43:17 | 000,278,984 | ---- | C] () -- C:\Windows\System32\drivers\atksgt.sys
[2011-10-17 15:43:16 | 000,025,416 | ---- | C] () -- C:\Windows\System32\drivers\lirsgt.sys
[2011-10-14 12:29:21 | 000,000,541 | ---- | C] () -- C:\Users\krystian\Desktop\MDK2 HD.lnk
[2011-09-08 16:15:09 | 000,000,000 | ---- | C] () -- C:\Users\krystian\AppData\Local\{839E0E44-6FEC-4D1B-9E39-74E59F1CEF04}
[2011-08-29 12:03:16 | 000,027,246 | ---- | C] () -- C:\Windows\DIIUnin.dat
[2011-07-24 17:09:51 | 000,000,303 | ---- | C] () -- C:\Windows\doom3.ini
[2011-07-06 15:19:37 | 000,010,240 | ---- | C] () -- C:\Windows\System32\vidx16.dll
[2011-06-25 17:17:39 | 000,000,069 | ---- | C] () -- C:\Windows\drD3D.ini
[2011-04-14 12:59:58 | 000,000,539 | ---- | C] () -- C:\Windows\H2_Setup.INI
[2010-12-17 19:44:59 | 000,819,200 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2010-12-17 19:44:59 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2010-11-25 17:30:41 | 000,007,629 | ---- | C] () -- C:\Users\krystian\AppData\Local\Resmon.ResmonCfg
[2010-09-08 21:52:30 | 000,040,960 | R--- | C] () -- C:\Windows\System32\psfind.dll
[2010-06-14 17:51:44 | 000,000,033 | ---- | C] () -- C:\Windows\lg.ini
[2010-06-05 07:50:03 | 000,000,000 | ---- | C] () -- C:\Users\krystian\AppData\Local\prvlcl.dat
[2010-05-08 14:47:05 | 000,021,840 | ---- | C] () -- C:\Windows\System32\SIntfNT.dll
[2010-05-08 14:47:05 | 000,017,212 | ---- | C] () -- C:\Windows\System32\SIntf32.dll
[2010-05-08 14:47:05 | 000,012,067 | ---- | C] () -- C:\Windows\System32\SIntf16.dll
[2010-04-27 20:18:26 | 000,138,784 | ---- | C] () -- C:\Windows\System32\drivers\PnkBstrK.sys
[2010-04-27 13:23:03 | 000,202,008 | ---- | C] () -- C:\Windows\System32\PnkBstrB.exe
[2010-04-27 13:23:00 | 002,373,712 | ---- | C] () -- C:\Windows\System32\pbsvc.exe
[2010-04-27 13:23:00 | 000,075,064 | ---- | C] () -- C:\Windows\System32\PnkBstrA.exe
[2010-04-09 21:08:26 | 000,094,208 | ---- | C] () -- C:\Windows\System32\zmbv.dll
[2009-11-06 09:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009-07-14 09:07:57 | 000,737,242 | ---- | C] () -- C:\Windows\System32\perfh015.dat
[2009-07-14 09:07:57 | 000,337,158 | ---- | C] () -- C:\Windows\System32\perfi015.dat
[2009-07-14 09:07:57 | 000,157,964 | ---- | C] () -- C:\Windows\System32\perfc015.dat
[2009-07-14 09:07:57 | 000,038,710 | ---- | C] () -- C:\Windows\System32\perfd015.dat
[2009-07-14 05:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009-07-14 05:33:53 | 000,420,888 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009-07-14 03:05:48 | 000,655,534 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009-07-14 03:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009-07-14 03:05:48 | 000,128,166 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009-07-14 03:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009-07-14 03:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009-07-14 03:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009-07-14 01:19:49 | 000,066,048 | ---- | C] () -- C:\Windows\System32\PrintBrmUi.exe
[2009-07-14 00:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009-07-14 00:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009-07-14 00:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009-06-10 22:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2005-02-05 20:46:00 | 000,004,608 | ---- | C] () -- C:\Windows\fgexec.dll

< End of report >


Extras log file

OTL Extras logfile created on: 2011-11-02 21:20:16 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\krystian\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

2,00 Gb Total Physical Memory | 1,15 Gb Available Physical Memory | 57,39% Memory free
4,00 Gb Paging File | 2,80 Gb Available in Paging File | 70,15% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 93,53 Gb Total Space | 23,76 Gb Free Space | 25,40% Space Free | Partition Type: NTFS
Drive D: | 92,77 Gb Total Space | 80,08 Gb Free Space | 86,32% Space Free | Partition Type: NTFS
Drive E: | 603,24 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive F: | 931,51 Gb Total Space | 51,19 Gb Free Space | 5,50% Space Free | Partition Type: NTFS

Computer Name: DOM | User Name: krystian | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Aurora\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}" = Battlefield 2™
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 3.3
"{1DF5019A-68B5-4ba1-8E59-E185C7B7FF11}" = Komunikator WTW 0.8.16.2818
"{1F77C418-2C90-459C-BD33-B56A4182B9FA}" = System Requirements Lab CYRI
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Narzędzie do przekazywania usługi Windows Live
"{20D9C678-A895-4F76-8AC2-22EDFF5F9C91}" = American McGee presents Scrapland
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java™ 6 Update 26
"{2BFC7AA0-544C-4E3A-8796-67F3BE655BE9}" = Microsoft XNA Framework Redistributable 4.0
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{2E517BBB-916F-4AB6-80E0-D4A292513F7A}_is1" = Odamex 0.5.3
"{2F95D723-72D2-425C-A238-367FF157B6EE}" = Heroes of Might and Magic III - Złota Edycja
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{321320E1-0E5A-36CB-9E52-F3B201B8C4D4}" = Microsoft .NET Framework 4 Client Profile PLK Language Pack
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F2B3914-A927-4D1E-8417-E7B7C3339434}" = YouTube Downloader Toolbar v4.7
"{412B69AF-C352-4F6F-A318-B92B3CB9ACC6}" = Titan Quest
"{47BF68F4-D0C5-462E-B8A0-87B030458D71}" = Dark Messiah of Might and Magic
"{491DFBAA-77EF-4B06-8676-2FC66EEE049A}" = LogMeIn Hamachi
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A05CCFA-A447-485B-85E7-92D9C66620BE}" = Thief II: The Metal Age
"{4D5219EC-BFF8-4B7F-AB92-6D827BB37CB0}" = Windows Live Messenger
"{51958BA7-21E4-4A8B-9098-CD8375BD17B2}" = Asystent rejestracji usługi Windows Live
"{52A4E146-A102-4ED0-970F-6B1715EB3C86}" = Quake Live Mozilla Plugin
"{53415463-511C-43B8-AF5A-28B1E449A575}" = Terrafirma
"{5454085C-840F-4070-8FAA-441000028301}" = BioShock 2
"{5454085C-840F-4070-8FAA-441000028302}" = BioShock 2
"{5454085C-840F-4070-8FAA-441000028303}" = BioShock 2
"{59E4B0EE-C17B-4197-99D2-6F0DBD6C6DC2}" = Heroes of Might and Magic IV - Złota Edycja
"{5C19E2DC-4CCF-3114-B40A-6E565987025F}" = Microsoft .NET Framework 4 Extended PLK Language Pack
"{5F055711-2CAF-4323-8443-BEE4913FC7E6}" = Shade: Gniew Aniołów
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{79E37F9C-9330-42BA-9F49-4237A2F1C1C1}" = ImageShack Toolbar for Internet Explorer
"{7C503E58-B2BC-11D5-978A-0050BA84F5F7}" = Neverwinter Nights
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{8661249D-8825-43D2-B467-64B218933B8E}_is1" = Postal 10th Anniversary
"{8A809006-C25A-4A3A-9DAB-94659BCDB107}" = NVIDIA PhysX
"{90120000-0015-0415-0000-0000000FF1CE}" = Microsoft Office Access MUI (Polish) 2007
"{90120000-0015-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0016-0415-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Polish) 2007
"{90120000-0016-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0018-0415-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Polish) 2007
"{90120000-0018-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0019-0415-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Polish) 2007
"{90120000-0019-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001A-0415-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Polish) 2007
"{90120000-001A-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001B-0415-0000-0000000FF1CE}" = Microsoft Office Word MUI (Polish) 2007
"{90120000-001B-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0407-0000-0000000FF1CE}" = Microsoft Office Proof (German) 2007
"{90120000-001F-0407-0000-0000000FF1CE}_ENTERPRISE_{A0516415-ED61-419A-981D-93596DA74165}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-001F-0415-0000-0000000FF1CE}" = Microsoft Office Proof (Polish) 2007
"{90120000-001F-0415-0000-0000000FF1CE}_ENTERPRISE_{E9EA2604-8AC9-47D2-8F4B-6BF60787A357}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-002C-0415-0000-0000000FF1CE}" = Microsoft Office Proofing (Polish) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-0044-0415-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Polish) 2007
"{90120000-0044-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-006E-0415-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Polish) 2007
"{90120000-006E-0415-0000-0000000FF1CE}_ENTERPRISE_{D45F91DE-F0FC-4D5F-9A0C-FDE5B251AAC6}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00A1-0415-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Polish) 2007
"{90120000-00A1-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{90120000-00BA-0415-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Polish) 2007
"{90120000-00BA-0415-0000-0000000FF1CE}_ENTERPRISE_{79EB535E-76E4-4356-8146-A24EE55AB69D}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
"{92C0EEE0-EA16-4B95-84B6-A060B589081B}" = Disciples II - Bunt Elfów
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9DF0196F-B6B8-4C3A-8790-DE42AA530101}" = SPORE™
"{A4AD4CBF-D102-49FA-BE8D-0C233106994B}_is1" = Chicken Invaders 4 - Ultimate Omelette version 4.00ra
"{A724605D-B399-4304-B8C7-33B3EF7D4677}" = Bully Scholarship Edition
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA2B8B96-BD4A-4C21-8C7B-DE97C5052BB5}" = Thief GOLD
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.4
"{B0DC2DA9-2AF9-422A-88E0-1B84E0F65DB5}" = Speed-Link SL-6535 USB Pad
"{B3FED300-806C-11E0-A0D0-B8AC6F97B88E}" = Google Earth
"{B5C5C17E-FEF6-4062-8151-A427AE8AF9D7}" = Titan Quest Immortal Throne
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C0086B27-8E52-42D4-8393-236391EF18F6}" = Heroes of Might and Magic V
"{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"{C5096D00-8B9C-41DB-8472-9D721E982DF0}" = Podstawowe programy Windows Live
"{CE0900ED-C76A-40C0-8DB4-0F68D825B283}_is1" = Stranded II 1.0.0.1
"{D39C5977-5E82-49B5-8220-CBF508892621}" = Heroes of Might and Magic V - Kuźnia Przeznaczenia
"{D5395E5F-4D45-4665-8F00-234FA33678AF}" = SlimDX Redistributable (March 2009)
"{D7B3493D-766C-40AA-9AA9-053B896D76DE}" = Angry Birds Rio
"{E3E71D07-CD27-46CB-8448-16D4FB29AA13}" = Microsoft WSE 3.0 Runtime
"{E52D32A0-0005-11D7-928D-000ACD006A23}" = The Elder Scrolls III - Morrowind Złota Edycja
"{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}" = Doom 3
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F138762F-5A1F-4CF0-A5E1-1588EF6088A4}" = Wiedźmin
"{F20C1251-1D0A-4944-B2AE-678581B33B19}" = Neverwinter Nights 2
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Activision_H2UninstallKey" = Hexen II
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Aurora 9.0a2 (x86 pl)" = Aurora 9.0a2 (x86 pl)
"AVG9Uninstall" = AVG 9.0
"Classic Doom 3" = Classic Doom 3 1.3.1
"DeusEx_is1" = Deus Ex
"D-Fend Reloaded" = D-Fend Reloaded 1.1.0 (odinstaluj)
"Diablo II" = Diablo II
"Doom Builder 2_is1" = Doom Builder 2.1
"Doom Builder_is1" = Doom Builder
"Dungeon Keeper 2 Power Pack PL_is1" = Dungeon Keeper 2 Power Pack 1.7 PL
"DXIW_is1" = Deus Ex - Invisible War
"EADM" = EA Download Manager
"ENTERPRISE" = Microsoft Office Enterprise 2007
"foobar2000" = foobar2000 v1.0.3
"Gadu-Gadu 10" = Gadu-Gadu 10
"hedgewars" = Hedgewars
"InstallShield_{4A05CCFA-A447-485B-85E7-92D9C66620BE}" = Thief II: The Metal Age
"InstallShield_{A724605D-B399-4304-B8C7-33B3EF7D4677}" = Bully Scholarship Edition
"InstallShield_{AA2B8B96-BD4A-4C21-8C7B-DE97C5052BB5}" = Thief GOLD
"InstallShield_{C3C9EB3D-24FA-4462-B784-0EC6AAFCD2DD}" = Fable - The Lost Chapters
"InstallShield_{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}" = Doom 3
"Jazz Jackrabbit 2" = Jazz Jackrabbit 2
"Jazz Jackrabbit 2 Christmas Chronicles 99" = Jazz Jackrabbit 2 Christmas Chronicles 99
"Jazz Jackrabbit 2 Holiday Hare 98" = Jazz Jackrabbit 2 Holiday Hare 98
"Jazz Jackrabbit 2 Secret Files" = Jazz Jackrabbit 2 Secret Files
"LogMeIn Hamachi" = LogMeIn Hamachi
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Client Profile PLK Language Pack" = Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft .NET Framework 4 Extended PLK Language Pack" = Polski pakiet językowy dla programu Microsoft .NET Framework 4 Extended
"Mortyr" = Mortyr
"Mozilla Firefox 5.0 (x86 pl)" = Mozilla Firefox 5.0 (x86 pl)
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"Protected Music Converter_is1" = Protected Music Converter version 1.9.7.2
"PunkBusterSvc" = PunkBuster Services
"Skulltag" = Skulltag
"Spring Up Harmony_is1" = Spring Up Harmony 1.0
"SShockDeinstallKey" = System Shock2
"Unreal Tournament 2004_is1" = Unreal Tournament 2004
"uTorrent" = µTorrent
"Viva Pinata_is1" = 1.0
"WinDjView" = WinDjView 1.0.2
"WinLiveSuite_Wave3" = Podstawowe programy Windows Live
"WinRAR archiver" = WinRAR archiver
"ZDaemon" = ZDaemon (remove only)
"ZMBV" = Zip Motion Block Video codec (Remove Only)

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

#3 SweetTech (Sir SpamAlot; Retired Staff; 7,671 posts)
Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. :yes:

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in a delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days
    failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

VirusTotal File Scan
Please go to: VirusTotal
  • Click the Choose File button and search for the following file: C:\Users\krystian\Desktop\IDE\Ide.exe
  • Click Open
  • Then click Send File
If it says already scanned -- click "reanalyze now"

  • Please be patient while the file is scanned.
  • Once the scan results appear, please click on the Compact button.
  • A new window should appear with a bunch of tabs at the top. Please click on the BBCode tab.
  • Copy and Paste the contents of the text in the BBCode into your next reply for me to review.


Please post the results in your next reply


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
    FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
    [2010-06-21 16:03:34 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    [2010-08-25 15:26:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    [2010-12-22 15:10:29 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    [2011-03-07 20:34:12 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
    [2011-06-11 19:39:55 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O4 - HKLM..\Run: [PrzyspieszKomputer] C:\Program Files\Przyspiesz Komputer\przyspieszkomputer.exe File not found
    O4 - HKCU..\Run: [1] C:\Users\krystian\AppData\Roaming\d.exe File not found
    O4 - HKCU..\Run: [svchost] C:\Users\krystian\AppData\Roaming\svchost.exe File not found
    O4 - HKCU..\Run: [svchost.exe] C:\Users\krystian\Desktop\d.exe File not found
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O33 - MountPoints2\{5847328d-539c-11df-9efb-00a1b00013dc}\Shell - "" = AutoRun
    O33 - MountPoints2\{5847328d-539c-11df-9efb-00a1b00013dc}\Shell\AutoRun\command - "" = J:\autorun.exe
    O33 - MountPoints2\{6f9a7e05-4f71-11df-9673-806e6f6e6963}\Shell - "" = AutoRun
    O33 - MountPoints2\{6f9a7e05-4f71-11df-9673-806e6f6e6963}\Shell\AutoRun\command - "" = E:\_AUTORUN\Autorun.exe -- [2000-02-07 12:20:10 | 000,036,864 | R--- | M] (New World Computing)
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:


Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning



NEXT:



What issues are you currently experiencing with your computer?
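Two of the steps in this post produce text a helper then reads by eye: the O4 autorun lines in the OTL fix, and the per-engine lines of a VirusTotal compact report. Below is an added example, written for this thread and not OTL's or VirusTotal's own code, that applies the same checks mechanically: it flags Run values whose file is gone (File not found), files named after a system binary but living outside System32, value names that borrow a system-binary name while launching something else, and autoruns started from a user-writable path; and it reduces a VirusTotal report to a detection count, treating one or two generic or heuristic names as weak evidence. The O4 sample lines are the ones quoted in the fix above. The VirusTotal sample lines, and the lists SYSTEM_BINARY_NAMES, SYSTEM_DIRS and USER_WRITABLE_MARKERS, are constructed assumptions for illustration, not a complete reference.

```python
# Added triage example for this thread; not OTL's or VirusTotal's own code.
# The O4 lines are the ones quoted in the fix above; the VirusTotal lines and
# the three constant lists below are constructed assumptions for illustration.
import re
from dataclasses import dataclass, field

SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}      # assumed
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}                      # assumed
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\desktop\\", "\\users\\public\\", "\\temp\\")  # assumed

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\.\.\\Run: \[(?P<name>[^\]]*)\]\s*(?P<rest>.*)$")
# Splits "C:\dir with spaces\tool.exe -k arg (Vendor)" into the path and what follows it.
PATH_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|bat|cmd|com|pif|vbs|js))\b(?P<tail>.*)$", re.I)
GENERIC_RE = re.compile(r"generic|suspicious|heur|unclassified", re.I)


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def triage_o4(line):
    """Return a Finding for an OTL O4 line (empty reasons if nothing odd); None otherwise."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    pm = PATH_RE.match(m.group("rest").strip())
    path, tail = (pm.group("path"), pm.group("tail")) if pm else ("", m.group("rest"))
    f = Finding(m.group("hive"), m.group("name"), path)
    directory, _, base = path.lower().rpartition("\\")
    if not path:
        f.reasons.append("empty Run value")
    if "File not found" in tail:
        f.reasons.append("orphaned entry (File not found)")  # file gone, launcher still there
    if base in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        f.reasons.append(f"{base} outside a system directory")
    vname = f.name.lower()
    if vname and not vname.endswith(".exe"):
        vname += ".exe"
    if vname in SYSTEM_BINARY_NAMES and base != vname:
        f.reasons.append(f"value name impersonates {vname} but launches {base or 'nothing'}")
    if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
        f.reasons.append("launched from a user-writable path")
    return f


def triage_otl(lines):
    """Keep only the O4 lines that raised at least one reason."""
    return [f for f in map(triage_o4, lines) if f and f.reasons]


def summarize_vt(lines):
    """Parse 'Engine - version - date - result' lines; a result of '-' means no detection."""
    total, hits = 0, {}
    for line in lines:
        parts = [p.strip() for p in line.strip().split(" - ", 3)]
        if len(parts) != 4:
            continue
        engine, _version, _date, result = parts
        total += 1
        if result and result != "-":
            hits[engine] = result
    return total, hits


def vt_confidence(total, hits):
    """One or two generic/heuristic names is weak evidence; anything more needs a human look."""
    if not hits:
        return "clean"
    if len(hits) <= 2 and all(GENERIC_RE.search(r) for r in hits.values()):
        return "low"
    return "review"


SAMPLE_OTL = r"""
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [PrzyspieszKomputer] C:\Program Files\Przyspiesz Komputer\przyspieszkomputer.exe File not found
O4 - HKCU..\Run: [1] C:\Users\krystian\AppData\Roaming\d.exe File not found
O4 - HKCU..\Run: [svchost] C:\Users\krystian\AppData\Roaming\svchost.exe File not found
O4 - HKCU..\Run: [svchost.exe] C:\Users\krystian\Desktop\d.exe File not found
""".strip().splitlines()

# Constructed sample in the VirusTotal compact layout (not a real report).
SAMPLE_VT = """
AhnLab-V3 - 2011.11.09.00 - 2011.11.09 - -
Kaspersky - 9.0.0.837 - 2011.11.10 - -
McAfee-GW-Edition - 2010.1D - 2011.11.09 - -
Rising - 23.83.01.01 - 2011.11.08 - Suspicious
Sophos - 4.71.0 - 2011.11.10 - Mal/Generic-L
Symantec - 20111.2.0.82 - 2011.11.10 - -
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage_otl(SAMPLE_OTL):
        print(f"{f.hive} [{f.name}] {f.path or '<empty>'}: {'; '.join(f.reasons)}")
    total, hits = summarize_vt(SAMPLE_VT)
    print(f"VirusTotal: {len(hits)}/{total} engines flagged, confidence={vt_confidence(total, hits)}", hits)
```

Run as a script it prints one line per flagged autorun and the VirusTotal summary. All five O4 lines from the fix are flagged, and three of them for more than one reason: a value named svchost or svchost.exe that points at AppData\Roaming or the Desktop is the classic pattern, and it stays worth removing even though the file is already gone, because whatever dropped it can drop it again. The "low" confidence reading is deliberate: a couple of generic or heuristic names from a 40-plus engine sweep is a prompt to check the file's origin and hash, not a verdict.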

#4 TuxPL (New Member; Topic Starter; 7 posts)
Hey, sorry for the long time without responding...

IDE is 100% safe. It is Internet Doom Explorer, used to connect with Skulltag. Also, that d.exe and svchost.exe in Roaming are weird; I removed d.exe and one more file that I don't remember a long time ago. svchost stayed until I heard from one buddy that svchosts are ONLY safe in system32. http://imageshack.us...6/36492690.png/

IDE antivirus results:
AhnLab-V3 - 2011.11.09.00 - 2011.11.09 - -
AntiVir - 7.11.17.113 - 2011.11.10 - -
Antiy-AVL - 2.0.3.7 - 2011.11.09 - -
Avast - 6.0.1289.0 - 2011.11.09 - -
AVG - 10.0.0.1190 - 2011.11.09 - -
BitDefender - 7.2 - 2011.11.10 - -
ByteHero - 1.0.0.1 - 2011.11.04 - -
CAT-QuickHeal - 11.00 - 2011.11.10 - -
ClamAV - 0.97.3.0 - 2011.11.10 - -
Commtouch - 5.3.2.6 - 2011.11.10 - -
Comodo - 10733 - 2011.11.10 - -
DrWeb - 5.0.2.03300 - 2011.11.10 - -
Emsisoft - 5.1.0.11 - 2011.11.10 - -
eSafe - 7.0.17.0 - 2011.11.09 - -
eTrust-Vet - 36.1.8666 - 2011.11.09 - -
F-Prot - 4.6.5.141 - 2011.11.09 - -
F-Secure - 9.0.16440.0 - 2011.11.10 - -
Fortinet - 4.3.370.0 - 2011.11.10 - -
GData - 22 - 2011.11.10 - -
Ikarus - T3.1.1.109.0 - 2011.11.10 - -
Jiangmin - 13.0.900 - 2011.11.09 - -
K7AntiVirus - 9.119.5423 - 2011.11.09 - -
Kaspersky - 9.0.0.837 - 2011.11.10 - -
McAfee - 5.400.0.1158 - 2011.11.10 - -
McAfee-GW-Edition - 2010.1D - 2011.11.09 - -
Microsoft - 1.7801 - 2011.11.10 - -
NOD32 - 6617 - 2011.11.10 - -
Norman - 6.07.13 - 2011.11.08 - -
nProtect - 2011-11-10.01 - 2011.11.10 - -
Panda - 10.0.3.5 - 2011.11.09 - -
PCTools - 8.0.0.5 - 2011.11.10 - -
Prevx - 3.0 - 2011.11.10 - -
Rising - 23.83.01.01 - 2011.11.08 - Suspicious
Sophos - 4.71.0 - 2011.11.10 - Mal/Generic-L
SUPERAntiSpyware - 4.40.0.1006 - 2011.11.10 - -
Symantec - 20111.2.0.82 - 2011.11.10 - -
TheHacker - 6.7.0.1.341 - 2011.11.09 - -
TrendMicro - 9.500.0.1008 - 2011.11.10 - -
TrendMicro-HouseCall - 9.500.0.1008 - 2011.11.10 - -
VBA32 - 3.12.16.4 - 2011.11.09 - -
VIPRE - 11009 - 2011.11.10 - -
ViRobot - 2011.11.10.4766 - 2011.11.10 - -
VirusBuster - 14.1.55.1 - 2011.11.09 - -
File info:
MD5: 53b340a4aaaf360dc68df31b14fddcc3
SHA1: 6c9d8e123b9c2dc3088bc14ebc479ce081d6074c
SHA256: 0bc940a7924a695b6e408999a5f4139102e9353cf2fe45d3d6d95c346a6bbec7
File size: 858112 bytes
Scan date: 2011-11-10 09:20:09 (UTC)

Strange OTL issue: it freezes on E:\_AUTORUN... It must be closed and Explorer must be opened again. E: is my DVD drive; also, there is almost always the HoMM3 CD in it.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-10 11:28:15
Windows 6.1.7600 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-3 WDC_WD2000JD-00HBB0 rev.08.02D08
Running: gmer.exe; Driver: C:\Users\krystian\AppData\Local\Temp\pxldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C8A8E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82CAA3B2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spcr.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 90EADCA0 5 Bytes JMP 86A861D8
.text azcob16t.SYS 90EED000 12 Bytes [44, 38, C2, 82, EE, 36, C2, ...]
.text azcob16t.SYS 90EED00D 9 Bytes [17, C2, 82, 48, 3B, C2, 82, ...] {POP SS; RET 0x4882; CMP EAX, EDX; ADD BYTE [EAX], 0x0}
.text azcob16t.SYS 90EED017 85 Bytes [00, DE, 07, B1, 89, E6, 05, ...]
.text azcob16t.SYS 90EED06D 84 Bytes [70, C8, 82, 50, 91, CA, 82, ...]
.text azcob16t.SYS 90EED0C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ...
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9371A300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[1864] SHELL32.dll!SHFileOperationW 76B696B8 5 Bytes JMP 02D31102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 850961F8
Device \Driver\volmgr \Device\VolMgrControl 850921F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{7952EB2E-F9D9-4DFB-9001-EC5254A65ACB} 868971F8
Device \Driver\usbuhci \Device\USBPDO-0 866ED1F8
Device \Driver\usbuhci \Device\USBPDO-1 866ED1F8
Device \Driver\usbuhci \Device\USBPDO-2 866ED1F8
Device \Driver\usbuhci \Device\USBPDO-3 866ED1F8
Device \Driver\usbehci \Device\USBPDO-4 86A9D500

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume1 850921F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\volmgr \Device\HarddiskVolume2 850921F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\NetBT \Device\NetBT_Tcpip_{611CD6AF-EE13-4514-BA4F-5E6BE68E85CB} 868971F8
Device \Driver\cdrom \Device\CdRom0 868181F8
Device \Driver\volmgr \Device\HarddiskVolume3 850921F8

AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 850941F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 850941F8
Device \Driver\atapi \Device\Ide\IdePort0 850941F8
Device \Driver\atapi \Device\Ide\IdePort1 850941F8
Device \Driver\atapi \Device\Ide\IdePort2 850941F8
Device \Driver\atapi \Device\Ide\IdePort3 850941F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 850941F8
Device \Driver\cdrom \Device\CdRom1 868181F8
Device \Driver\cdrom \Device\CdRom2 868181F8
Device \Driver\cdrom \Device\CdRom3 868181F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{94909114-8E6E-4365-A732-E7D3E5FFCB5A} 868971F8
Device \Driver\cdrom \Device\CdRom4 868181F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 868971F8

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_PNP3120 \Device\0000005f spcr.sys
Device \Driver\usbuhci \Device\USBFDO-0 866ED1F8
Device \Driver\usbuhci \Device\USBFDO-1 866ED1F8
Device \Driver\usbuhci \Device\USBFDO-2 866ED1F8
Device \Driver\usbuhci \Device\USBFDO-3 866ED1F8
Device \Driver\usbehci \Device\USBFDO-4 86A9D500
Device \Driver\sptd \Device\3105299370 spcr.sys
Device \Driver\azcob16t \Device\Scsi\azcob16t1Port4Path0Target2Lun0 86FD4500
Device \Driver\azcob16t \Device\Scsi\azcob16t1Port4Path0Target0Lun0 86FD4500
Device \Driver\azcob16t \Device\Scsi\azcob16t1 86FD4500
Device \Driver\azcob16t \Device\Scsi\azcob16t1Port4Path0Target3Lun0 86FD4500
Device \Driver\azcob16t \Device\Scsi\azcob16t1Port4Path0Target1Lun0 86FD4500
Device \FileSystem\cdfs \Cdfs 8680C1F8

---- Threads - GMER 1.0.15 ----

Thread System [4:1352] A2502F2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 13156
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 16257
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{79936BA6-5CB9-4F52-9B4E-787C66B1C91D} v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=58|ICMP6=128:*|App=System|[email protected],-502|[email protected],-28547|[email protected],-25000|
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@{A21C35B2-1BCD-4CD0-BEE6-D5F3FEF9D053} v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=58|ICMP6=128:*|[email protected],-503|[email protected],-28547|[email protected],-25000|
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC9 0x3D 0xA6 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE7 0x3A 0xCD 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x33 0x25 0x3F 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x28 0x1A 0x15 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x88 0x59 0x60 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0xE1 0xD6 0xF0 0x0E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC9 0x3D 0xA6 0x5B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE7 0x3A 0xCD 0xA5 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x33 0x25 0x3F 0x37 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x28 0x1A 0x15 0x36 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x88 0x59 0x60 0x96 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0xE1 0xD6 0xF0 0x0E ...

---- EOF - GMER 1.0.15 ----

My computer seems slower, Aurora skins are removed, Flashblock whitelist sites are removed...

Edited by TuxPL, 10 November 2011 - 04:34 AM.

  • 0

#5
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

IDE is 100% safe. It is Internet Doom Explorer, used to connect with Skulltag. Also, that d.exe and svchost.exe in Roaming are weird; I removed d.exe and one more file that I don't remember a long time ago. Svchost stayed until I heard from one buddy that svchosts are ONLY safe in System32. http://imageshack.us...6/36492690.png/

Okay, thanks for that information regarding IDE. The d.exe and svchost.exe are both malicious. svchost.exe is usually a legitimate process in the System32 folder.


Well, let's see what this scan finds:

Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.

  • 0

#6
TuxPL

TuxPL

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Also, my computer seems really slow; also, when I ran the computer, it wouldn't boot up, I had to restart it... Also, that AVG uninstall... will be painful to install again. Can't I just disable it from boot-up with msconfig?

Also, d.exe and svchost.exe were way too late: I got block messages in July, they appeared in... early October.

Edited by TuxPL, 11 November 2011 - 03:34 PM.

  • 0

#7
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Please don't worry about removing AVG for right now. I don't believe you have the version of it installed that conflicted with ComboFix, so you should be good to run it.
  • 0

#8
TuxPL

TuxPL

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ComboFix 11-11-12.02 - krystian 2011-11-12 10:41:26.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1250.48.1045.18.2046.1366 [GMT 1:00]
Uruchomiony z: c:\users\krystian\Desktop\ComboFix.exe
AV: AVG Anti-Virus *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\IsUn0415.exe
F:\install.exe
.
.
((((((((((((((((((((((((( Pliki utworzone od 2011-10-12 do 2011-11-12 )))))))))))))))))))))))))))))))
.
.
2011-11-12 09:58 . 2011-11-12 09:59 -------- d-----w- c:\users\krystian\AppData\Local\temp
2011-11-12 09:58 . 2011-11-12 09:58 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-11 21:31 . 2011-11-11 21:31 -------- d-----w- c:\program files\Common Files\Java
2011-11-10 09:42 . 2011-11-10 09:42 -------- d-----w- C:\_OTL
2011-11-05 10:15 . 2011-11-05 10:52 -------- d-----w- C:\CM
2011-11-05 10:00 . 2011-11-05 10:00 -------- d-----w- C:\CyberMag
2011-11-03 14:53 . 2011-11-03 14:57 -------- d-----w- c:\program files\Unlocker
2011-10-17 18:15 . 2011-10-17 18:15 -------- d-----w- c:\program files\YouTube Downloader Toolbar
2011-10-17 14:43 . 2011-10-17 15:07 278984 ----a-w- c:\windows\system32\drivers\atksgt.sys
2011-10-17 14:43 . 2011-10-17 14:43 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2011-10-14 11:30 . 2011-10-14 11:30 -------- d-----w- c:\users\krystian\AppData\Local\MDK2HD
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-03 04:06 . 2010-06-21 15:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-13 17:40 . 2010-04-24 08:58 29712 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2011-09-08 15:16 . 2011-09-08 15:16 0 ---ha-w- c:\users\krystian\AppData\Local\BITAFEF.tmp
2011-08-29 11:03 . 2011-08-29 11:03 2829 ----a-w- c:\windows\DIIUnin.pif
2011-08-29 11:03 . 2011-08-29 11:03 106496 ----a-w- c:\windows\DIIUnin.exe
2011-06-23 16:21 . 2011-03-24 14:14 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-03-18 06:11 2471240 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2011-03-18 2471240]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\krystian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\krystian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\krystian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKLM\~\startupfolder\C:^Users^krystian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\krystian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^krystian^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk]
path=c:\users\krystian\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk
backup=c:\windows\pss\Tworzenie wycinków ekranu i uruchamianie programu OneNote 2007.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-20 21:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2011-10-24 17:48 2078048 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2010-04-01 09:16 357696 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 09:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn Hamachi Ui]
2011-03-28 13:41 1910152 ----a-w- c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2010-04-16 20:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-07-14 01:14 1173504 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 12:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost.exe]
c:\users\krystian\Desktop\d.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51 17408 ----a-w- c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-29 15:18 399736 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Usługa Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 136176]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [2011-03-28 1242504]
R3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG9\Toolbar\ToolbarBroker.exe [2011-03-18 947528]
R3 gupdatem;Usługa Google Update (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 136176]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-04-24 52872]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-24 691696]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-06-23 216400]
S1 AvgTdiX;AVG Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2011-05-05 243152]
S2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-21 921952]
S2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-06-23 308136]
S3 LTXMD_VAC;Litex Media Virtual Audio Cable (WDM);c:\windows\system32\drivers\lmvac.sys [2011-05-06 24848]
.
.
Zawartość folderu 'Zaplanowane zadania'
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 19:19]
.
2011-11-12 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-14 19:19]
.
.
------- Skan uzupełniający -------
.
uStart Page = hxxp://www.google.pl/
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Post Image to Blog - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Transload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5004
IE: Upload All Images to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\program files\ImageShackToolbar\ImageShackToolbar.dll/5001
TCP: DhcpNameServer = 10.176.177.78 8.8.8.8 217.17.34.10
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\users\krystian\AppData\Roaming\Mozilla\Firefox\Profiles\won3vv6d.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (pl)
FF - prefs.js: browser.startup.homepage - www.google.pl
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
MSConfigStartUp-1 - c:\users\krystian\AppData\Roaming\d.exe
MSConfigStartUp-PrzyspieszKomputer - c:\program files\Przyspiesz Komputer\przyspieszkomputer.exe
MSConfigStartUp-SearchSettings - c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe
MSConfigStartUp-svchost - c:\users\krystian\AppData\Roaming\svchost.exe
AddRemove-Mortyr - f:\mortyr\UNWISE.EXE
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,bc,be,bd,db,5c,87,4d,9d,07,94,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,bc,be,bd,db,5c,87,4d,9d,07,94,\
.
[HKEY_USERS\S-1-5-21-1799785401-3565640932-2583400741-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:71,de,e7,f2,2e,b1,ce,02,5a,5f,b2,b5,55,6f,c6,e2,77,88,cd,d7,19,65,d9,
f5,c8,5f,eb,4d,f2,6f,e3,db,99,62,fa,93,a2,7f,ca,1c,b4,dc,d3,8d,35,66,a7,76,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50
.
[HKEY_USERS\S-1-5-21-1799785401-3565640932-2583400741-1001\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:f6,a2,82,d6,ab,ec,a7,75,aa,f8,89,3c,8a,d4,ba,5f,2d,4c,cf,ce,7b,
d2,a4,6e,95,1a,b6,a8,cf,60,de,fa,b0,b6,13,c4,3b,7c,7f,fb,b0,e2,c4,3f,d5,30,\
"rkeysecu"=hex:72,c2,37,db,54,6c,8c,25,e0,cd,9c,9a,d2,3f,aa,7f
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Czas ukończenia: 2011-11-12 11:06:09
ComboFix-quarantined-files.txt 2011-11-12 10:06
.
Przed: 26 604 515 328 bajtów wolnych
Po: 29 470 175 232 bajtów wolnych
.
- - End Of File - - 0B69EEC0C5F197BAA1BFD57C69EDCAE7


Story about d.exe.....
I had a game that was legal in other ways... There was no crack or keygen... The uploader uploaded that d.exe in the zip...
I unzipped it, ran it... A "Do you want to replace the file?" window appeared from nowhere... It was on the desktop.
Deleted all the malicious files <I had to terminate the task; when I wanted to close its window it still appeared> from the desktop.

When I wanted to manually put WAD files into a folder in Roaming: surprise! Svchost, d.exe and... something that I forgot. OK, what's weirdest? svchost is renamed from vbc.exe.

Edit: My computer seems very, very much faster!

Edited by TuxPL, 12 November 2011 - 08:45 AM.

  • 0
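The point SweetTech makes in #5, that svchost.exe belongs in System32 and a copy in AppData\Roaming is malicious, is exactly the kind of check a small triage script can run mechanically over the ComboFix log above. The following is an added example, not code from this thread or from ComboFix itself: it pulls executable paths out of ComboFix-style log lines (a few lines taken from the log above, embedded as a constructed sample) and flags two things, a Windows system-binary name running from outside System32, and anything launched from a user-writable location. The rule lists SYSTEM_ONLY_BINARIES and USER_WRITABLE are my own assumptions, not something ComboFix provides, and the output is a list of entries to look at, not a verdict.

```python
import re
from typing import Dict, List, Tuple

# Assumed list: Windows binaries that legitimately live only under %SystemRoot%\System32
# (or SysWOW64). One of these names anywhere else is a classic masquerading sign,
# like the svchost.exe found in AppData\Roaming on the machine in this thread.
SYSTEM_ONLY_BINARIES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
    "services.exe", "smss.exe", "wininit.exe",
}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

# Assumed list: directories an ordinary user account can write to. Persistence from
# here is a triage signal, not a verdict; per-user installs such as Dropbox also live
# in AppData and will show up in the list.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# A drive-letter path ending in an executable-type extension, as ComboFix prints them
# in its startup-registry, service and MSConfigStartUp lines.
PATH_RE = re.compile(r"[a-z]:\\[^\[\]\r\n]*?\.(?:exe|dll|sys|pif)\b", re.IGNORECASE)

# Constructed sample: a handful of lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2011-10-24 17:48 2078048 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost.exe]
c:\users\krystian\Desktop\d.exe [BU]
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-04-24 691696]
MSConfigStartUp-1 - c:\users\krystian\AppData\Roaming\d.exe
MSConfigStartUp-svchost - c:\users\krystian\AppData\Roaming\svchost.exe
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\krystian\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
"""


def extract_paths(log_text: str) -> List[str]:
    """Every executable-looking path in the log, first-seen order, de-duplicated case-insensitively."""
    seen: Dict[str, str] = {}
    for m in PATH_RE.finditer(log_text):
        seen.setdefault(m.group(0).lower(), m.group(0))
    return list(seen.values())


def classify(path: str) -> List[str]:
    """Reasons one autostart/service path deserves a closer look; empty list means nothing odd."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    reasons: List[str] = []
    if name in SYSTEM_ONLY_BINARIES and not any(d in p for d in SYSTEM_DIRS):
        reasons.append(f"{name} is a Windows system binary name but runs from outside System32")
    if any(loc in p for loc in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    return reasons


def flag_suspicious_autostarts(log_text: str) -> List[Tuple[str, List[str]]]:
    """Triage list of (path, reasons) for every path that trips at least one rule."""
    findings: List[Tuple[str, List[str]]] = []
    for path in extract_paths(log_text):
        reasons = classify(path)
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in flag_suspicious_autostarts(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the sample above the script lists the Desktop d.exe, the Roaming d.exe, the Roaming svchost.exe (with both reasons) and the Dropbox shell extension; the last one is the expected false positive that the user-writable rule produces, which is why the output is read as a checklist rather than acted on blindly.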

#9
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Please run this script:

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::
Driver::
Application Updater
File::
c:\program files\Application Updater\ApplicationUpdater.exe
c:\users\krystian\Desktop\d.exe
c:\users\krystian\AppData\Local\BITAFEF.tmp
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svchost.exe]
DirLook::
C:\CM
C:\CyberMag
c:\users\krystian\AppData\Local\MDK2HD

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Scanning with MalwareBytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (v1.51.0.1200) and save it to your desktop.
Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes' when done.
Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.



NEXT:



What issues are you currently experiencing with your computer?
  • 0

#10
TuxPL

TuxPL

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hey... I don't know what I would do...
CM, CyberMag and CyberMage are different versions of the same game; I just forgot to delete them.
I can bet MDK2HD is that "legal in other ways" game. EDIT: Lol, it isn't in my Roaming folder <yeah, I have the hidden folders option on>.

Those names from EFnetRBL are caused ONLY by Girlbot... I don't have it. No files that it creates... Same as Cutwail.
I know that people on the web have my IP <banned IP from games that I don't play, like Counter-Strike, meh...>, so maybe they have a dirty computer... Also, hours of blocking from EFnet when I am not at the computer...

But just ONE site blocks me, that irc.eversible...

SECOND EDIT:

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.

What about my AVG? I don't want mess my computer.

Edited by TuxPL, 13 November 2011 - 03:08 PM.

  • 0

#11
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Don't worry about disabling AVG before running MBAM.
  • 0

#12
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
