System Cleanup after Redirector Infection - help appreciated [Closed]



#1 gefertz
New Member, 4 posts
I recently encountered an infection with some kind of redirecting virus. It all began with an alert triggered by the AVG antivirus at 2012-02-28, 12:53:02, reporting that a trojan was detected in C:\WINDOWS\system32\drivers\acpi.sys, followed by the same alert for C:\Documents and Settings\oles\Ustawienia lokalne\Temp\q55c55-3122.exe. I attach the relevant part of the logs.

What I then did was:

1. Deleted the contents of the Temp folder (although the offending file q55c55-3122.exe was not there anymore)

2. Restored the system to a previous state using System Restore.

A subsequent whole computer scan with AVG did not reveal any threats (except a malicious *.sys file in the System Restore folder, which was moved to Virus Vault).

In the following days, however, I encountered some random site redirections. For example, when trying to follow a link from a legit site, I was redirected to a site containing the phrase "The document has moved, redirecting..." I did not follow these links, and my firewall reported an attempted connection to 109.206.172.189 on port TCP:8180. System scans using TDSSKiller, MBAM, and AVG did not find anything suspicious.

Then, using OTL, I discovered additional entries in the C:\WINDOWS\system32\drivers\etc\hosts file, which I managed to reset successfully using Microsoft's fix. For your information, the appended content of the hosts file was the following:

O1 HOSTS File: ([2012-02-28 12:53:32 | 000,001,398 | RHS- | M]) - C:\Windows\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 67.215.245.19 www.google-analytics.com.
O1 - Hosts: 67.215.245.19 ad-emea.doubleclick.net.
O1 - Hosts: 67.215.245.19 www.statcounter.com.
O1 - Hosts: 108.163.215.51 www.google-analytics.com.
O1 - Hosts: 108.163.215.51 ad-emea.doubleclick.net.
O1 - Hosts: 108.163.215.51 www.statcounter.com.



The described redirection issues seem to be gone now. Nevertheless, I suspect that there might still be some leftovers of the infection, and I would like to ensure that my system is now 100% clean and restored to the state before the infection.

Could someone please help me validate my system?

Cheers!


OTL logfile created on: 2012-03-03 14:56:18 - Run 3
OTL by OldTimer - Version 3.2.35.0 Folder = C:\Documents and Settings\oles\Moje dokumenty\Pobieranie\removal
Windows XP Professional Edition Dodatek Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000415 | Country: Polska | Language: PLK | Date Format: yyyy-MM-dd

1,99 Gb Total Physical Memory | 1,23 Gb Available Physical Memory | 61,76% Memory free
3,84 Gb Paging File | 3,23 Gb Available in Paging File | 84,03% Paging File free
Paging file location(s): C:\pagefile.sys 2048 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 190,39 Gb Total Space | 12,68 Gb Free Space | 6,66% Space Free | Partition Type: NTFS
Drive E: | 10,26 Gb Total Space | 0,39 Gb Free Space | 3,81% Space Free | Partition Type: NTFS
Drive X: | 49,26 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: CDFS

Computer Name: GIGLIO | User Name: oles | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\oles\Moje dokumenty\Pobieranie\removal\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe ()
PRC - C:\Program Files\AVG\AVG8\avgrsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgnsx.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
PRC - C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
PRC - C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
PRC - C:\Program Files\CoreTemp32\Core Temp.exe ()
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe ()
PRC - C:\WINDOWS\V0330Mon.exe (Creative Technology Ltd.)
PRC - c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (SafeBoot International)
PRC - C:\WINDOWS\system32\IfxPsdSv.exe (Infineon Technologies AG)
PRC - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
PRC - C:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe (Cognizance Corporation)
PRC - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
PRC - C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe (Infineon Technologies AG)
PRC - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
PRC - C:\WINDOWS\SMINST\Scheduler.exe ()
PRC - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe (Agnitum Ltd.)
PRC - C:\Program Files\HHVcdV7Sys\VC7Play.exe (H+H Software GmbH)
PRC - C:\Program Files\HHVcdV7Sys\VC7SecS.exe (H+H Software GmbH)
PRC - C:\Program Files\Virtual CD v7\System\vc7tray.exe (H+H Software GmbH)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe ()
MOD - C:\Program Files\Intel\WiFi\bin\iWMSProv.dll ()
MOD - C:\Program Files\CoreTemp32\Core Temp.exe ()
MOD - C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe ()
MOD - C:\WINDOWS\SMINST\naspp.dll ()
MOD - C:\WINDOWS\system32\btwicons.dll ()
MOD - C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll ()
MOD - C:\WINDOWS\SMINST\Scheduler.exe ()
MOD - C:\Program Files\Agnitum\Outpost Firewall\unrar.dll ()
MOD - C:\WINDOWS\system32\vc7upd.dll ()


========== Win32 Services (SafeList) ==========

SRV - (stllssvr) -- File not found
SRV - (Harmonogram automatycznej usługi LiveUpdate) -- File not found
SRV - (ScsiAccess) -- C:\Program Files\Photodex\ProShowProducer\scsiaccess.exe ()
SRV - (SwitchBoard) -- C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
SRV - (avg8emc) -- C:\Program Files\AVG\AVG8\avgemc.exe (AVG Technologies CZ, s.r.o.)
SRV - (avg8wd) -- C:\Program Files\AVG\AVG8\avgwdsvc.exe (AVG Technologies CZ, s.r.o.)
SRV - (EvtEng) Intel® -- C:\Program Files\Intel\WiFi\bin\EvtEng.exe (Intel® Corporation)
SRV - (S24EventMonitor) Intel® -- C:\Program Files\Intel\WiFi\bin\S24EvMon.exe (Intel® Corporation)
SRV - (RegSrvc) Intel® -- C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe (Intel® Corporation)
SRV - (HpFkCryptService) -- c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe (SafeBoot International)
SRV - (PersonalSecureDriveService) -- C:\WINDOWS\system32\IfxPsdSv.exe (Infineon Technologies AG)
SRV - (ServiceLayer) -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe (Nokia.)
SRV - (ASBroker) -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)
SRV - (IviRegMgr) -- C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe (InterVideo)
SRV - (ASChannel) -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll (Cognizance Corporation)
SRV - (OutpostFirewall) -- C:\Program Files\Agnitum\Outpost Firewall\outpost.exe (Agnitum Ltd.)
SRV - (VC7SecS) -- C:\Program Files\HHVcdV7Sys\VC7SecS.exe (H+H Software GmbH)


========== Driver Services (SafeList) ==========

DRV - (WinRing0_1_2_0) -- File not found
DRV - (WDICA) -- File not found
DRV - (TVicPort64) -- File not found
DRV - (SANDRA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (cpuz130) -- File not found
DRV - (cpuz128) -- File not found
DRV - (Changer) -- File not found
DRV - (ALSysIO) -- File not found
DRV - (cpuz133) -- C:\WINDOWS\system32\drivers\cpuz133_x32.sys (Windows ® Win 7 DDK provider)
DRV - (AvgLdx86) -- C:\WINDOWS\System32\Drivers\avgldx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgMfx86) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys (AVG Technologies CZ, s.r.o.)
DRV - (AvgTdiX) -- C:\WINDOWS\System32\Drivers\avgtdix.sys (AVG Technologies CZ, s.r.o.)
DRV - (cpuz132) -- C:\WINDOWS\system32\drivers\cpuz132_x32.sys (Windows ® Codename Longhorn DDK provider)
DRV - (NETw5x32) Intel® -- C:\WINDOWS\system32\drivers\NETw5x32.sys (Intel Corporation)
DRV - (nhcDriverDevice) -- C:\WINDOWS\system32\drivers\nhcDriver.sys (pBUS-167 Software - http://www.pbus-167.com)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (RMCAST) -- C:\WINDOWS\system32\drivers\rmcast.sys (Microsoft Corporation)
DRV - (MQAC) -- C:\WINDOWS\system32\drivers\mqac.sys (Microsoft Corporation)
DRV - (ACEDRV07) -- C:\WINDOWS\system32\drivers\ACEDRV07.sys (Protect Software GmbH)
DRV - (pfc) -- C:\WINDOWS\system32\drivers\pfc.sys (Padus, Inc.)
DRV - (V0330VID) -- C:\WINDOWS\system32\drivers\V0330Vid.sys (Creative Technology Ltd.)
DRV - (RsvLock) -- C:\WINDOWS\System32\drivers\rsvlock.sys (SafeBoot International)
DRV - (SafeBoot) -- C:\WINDOWS\System32\drivers\SafeBoot.sys ()
DRV - (ATSWPDRV) (****DEBUG****) AuthenTec TruePrint USB Driver (SwipeSensor) -- C:\WINDOWS\system32\drivers\atswpdrv.sys (AuthenTec, Inc.)
DRV - (SbFsLock) -- C:\WINDOWS\System32\drivers\SbFsLock.sys (SafeBoot International)
DRV - (NETw4x32) Sterownik karty Intel® -- C:\WINDOWS\system32\drivers\NETw4x32.sys (Intel Corporation)
DRV - (b57w2k) Broadcom NetLink ™ -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (nmwcd) -- C:\WINDOWS\system32\drivers\nmwcd.sys (Nokia)
DRV - (nmwcdcm) -- C:\WINDOWS\system32\drivers\nmwcdcm.sys (Nokia)
DRV - (nmwcdcj) -- C:\WINDOWS\system32\drivers\nmwcdcj.sys (Nokia)
DRV - (nmwcdc) -- C:\WINDOWS\system32\drivers\nmwcdc.sys (Nokia)
DRV - (BTWUSB) -- C:\WINDOWS\system32\drivers\btwusb.sys (Broadcom Corporation.)
DRV - (BTKRNL) -- C:\WINDOWS\system32\drivers\btkrnl.sys (Broadcom Corporation.)
DRV - (BTDriver) -- C:\WINDOWS\system32\drivers\btport.sys (Broadcom Corporation.)
DRV - (btaudio) -- C:\WINDOWS\system32\drivers\btaudio.sys (Broadcom Corporation.)
DRV - (PersonalSecureDrive) -- C:\WINDOWS\System32\drivers\psd.sys (Infineon Technologies AG)
DRV - (IFXTPM) -- C:\WINDOWS\system32\drivers\ifxtpm.sys (Infineon Technologies AG)
DRV - (AgereSoftModem) -- C:\WINDOWS\system32\drivers\AGRSM.sys (Agere Systems)
DRV - (eabfiltr) -- C:\WINDOWS\system32\drivers\eabfiltr.sys (Hewlett-Packard Development Company, L.P.)
DRV - (HP24X) -- C:\WINDOWS\system32\drivers\HP24X.sys (Hewlett Packard)
DRV - (SbAlg) -- C:\WINDOWS\System32\drivers\SbAlg.sys (SafeBoot N.V.)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (Accelerometer) -- C:\WINDOWS\system32\drivers\Accelerometer.sys (Hewlett-Packard Corporation)
DRV - (hpdskflt) -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys (Hewlett-Packard Corporation)
DRV - (HBtnKey) -- C:\WINDOWS\system32\drivers\CPQBttn.sys (Hewlett-Packard Development Company, L.P.)
DRV - (ARP.DLL) Outpost Firewall PlugIn (ARP.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\arp.dll (Agnitum Ltd.)
DRV - (PROTECT.DLL) Outpost Firewall PlugIn (PROTECT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\protect.dll (Agnitum Ltd.)
DRV - (SECRET.DLL) Outpost Firewall PlugIn (SECRET.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\secret.dll (Agnitum Ltd.)
DRV - (FTPFILT.DLL) Outpost Firewall PlugIn (FTPFILT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\ftpfilt.dll (Agnitum Ltd.)
DRV - (IMAPFILT.DLL) Outpost Firewall PlugIn (IMAPFILT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\imapfilt.dll (Agnitum Ltd.)
DRV - (NNTPFILT.DLL) Outpost Firewall PlugIn (NNTPFILT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\nntpfilt.dll (Agnitum Ltd.)
DRV - (ADBLOCK.DLL) Outpost Firewall PlugIn (ADBLOCK.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\adblock.dll (Agnitum Ltd.)
DRV - (MAILFILT.DLL) Outpost Firewall PlugIn (MAILFILT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\mailfilt.dll (Agnitum Ltd.)
DRV - (HTMLFILT.DLL) Outpost Firewall PlugIn (HTMLFILT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\htmlfilt.dll (Agnitum Ltd.)
DRV - (POP3FILT.DLL) Outpost Firewall PlugIn (POP3FILT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\pop3filt.dll (Agnitum Ltd.)
DRV - (CONTENT.DLL) Outpost Firewall PlugIn (CONTENT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\content.dll (Agnitum Ltd.)
DRV - (DNSCACHE.DLL) Outpost Firewall PlugIn (DNSCACHE.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\dnscache.dll (Agnitum Ltd.)
DRV - (HTTPFILT.DLL) Outpost Firewall PlugIn (HTTPFILT.DLL) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\httpfilt.dll (Agnitum Ltd.)
DRV - (VFILT) -- C:\Program Files\Agnitum\Outpost Firewall\Kernel\filtnt.sys (Agnitum Ltd.)
DRV - (TVicPort) -- C:\WINDOWS\system32\drivers\TVicPort.sys (EnTech Taiwan)
DRV - (vdrv7000) -- C:\WINDOWS\system32\drivers\vdrv7000.sys (H+H Software GmbH)
DRV - (NSNDIS5) -- C:\WINDOWS\system32\nsndis5.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (PQNTDrv) -- C:\WINDOWS\System32\drivers\PQNTDRV.sys (PowerQuest Corporation)
DRV - (cvspydr2) -- C:\WINDOWS\system32\drivers\cvspydr2.sys (Colorvision Inc)
DRV - (SMCIRDA) -- C:\WINDOWS\system32\drivers\smcirda.sys (SMC)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...Box&Form=IE8SRC
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.0.61118.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@photodex.com/PhotodexPresenter: C:\Program Files\Photodex Presenter\npPxPlay.dll ( )
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@wolfram.com/Mathematica: C:\Program Files\Common Files\Wolfram Research\Browser\8.0.1.2063897\npmathplugin.dll (Wolfram Research, Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\oles\Dane aplikacji\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\oles\Dane aplikacji\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\oles\Ustawienia lokalne\Dane aplikacji\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\oles\Ustawienia lokalne\Dane aplikacji\Google\Update\1.3.21.99\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG8\Firefox [2009-12-21 21:17:44 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012-02-19 15:19:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2012-01-16 21:11:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\oles\Dane aplikacji\Mozilla\Extensions
[2012-02-19 15:20:04 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012-02-19 15:19:57 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011-12-21 06:04:32 | 000,002,767 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\allegro-pl.xml
[2011-12-21 06:04:32 | 000,001,406 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\fbc-pl.xml
[2011-12-21 06:04:32 | 000,000,917 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\merlin-pl.xml
[2011-12-21 06:04:32 | 000,000,858 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\pwn-pl.xml
[2011-12-21 06:04:32 | 000,001,183 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-pl.xml
[2011-12-21 06:04:32 | 000,001,683 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wp-pl.xml

O1 HOSTS File: ([2011-12-22 16:11:00 | 000,000,732 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Credential Manager for HP ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll (Bioscrypt Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AdobeAAMUpdater-1.0] C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS5ServiceManager] C:\Program Files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\Program Files\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\Hewlett-Packard\IAM\Bin\ASTSVCC.dll (Cognizance Corporation)
O4 - HKLM..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\PL\Programs\Registration.exe (Corel Corporation)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe (Intel® Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe (Intel® Corporation)
O4 - HKLM..\Run: [MsmqIntCert] C:\WINDOWS\System32\mqrt.dll (Microsoft Corporation)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe ()
O4 - HKLM..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe (Agnitum Ltd.)
O4 - HKLM..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe (Agnitum Ltd.)
O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [Recguard] C:\WINDOWS\SMINST\Recguard.exe ()
O4 - HKLM..\Run: [Reminder] C:\WINDOWS\CREATOR\Remind_XP.exe ()
O4 - HKLM..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe ()
O4 - HKLM..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [V0330Mon.exe] C:\WINDOWS\V0330Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe (H+H Software GmbH)
O4 - HKLM..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [ALLUpdate] "C:\Program Files\OpenSubtitlesPlayer\ALLUpdate.exe" "sleep" File not found
O4 - HKCU..\Run: [DriverScanner] "C:\Program Files\Uniblue\DriverScanner\launcher.exe" delay 20000 File not found
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\BTTray.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe (InterVideo Inc.)
O4 - Startup: C:\Documents and Settings\oles\Menu Start\Programy\Autostart\CoreTemp.lnk = C:\Program Files\CoreTemp32\Core Temp.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 36
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoUserNameInStartMenu = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoTrayItemsDisplay = [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = FF FF FF FF [binary data]
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://ccfiles.creat...15111/CTPID.cab (Creative Software AutoUpdate Support Package)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3D5AA252-1EBB-4C2B-A899-B67B1C991135}: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (APSHook.dll) - C:\WINDOWS\System32\APSHook.dll (Bioscrypt Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll) - C:\Program Files\Agnitum\Outpost Firewall\wl_hook.dll (Agnitum Ltd.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - (avgrsstx.dll) - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\OneCard: DllName - (C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll) - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)
O24 - Desktop Components:0 (Moja bieżąca strona główna) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\oles\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\oles\Ustawienia lokalne\Dane aplikacji\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008-05-20 12:39:46 | 000,000,000 | -H-D | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2001-07-28 00:07:00 | 000,000,000 | -HS- | M] () - E:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2004-04-30 16:01:00 | 000,000,053 | RHS- | M] () - E:\Autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2003-07-12 12:32:48 | 000,000,043 | R--- | M] () - X:\Autorun.inf -- [ CDFS ]
O33 - MountPoints2\{1b290660-8ebe-11e0-9333-0022645a022d}\Shell - "" = AutoRun
O33 - MountPoints2\{1b290660-8ebe-11e0-9333-0022645a022d}\Shell\AutoRun\command - "" = X:\Welcome.exe -- [2003-07-16 20:37:24 | 000,385,536 | R--- | M] ()
O33 - MountPoints2\{68c25323-1040-11dd-befa-001a4b72a472}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
O33 - MountPoints2\{68c25323-1040-11dd-befa-001a4b72a472}\Shell\Open(&0)\command - "" = I:\Recycled\ctfmon.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012-03-02 20:51:53 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
[2012-03-02 20:49:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Dane aplikacji\Malwarebytes
[2012-03-02 20:49:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dane aplikacji\Malwarebytes
[2012-03-02 19:41:29 | 009,502,424 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\oles\Pulpit\mbam--setup-1.60.1.1000.exe
[2012-03-02 00:29:10 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight
[2012-02-29 13:01:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft File Checksum Integrity Verifier
[2012-02-29 12:53:29 | 000,000,000 | ---D | C] -- C:\!Recover
[2012-02-28 14:21:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Ustawienia lokalne\Dane aplikacji\SoftThinks
[2012-02-25 15:23:20 | 000,000,000 | ---D | C] -- C:\!To_be_deleted
[2012-02-25 13:42:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\Adobe
[2012-02-24 22:13:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Pulpit\thermalization_trees
[2012-02-24 02:06:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Pulpit\mobiperl-win-0.0.43
[2012-02-24 02:03:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\unpacked
[2012-02-24 00:49:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Pulpit\Do przeczytania
[2012-02-22 14:03:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Pulpit\!przejzyj
[2012-02-19 15:22:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programy\NX Client for Windows 3.5
[2012-02-19 15:22:22 | 000,000,000 | ---D | C] -- C:\Program Files\NX Client for Windows 3.5
[2012-02-05 13:49:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Pulpit\ostrowski
[2012-02-03 23:13:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\oles\Pulpit\thesis_writing
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Dane aplikacji\*.tmp files -> C:\Documents and Settings\All Users\Dane aplikacji\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012-03-03 14:46:19 | 000,001,128 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-580707188-2679588096-2740826050-1005UA.job
[2012-03-03 14:43:19 | 000,001,032 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012-03-03 14:36:07 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012-03-03 14:36:04 | 000,001,028 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012-03-03 14:35:32 | 000,000,049 | ---- | M] () -- C:\WINDOWS\transp.gif
[2012-03-03 14:35:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012-03-03 14:35:14 | 2138,361,856 | -HS- | M] () -- C:\hiberfil.sys
[2012-03-03 12:46:00 | 000,001,076 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-580707188-2679588096-2740826050-1005Core.job
[2012-03-03 11:07:05 | 090,894,685 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2012-03-03 03:22:03 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\oles\winscp.RND
[2012-03-03 02:45:47 | 000,006,568 | ---- | M] () -- C:\Documents and Settings\oles\.Xauthority
[2012-03-02 23:06:33 | 000,003,255 | ---- | M] () -- C:\WINDOWS\wincmd.ini
[2012-03-02 22:41:05 | 000,617,570 | ---- | M] () -- C:\WINDOWS\System32\perfh015.dat
[2012-03-02 22:41:05 | 000,549,860 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012-03-02 22:41:05 | 000,135,862 | ---- | M] () -- C:\WINDOWS\System32\perfc015.dat
[2012-03-02 22:41:05 | 000,108,390 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012-03-02 19:41:29 | 009,502,424 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\oles\Pulpit\mbam--setup-1.60.1.1000.exe
[2012-03-02 12:21:18 | 000,000,546 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2012-02-29 02:08:18 | 000,103,424 | ---- | M] () -- C:\Documents and Settings\oles\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2012-02-29 01:58:31 | 000,000,530 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\RecoveryISO.lnk
[2012-02-28 12:53:32 | 000,001,398 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.old
[2012-02-25 17:51:56 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\oles\Ustawienia lokalne\Dane aplikacji\PUTTY.RND
[2012-02-25 14:30:29 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012-02-25 12:16:14 | 003,630,168 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012-02-25 09:37:47 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-02-24 12:28:58 | 000,037,016 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\image.pdf
[2012-02-24 00:53:12 | 000,000,439 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\10.1002%2Frsa.3240040303.bib
[2012-02-23 20:54:23 | 000,037,116 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\Power Calculator.pdf
[2012-02-21 02:29:23 | 000,320,801 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\Comparison ACTMethods.pdf
[2012-02-21 02:16:59 | 002,015,474 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\[Binder_K.,_Heermann_D.W.]_Monte_Carlo_Simulation_(BookFi.org).pdf
[2012-02-20 17:45:57 | 000,000,529 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\citation.bib
[2012-02-20 10:39:39 | 000,000,043 | ---- | M] () -- C:\WINDOWS\gswin32.ini
[2012-02-19 15:22:25 | 000,000,729 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\NX Client for Windows.lnk
[2012-02-19 15:05:50 | 000,795,141 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\plugin-1105.0373.pdf
[2012-02-18 00:48:28 | 002,879,659 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\Automatic Autocorrelation and Spectral Analysis.pdf
[2012-02-05 20:35:45 | 000,061,497 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\nobibliography.pdf
[2012-02-05 14:04:34 | 021,675,010 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\vdham-phdthesis.pdf
[2012-02-03 22:38:57 | 000,001,779 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\alphetna.lnk
[2012-02-02 15:18:08 | 000,220,458 | ---- | M] () -- C:\Documents and Settings\oles\Pulpit\[18] Exotic trees - Burda 03.pdf
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[3 C:\Documents and Settings\All Users\Dane aplikacji\*.tmp files -> C:\Documents and Settings\All Users\Dane aplikacji\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012-03-02 22:36:14 | 2138,361,856 | -HS- | C] () -- C:\hiberfil.sys
[2012-03-02 00:29:16 | 000,001,984 | ---- | C] () -- C:\Documents and Settings\All Users\Menu Start\Programy\Microsoft Silverlight.lnk
[2012-02-28 18:01:32 | 000,000,530 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\RecoveryISO.lnk
[2012-02-24 12:28:58 | 000,037,016 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\image.pdf
[2012-02-24 00:53:12 | 000,000,439 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\10.1002%2Frsa.3240040303.bib
[2012-02-23 20:54:23 | 000,037,116 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\Power Calculator.pdf
[2012-02-21 02:29:23 | 000,320,801 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\Comparison ACTMethods.pdf
[2012-02-21 02:16:57 | 002,015,474 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\[Binder_K.,_Heermann_D.W.]_Monte_Carlo_Simulation_(BookFi.org).pdf
[2012-02-20 20:44:12 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012-02-20 17:45:57 | 000,000,529 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\citation.bib
[2012-02-20 10:39:39 | 000,000,043 | ---- | C] () -- C:\WINDOWS\gswin32.ini
[2012-02-20 10:35:25 | 000,000,729 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\NX Client for Windows.lnk
[2012-02-19 15:05:50 | 000,795,141 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\plugin-1105.0373.pdf
[2012-02-18 00:48:28 | 002,879,659 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\Automatic Autocorrelation and Spectral Analysis.pdf
[2012-02-15 14:51:49 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012-02-15 14:51:49 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\dllcache\iacenc.dll
[2012-02-05 20:35:45 | 000,061,497 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\nobibliography.pdf
[2012-02-05 14:04:11 | 021,675,010 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\vdham-phdthesis.pdf
[2012-02-03 22:38:57 | 000,001,779 | ---- | C] () -- C:\Documents and Settings\oles\Pulpit\alphetna.lnk
[2011-10-06 19:46:04 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\Bass Amp
[2011-10-06 19:46:04 | 000,000,268 | RH-- | C] () -- C:\Documents and Settings\oles\Dane aplikacji\Basic Synth
[2011-10-06 19:46:04 | 000,000,012 | RH-- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\Funk Animals
[2011-10-06 17:55:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\Spacious
[2011-10-06 17:47:51 | 000,000,020 | -H-- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLbx.DAT
[2011-10-06 17:23:21 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLes.DAT
[2011-10-06 17:22:26 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLev.DAT
[2011-10-06 17:22:26 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\All Users\Dane aplikacji\PKP_DLet.DAT
[2011-10-06 17:22:26 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\oles\Dane aplikacji\SupportPrinters
[2011-06-04 16:19:55 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\vc7upd.dll
[2011-05-27 14:17:24 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\oles\Dane aplikacji\Preferencje Adobe CS5 dla formatu PNG
[2011-05-27 13:45:16 | 000,000,054 | ---- | C] () -- C:\WINDOWS\JascCmdFile.INI
[2011-01-31 23:23:27 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2010-07-22 10:07:32 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2010-03-29 12:34:14 | 022,316,128 | ---- | C] () -- C:\Program Files\NX Client for Windows org.rar
[2010-03-20 00:03:28 | 000,000,004 | ---- | C] () -- C:\WINDOWS\System32\proc-1037709799.bin

========== LOP Check ==========

[2007-12-08 22:22:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\ACD Systems
[2011-10-06 17:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\EnterNHelp
[2009-08-23 22:30:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\FileOpen
[2009-03-06 02:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Infineon
[2008-11-02 00:07:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Installations
[2007-12-02 13:24:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\LightScribe
[2011-10-06 23:08:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Nikon
[2008-11-08 02:24:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Nokia
[2008-11-08 02:07:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\PACE Anti-Piracy
[2008-11-08 02:32:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\PC Suite
[2010-11-13 14:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Photodex
[2010-08-29 11:57:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\regid.1986-12.com.adobe
[2011-10-30 12:00:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\TEMP
[2011-10-06 17:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dane aplikacji\Ultima_T15
[2007-12-08 22:22:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\ACD Systems
[2011-02-23 20:23:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Artisteer
[2009-01-13 20:34:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Barak's SignMe!
[2012-01-24 23:14:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\BESTplayer
[2009-03-31 12:00:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Bullzip
[2009-05-16 23:37:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Canon
[2008-11-04 16:16:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\DxO Labs
[2008-06-12 08:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\EditPlus 2
[2009-08-23 22:30:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\FileOpen
[2010-03-20 00:03:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\GanymedeNet
[2009-04-28 08:38:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\gtk-2.0
[2010-08-29 12:47:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\HDRsoft
[2009-03-06 02:51:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Infineon
[2009-04-08 21:33:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\InterVideo
[2008-03-19 14:19:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Leadertech
[2010-04-08 18:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Morpheus Software
[2010-11-12 23:43:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Netscape
[2011-10-06 19:46:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Nikon
[2008-11-08 02:22:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Nokia
[2008-11-02 00:18:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\NSeries
[2011-06-03 17:30:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\oald8
[2010-03-29 21:55:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\ocoll2e
[2008-11-01 23:39:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\OpenOffice.org
[2009-04-19 14:50:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Opera
[2011-08-08 13:49:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\OwnRooms
[2008-11-04 16:15:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\PACE Anti-Piracy
[2008-11-08 02:07:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\PC Suite
[2010-11-13 13:28:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Photodex
[2011-02-11 18:12:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\PTAssembler
[2007-11-08 03:20:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\SampleView
[2011-03-05 18:05:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\StageManager.BD092818F67280F4B42B04877600987F0111B594.1
[2010-08-04 21:35:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\Uniblue
[2012-02-28 16:39:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\WinEdt
[2011-04-25 18:16:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\oles\Dane aplikacji\yWorks

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 169 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\TEMP:3EFB0FE0
@Alternate Data Stream - 1262 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\Microsoft:u7sSIZKAp2wvDFnUkpDKLi78QY
@Alternate Data Stream - 1259 bytes -> C:\Program Files\Outlook Express:kXQEcm72PSxTjuBf
@Alternate Data Stream - 1188 bytes -> C:\Documents and Settings\All Users\Dane aplikacji\Microsoft:IVN3fHxvYt0I0b1f1Ri8dDrPi

< End of report >



Edited by gefertz, 03 March 2012 - 02:34 PM.

  • 0



#2
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Hi and welcome to GeeksToGo! Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out :)

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just in case you are unable to access this site.

Please note:
  • Remember to post your logs, not attach them. So any logs from any programs we run should be just 'copied & pasted' into your reply.
  • Please only run the tools that I request. I know malware can be frustrating, but running other tools in the meantime and between posts only makes it harder for us to analyse and fix your PC in the long run.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • Please tell me if you have your original Windows CD/DVD available.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

If you have since resolved the original problem you were having, I would appreciate you letting me know. If not please perform the following steps below so I can have a look at the current condition of your machine.

  • Please download aswMBR.exe to your desktop.
  • Double click the aswMBR.exe to run it.

  • When asked if you want to download Avast's virus definitions please select Yes.
    Note: If avast! antivirus is already installed, just do the next step.
  • Click the Scan button to start scan.

  • On completion of the scan click Save log, save it to your desktop and post in your next reply.
  • After that there should also be a file called MBR.dat on the Desktop; zip it and then attach it here.

How to add an attachment to a new topic or reply
  • 0

#3
gefertz
    New Member
  • Topic Starter
  • Member
  • 4 posts
Thanks for the feedback!

Here's the log:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-09 01:46:18
-----------------------------
01:46:18.390 OS Version: Windows 5.1.2600 Dodatek Service Pack 3
01:46:18.390 Number of processors: 2 586 0xF0A
01:46:18.390 ComputerName: GIGLIO UserName: oles
01:46:25.687 Initialize success
01:46:44.843 AVAST engine defs: 12030801
01:47:41.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
01:47:41.687 Disk 0 Vendor: ST925041 0005 Size: 238475MB BusType: 3
01:47:41.703 Disk 0 MBR read successfully
01:47:41.703 Disk 0 MBR scan
01:47:41.750 Disk 0 unknown MBR code
01:47:41.750 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 194960 MB offset 63
01:47:41.781 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10511 MB offset 466864965
01:47:41.781 Disk 0 Partition - 00 0F Extended LBA 32804 MB offset 399681135
01:47:41.796 Disk 0 Partition 3 00 83 Linux 196 MB offset 399279510
01:47:41.812 Disk 0 Partition 4 00 8E Linux LVM 32804 MB offset 399681198
01:47:41.828 Disk 0 scanning sectors +488392065
01:47:41.921 Disk 0 scanning C:\WINDOWS\system32\drivers
01:48:10.859 Service scanning
01:48:35.890 Service SafeBoot C:\WINDOWS\System32\Drivers\SafeBoot.sys **LOCKED** 32
01:48:41.875 Service vdrv7000 C:\WINDOWS\system32\DRIVERS\vdrv7000.sys **LOCKED**
01:48:46.109 Modules scanning
01:49:02.421 Disk 0 trace - called modules:
01:49:02.437
01:49:07.078 AVAST engine scan C:\WINDOWS
01:49:32.203 AVAST engine scan C:\WINDOWS\system32
01:53:35.421 AVAST engine scan C:\WINDOWS\system32\drivers
01:54:04.421 AVAST engine scan C:\Documents and Settings\oles
02:11:20.031 AVAST engine scan C:\Documents and Settings\All Users
02:15:50.984 Scan finished successfully
02:22:04.375 Disk 0 MBR has been saved successfully to "C:\!To_be_deleted\MBR.dat"
02:22:04.375 The log file has been saved successfully to "C:\!To_be_deleted\aswMBR.txt"

Attached Files

  • Attached File  MBR.zip   597bytes   26 downloads

  • 0

#4
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Then run aswMBR scan one more time and post the log.
  • 0

#5
gefertz
    New Member
  • Topic Starter
  • Member
  • 4 posts
Contents of defogger_disable.log:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 17:01 on 12/03/2012 (oles)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read SafeBoot.sys


-=E.O.F=-


=================================================================
Contents of aswMBR.txt:

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-12 17:08:56
-----------------------------
17:08:56.703 OS Version: Windows 5.1.2600 Dodatek Service Pack 3
17:08:56.703 Number of processors: 2 586 0xF0A
17:08:56.718 ComputerName: GIGLIO UserName: oles
17:08:58.093 Initialize success
17:11:49.484 AVAST engine defs: 12031200
17:21:03.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:21:03.484 Disk 0 Vendor: ST925041 0005 Size: 238475MB BusType: 3
17:21:03.500 Disk 0 MBR read successfully
17:21:03.500 Disk 0 MBR scan
17:21:03.546 Disk 0 unknown MBR code
17:21:03.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 194960 MB offset 63
17:21:03.562 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10511 MB offset 466864965
17:21:03.562 Disk 0 Partition - 00 0F Extended LBA 32804 MB offset 399681135
17:21:03.578 Disk 0 Partition 3 00 83 Linux 196 MB offset 399279510
17:21:03.593 Disk 0 Partition 4 00 8E Linux LVM 32804 MB offset 399681198
17:21:03.609 Disk 0 scanning sectors +488392065
17:21:03.687 Disk 0 scanning C:\WINDOWS\system32\drivers
17:21:24.765 Service scanning
17:21:39.375 Service SafeBoot C:\WINDOWS\System32\Drivers\SafeBoot.sys **LOCKED** 32
17:21:42.671 Service vdrv7000 C:\WINDOWS\system32\DRIVERS\vdrv7000.sys **LOCKED**
17:21:44.703 Modules scanning
17:21:51.500 Disk 0 trace - called modules:
17:21:51.515 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys iaStor.sys
17:21:51.531 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a646030]
17:21:51.531 3 CLASSPNP.SYS[f74f7fd7] -> nt!IofCallDriver -> [0x8a650548]
17:21:51.531 5 hpdskflt.sys[f7518ffd] -> nt!IofCallDriver -> \Device\000000b4[0x8a6de6b0]
17:21:51.531 7 ACPI.sys[f735d620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a651030]
17:21:52.515 AVAST engine scan C:\WINDOWS
17:22:15.812 AVAST engine scan C:\WINDOWS\system32
17:26:17.312 AVAST engine scan C:\WINDOWS\system32\drivers
17:26:39.437 AVAST engine scan C:\Documents and Settings\oles
17:44:48.015 AVAST engine scan C:\Documents and Settings\All Users
17:49:01.265 Scan finished successfully
17:50:21.109 Disk 0 MBR has been saved successfully to "C:\!To_be_deleted\MBR.dat"
17:50:21.109 The log file has been saved successfully to "C:\!To_be_deleted\aswMBR.txt"

  • 0

#6
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  • CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  • If you are using personal certificates, I recommend you export them before running ComboFix and save them to external media.
Please carefully follow all steps below:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofix. Use copy/paste.

Also please describe how your computer behaves at the moment.
  • 0

#7
Render
    Trusted Helper
  • Malware Removal
  • 4,195 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





