Trojans in my PC - Win32/Rootkit.Agent.DP



Mateja
2007-10-22, 23:59
Hi
Yes, I know I've got Trojans. My NOD32 tells me that every time I start my PC. Can't get rid of them.


-----------------------------------------------
Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:54:13, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A401403-500F-4C57-B6BE-FDA1D08079A2}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7697 bytes


Thanks for the help.
M.

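Added example (my code, not part of the original post and not a HijackThis feature): a small triage script that parses HJT entry lines like the ones above and pulls out what a helper checks first. It flags O4 Run entries that show only a bare file name, because the log alone cannot tell which file on the PATH search order actually runs (a generic display name backed by a bare name, like [Audio Device Manager] winfp.exe, is the kind of entry the rule exists for, while nwiz.exe and Cfg1400U.exe are usually vendor tools that still deserve a look), O23 services whose binary carries no recognised owner string, the O10 Winsock LSP entry and the O15 Trusted Zone entry. For rundll32 launchers it inspects the DLL argument rather than rundll32 itself. The sample lines are copied from the log above; the rules are mine, and a flag means "verify on disk", not "delete".

```python
import re

# Constructed sample: a subset of entry lines copied from the first HijackThis log above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
"""

# "O4 - <body>", "R1 - <body>" ...; the process list and header lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Body of an O4 entry: "<hive>\..\Run: [<display name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_hjt(text):
    """Return (section code, body) for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def launched_image(cmd):
    """The file a Run command really loads: the quoted or first token, or for
    rundll32 the DLL named in its argument (the host exe is never the interesting part)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower() == "rundll32.exe":
        return rest.strip().split(",", 1)[0].strip().strip('"')
    return exe


def is_unqualified(path):
    """True when the log shows only a bare file name, so which file runs depends on the PATH search."""
    return "\\" not in path and "/" not in path


def triage(entries):
    """Return (code, reason, detail) for every entry a helper would want verified on disk."""
    findings = []
    for code, body in entries:
        if code == "O4":
            m = RUN_RE.match(body)
            if m and is_unqualified(launched_image(m.group("cmd"))):
                findings.append((code, "bare file name; locate the file and check its publisher",
                                 launched_image(m.group("cmd"))))
        elif code == "O10":
            findings.append((code, "Winsock LSP HijackThis does not recognise; verify the DLL",
                             body.rsplit(": ", 1)[-1]))
        elif code == "O15":
            findings.append((code, "site in the Trusted Zone runs with relaxed IE security",
                             body.rsplit(": ", 1)[-1]))
        elif code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service binary without a recognised vendor; check its signature",
                             body.rsplit(" - ", 1)[-1]))
    return findings


if __name__ == "__main__":
    for code, why, what in triage(parse_hjt(SAMPLE_HJT)):
        print(f"{code}: {what}  <- {why}")
```

Run it against a full log by reading the file into `parse_hjt`; entries that are not flagged are not thereby clean, the script only orders the manual checks.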
Shaba
2007-10-23, 08:29
Hi Mateja

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Mateja
2007-10-23, 08:41
Hi
I ran the Kaspersky Online Scanner:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 23, 2007 8:19:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/10/2007
Kaspersky Anti-Virus database records: 442787
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 90346
Number of viruses found: 23
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 03:49:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\IH18.tmp Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\IH4F.tmp Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DF72EF.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFCF57.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFCF8F.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\A3DVCPBA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\FZTOB3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\GXD1GLDA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\KBAKXPBA.NQF Infected: Rootkit.Win32.Agent.dw skipped
C:\Program Files\ESET\infected\M4WZBMAA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\SUCGN3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\WPUKKCDA.NQF Infected: Rootkit.Win32.Agent.dp skipped
C:\Program Files\ESET\infected\Z3NIXIBA.NQF Infected: Trojan-Downloader.Win32.Agent.djt skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0287460.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0289439.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290445.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290447.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319502.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319503.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319504.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319507.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319508.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319509.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319510.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319511.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319512.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319513.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319514.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319515.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319516.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319517.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319518.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319519.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319520.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319521.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319522.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319523.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319524.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319525.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319526.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319527.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319528.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319529.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0325591.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0328594.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336692.exe Infected: Trojan.Win32.Agent.bty skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336693.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0435834.sys Object is locked skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0438830.exe Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0438841.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{210C52A2-8130-4602-876C-03DF84A43881}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ip6fw.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\WINDOWS\system32\ntkrnlmp.exe Object is locked skipped
C:\WINDOWS\system32\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\ntkrpamp.exe Object is locked skipped
C:\WINDOWS\system32\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\oleauth32.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_148.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

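Added example (my code, not part of the thread and not Kaspersky's tooling): the report above counts 48 infected objects, but most of them sit in NOD32's quarantine folder (Program Files\ESET\infected) or inside System Restore points, where they cannot execute. The script below parses report lines, splits detections by location so the live-system files stand out, and for those checks whether the file name is one character away from a genuine Windows file name, a common disguise (the two system32 detections above imitate oleaut32.dll and mstscax.dll). Locked objects are unscanned, not detections, and are ignored. The sample lines are copied from the report; the list of genuine names is a short constructed one for the example.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the Kaspersky Online Scanner report above.
SAMPLE_KAV = r"""
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\IH18.tmp Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\IH4F.tmp Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\Program Files\ESET\infected\A3DVCPBA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\WPUKKCDA.NQF Infected: Rootkit.Win32.Agent.dp skipped
C:\Program Files\ESET\infected\Z3NIXIBA.NQF Infected: Trojan-Downloader.Win32.Agent.djt skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0289439.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319502.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0435834.sys Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\WINDOWS\system32\oleauth32.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\WINDOWS\system32\ntoskrnl.exe Object is locked skipped
"""

# "<path> Infected: <name> skipped" or "<path> Object is locked skipped"
LINE_RE = re.compile(r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)|Object is locked) skipped$")

# Constructed, deliberately short list of genuine Windows file names; malware often
# picks a name one character away from one of these so it blends into system32.
KNOWN_GOOD = ("oleaut32.dll", "mstscax.dll", "svchost.exe", "ntoskrnl.exe", "winlogon.exe")


def parse_kav(report):
    """Return (path, detection name) for each Infected line; locked objects are not detections."""
    hits = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name"):
            hits.append((m.group("path"), m.group("name")))
    return hits


def location_class(path):
    """Bucket a path by whether the file can still run from there."""
    p = path.lower()
    if "\\eset\\infected\\" in p:
        return "av-quarantine"   # NOD32's quarantine folder: copies it already isolated
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # inert unless that restore point is applied
    if "\\temp\\" in p:
        return "temp"            # dropped payloads: delete, and ask what wrote them
    if "\\windows\\" in p:
        return "live-system"     # loadable by the OS: the real problem
    return "other"


def within_one_edit(a, b):
    """True when a and b differ by one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def lookalike_of(filename):
    """Return the genuine file name this one imitates, or None."""
    name = filename.lower()
    for good in KNOWN_GOOD:
        if name != good and within_one_edit(name, good):
            return good
    return None


def summarize(report):
    """Counts per location class, plus (path, detection, imitated name) for live-system files."""
    hits = parse_kav(report)
    counts = Counter(location_class(path) for path, _ in hits)
    live = [(path, name, lookalike_of(path.rsplit("\\", 1)[-1]))
            for path, name in hits if location_class(path) == "live-system"]
    return counts, live


if __name__ == "__main__":
    counts, live = summarize(SAMPLE_KAV)
    print(dict(counts))
    for path, name, twin in live:
        print(f"{path}  {name}" + (f"  (imitates {twin})" if twin else ""))
```

The point of the split is priority, not dismissal: quarantine and restore-point copies are cleaned up by emptying them (and flushing System Restore once the machine is clean), while the live-system files and whatever dropped them are what the cleanup has to address.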
Shaba
2007-10-23, 08:43
Hi

How about answer to that backdoor thing? :)

Mateja
2007-10-23, 09:09
I use the PC for fun, not for work.
We should try to clean it. I'll be a good student. :)
Although I would like to cry now. Is it really so bad with my PC?

Shaba
2007-10-23, 16:27
Hi

Well, there is at least one bot, but we can continue cleaning, of course:

We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
Press any key and it will restart the PC.
When the PC restarts, the fix tool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to the clipboard, ready for posting back on the forum).
Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.


1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not click in ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- sdfix report

Mateja
2007-10-23, 22:24
Hi
Thanks for help
I did everything you wanted, except ComboFix. When it ran, I got a blue screen of death. I tried again and again, the same. I did it three times, then I stopped.
Here's the SDFix log:

SDFix: Version 1.111

Run by mateja on Tue 10/23/2007 at 19:32

Microsoft Windows XP [version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
runtime
runtime
runtime2

ImagePath:

runtime - Deleted
runtime - Deleted
runtime2 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550v - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\2_exception.nls - Deleted
C:\WINDOWS\system32\mstscex.dll - Deleted
C:\WINDOWS\system32\oleauth32.dll - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted

Could Not Remove C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE
Could Not Remove C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE
Could Not Remove C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE
Could Not Remove C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Oddaljena pomoč - Windows Messenger in Voice"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------
C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE Found
C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE Found
C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE Found
C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE Found

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 2 Jul 2002 16,208 A.SHR --- "C:\Program Files\IAS_3_0\rf32sa.dll"
Mon 30 Oct 2006 8 ..SHR --- "C:\WINDOWS\system32\FA6A3FAFCF.dll"
Thu 7 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 5 Nov 2006 3,584 A..H. --- "C:\Documents and Settings\mateja\Local Settings\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe"
Fri 11 Aug 2006 1,401,768 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa6a8b6ef758224c8bfe859aa426f0c7\BIT3.tmp"

Finished!

And the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45, on 2007-10-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7628 bytes

Shaba
2007-10-24, 08:27
Hi

Then try to run it in safe mode and let me know if it was successful there :)

Mateja
2007-10-24, 09:31
Hi Shaba

I tried in Safe mode. It was the same.

Shaba
2007-10-24, 10:38
Hi

Delete your copy of combofix and download new combofix from my link2, save it to desktop and try again, please :)

Mateja
2007-10-24, 11:01
Hi
I tried, nothing new. It stopped again.
Blue screen, and I noticed
STOP:0x0000008E (0xC0000008E, 0x80563CD6, 0xF9D30C20, 0x00000000)
if it's useful information for you

Shaba
2007-10-24, 17:00
Hi

Then we use this:

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

Mateja
2007-10-24, 17:34
Hi
No blue screen... at last.

Deckard's System Scanner v20071014.68
Run by mateja on 2007-10-24 17:12:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
47: 2007-10-24 15:12:40 UTC - RP468 - Deckard's System Scanner Restore Point
46: 2007-10-23 18:16:58 UTC - RP467 - ComboFix created restore point
45: 2007-10-22 11:27:31 UTC - RP466 - Software Distribution Service 3.0
44: 2007-10-21 15:11:29 UTC - RP465 - Installed Windows Internet Explorer 7.
43: 2007-10-21 15:09:39 UTC - RP464 - Installed Windows IDNMitigationAPIs.


-- First Restore Point --
1: 2007-09-09 22:23:02 UTC - RP422 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as mateja.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14, on 2007-10-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Namizje\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mateja.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7535 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
R2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
R2 athsgt - c:\windows\system32\drivers\athsgt.sys
R2 limsgt - c:\windows\system32\drivers\limsgt.sys
R3 HRCMPA (ISDN Wan driver (Ver. 1.20.0029)) - c:\windows\system32\drivers\hrcmpa.sys <Not Verified; SIEMENS AG; ISDN Data Adapter>
R3 NTSPPPOE (Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver) - c:\windows\system32\drivers\ntspppoe.sys <Not Verified; Efficient Networks, Inc.; tango>

S3 catchme - c:\docume~1\mateja~1.mat\lokaln~1\temp\catchme.sys (file missing)
S3 DectEnum - c:\windows\system32\drivers\dectenum.sys <Not Verified; Siemens AG; >
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 Gigusb (Dect USB Driver) - c:\windows\system32\drivers\gigusb.sys <Not Verified; Siemens AG; Gigaset>
S3 IUAPIWDM (ISDN USB Interface (Ver. 1.20.0029)) - c:\windows\system32\drivers\iuapiwdm.sys <Not Verified; SIEMENS AG; ISDN Data Adapter>
S3 RAWESR - c:\program files\siol\adsl\app\rawesr.sys <Not Verified; Efficient Networks, Inc.; tango>
S3 siellif - c:\windows\system32\drivers\siellif.sys <Not Verified; Siemens AG; >
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 VNICPKT5 (VNICPKT5 Protocol Driver) - c:\windows\system32\vnicpkt5.sys <Not Verified; ; NIC Diagnostic Tool>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PPPoEService (PPPoE Service) - c:\progra~1\siol\adsl\app\pppoeservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-24 15:39:00 262 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job


-- Files created between 2007-09-24 and 2007-10-24 -----------------------------

2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrpamp.exe
2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrnlmp.exe
2007-10-23 19:14:31 0 d-------- C:\WINDOWS\ERUNT
2007-10-22 20:53:33 0 d-------- C:\91abc3f5e86774baf905
2007-10-22 18:04:31 0 d-------- C:\Program Files\Trend Micro
2007-10-22 16:57:02 0 d-------- C:\Program Files\RegistryFix
2007-10-21 16:47:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 16:36:37 0 d-------- C:\47999ed27b6b3619973bc500e450a97a
2007-10-21 16:32:18 0 d-------- C:\7262a8ee43e7f36fa7edf0
2007-10-20 18:23:09 0 d-------- C:\WINDOWS\system32\SYSTEM32
2007-10-20 18:22:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\WINDOWS
2007-10-20 18:22:48 0 d-------- C:\WINDOWS\system32\Cache
2007-10-20 18:22:39 0 d-------- C:\WINDOWS\system32\Logfiles
2007-10-20 16:02:09 0 d-------- C:\Program Files\Support Tools
2007-10-20 14:29:53 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Lavasoft
2007-10-20 14:29:35 0 d-------- C:\Program Files\Lavasoft
2007-10-20 10:43:44 61952 --a------ C:\WINDOWS\system32\nabapi32.dll <Not Verified; Netscape Communications Corporation; Netscape Communications Address Book API>
2007-10-20 10:43:27 633555 --a------ C:\WINDOWS\cd32.exe
2007-10-20 10:42:48 0 d-------- C:\Program Files\Netscape
2007-10-20 10:41:59 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-10-20 09:58:38 0 d-------- C:\Inetpub
2007-10-19 13:29:35 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-09-30 00:13:22 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Empire XP
2007-09-29 12:06:04 0 d-------- C:\Program Files\TVUPlayer
2007-09-28 12:46:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\AdobeUM


-- Find3M Report ---------------------------------------------------------------

2007-10-20 22:08:07 33914 --a------ C:\WINDOWS\nsreg.dat
2007-10-20 18:26:34 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Adobe
2007-10-20 18:23:03 0 d-------- C:\Program Files\Maxis
2007-10-20 18:23:03 0 d-------- C:\Program Files\JoWooD
2007-10-20 18:23:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-20 18:23:03 0 d-------- C:\Program Files\Infogrames
2007-09-30 00:08:28 0 d-------- C:\Program Files\Common Files
2007-09-29 23:45:33 0 d-------- C:\Program Files\Red Storm Entertainment
2007-09-28 12:45:27 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Real
2007-09-22 16:22:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\SopCast
2007-09-19 20:55:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\TVU Networks
2007-09-19 17:17:15 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Skype
2007-09-16 09:49:15 33600 --a------ C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\GDIPFONTCACHEV1.DAT
2007-09-15 19:31:21 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Help
2007-09-15 17:37:14 274432 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-09-14 23:48:23 0 d-------- C:\Program Files\Office10
2007-09-14 21:54:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\DivX
2007-09-14 20:53:42 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Macromedia
2007-09-14 20:53:33 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Google
2007-09-14 20:50:23 0 dr-h----- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\yahoo!
2007-09-14 18:22:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Identities
2007-09-12 19:00:48 244448 --a------ C:\WINDOWS\system32\eb51704c.sys
2007-09-12 18:41:10 244448 --a------ C:\WINDOWS\system32\2ba079ec.sys
2007-09-12 17:08:53 244448 --a------ C:\WINDOWS\system32\c4a674d2.sys
2007-09-12 16:11:26 244448 --a------ C:\WINDOWS\system32\b4e8ede8.sys
2007-09-12 13:19:11 244448 --a------ C:\WINDOWS\system32\7714b2d6.sys
2007-09-12 11:18:03 244448 --a------ C:\WINDOWS\system32\8ea95e8a.sys
2007-09-12 10:39:10 244448 --a------ C:\WINDOWS\system32\1f17d506.sys
2007-09-12 00:07:26 244448 --a------ C:\WINDOWS\system32\42617506.sys
2007-09-10 01:03:08 0 d-------- C:\Program Files\MSN Messenger
2007-09-09 14:22:12 0 d-------- C:\Program Files\Messenger
2007-09-08 16:00:36 0 d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-08 14:37:47 0 d-------- C:\Program Files\RogueRemover PRO
2007-09-08 13:31:10 0 d-------- C:\Program Files\Movie Maker
2007-09-08 13:22:06 0 d-------- C:\Program Files\Windows NT
2007-08-31 20:32:00 0 d-------- C:\Program Files\MSECache


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFG1400U"="Cfg1400U.exe" []
"mouseElf"="C:\PROGRA~1\TWINTO~1\MouseElf.EXE" [2004-08-26 02:45]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
"Audio Device Manager"="winfp.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-09-05 18:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-03 13:57]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-15 17:37]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B778645D-B2A0-48E5-8E43-04B02CA3EA9D}"= C:\WINDOWS\Help\425D8586.DLL [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-10-24 17:15:19 ------------
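
Triage logic for the log above, as an added example (not part of this thread and not code from HijackThis or DSS). It parses the O4 Run lines, the DSS Registry Dump lines and the Find3M file list, and lists the things a helper looks at first in this kind of output: a Run value that is a bare file name which DSS could not resolve to a file on disk (in the dump, winfp.exe shows as `[]` where nwiz.exe shows `[timestamp path]`), a ShellExecuteHooks DLL outside the usual folders, and a run of identically sized drivers with eight-hex-digit names. The sample lines are constructed in the shape of this thread's logs, and the folder list in EXPECTED_DIRS is an assumption of the example; the script produces a review list, not a verdict, and the thread itself does not say what those .sys files are.

```python
"""Triage heuristics for the HijackThis / Deckard's System Scanner output in this thread.

Added example, not part of the original post and not code from either tool. It only
lists entries worth a helper's attention; it does not identify the rootkit.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's logs: O4 lines from the HijackThis
# section, the matching DSS Registry Dump lines (DSS prints [timestamp path] when it
# could resolve the file and [] when it could not), a run of Find3M file lines, and
# the ShellExecuteHooks entry.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
2007-09-15 17:37:14 274432 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-09-12 19:00:48 244448 --a------ C:\WINDOWS\system32\eb51704c.sys
2007-09-12 18:41:10 244448 --a------ C:\WINDOWS\system32\2ba079ec.sys
2007-09-12 17:08:53 244448 --a------ C:\WINDOWS\system32\c4a674d2.sys
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"Audio Device Manager"="winfp.exe" []
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-15 17:37]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"{B778645D-B2A0-48E5-8E43-04B02CA3EA9D}"= C:\WINDOWS\Help\425D8586.DLL [ ]
"""

O4_RE = re.compile(r'^O4 - .+?\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
REG_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<cmd>.*?)\s*\[(?P<resolved>[^\]]*)\]\s*$')
FILE_RE = re.compile(r'^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<size>\d+)\s+\S+\s+'
                     r'(?P<path>[A-Za-z]:\\.*?)(?:\s+<[^>]*>)?\s*$')
RANDOM_SYS = re.compile(r'^[0-9a-f]{8}\.sys$', re.I)
# Assumption of this example: where Run targets and hook DLLs normally live on XP.
EXPECTED_DIRS = ('c:\\windows\\system32\\', 'c:\\program files\\')


def first_token(cmd: str) -> str:
    """Return the program part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ''


def is_bare(token: str) -> bool:
    """A bare file name (no folder, no %var%) is resolved via PATH at logon."""
    return token != '' and re.search(r'[\\/%]', token) is None


def odd_location(path: str) -> bool:
    """Absolute path that is neither under system32 nor under Program Files."""
    p = path.lower()
    return p[1:3] == ':\\' and not p.startswith(EXPECTED_DIRS)


def random_driver_clusters(lines):
    """Group 8-hex-digit .sys files by folder and size; two or more is a cluster."""
    groups = defaultdict(list)
    for m in (FILE_RE.match(l) for l in lines):
        if not m:
            continue
        path = m['path'].rstrip()
        folder, _, base = path.rpartition('\\')
        if RANDOM_SYS.match(base):
            groups[(folder.lower(), int(m['size']))].append(path)
    return {k: v for k, v in groups.items() if len(v) >= 2}


def triage(log_text: str) -> dict:
    """Return review lists built from the HJT and DSS lines in log_text."""
    lines = [l.rstrip('\r\n') for l in log_text.splitlines() if l.strip()]
    bare, unresolved, odd = [], [], []
    for line in lines:
        m = O4_RE.match(line)
        if m and is_bare(first_token(m['cmd'])):
            bare.append(m['name'])
        m = REG_RE.match(line)
        if m:
            target = first_token(m['cmd'])
            if not m['resolved'].strip():
                unresolved.append((m['name'], target))
            if odd_location(target):
                odd.append((m['name'], target))
    unresolved_names = {name for name, _ in unresolved}
    return {
        'bare_run_entries': bare,
        'unresolved_entries': unresolved,
        'odd_location_entries': odd,
        # a bare name the scanner could not find on disk is the first thing to check
        'priority': [n for n in bare if n in unresolved_names],
        'random_driver_clusters': random_driver_clusters(lines),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run it as-is to see the review lists for the sample, or pass the full main.txt text to `triage()`. The unresolved check also fires on harmless leftovers (KernelFaultCheck's dumprep line shows `[]` in the dump too), which is why the priority list only keeps bare names that are both unresolved and registered to run at logon; everything else is there to be checked by hand, not deleted on sight.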

Mateja
2007-10-24, 17:35
extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 1.80GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 255.48 MiB / 67.35 MiB
Pagefile Memory (total/avail): 617.09 MiB / 344 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.19 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 29.3 GiB total, 14.58 GiB free.
D: is Fixed (FAT32) - 26.58 GiB total, 1.26 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD600BB-00CAA1 - 55.9 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System (IFS) - 29.3 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 26.6 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: NOD32 protivirusni sistem 2.51 v2.51 (Eset)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Remote Assistance – Windows Messenger and Voice"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MATEJA-KNV8BCJW
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mateja.MATEJA-KNV8BCJW
LOGONSERVER=\\MATEJA-KNV8BCJW
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD;C:\Program Files\Support Tools;C:\BITWARE\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0103
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MATEJA~1.MAT\LOKALN~1\Temp
TMP=C:\DOCUME~1\MATEJA~1.MAT\LOKALN~1\Temp
USERDOMAIN=MATEJA-KNV8BCJW
USERNAME=mateja
USERPROFILE=C:\Documents and Settings\mateja.MATEJA-KNV8BCJW
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mateja.MATEJA-KNV8BCJW (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adaptec ASPI XP v4.71.1 --> C:\PROGRA~1\ADAPTE~1.1\UNWISE.EXE C:\PROGRA~1\ADAPTE~1.1\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ADSL --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SiOL\ADSL\Uninst.isu" -c"C:\Program Files\SiOL\ADSL\NTSUninstall.dll"
Ahead Nero - Burning Rom --> C:\WINDOWS\UNNERO.exe /UNINSTALL
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
BSPlayer (remove only) --> "C:\Program Files\BSPlayer\uninstall-bsplay.EXE"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Debugging Tools for Windows --> MsiExec.exe /I{D59967FF-4DCC-4695-BCD9-FA47B94047D6}
DivX 5.0.2 Pro Bundle --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\uninstal.log
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Empire XP 4.1 --> MsiExec.exe /I{7E361A7F-F272-472F-8EA3-55F4318C530A}
Futuremark Measurement Services Client --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msc3.inf,DefaultUninstall,5
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IAS_3_0 --> C:\Program Files\IAS_3_0\UnInstal.exe
IL-2 Sturmovik --> C:\WINDOWS\UbiSoft\SetupUbi.exe -uninstall IL-2 Sturmovik
iTunes --> MsiExec.exe /I{885894A5-BA0A-460E-AB4C-96C5C9B2C5E2}
K-Lite Codec Pack 2.81 Basic --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft Office XP Professional --> MsiExec.exe /I{90110424-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Web Components --> MsiExec.exe /I{90260424-6000-11D3-8CFE-0050048383C9}
Microsoft PowerPoint Viewer 97 --> C:\Program Files\PowerPoint Viewer\setup\setup.exe
Microsoft Producer for Microsoft Office PowerPoint 2003 --> MsiExec.exe /I{155FBB0D-0EE9-42D1-9E41-E5E08F691033}
Mp3 To Wave Converter 1.19 --> C:\PROGRA~1\MP3TOW~1\UNWISE.EXE C:\PROGRA~1\MP3TOW~1\INSTALL.LOG
NOD32 FiX v1.9 --> "C:\Program Files\Eset\unins000.exe"
NOD32 protivirusni sistem --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Popotnik --> MsiExec.exe /I{FAB5BF39-0F99-4A5C-8998-6BBFEECDCB43}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegistryFix v6.2 --> "C:\Program Files\RegistryFix\unins000.exe"
SAGEM F@st 3344 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FC77CBA-4DFA-4C98-8AD7-F412E9BD46F7}\setup.exe" -l0x24
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.1 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype add-on for IE --> rundll32 "C:\Program Files\Skype\Phone\IEPlugin\SkypeIEPlugin.dll",FriendlyUnregisterServer 0
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SopCore 1.1.1 --> C:\Program Files\SopCast\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Telefonski imenik Slovenije Jesen 2003 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\TIS Jesen 2003\Uninstall\tsetup.dat"
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
TVUPlayer 2.3.2.52 --> C:\Program Files\TVUPlayer\uninst.exe
TwinTouch LuxeMate --> C:\Program Files\TwinTouch LuxeMate\Setup.exe /Uninstall
VIA NICSET --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\VIA\NICSET\Uninst_VNIC.isu" -c"C:\Program Files\VIA\NICSET\VNICu.dll"
VIA Vinyl Audio Codecs Driver Setup Program --> RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -y-f"C:\PROGRA~1\VIAudioi\SBASetup\Uninst.isu"
Windows Live Messenger --> MsiExec.exe /I{C8DA0188-480B-498D-BA6E-1C415B0458A3}
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Support Tools --> MsiExec.exe /I{8398B542-3CC4-44D9-83DF-696CCE70124B}
WinRAR arhiver --> C:\Program Files\WinRAR\uninstall.exe
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME) --> "C:\Program Files\XviD\UninstXviD.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type283 / Warning
Event Submitted/Written: 10/24/2007 10:53:59 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
Parametra »TraceLevel« ni v registru;
Privzeta raven sledenja je 32.

Event Record #/Type282 / Warning
Event Submitted/Written: 10/24/2007 10:53:59 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
Parametra »TraceFileName« ni v registru;
Privzeta datoteka za sledenje je .

Event Record #/Type278 / Warning
Event Submitted/Written: 10/24/2007 10:37:46 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
Parametra »TraceLevel« ni v registru;
Privzeta raven sledenja je 32.

Event Record #/Type277 / Warning
Event Submitted/Written: 10/24/2007 10:37:46 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
Parametra »TraceFileName« ni v registru;
Privzeta datoteka za sledenje je .

Event Record #/Type273 / Warning
Event Submitted/Written: 10/24/2007 10:34:54 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
Parametra »TraceLevel« ni v registru;
Privzeta raven sledenja je 32.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2440 / Error
Event Submitted/Written: 10/23/2007 06:34:41 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
NVIDIA Display Driver Service storitev se je nepričakovano prekinila. To je storila 1 krat.

Event Record #/Type2439 / Error
Event Submitted/Written: 10/23/2007 06:34:41 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
Simple Mail Transfer Protocol (SMTP) storitev je odvisna od te neobstoječe storitve: IISADMIN

Event Record #/Type2437 / Warning
Event Submitted/Written: 10/23/2007 06:33:47 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Vaš računalnik je samodejno konfiguriral IP naslov za omrežno
kartico z omrežnim naslovom 444553547777. Uporabljen IP naslov je 169.254.47.253.

Event Record #/Type2430 / Warning
Event Submitted/Written: 10/23/2007 03:21:59 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP je dosegel varnostno omejitev za število poskusov vzpostavitve hkratne TCP povezave.

Event Record #/Type2429 / Warning
Event Submitted/Written: 10/23/2007 01:19:33 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP je dosegel varnostno omejitev za število poskusov vzpostavitve hkratne TCP povezave.



-- End of Deckard's System Scanner: finished at 2007-10-24 17:15:19 ------------

Shaba
2007-10-24, 18:48
Hi

Press Start->Run, copy/paste the following command into the box and press OK:
Quote:
cmd /c dir C:\*.* /L /A /B /S|Find "C:\WINDOWS\system32\ntkrpamp.exe" >> "%userprofile%\desktop\look.txt"

After that:

Press Start->Run, copy/paste the following command into the box and press OK:
Quote:
cmd /c dir C:\*.* /L /A /B /S|Find "C:\WINDOWS\system32\ntkrnlmp.exe" >> "%userprofile%\desktop\look2.txt"

Files called look.txt and look2.txt should appear on your Desktop. Please post the contents of those files.

Mateja
2007-10-24, 19:51
Shaba, thanks.
But I saw just a black window without text. After a few seconds, it disappeared.

Shaba
2007-10-24, 19:55
Hi

What is Desktop in your language?

Namizje?

If so, please replace Desktop with Namizje in my instructions and try again :)

I mean in here:

"%userprofile%\desktop\look.txt"

"%userprofile%\desktop\look2.txt"

Mateja
2007-10-24, 20:50
Hi
Yes, desktop = namizje in Slovenian :)

I tried with namizje but it's still the same. Just a black window.

Mateja
2007-10-24, 21:50
Hi
I tried with Namizje again. Now I've got look.txt and look2.txt. But they are both empty.

Shaba
2007-10-25, 11:13
Hi

Then do this:

Please do a search:

Go "Start">"Search">"All Files and Folders"
Enter ntkrpamp.exe in "All or part of file name"
Select "More advanced options"
Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders".
Click "Search".
Repeat step for ntkrnlmp.exe

Post back results :)
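The two look-ups above (the `dir ... | Find` redirect and the manual Explorer search) can be done in one script. The batch file below is an added example written for this thread, not Shaba's instructions or Mateja's output: it lists every copy of both kernel image names on drive C: with its size in bytes, marks 0-byte copies, and writes the report to `%USERPROFILE%\look.txt` instead of `%userprofile%\desktop`, because the Desktop folder name is localized (Namizje on this machine) while `%USERPROFILE%` itself always exists. The output file name is an assumption; the two file names are the ones asked about in the thread.

```batch
@ECHO OFF
REM Added example for this thread, not part of Shaba's or Mateja's posts.
REM Lists every copy of the named kernel images on C: with its size in bytes.
SETLOCAL
SET "OUT=%USERPROFILE%\look.txt"
IF EXIST "%OUT%" DEL "%OUT%"

REM dir /B /S /A walks the whole drive, including hidden and system folders
REM such as $hf_mig$ and $NtServicePackUninstall$ that a plain search skips.
FOR %%N IN (ntkrnlmp.exe ntkrpamp.exe) DO (
    ECHO === %%N === >> "%OUT%"
    FOR /F "delims=" %%F IN ('dir /B /S /A "C:\%%N" 2^>nul') DO (
        IF %%~zF EQU 0 (
            ECHO %%~zF bytes  %%F   [EMPTY] >> "%OUT%"
        ) ELSE (
            ECHO %%~zF bytes  %%F >> "%OUT%"
        )
    )
)
ECHO Results written to "%OUT%"
```

Save it as look.bat (file type "All files") and double-click it; the report opens with Notepad from `%USERPROFILE%` (C:\Documents and Settings\<user> on XP). A 0-byte copy in system32 next to full-size copies in Driver Cache and ServicePackFiles is exactly the pattern the search results in this thread show.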

Mateja
2007-10-25, 12:22
Hi Shaba
I don't know how to post results...sorry.

Shaba
2007-10-25, 16:35
Hi

You can't just post results; you will have to write file paths down manually :)

Mateja
2007-10-25, 17:51
:) Hi
I thought I was so stupid that I couldn't do it.

ntkrnlmp.exe C:\WINDOWS\$NtServicePackUnistall$ 1,856 KB
ntkrnlmp.exe C:\WINDOWS\system32 0 KB
ntkrnlmp.exe C:\WINDOWS\Driver Cache\i386 2,086 KB
ntkrnlmp.exe C:\WINDOWS\ServicePackFiles\386 2,098
Error Message Ntkrnlmp.exe Could Not Be Loaded Error Code7 C:\Documents and Settings\mateja\Favorites\RAČUNALNIK 1 KB
ntkrnlmp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2GDR 2,086 KB
ntkrnlmp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2QFE 2,086 KB
ntkrnlmp.exe C:\WINDOWS\mui\FALLBACK\0424 19 KB
ntkrnlmp.exe backups 0
ntkrnlmp.exe c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr 2,086 KB
ntkrnlmp.exe c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe 2,086
__________________________________________
__________________________________________
ntkrpamp.exe C:\WINDOWS\$NtServicePackUnistall$ 1,884 KB
ntkrpamp.exe C:\WINDOWS\system32 0 KB
ntkrpamp.exe C:\WINDOWS\Driver Cache\i386 1,968 KB
ntkrnlmp.exe C:\WINDOWS\ServicePackFiles\386 1,968 KB
ntkrnlmp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2GDR 1,968 KB
ntkrnlmp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2QFE 1,968 KB
ntkrnlmp.exe C:\WINDOWS\mui\FALLBACK\0424 19 KB
ntkrnlmp.exe backups 0
ntkrnlmp.exe c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr 1,969 KB
c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe 1,970 KB

Thanks for your patience.

Shaba
2007-10-25, 18:39
Hi

Then we try this:

Copy text below to Notepad and save it as movefiles.bat (save it as all files, *.*)

@ECHO OFF
REM Paths containing spaces must be quoted, otherwise COPY splits them into separate arguments
copy /Y "C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe" "C:\Windows\system32"
copy /Y "C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe" "C:\Windows\system32"

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Double-click movefiles.bat; a black DOS window will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Do another search and post back results, please :)
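A variant of the restore step above, written for this thread as an added example and not the movefiles.bat from the post: it quotes both paths (the "Driver Cache" folder name contains a space), checks that each source file exists, reports when the copy is refused, and compares the size of the source with the copy in system32 so the outcome is known before the follow-up search is run. The folder paths and file names are the ones from the thread; the subroutine name and the messages are assumptions of this example.

```batch
@ECHO OFF
REM Added example for this thread, not Shaba's movefiles.bat.
REM Restores each kernel image from the Driver Cache and verifies the copy by size.
SETLOCAL
SET "SRC=C:\WINDOWS\Driver Cache\i386"
SET "DST=C:\WINDOWS\system32"

FOR %%N IN (ntkrnlmp.exe ntkrpamp.exe) DO CALL :restore "%%N"
PAUSE
EXIT /B

:restore
SET "NAME=%~1"
IF NOT EXIST "%SRC%\%NAME%" (
    ECHO %NAME%: source missing in "%SRC%"
    GOTO :EOF
)
REM Quoted paths: "Driver Cache" contains a space.
COPY /Y "%SRC%\%NAME%" "%DST%\%NAME%" >nul
IF ERRORLEVEL 1 (
    ECHO %NAME%: copy failed - the file in system32 may be locked or protected
    GOTO :EOF
)
REM %~z expands to the file size in bytes; 0 means the copy did not take.
FOR %%S IN ("%SRC%\%NAME%") DO SET "SRCSIZE=%%~zS"
FOR %%D IN ("%DST%\%NAME%") DO SET "DSTSIZE=%%~zD"
IF "%SRCSIZE%"=="%DSTSIZE%" (
    ECHO %NAME%: restored, %DSTSIZE% bytes
) ELSE (
    ECHO %NAME%: size mismatch after copy ^(source %SRCSIZE%, system32 %DSTSIZE%^)
)
GOTO :EOF
```

The PAUSE keeps the window open so the per-file result can be read instead of flashing past; a "copy failed" or "size mismatch" line for a file that is still 0 bytes afterwards is the same outcome the search results in the next post show, and tells the helper that something is blocking writes to that path.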

Mateja
2007-10-25, 19:49
Hi
I think they are the same as in the post before.

ntkrnlmp.exe C:\WINDOWS\$NtServicePackUnistall$ 1,856 KB
ntkrnlmp.exe C:\WINDOWS\system32 0 KB
ntkrnlmp.exe C:\WINDOWS\Driver Cache\i386 2,086 KB
ntkrnlmp.exe C:\WINDOWS\ServicePackFiles\386 2,098
Error Message Ntkrnlmp.exe Could Not Be Loaded Error Code7 C:\Documents and Settings\mateja\Favorites\RAČUNALNIK 1 KB
ntkrnlmp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2GDR 2,086 KB
ntkrnlmp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2QFE 2,086 KB
ntkrnlmp.exe C:\WINDOWS\mui\FALLBACK\0424 19 KB
ntkrnlmp.exe backups 0
ntkrnlmp.exe c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr 2,086 KB
ntkrnlmp.exe c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe 2,086
__________________________________________
__________________________________________
ntkrpamp.exe C:\WINDOWS\$NtServicePackUnistall$ 1,884 KB
ntkrpamp.exe C:\WINDOWS\system32 0 KB
ntkrpamp.exe C:\WINDOWS\Driver Cache\i386 1,968 KB
ntkrpamp.exe C:\WINDOWS\ServicePackFiles\386 1,968 KB
ntkrpamp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2GDR 1,968 KB
ntkrpamp.exe C:\WINDOWS\$hf_mig$\KB890859\SP2QFE 1,968 KB
ntkrpamp.exe C:\WINDOWS\mui\FALLBACK\0424 19 KB
ntkrpamp.exe backups 0
ntkrpamp.exe c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr 1,969 KB
c:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe 1,970 KB

Shaba
2007-10-25, 20:02
Hi

Yes it failed.

Download WinPFind3U.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft

Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

Mateja
2007-10-25, 21:41
Good evening

WinPFind3 logfile created on: 2007-10-25 21:06:21
WinPFind3U by OldTimer - Version 1.0.42 Folder = C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Namizje\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.13)

255.48 Mb Total Physical Memory | 45.29 Mb Available Physical Memory | 17.73% Memory free
617.09 Mb Paging File | 154.03 Mb Available in Paging File | 24.96% Paging File free
Paging file location(s): c:\pagefile.sys 384 768;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 29.30 Gb Total Space | 14.41 Gb Free Space | 49.18% Space Free
Drive D: | 26.58 Gb Total Space | 1.26 Gb Free Space | 4.74% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: MATEJA-KNV8BCJW
Current User Name: mateja
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
emouse.exe -> %ProgramFiles%\TwinTouch LuxeMate\EMouse.exe -> [Ver = | Size = 98304 bytes | Modified Date = 2004-02-17 12:31:12 | Attr = ]
ipodservice.exe -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.0.70 | Size = 451136 bytes | Modified Date = 2006-09-12 01:58:50 | Attr = ]
ituneshelper.exe -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.0.70 | Size = 229952 bytes | Modified Date = 2006-09-12 01:58:54 | Attr = ]
mouseelf.exe -> %ProgramFiles%\TwinTouch LuxeMate\MouseElf.exe -> [Ver = 1.00.00 | Size = 192512 bytes | Modified Date = 2004-08-26 02:45:18 | Attr = ]
nod32krn.exe -> %ProgramFiles%\ESET\nod32krn.exe -> Eset [Ver = 2, 51, 30 | Size = 507904 bytes | Modified Date = 2007-09-15 17:37:10 | Attr = ]
nod32kui.exe -> %ProgramFiles%\ESET\nod32kui.exe -> Eset [Ver = 2, 51, 30 | Size = 921600 bytes | Modified Date = 2007-09-15 17:37:10 | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 2006-10-22 12:22:00 | Attr = ]
pppoeservice.exe -> %ProgramFiles%\SiOL\ADSL\app\pppoeservice.exe -> [Ver = | Size = 49152 bytes | Modified Date = 2000-07-11 10:48:36 | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.42.0 | Size = 322560 bytes | Modified Date = 2007-09-04 10:47:26 | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Adobe Systems Shared\Service\Adobelmsvc.exe -> [Ver = 2.41.000 | Size = 68096 bytes | Modified Date = 2007-08-15 19:43:04 | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 2004-08-04 09:56:48 | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 2007-01-25 19:51:02 | Attr = ]
(iPod Service) iPod Service [Win32_Own | On_Demand | Running] -> %ProgramFiles%\iPod\bin\iPodService.exe -> Apple Computer, Inc. [Ver = 7.0.0.70 | Size = 451136 bytes | Modified Date = 2006-09-12 01:58:50 | Attr = ]
(NOD32krn) NOD32 Kernel Service [Win32_Own | Auto | Running] -> %ProgramFiles%\ESET\nod32krn.exe -> Eset [Ver = 2, 51, 30 | Size = 507904 bytes | Modified Date = 2007-09-15 17:37:10 | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 159810 bytes | Modified Date = 2006-10-22 12:22:00 | Attr = ]
(PPPoEService) PPPoE Service [Win32_Own | Auto | Running] -> %ProgramFiles%\SiOL\ADSL\app\pppoeservice.exe -> [Ver = | Size = 49152 bytes | Modified Date = 2000-07-11 10:48:36 | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Audio Device Manager -> winfp.exe -> File not found
AudioDeck -> %ProgramFiles%\VIAudioi\SBADeck\ADeck.exe -> VIA Technologies, Inc. [Ver = 6, 3, 2, 0 | Size = 540672 bytes | Modified Date = 2006-09-05 18:28:00 | Attr = R ]
CFG1400U -> Cfg1400U.exe -> File not found
iTunesHelper -> %ProgramFiles%\iTunes\iTunesHelper.exe -> Apple Computer, Inc. [Ver = 7.0.0.70 | Size = 229952 bytes | Modified Date = 2006-09-12 01:58:54 | Attr = ]
mouseElf -> %ProgramFiles%\TwinTouch LuxeMate\MouseElf.exe -> [Ver = 1.00.00 | Size = 192512 bytes | Modified Date = 2004-08-26 02:45:18 | Attr = ]
nod32kui -> %ProgramFiles%\ESET\nod32kui.exe -> Eset [Ver = 2, 51, 30 | Size = 921600 bytes | Modified Date = 2007-09-15 17:37:10 | Attr = ]
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 7700480 bytes | Modified Date = 2006-10-22 12:22:00 | Attr = ]
NvMediaCenter -> %System32%\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.10.9371 | Size = 86016 bytes | Modified Date = 2006-10-22 12:22:00 | Attr = ]
nwiz -> %System32%\nwiz.exe -> [Ver = | Size = 1622016 bytes | Modified Date = 2006-10-22 12:22:00 | Attr = ]
TkBellExe -> %CommonProgramFiles%\Real\Update_OB\realsched.exe -> RealNetworks, Inc. [Ver = 0.1.0.3760 | Size = 185896 bytes | Modified Date = 2007-01-03 13:57:02 | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Yahoo! Pager -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe -> Yahoo! Inc. [Ver = 8,1,0,209 | Size = 4662776 bytes | Modified Date = 2006-11-30 22:49:04 | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{B778645D-B2A0-48E5-8E43-04B02CA3EA9D} [HKLM] -> %SystemRoot%\Help\425D8586.DLL [] -> File not found
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Bar -> http://home.netscape.com/home/winsearch200.html ->
HKLM: Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://www.google.com/ ->
HKCU: SearchAssistant -> http://www.google.com/ie ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 2006-06-06 09:28:44 | Attr = ]
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< Trusted Sites > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
www_rtvslo.si [http] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{02478D38-C3F9-4EFB-9B51-7695ECA05670} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar Helper] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 2006-06-06 09:28:44 | Attr = ]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> Adobe Systems Incorporated [Ver = 7.0.9.2006121800 | Size = 59032 bytes | Modified Date = 2006-12-18 04:16:42 | Attr = ]
{22BF413B-C6D2-4d91-82A9-A0F997BA588C} [HKLM] -> %ProgramFiles%\Skype\Phone\IEPlugin\SkypeIEPlugin.dll [Skype add-on (mastermind)] -> Skype Technologies S.A. [Ver = 2, 2, 0, 78 | Size = 722472 bytes | Modified Date = 2007-03-23 13:49:34 | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 2007-08-31 16:46:14 | Attr = ]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} [HKLM] -> %ProgramFiles%\Yahoo!\Common\yiesrvc.dll [Yahoo! IE Services Button] -> Yahoo! Inc. [Ver = 2006, 10, 31, 3 | Size = 198136 bytes | Modified Date = 2006-10-31 16:29:16 | Attr = ]
{AA58ED58-01DD-4d91-8333-CF10577473F7} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [Google Toolbar Helper] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-01-20 00:55:32 | Attr = R ]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> %ProgramFiles%\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 2, 0, 301, 7164 | Size = 325048 bytes | Modified Date = 2007-07-04 20:23:38 | Attr = ]
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\ ->
{32683183-48a0-441b-a342-7c2a440a9478} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-01-20 00:55:32 | Attr = R ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 2006-06-06 09:28:44 | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-01-20 00:55:32 | Attr = R ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 2007-01-20 00:55:32 | Attr = R ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 6, 6, 1 | Size = 439872 bytes | Modified Date = 2006-06-06 09:28:44 | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [MenuText: Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 2007-08-31 16:46:14 | Attr = ]
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\ ->
I&zvoz v Microsoft Excel -> -> File not found

Mateja
2007-10-25, 21:44
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{3DF3FFA9-BB8C-4CD5-91B6-2680F0C6609B} -> (ADI USB Remote NDIS Network Device) ->
{5358E709-C60F-4CA0-8D95-CED99C005FE1} -> () ->
{7CF347F7-061D-4802-B61F-144D72A99B6F} -> () ->
{93927A6B-A601-4A07-A89C-21109F118D3D} -> (VIA PCI 10/100Mb Fast Ethernet Adapter) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ ->
Protocol_Catalog9\Catalog_Entries\000000000001 -> %System32%\imon.dll -> Eset [Ver = 2, 51, 30 | Size = 274432 bytes | Modified Date = 2007-09-15 17:37:16 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %System32%\imon.dll -> Eset [Ver = 2, 51, 30 | Size = 274432 bytes | Modified Date = 2007-09-15 17:37:16 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000003 -> %System32%\imon.dll -> Eset [Ver = 2, 51, 30 | Size = 274432 bytes | Modified Date = 2007-09-15 17:37:16 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000004 -> %System32%\imon.dll -> Eset [Ver = 2, 51, 30 | Size = 274432 bytes | Modified Date = 2007-09-15 17:37:16 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000005 -> %System32%\imon.dll -> Eset [Ver = 2, 51, 30 | Size = 274432 bytes | Modified Date = 2007-09-15 17:37:16 | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000032 -> %System32%\imon.dll -> Eset [Ver = 2, 51, 30 | Size = 274432 bytes | Modified Date = 2007-09-15 17:37:16 | Attr = ]
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
skype4com -> %CommonProgramFiles%\Skype\Skype4COM.dll -> Skype Technologies [Ver = 1, 0, 27, 0 | Size = 1828440 bytes | Modified Date = 2007-01-12 12:50:48 | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{00000055-9980-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/fhg.CAB ->
{00000161-0000-0010-8000-00AA00389B71} -> - CodeBase = http://codecs.microsoft.com/codecs/i386/msaudio.cab ->
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -> - CodeBase = http://www.apple.com/qtactivex/qtplugin.cab ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
{30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -> YInstStarter Class - CodeBase = C:\Program Files\Yahoo!\Common\yinsthelper.dll ->
{31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} -> Cult3D ActiveX Player - CodeBase = http://www.cult3d.com/download/cult.cab ->
{33564D57-0000-0010-8000-00AA00389B71} -> - CodeBase = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB ->
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -> Office Update Installation Engine - CodeBase = http://office.microsoft.com/officeupdate/content/opuc3.cab ->
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} -> - CodeBase = http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab ->
{56393399-041A-4650-94C7-13DFCB1F4665} -> PSFormX Control - CodeBase = http://ca.com/us/securityadvisor/pestscan/pestscan.cab ->
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} -> MUWebControl Class - CodeBase = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476 ->
{7B297BFD-85E4-4092-B2AF-16A91B2EA103} -> WScanCtl Class - CodeBase = http://ca.com/us/securityadvisor/virusinfo/webscan.cab ->
{8E0D4DE5-3180-4024-A327-4DFAD1796A8D} -> MessengerStatsClient Class - CodeBase = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab ->
{917623D1-D8E5-11D2-BE8B-00104B06BDE3} -> CamImage Class - CodeBase = http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab ->
{D1E7CBDA-E60E-4970-A01C-37301EF7BF98} -> Measurement Services Client v.3.11 - CodeBase = http://advisor.futuremark.com/global/msc311.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab ->
{E8F628B5-259A-4734-97EE-BA914D7BE941} -> Driver Agent ActiveX Control - CodeBase = http://driveragent.com/files/driveragent.cab ->
{F6BF0D00-0B2A-4A75-BF7B-F385591623AF} -> Solitaire Showdown Class - CodeBase = http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab ->
DirectAnimation Java Classes -> - CodeBase = file://C:\WINDOWS\Java\classes\dajava.cab ->
Microsoft XML Parser for Java -> - CodeBase = file://C:\WINDOWS\Java\classes\xmldso.cab ->


[Files/Folders - Created Within 30 days]
47999ed27b6b3619973bc500e450a97a -> %SystemDrive%\47999ed27b6b3619973bc500e450a97a -> [Folder | Created Date = 2007-10-21 15:36:37 | Attr = ]
7262a8ee43e7f36fa7edf0 -> %SystemDrive%\7262a8ee43e7f36fa7edf0 -> [Folder | Created Date = 2007-10-21 15:32:18 | Attr = ]
91abc3f5e86774baf905 -> %SystemDrive%\91abc3f5e86774baf905 -> [Folder | Created Date = 2007-10-22 19:53:33 | Attr = ]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Created Date = 2007-10-23 19:11:22 | Attr = ]
Deckard -> %SystemDrive%\Deckard -> [Folder | Created Date = 2007-10-24 16:11:48 | Attr = ]
DNS.EXE.MU_ -> %SystemDrive%\DNS.EXE.MU_ -> [Ver = | Size = 14748 bytes | Created Date = 2007-10-21 12:08:24 | Attr = ]
DNSAPI.DL_ -> %SystemDrive%\DNSAPI.DL_ -> [Ver = | Size = 73669 bytes | Created Date = 2007-10-21 12:07:16 | Attr = ]
DNSMGMT.MS_ -> %SystemDrive%\DNSMGMT.MS_ -> [Ver = | Size = 3688 bytes | Created Date = 2007-10-21 12:07:38 | Attr = ]
DNSMGR.CH_ -> %SystemDrive%\DNSMGR.CH_ -> [Ver = | Size = 19421 bytes | Created Date = 2007-10-21 12:06:02 | Attr = ]
DNSMGR.DLL.MU_ -> %SystemDrive%\DNSMGR.DLL.MU_ -> [Ver = | Size = 24785 bytes | Created Date = 2007-10-21 12:06:02 | Attr = ]
DNSRSLVR.DLL.MU_ -> %SystemDrive%\DNSRSLVR.DLL.MU_ -> [Ver = | Size = 1133 bytes | Created Date = 2007-10-21 12:09:37 | Attr = ]
DNSRSLVR.DL_ -> %SystemDrive%\DNSRSLVR.DL_ -> [Ver = | Size = 22771 bytes | Created Date = 2007-10-21 12:07:59 | Attr = ]
HANDNS.AN_ -> %SystemDrive%\HANDNS.AN_ -> [Ver = | Size = 495 bytes | Created Date = 2007-10-21 12:08:12 | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 267964416 bytes | Created Date = 1601-01-02 23:00:00 | Attr = HS]
Inetpub -> %SystemDrive%\Inetpub -> [Folder | Created Date = 2007-10-20 08:58:38 | Attr = ]
liprefs.js -> %SystemDrive%\liprefs.js -> [Ver = | Size = 151 bytes | Created Date = 2007-10-20 09:53:46 | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 2007-10-23 19:17:01 | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Created Date = 2007-10-23 18:02:50 | Attr = ]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ -> [Folder | Created Date = 2007-10-21 16:09:32 | Attr = H ]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ -> [Folder | Created Date = 2007-10-21 16:08:36 | Attr = H ]
$NtUninstallKB915865$ -> %SystemRoot%\$NtUninstallKB915865$ -> [Folder | Created Date = 2007-10-21 15:35:32 | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Created Date = 2007-10-19 13:52:23 | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Created Date = 2007-10-19 13:51:12 | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Created Date = 2007-10-19 13:48:02 | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Created Date = 2007-10-23 19:11:42 | Attr = ]
cd32.exe -> %SystemRoot%\cd32.exe -> [Ver = | Size = 633555 bytes | Created Date = 2007-10-20 09:43:27 | Attr = ]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Created Date = 2007-10-24 16:12:40 | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 2007-10-23 18:14:31 | Attr = ]
ie7 -> %SystemRoot%\ie7 -> [Folder | Created Date = 2007-10-21 16:10:11 | Attr = H ]
Netscape.INI -> %SystemRoot%\Netscape.INI -> [Ver = | Size = 0 bytes | Created Date = 2007-10-20 14:36:08 | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> [Ver = | Size = 51200 bytes | Created Date = 2007-10-23 19:16:32 | Attr = ]
uninst.exe -> %SystemRoot%\uninst.exe -> InstallShield Corporation, Inc. [Ver = 2.20.926.0 | Size = 299520 bytes | Created Date = 2007-10-20 09:41:59 | Attr = ]
WBEM -> %SystemRoot%\WBEM -> [Folder | Created Date = 2007-10-21 16:12:01 | Attr = ]
axctrnm.h -> %System32%\axctrnm.h -> [Ver = | Size = 2024 bytes | Created Date = 2007-10-20 08:59:11 | Attr = ]
axperf.ini -> %System32%\axperf.ini -> [Ver = | Size = 10225 bytes | Created Date = 2007-10-20 08:59:11 | Attr = ]
Cache -> %System32%\Cache -> [Folder | Created Date = 2007-10-20 17:22:48 | Attr = ]
en-US -> %System32%\en-US -> [Folder | Created Date = 2007-10-21 16:12:00 | Attr = ]
infoctrs.h -> %System32%\infoctrs.h -> [Ver = | Size = 3276 bytes | Created Date = 2007-10-20 08:59:06 | Attr = ]
infoctrs.ini -> %System32%\infoctrs.ini -> [Ver = | Size = 11435 bytes | Created Date = 2007-10-20 08:59:06 | Attr = ]
Logfiles -> %System32%\Logfiles -> [Folder | Created Date = 2007-10-20 17:22:39 | Attr = ]
nabapi32.dll -> %System32%\nabapi32.dll -> Netscape Communications Corporation [Ver = 4.70.0.27 | Size = 61952 bytes | Created Date = 2007-10-20 09:43:44 | Attr = ]
ntfsdrct.h -> %System32%\ntfsdrct.h -> [Ver = | Size = 773 bytes | Created Date = 2007-10-20 09:01:20 | Attr = ]
ntfsdrct.ini -> %System32%\ntfsdrct.ini -> [Ver = | Size = 1037 bytes | Created Date = 2007-10-20 09:01:20 | Attr = ]
ntkrnlmp.exe -> %System32%\ntkrnlmp.exe -> [Ver = | Size = 0 bytes | Created Date = 2007-10-23 18:45:47 | Attr = ]
ntkrpamp.exe -> %System32%\ntkrpamp.exe -> [Ver = | Size = 0 bytes | Created Date = 2007-10-23 18:45:47 | Attr = ]
NvApps.xml -> %System32%\NvApps.xml -> [Ver = | Size = 0 bytes | Created Date = 2007-10-19 12:29:34 | Attr = ]
smtpctrs.h -> %System32%\smtpctrs.h -> [Ver = | Size = 8002 bytes | Created Date = 2007-10-20 09:01:21 | Attr = ]
smtpctrs.ini -> %System32%\smtpctrs.ini -> [Ver = | Size = 21791 bytes | Created Date = 2007-10-20 09:01:21 | Attr = ]
swreg.exe -> %System32%\swreg.exe -> [Ver = | Size = 139776 bytes | Created Date = 2007-10-23 19:11:41 | Attr = ]
swsc.exe -> %System32%\swsc.exe -> [Ver = | Size = 370688 bytes | Created Date = 2007-10-23 19:11:41 | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> [Ver = | Size = 212480 bytes | Created Date = 2007-10-23 19:11:41 | Attr = ]
SYSTEM32 -> %System32%\SYSTEM32 -> [Folder | Created Date = 2007-10-20 17:23:09 | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 2007-10-23 19:11:41 | Attr = ]
w3ctrs.h -> %System32%\w3ctrs.h -> [Ver = | Size = 5379 bytes | Created Date = 2007-10-20 08:59:12 | Attr = ]
w3ctrs.ini -> %System32%\w3ctrs.ini -> [Ver = | Size = 38576 bytes | Created Date = 2007-10-20 08:59:12 | Attr = ]

Mateja
2007-10-25, 21:46
[Files/Folders - Modified Within 30 days]
47999ed27b6b3619973bc500e450a97a -> %SystemDrive%\47999ed27b6b3619973bc500e450a97a -> [Folder | Modified Date = 2007-10-21 16:36:38 | Attr = ]
7262a8ee43e7f36fa7edf0 -> %SystemDrive%\7262a8ee43e7f36fa7edf0 -> [Folder | Modified Date = 2007-10-21 16:32:40 | Attr = ]
91abc3f5e86774baf905 -> %SystemDrive%\91abc3f5e86774baf905 -> [Folder | Modified Date = 2007-10-22 20:54:08 | Attr = ]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 2007-10-24 10:47:58 | Attr = RHS]
ComboFix -> %SystemDrive%\ComboFix -> [Folder | Modified Date = 2007-10-25 13:41:24 | Attr = ]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 2007-10-20 16:02:36 | Attr = ]
Deckard -> %SystemDrive%\Deckard -> [Folder | Modified Date = 2007-10-24 17:11:50 | Attr = ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 267964416 bytes | Modified Date = 2007-10-25 13:45:26 | Attr = HS]
Inetpub -> %SystemDrive%\Inetpub -> [Folder | Modified Date = 2007-10-20 18:22:50 | Attr = ]
liprefs.js -> %SystemDrive%\liprefs.js -> [Ver = | Size = 151 bytes | Modified Date = 2007-10-20 15:32:36 | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 2007-10-22 23:23:18 | Attr = R ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 2007-10-24 10:48:24 | Attr = ]
SDFix -> %SystemDrive%\SDFix -> [Folder | Modified Date = 2007-10-23 19:02:52 | Attr = ]
Slovarji -> %SystemDrive%\Slovarji -> [Folder | Modified Date = 2007-09-30 00:06:58 | Attr = ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm -> [Ver = | Size = 292 bytes | Modified Date = 2007-09-30 21:59:22 | Attr = H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm -> [Ver = | Size = 244 bytes | Modified Date = 2007-09-30 21:59:22 | Attr = H ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 2007-10-25 13:45:24 | Attr = ]
$hf_mig$ -> %SystemRoot%\$hf_mig$ -> [Folder | Modified Date = 2007-10-21 16:35:12 | Attr = H ]
$NtServicePackUninstallIDNMitigationAPIs$ -> %SystemRoot%\$NtServicePackUninstallIDNMitigationAPIs$ -> [Folder | Modified Date = 2007-10-21 17:09:34 | Attr = H ]
$NtServicePackUninstallNLSDownlevelMapping$ -> %SystemRoot%\$NtServicePackUninstallNLSDownlevelMapping$ -> [Folder | Modified Date = 2007-10-21 17:08:38 | Attr = H ]
$NtUninstallKB915865$ -> %SystemRoot%\$NtUninstallKB915865$ -> [Folder | Modified Date = 2007-10-21 16:35:34 | Attr = H ]
$NtUninstallKB933729$ -> %SystemRoot%\$NtUninstallKB933729$ -> [Folder | Modified Date = 2007-10-19 14:52:26 | Attr = H ]
$NtUninstallKB939653$ -> %SystemRoot%\$NtUninstallKB939653$ -> [Folder | Modified Date = 2007-10-19 14:51:22 | Attr = H ]
$NtUninstallKB941202$ -> %SystemRoot%\$NtUninstallKB941202$ -> [Folder | Modified Date = 2007-10-19 14:48:04 | Attr = H ]
Album -> %SystemRoot%\Album -> [Folder | Modified Date = 2007-10-20 18:23:04 | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2007-10-25 13:45:38 | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Modified Date = 2007-10-20 06:03:32 | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 2007-10-24 17:13:54 | Attr = S]
ERDNT -> %SystemRoot%\ERDNT -> [Folder | Modified Date = 2007-10-24 17:12:42 | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Modified Date = 2007-10-23 19:14:48 | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 2007-10-21 17:14:30 | Attr = ]
ie7 -> %SystemRoot%\ie7 -> [Folder | Modified Date = 2007-10-21 17:11:22 | Attr = H ]
imsins.BAK -> %SystemRoot%\imsins.BAK -> [Ver = | Size = 1393 bytes | Modified Date = 2007-10-21 17:09:52 | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 2007-10-22 13:28:40 | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 2007-10-20 18:23:10 | Attr = HS]
Media -> %SystemRoot%\Media -> [Folder | Modified Date = 2007-10-21 17:11:50 | Attr = ]
MEMORY.DMP -> %SystemRoot%\MEMORY.DMP -> [Ver = | Size = 267993088 bytes | Modified Date = 2007-10-25 13:45:24 | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 2007-10-25 13:45:40 | Attr = ]
Netscape.INI -> %SystemRoot%\Netscape.INI -> [Ver = | Size = 0 bytes | Modified Date = 2007-10-20 15:36:10 | Attr = ]
nsreg.dat -> %SystemRoot%\nsreg.dat -> [Ver = | Size = 33914 bytes | Modified Date = 2007-10-20 22:08:08 | Attr = ]
ntsautodial.ini -> %SystemRoot%\ntsautodial.ini -> [Ver = | Size = 87 bytes | Modified Date = 2007-10-19 21:15:28 | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 2007-10-25 20:53:44 | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 2007-10-21 12:53:52 | Attr = ]
security -> %SystemRoot%\security -> [Folder | Modified Date = 2007-10-20 11:15:48 | Attr = ]
ShellNew -> %SystemRoot%\ShellNew -> [Folder | Modified Date = 2007-10-21 12:49:44 | Attr = H ]
system -> %SystemRoot%\system -> [Folder | Modified Date = 2007-10-20 18:23:04 | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 246 bytes | Modified Date = 2007-10-24 10:47:58 | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 2007-10-25 13:53:00 | Attr = ]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 2007-10-25 21:01:34 | Attr = ]
twain_32 -> %SystemRoot%\twain_32 -> [Folder | Modified Date = 2007-10-20 18:23:04 | Attr = ]
WBEM -> %SystemRoot%\WBEM -> [Folder | Modified Date = 2007-10-21 17:12:04 | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 1382 bytes | Modified Date = 2007-10-24 10:47:58 | Attr = ]
Disk Cleanup.job -> %SystemRoot%\tasks\Disk Cleanup.job -> [Ver = | Size = 262 bytes | Modified Date = 2007-10-25 15:39:02 | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2007-10-25 13:45:50 | Attr = H ]
Cache -> %System32%\Cache -> [Folder | Modified Date = 2007-10-20 18:22:50 | Attr = ]
CatRoot -> %System32%\CatRoot -> [Folder | Modified Date = 2007-10-21 17:07:52 | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 2007-10-24 14:28:20 | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 2007-10-24 14:28:34 | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 2007-10-24 14:28:28 | Attr = ]
en-US -> %System32%\en-US -> [Folder | Modified Date = 2007-10-21 17:12:02 | Attr = ]
ias -> %System32%\ias -> [Folder | Modified Date = 2007-10-20 22:10:36 | Attr = ]
inetsrv -> %System32%\inetsrv -> [Folder | Modified Date = 2007-10-21 12:53:58 | Attr = ]
Logfiles -> %System32%\Logfiles -> [Folder | Modified Date = 2007-10-20 18:22:40 | Attr = ]
Microsoft -> %System32%\Microsoft -> [Folder | Modified Date = 2007-10-21 12:54:16 | Attr = S]
ntkrnlmp.exe -> %System32%\ntkrnlmp.exe -> [Ver = | Size = 0 bytes | Modified Date = 2007-10-23 19:45:48 | Attr = ]
ntkrpamp.exe -> %System32%\ntkrpamp.exe -> [Ver = | Size = 0 bytes | Modified Date = 2007-10-23 19:45:48 | Attr = ]
NvApps.xml -> %System32%\NvApps.xml -> [Ver = | Size = 0 bytes | Modified Date = 2007-10-25 13:47:32 | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 67306 bytes | Modified Date = 2007-10-21 12:53:50 | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 408144 bytes | Modified Date = 2007-10-21 12:53:50 | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 525134 bytes | Modified Date = 2007-10-20 10:06:16 | Attr = ]
SYSTEM32 -> %System32%\SYSTEM32 -> [Folder | Modified Date = 2007-10-20 18:23:12 | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 2007-10-22 16:49:14 | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 2007-10-23 19:34:44 | Attr = ]

[File String Scan - Non-Microsoft Only]
File scan skipped for file %SystemRoot%\MEMORY.DMP -> File size too big (267993088 bytes) ->
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 2001-08-23 14:00:00 | Attr = ]
PEC2 , PECompact2 , -> %System32%\DivX.dll -> DivX, Inc. [Ver = 6.5.0.53 | Size = 639066 bytes | Modified Date = 2007-03-27 09:49:00 | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 2007-01-03 13:57:32 | Attr = ]
aspack , -> %System32%\Sase.ocx -> Sikander Soft [Ver = 2.3.6.1 | Size = 188416 bytes | Modified Date = 1999-12-23 00:42:42 | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> [Ver = | Size = 139776 bytes | Modified Date = 2007-04-02 14:21:28 | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 2001-08-23 14:00:00 | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 2001-08-23 14:00:00 | Attr = ]
PTech , -> %System32%\drivers\mtlstrm.sys -> Smart Link [Ver = 3.80.01MC15 | Size = 1309184 bytes | Modified Date = 2004-08-04 07:41:38 | Attr = ]

< End of report >

Shaba
2007-10-26, 08:23
Hi

I will research that later and post back instructions after that :)

Mateja
2007-10-27, 11:06
Hi
OK, I will wait for your instructions.
Thanks for your time.
Wish you a nice day :)

Shaba
2007-10-27, 11:22
Hi

Copy the text below to Notepad and save it as delfiles.bat (save it as all files, *.*)

@ECHO OFF
REM Clear the hidden/read-only/system attributes so del can remove the 0-byte files
attrib -h -r -s "C:\Windows\system32\ntkrnlmp.exe"
attrib -h -r -s "C:\Windows\system32\ntkrpamp.exe"
del /a /f /q "C:\Windows\system32\ntkrnlmp.exe"
del /a /f /q "C:\Windows\system32\ntkrpamp.exe"
REM "Driver Cache" contains a space, so the paths must be quoted or copy reads C:\WINDOWS\Driver as the source
copy /Y "C:\WINDOWS\Driver Cache\i386\ntkrnlmp.exe" "C:\Windows\system32\ntkrnlmp.exe"
copy /Y "C:\WINDOWS\Driver Cache\i386\ntkrpamp.exe" "C:\Windows\system32\ntkrpamp.exe"

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Double-click delfiles.bat; a black DOS window will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Do another search and post back the results, please :)

Mateja
2007-10-27, 11:49
Hi
You mean do another search with WinPFind3U.exe?

Shaba
2007-10-27, 11:50
Hi

No, with windows own search :)

Mateja
2007-10-27, 12:13
Hi
Should I type there and look for ntkrpamp.exe and ntkrnlmp.exe?

Shaba
2007-10-27, 12:14
Hi

Yes :)

Mateja
2007-10-27, 12:31
Hi
Results are the same as in previous posts.

Shaba
2007-10-27, 12:43
Hi

Also these?

ntkrnlmp.exe C:\WINDOWS\system32 0 KB
ntkrpamp.exe C:\WINDOWS\system32 0 KB

Mateja
2007-10-27, 12:44
Hi
Yes, still there.

Shaba
2007-10-27, 12:50
Hi

Please download Ntoskrnl_Check (http://download.bleepingcomputer.com/sUBs/Beta/ntoskrnl_check.exe)
Save to the Desktop.

Double click Ntoskrnl_check.exe and run it.

Please post the log produced in your reply.

Mateja
2007-10-27, 13:01
Hi
=====================

"C:\WINDOWS\System32\ntoskrnl.exe" .... is present
"C:\WINDOWS\System32\ntoskrnl.exe" ... is patched

Files found ....
2007-09-12 10:41=2271722=C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 11:55=2182144=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2007-02-28 11:10=2180352=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2005-03-02 03:33=2040832=C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2005-03-02 03:04=2179456=C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2005-03-02 02:59=2179328=C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2005-03-02 02:59=2179328=C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2005-03-02 02:59=2179328=C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2004-08-04 08:19=2180992=C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe

0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe

Number of files copied: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

Number of files copied: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

Number of files copied: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe

Number of files copied: 0
0x00000000 Microsoft Windows Publisher C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe

Number of files copied: 0
=====================

"C:\WINDOWS\System32\ntkrnlpa.exe" .... is present
"C:\WINDOWS\System32\ntkrnlpa.exe" ... is patched

Files found ....
2007-09-12 10:41=2149226=C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 11:15=2059392=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntkrnlpa.exe
2007-02-28 10:38=2057600=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2005-03-02 02:36=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2005-03-02 02:36=1955840=C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2005-03-02 02:34=2056832=C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
2005-03-02 02:34=2056832=C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2005-03-02 02:34=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2004-08-04 07:58=2056832=C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe

0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

Number of files copied: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe

Number of files copied: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe

Number of files copied: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe

Number of files copied: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe

Number of files copied: 0
0x00000000 Microsoft Windows Publisher C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe

Number of files copied: 0

Shaba
2007-10-27, 13:06
Hi

Yes, ntoskrnl.exe is patched too as expected.

Copy the text below to Notepad and save it as listfiles.bat (save it as all files, *.*)

@ECHO OFF
REM /a (no attribute letter) lists every file, hidden and system ones included; /s recurses into subfolders
dir "%WinDir%\system32\nt*.*" "%WinDir%\system32\sno.*" /a /s > files2.txt
start notepad files2.txt

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Double-click listfiles.bat; a black DOS window will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Post the contents of the files2.txt file that opens.

Mateja
2007-10-27, 13:16
Hi

Volume in drive C has no label.
Volume Serial Number is DC7D-B29B

Directory of C:\WINDOWS\system32

04.08.2004 09:56 1.200.128 ntbackup.exe
04.08.2004 09:56 708.096 ntdll.dll
23.08.2001 14:00 27.866 ntdos.sys
23.08.2001 14:00 29.146 ntdos404.sys
23.08.2001 14:00 29.370 ntdos411.sys
23.08.2001 14:00 29.274 ntdos412.sys
23.08.2001 14:00 29.146 ntdos804.sys
04.08.2004 09:56 67.072 ntdsapi.dll
23.08.2001 14:00 26.112 ntdsbcli.dll
21.07.2001 14:23 773 ntfsdrct.h
21.07.2001 14:23 1.037 ntfsdrct.ini
23.08.2001 14:00 48.794 ntimage.gif
04.08.2004 07:45 33.840 ntio.sys
04.08.2004 07:45 34.560 ntio404.sys
04.08.2004 07:45 35.648 ntio411.sys
04.08.2004 07:45 35.424 ntio412.sys
04.08.2004 07:45 34.560 ntio804.sys
23.10.2007 19:45 0 ntkrnlmp.exe
12.09.2007 10:41 2.149.226 ntkrnlpa.exe
23.10.2007 19:45 0 ntkrpamp.exe
04.08.2004 09:56 43.520 ntlanman.dll
23.08.2001 14:00 57.856 ntlanui.dll
23.08.2001 14:00 14.336 ntlanui2.dll
04.08.2004 09:56 8.192 ntlsapi.dll
04.08.2004 09:56 118.784 ntmarta.dll
04.08.2004 09:56 40.960 ntmsapi.dll
13.08.2007 11:55 <DIR> NtmsData
04.08.2004 09:56 179.712 ntmsdba.dll
23.08.2001 14:00 36.864 ntmsevt.dll
04.08.2004 09:56 488.448 ntmsmgr.dll
23.08.2001 14:00 26.209 ntmsmgr.msc
23.08.2001 14:00 32.968 ntmsoprq.msc
04.08.2004 09:56 435.200 ntmssvc.dll
12.09.2007 10:41 2.271.722 ntoskrnl.exe
04.08.2004 09:56 91.136 ntprint.dll
23.08.2001 14:00 31.744 ntsd.exe
23.08.2001 14:00 36.864 ntsdexts.dll
04.08.2004 09:56 143.872 ntshrui.dll
12.09.2002 17:29 6.016 ntsim.sys
04.08.2004 09:56 419.840 ntvdm.exe
23.08.2001 14:00 13.312 ntvdmd.dll
40 File(s) 9.017.627 bytes

Directory of C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

04.08.2004 10:58 2.012.670 nt5.cat
23.08.2001 14:00 797.189 NT5IIS.CAT
04.08.2004 10:58 502.724 nt5inf.cat
04.08.2004 10:57 1.086.058 ntprint.cat
4 File(s) 4.398.641 bytes

Directory of C:\WINDOWS\system32\config\systemprofile

23.07.2006 17:26 262.144 ntuser.dat
24.10.2007 10:49 1.024 ntuser.dat.LOG
2 File(s) 263.168 bytes

Directory of C:\WINDOWS\system32\dllcache

23.08.2001 14:00 797.189 NT5IIS.CAT
23.08.2001 14:00 27.866 ntdos.sys
23.08.2001 14:00 29.146 ntdos404.sys
23.08.2001 14:00 29.370 ntdos411.sys
23.08.2001 14:00 29.274 ntdos412.sys
23.08.2001 14:00 29.146 ntdos804.sys
23.08.2001 14:00 26.112 ntdsbcli.dll
09.02.2007 13:10 574.464 ntfs.sys
23.08.2001 14:00 57.856 ntlanui.dll
23.08.2001 14:00 14.336 ntlanui2.dll
23.08.2001 14:00 36.864 ntmsevt.dll
23.08.2001 14:00 31.744 ntsd.exe
23.08.2001 14:00 36.864 ntsdexts.dll
23.08.2001 14:00 13.312 ntvdmd.dll
14 File(s) 1.733.543 bytes

Directory of C:\WINDOWS\system32\drivers

09.02.2007 13:10 574.464 ntfs.sys
04.08.2004 07:41 180.360 ntmtlfax.sys
12.12.2001 16:28 161.512 ntspppoe.sys
3 File(s) 916.336 bytes

Directory of C:\WINDOWS\system32\inetsrv

17.08.2001 22:36 38.912 ntfsdrv.dll
1 File(s) 38.912 bytes

Directory of C:\WINDOWS\system32\NtmsData

13.08.2007 11:55 114.688 NTMSDATA
13.08.2007 11:55 114.688 NTMSDATA.BAK
13.08.2007 11:55 86.024 NTMSIDX
14.07.2006 21:55 816 NTMSREG
4 File(s) 316.216 bytes

Directory of C:\WINDOWS\system32\Setup

04.08.2004 09:56 62.976 ntoc.dll
1 File(s) 62.976 bytes

Directory of C:\WINDOWS\system32\spool\drivers\color

17.07.2002 02:15 556 NTSC1953.icc
1 File(s) 556 bytes

Directory of C:\WINDOWS\system32\SYSTEM32

29.08.2002 05:40 668.672 NTDLL.DLL
1 File(s) 668.672 bytes

Directory of C:\WINDOWS\system32\wbem

04.08.2004 09:56 212.992 ntevt.dll
23.08.2001 14:00 20.544 ntevt.mfl
23.08.2001 14:00 29.762 ntevt.mof
3 File(s) 263.298 bytes

Directory of C:\WINDOWS\system32\wbem\Logs

22.07.2006 18:58 2 NTEVT.log
1 File(s) 2 bytes

Directory of C:\WINDOWS\system32\wbem\MUI\0424

25.01.2002 17:26 20.232 ntevt.mfl
1 File(s) 20.232 bytes

Shaba
2007-10-27, 13:23
Hi

Boot in safe mode

Go to Start > Run, and in the Open area, copy/paste the following:
C:\WINDOWS\SYSTEM32
Look for the file: ntoskrnl.exe
Right-click ntoskrnl.exe
Select: Rename
Rename the file to ntoskrnl.exe.nuk

Then, search for: C:\WINDOWS\Driver Cache\i386
Look for: ntoskrnl.exe, and right-click it
Select: Copy
Then paste the file to the following folder:
C:\WINDOWS\SYSTEM32

If you are able to do all of the above without any problems, then delete the following file:
C:\WINDOWS\SYSTEM32\ntoskrnl.exe.nuk

Reboot

Re-run Ntoskrnl_check.exe

Post Ntoskrnl_check.exe log here.
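
The two repair procedures in this thread (the delfiles.bat copy from Driver Cache, and the manual rename-to-.nuk and copy of ntoskrnl.exe above) both rely on a backup copy of the kernel being clean and on the copy actually landing. The script below is an added example, not part of the thread and not sUBs' Ntoskrnl_check tool: it hashes the live kernel image and every candidate backup location the check output listed, treats a copy as usable only when its SHA-256 is in a set of trusted digests, keeps the old file as .nuk, and re-hashes the result before reporting success. The trusted-hash set and the miniature Windows tree in build_demo_tree() are constructed test data (on a real machine you would supply digests taken from a clean install at the same patch level), and the byte strings stand in for real kernel binaries.

```python
import hashlib
import os
import shutil
import tempfile

# Places Windows XP keeps pristine copies of the kernel image, as seen in the
# Ntoskrnl_check output in this thread (components relative to the Windows directory).
BACKUP_DIRS = [
    ("ServicePackFiles", "i386"),
    ("Driver Cache", "i386"),
    ("$hf_mig$", "KB890859", "SP2GDR"),
    ("$NtServicePackUninstall$",),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_kernel(windir, name, known_good):
    """Hash system32\\<name> and every backup copy; flag which ones match a trusted hash.

    known_good is a set of SHA-256 digests trusted for this file (assumed to come from a
    clean machine at the same patch level; nothing here fetches them)."""
    live = os.path.join(windir, "system32", name)
    result = {"live": live, "live_ok": False, "backups": []}
    if os.path.isfile(live):
        result["live_ok"] = sha256_file(live) in known_good
    for parts in BACKUP_DIRS:
        cand = os.path.join(windir, *parts, name)
        if not os.path.isfile(cand):
            continue
        digest = sha256_file(cand)
        result["backups"].append(
            {"path": cand, "size": os.path.getsize(cand), "trusted": digest in known_good}
        )
    return result


def restore_kernel(windir, name, known_good):
    """Replace a patched system32\\<name> from the first trusted, non-empty backup.

    Mirrors the manual steps in the thread: rename the bad file to .nuk (an image the
    running system has mapped can be renamed but not deleted), copy a clean one in,
    then re-hash the result before declaring success."""
    audit = audit_kernel(windir, name, known_good)
    if audit["live_ok"]:
        return "authentic"
    trusted = [b for b in audit["backups"] if b["trusted"] and b["size"] > 0]
    if not trusted:
        # Nothing safe to copy from: the thread's 0-byte ntkrnlmp.exe/ntkrpamp.exe land here
        return "no-trusted-backup"
    live = audit["live"]
    if os.path.isfile(live):
        shutil.move(live, live + ".nuk")
    shutil.copy2(trusted[0]["path"], live)
    if sha256_file(live) not in known_good:
        return "verify-failed"
    return "restored"


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def build_demo_tree(root):
    """Constructed miniature Windows tree; the byte strings stand in for real kernels."""
    clean = b"MZ-demo-kernel" + b"\x90" * 64
    patched = b"MZ-demo-kernel" + b"\xcc" * 64    # altered bytes play the role of the rootkit patch
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    _write(os.path.join(sys32, "ntoskrnl.exe"), patched)
    _write(os.path.join(sys32, "ntkrnlmp.exe"), b"")      # the 0-byte file from the thread
    sp = os.path.join(root, "ServicePackFiles", "i386")
    os.makedirs(sp)
    _write(os.path.join(sp, "ntoskrnl.exe"), clean)
    dc = os.path.join(root, "Driver Cache", "i386")
    os.makedirs(dc)
    _write(os.path.join(dc, "ntoskrnl.exe"), patched)      # a backup that was tampered with too
    return {hashlib.sha256(clean).hexdigest()}


def demo():
    root = tempfile.mkdtemp()
    try:
        known_good = build_demo_tree(root)
        before = audit_kernel(root, "ntoskrnl.exe", known_good)["live_ok"]
        first = restore_kernel(root, "ntoskrnl.exe", known_good)
        after = audit_kernel(root, "ntoskrnl.exe", known_good)["live_ok"]
        again = restore_kernel(root, "ntoskrnl.exe", known_good)
        mp = restore_kernel(root, "ntkrnlmp.exe", known_good)
        return before, first, after, again, mp
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())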

Mateja
2007-10-27, 14:15
Hi
I did it without problems :)


=====================

"C:\WINDOWS\System32\ntoskrnl.exe" .... is present
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\System32\ntoskrnl.exe

"C:\WINDOWS\System32\ntoskrnl.exe" ... is authentic

=====================

"C:\WINDOWS\System32\ntkrnlpa.exe" .... is present
"C:\WINDOWS\System32\ntkrnlpa.exe" ... is patched

Files found ....
28.02.2007 11:15=2059392=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntkrnlpa.exe
28.02.2007 10:38=2057600=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
12.09.2007 10:41=2149226=C:\WINDOWS\system32\ntkrnlpa.exe
04.08.2004 07:58=2056832=C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
02.03.2005 02:36=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
02.03.2005 02:36=1955840=C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
02.03.2005 02:34=2056832=C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
02.03.2005 02:34=2056832=C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
02.03.2005 02:34=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe

0x00000000 Microsoft Windows Publisher C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe

Number of files copied: 1
0x00000000 Microsoft Windows Publisher C:\WINDOWS\System32\ntkrnlpa.exe

Replacement is successful. File is authentic.

Shaba
2007-10-27, 14:18
Hi

Looks good :)

Re-run dss

Post dss log.

Mateja
2007-10-27, 14:29
Hi
What is dss?

Shaba
2007-10-27, 14:30
Hi

Deckard's system scanner :)

Mateja
2007-10-27, 14:34
Oh, sorry, I found it. I have so many icons on my desktop that I'm a little confused :)

Deckard's System Scanner v20071014.68
Run by mateja on 2007-10-27 14:30:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as mateja.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:41, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Namizje\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mateja.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A401403-500F-4C57-B6BE-FDA1D08079A2}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7793 bytes

-- Files created between 2007-09-27 and 2007-10-27 -----------------------------

2007-10-23 20:16:32 51200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrpamp.exe
2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrnlmp.exe
2007-10-23 19:14:31 0 d-------- C:\WINDOWS\ERUNT
2007-10-22 20:53:33 0 d-------- C:\91abc3f5e86774baf905
2007-10-22 18:04:31 0 d-------- C:\Program Files\Trend Micro
2007-10-22 16:57:02 0 d-------- C:\Program Files\RegistryFix
2007-10-21 16:47:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 16:36:37 0 d-------- C:\47999ed27b6b3619973bc500e450a97a
2007-10-21 16:32:18 0 d-------- C:\7262a8ee43e7f36fa7edf0
2007-10-20 18:23:09 0 d-------- C:\WINDOWS\system32\SYSTEM32
2007-10-20 18:22:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\WINDOWS
2007-10-20 18:22:48 0 d-------- C:\WINDOWS\system32\Cache
2007-10-20 18:22:39 0 d-------- C:\WINDOWS\system32\Logfiles
2007-10-20 16:02:09 0 d-------- C:\Program Files\Support Tools
2007-10-20 14:29:53 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Lavasoft
2007-10-20 14:29:35 0 d-------- C:\Program Files\Lavasoft
2007-10-20 10:43:44 61952 --a------ C:\WINDOWS\system32\nabapi32.dll <Not Verified; Netscape Communications Corporation; Netscape Communications Address Book API>
2007-10-20 10:43:27 633555 --a------ C:\WINDOWS\cd32.exe
2007-10-20 10:42:48 0 d-------- C:\Program Files\Netscape
2007-10-20 10:41:59 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-10-20 09:58:38 0 d-------- C:\Inetpub
2007-10-19 13:29:35 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-09-30 00:13:22 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Empire XP
2007-09-29 12:06:04 0 d-------- C:\Program Files\TVUPlayer
2007-09-28 12:46:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\AdobeUM


-- Find3M Report ---------------------------------------------------------------

2007-10-20 22:08:07 33914 --a------ C:\WINDOWS\nsreg.dat
2007-10-20 18:26:34 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Adobe
2007-10-20 18:23:03 0 d-------- C:\Program Files\Maxis
2007-10-20 18:23:03 0 d-------- C:\Program Files\JoWooD
2007-10-20 18:23:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-20 18:23:03 0 d-------- C:\Program Files\Infogrames
2007-09-30 00:08:28 0 d-------- C:\Program Files\Common Files
2007-09-29 23:45:33 0 d-------- C:\Program Files\Red Storm Entertainment
2007-09-28 12:45:27 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Real
2007-09-22 16:22:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\SopCast
2007-09-19 20:55:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\TVU Networks
2007-09-19 17:17:15 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Skype
2007-09-16 09:49:15 33600 --a------ C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\GDIPFONTCACHEV1.DAT
2007-09-15 19:31:21 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Help
2007-09-15 17:37:14 274432 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-09-14 23:48:23 0 d-------- C:\Program Files\Office10
2007-09-14 21:54:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\DivX
2007-09-14 20:53:42 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Macromedia
2007-09-14 20:53:33 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Google
2007-09-14 20:50:23 0 dr-h----- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\yahoo!
2007-09-14 18:22:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Identities
2007-09-12 19:00:48 244448 --a------ C:\WINDOWS\system32\eb51704c.sys
2007-09-12 18:41:10 244448 --a------ C:\WINDOWS\system32\2ba079ec.sys
2007-09-12 17:08:53 244448 --a------ C:\WINDOWS\system32\c4a674d2.sys
2007-09-12 16:11:26 244448 --a------ C:\WINDOWS\system32\b4e8ede8.sys
2007-09-12 13:19:11 244448 --a------ C:\WINDOWS\system32\7714b2d6.sys
2007-09-12 11:18:03 244448 --a------ C:\WINDOWS\system32\8ea95e8a.sys
2007-09-12 10:39:10 244448 --a------ C:\WINDOWS\system32\1f17d506.sys
2007-09-12 00:07:26 244448 --a------ C:\WINDOWS\system32\42617506.sys
2007-09-10 01:03:08 0 d-------- C:\Program Files\MSN Messenger
2007-09-09 14:22:12 0 d-------- C:\Program Files\Messenger
2007-09-08 16:00:36 0 d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-08 14:37:47 0 d-------- C:\Program Files\RogueRemover PRO
2007-09-08 13:31:10 0 d-------- C:\Program Files\Movie Maker
2007-09-08 13:22:06 0 d-------- C:\Program Files\Windows NT
2007-08-31 20:32:00 0 d-------- C:\Program Files\MSECache


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFG1400U"="Cfg1400U.exe" []
"mouseElf"="C:\PROGRA~1\TWINTO~1\MouseElf.EXE" [26.08.2004 02:45]
"nwiz"="nwiz.exe" [22.10.2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [22.10.2006 12:22]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [22.10.2006 12:22]
"Audio Device Manager"="winfp.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12.09.2006 01:58]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [05.09.2006 18:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03.01.2007 13:57]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [15.09.2007 17:37]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 09:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [30.11.2006 22:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B778645D-B2A0-48E5-8E43-04B02CA3EA9D}"= C:\WINDOWS\Help\425D8586.DLL [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-10-27 14:31:43 ------------

Shaba
2007-10-27, 14:39
Hi

Open HijackThis, click do a system scan only and checkmark these:

O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ce...p/RdxIE601.cab

Close all windows including browser and press fix checked.

Reboot.

Re-run Ntoskrnl_check.exe

Post Ntoskrnl_check.exe log here with a fresh HijackThis log.

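The two lines Shaba asks to fix above show the classic HijackThis warning signs: an O4 autostart whose command is a bare file name with no path (Windows resolves it through the search path, so the log does not reveal where it lives) and an O16 DPF entry with no object description (the control is not registered locally). The script below is an added example, not HijackThis code and not from anyone in this thread; it parses those two line types and flags such entries, and the allow-list of legitimate bare system names is an assumption made for the example.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HJT code).

Flags two patterns a forum helper looks for before asking for "fix checked":
  * an O4 autostart whose executable has no directory and is not a known
    system binary, and
  * an O16 DPF (Downloaded Program Files) entry with no object description.
"""
import re
from typing import List, NamedTuple, Tuple

# Bare file names that legitimately appear without a path on Windows XP.
# Constructed allow-list for this example, not an authoritative source.
KNOWN_BARE_NAMES = {"nwiz.exe", "ctfmon.exe", "rundll32.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<target>.+)$"
)


class Finding(NamedTuple):
    line: str
    reason: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image, arguments) for an O4 command, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text: str) -> List[Finding]:
    """Scan an HJT log and return the O4/O16 entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            image, args = split_command(m.group("cmd"))
            # rundll32 is only a host; what actually runs is the DLL argument.
            if image.lower() == "rundll32.exe":
                image = args.split(",", 1)[0] or image
            if "\\" not in image and image.lower() not in KNOWN_BARE_NAMES:
                findings.append(Finding(
                    line, f'autostart "{image}" has no path and is not a known system binary'))
            continue
        m = O16_RE.match(line)
        if m and not m.group("desc"):
            findings.append(Finding(
                line, "DPF entry has no object description: control is not registered locally"))
    return findings


# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ce...p/RdxIE601.cab
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

A flagged entry is a prompt to check the file's origin, not a verdict; a legitimate tool installed without a path would be flagged the same way.
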
Mateja
2007-10-27, 15:02
Hi

=====================

"C:\WINDOWS\System32\ntoskrnl.exe" .... is present
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\System32\ntoskrnl.exe

"C:\WINDOWS\System32\ntoskrnl.exe" ... is authentic

=====================

"C:\WINDOWS\System32\ntkrnlpa.exe" .... is present
0x00000000 Microsoft Windows Publisher C:\WINDOWS\System32\ntkrnlpa.exe

"C:\WINDOWS\System32\ntkrnlpa.exe" ... is authentic

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59:45, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7317 bytes

Shaba
2007-10-27, 15:07
Hi

Re-run sdfix in safe mode.

Post:

- a fresh HijackThis log
- sdfix report

Mateja
2007-10-27, 15:53
Hi

SDFix: Version 1.111

Run by mateja on sob 27.10.2007 at 15:30

Microsoft Windows XP [razliźica 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Oddaljena pomoź - Windows Messenger in Voice"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 2 Jul 2002 16,208 A.SHR --- "C:\Program Files\IAS_3_0\rf32sa.dll"
Mon 30 Oct 2006 8 ..SHR --- "C:\WINDOWS\system32\FA6A3FAFCF.dll"
Thu 7 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 5 Nov 2006 3,584 A..H. --- "C:\Documents and Settings\mateja\Local Settings\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe"
Fri 11 Aug 2006 1,401,768 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa6a8b6ef758224c8bfe859aa426f0c7\BIT3.tmp"
Wed 24 Oct 2007 616,448 A.SH. --- "C:\Deckard\System Scanner\20071027143004\backup\WINDOWS\temp\i5u8c15r.TMP"

Finished!

and HJT log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:50:41, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7350 bytes

Shaba
2007-10-27, 16:43
Hi

Looks good :)

Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report

Mateja
2007-10-27, 16:59
I already have ATF cleaner on my desktop. Is it ok? Can I do that with this one?

Shaba
2007-10-27, 17:37
Hi

Sure :)

Mateja
2007-10-27, 21:39
Hi Shaba
Here's the HJT logfile. The Kaspersky txt file will be in the next post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:02, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A401403-500F-4C57-B6BE-FDA1D08079A2}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7396 bytes

Mateja
2007-10-27, 21:40
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 9:30:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/10/2007
Kaspersky Anti-Virus database records: 447139
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 89930
Number of viruses found: 23
Number of infected objects: 52
Number of suspicious objects: 0
Duration of the scan process: 04:13:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\History\History.IE5\MSHist012007102720071028\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\Content.IE5\GPP9PRM8\1192696824[1].swf Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFB085.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFB99E.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFB9AB.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\A3DVCPBA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\FZTOB3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\GXD1GLDA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\KBAKXPBA.NQF Infected: Rootkit.Win32.Agent.dw skipped
C:\Program Files\ESET\infected\M4WZBMAA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\SUCGN3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\WPUKKCDA.NQF Infected: Rootkit.Win32.Agent.dp skipped
C:\Program Files\ESET\infected\Z3NIXIBA.NQF Infected: Trojan-Downloader.Win32.Agent.djt skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\SDFix\SDFix\backups_old1\backups.zip/backups/mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\SDFix\SDFix\backups_old1\backups.zip/backups/oleauth32.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\SDFix\SDFix\backups_old1\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0287460.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0289439.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290445.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290447.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319502.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319503.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319504.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319507.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319508.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319509.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319510.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319511.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319512.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319513.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319514.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319515.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319516.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319517.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319518.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319519.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319520.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319521.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319522.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319523.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319524.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319525.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319526.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319527.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319528.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319529.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0325591.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0328594.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336692.exe Infected: Trojan.Win32.Agent.bty skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336693.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0438841.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440916.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440917.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440922.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440925.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\A0461039.exe Infected: Trojan.Win32.Patched.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\A0461049.exe Infected: Trojan.Win32.Patched.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\change.log Object is locked skipped

Scan process completed.

Shaba
2007-10-28, 10:45
Hi

Empty these folders:

C:\Program Files\ESET\infected\
C:\SDFix\SDFix\backups_old1

Empty Recycle Bin

All other viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
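As an added example, not part of the thread, here is a small Python triage of a Kaspersky Online Scanner report in the format posted above, sorting detections the way Shaba does: AV quarantine and SDFix backups are folders to empty, System Restore entries are inactive, anything else is active. The sample lines are constructed to mirror the report, and the folder rules are this example's own assumptions, not Kaspersky's.

```python
"""Triage a Kaspersky Online Scanner (2007) report into contained vs. active findings."""
import re

# Report line shape: "<path> Infected: <detection name> <last action>"
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\w+)$")
LOCKED_SUFFIX = " Object is locked skipped"

# Constructed sample mirroring the thread's report (GUID replaced by a placeholder;
# the last line is an invented active finding to exercise the "active" bucket).
SAMPLE_REPORT = r"""
C:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
C:\Program Files\ESET\infected\A3DVCPBA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\WPUKKCDA.NQF Infected: Rootkit.Win32.Agent.dp skipped
C:\SDFix\SDFix\backups_old1\backups.zip/backups/mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\SDFix\SDFix\backups_old1\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP426\A0287460.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\WINDOWS\system32\constructed_sample.dll Infected: Trojan.Win32.Agent.afg skipped
"""


def classify_path(path):
    """Assumed containment rules: quarantine, cleanup-tool backups, System Restore."""
    low = path.lower()
    # System Restore snapshots exist on every drive, so ignore the drive letter
    if low[1:].startswith(r":\system volume information\_restore"):
        return "system_restore"
    if low.startswith(r"c:\program files\eset\infected"):
        return "av_quarantine"
    if low.startswith(r"c:\sdfix"):
        return "tool_backup"
    return "active"


def parse_report(text):
    """Return one dict per 'Infected:' line; locked files and archive summaries are skipped."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(LOCKED_SUFFIX):
            continue  # locked system/registry files are not detections
        m = INFECTED_RE.match(line)
        if not m:
            continue  # e.g. "backups.zip ZIP: infected - 2 skipped" (summary of members)
        path = m.group("path")
        findings.append({"path": path, "name": m.group("name"),
                         "action": m.group("action"), "bucket": classify_path(path)})
    return findings


def triage(text):
    """Group findings by bucket so the active ones stand out."""
    buckets = {}
    for f in parse_report(text):
        buckets.setdefault(f["bucket"], []).append(f)
    return buckets


def folders_to_empty(findings):
    """Directories holding contained detections (quarantine/backups), as Shaba advised."""
    folders = set()
    for f in findings:
        if f["bucket"] in ("av_quarantine", "tool_backup"):
            container = f["path"].split("/", 1)[0]    # archive member -> the archive itself
            folders.add(container.rsplit("\\", 1)[0])  # containing directory
    return folders


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, [i["name"] for i in items])
    print("empty:", sorted(folders_to_empty(parse_report(SAMPLE_REPORT))))
```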

Mateja
2007-10-28, 11:51
Hi Shaba
Thank you so much for your help.
Those folders are empty now.
What should I do now?
And what do I have to do in future so that I will avoid such kinds of problems?

And another question... I think it would be good to upgrade my PC from 256 to 512. What's your opinion?
Because of that (just 256) I've got a blue screen sometimes?

Although it's raining here in Ljubljana, I feel great. Because of you and your help. Thank you again.

Shaba
2007-10-28, 12:23
Hi

"And another question... I think it would be good to upgrade my PC from 256 to 512. What's your opinion?
Because of that (just 256) I've got a blue screen sometimes?"

Yes I agree :)

Even upgrading to 1024 might be good, if possible

Just follow my instructions below:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can remove all tools we used.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
3) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
4) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Shaba
2007-10-30, 09:49
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.