Virus, popups, cws



ichigo333
2006-05-18, 18:22
Hi
I've got this problem; it seems as if it sticks to my PC and doesn't want to go away. I've tried everything, but it's useless :S
I hope you can help me! Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 17:10:58, on 2006-05-18
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\rpcc.exe
C:\WINDOWS\System32\??xplore.exe
C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Antyspyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: (no name) - {062644BA-AC0D-8CFE-2CF1-D4F88D93CF9C} - C:\WINDOWS\System32\jbbn.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55270F8C-A658-9DA2-6371-9F02C0D180A2} - C:\WINDOWS\System32\zztszhod.dll (file missing)
O2 - BHO: (no name) - {6B60E31A-15CC-2269-A2AB-72FCDF53EAFD} - C:\WINDOWS\System32\thndcn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {85DCA3AA-0C27-6184-47F1-3788685B0FF7} - C:\WINDOWS\System32\kpiwel.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {A91D4970-B1F5-8002-9CAB-D766F60275F3} - C:\WINDOWS\System32\osyacx.dll (file missing)
O2 - BHO: (no name) - {C41FBDD4-100E-71FA-66E2-764CF4401DFD} - C:\WINDOWS\System32\pblxuocs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Kssezxb] C:\WINDOWS\System32\??xplore.exe
O4 - HKCU\..\Run: [Enrs] "C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe" -vt mt
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe "
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6394C0F1-9179-4B53-9D2F-0509BFF02A70}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

CalamityJane
2006-05-21, 03:00
Hi,

Are you still needing help? If so please reply here with a fresh HijackThis log.

I'll be happy to see you through :)

ichigo333
2006-05-21, 14:00
Hi :)
Yes, I still need help ;)
Here's my list...
Thanks again :)

Logfile of HijackThis v1.99.1
Scan saved at 12:47:18, on 2006-05-21
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\rpcc.exe
C:\WINDOWS\System32\??xplore.exe
C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Antyspyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://szukaj.wp.pl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neostrada.pl/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O2 - BHO: (no name) - {062644BA-AC0D-8CFE-2CF1-D4F88D93CF9C} - C:\WINDOWS\System32\jbbn.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55270F8C-A658-9DA2-6371-9F02C0D180A2} - C:\WINDOWS\System32\zztszhod.dll (file missing)
O2 - BHO: (no name) - {6B60E31A-15CC-2269-A2AB-72FCDF53EAFD} - C:\WINDOWS\System32\thndcn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {85DCA3AA-0C27-6184-47F1-3788685B0FF7} - C:\WINDOWS\System32\kpiwel.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {A91D4970-B1F5-8002-9CAB-D766F60275F3} - C:\WINDOWS\System32\osyacx.dll (file missing)
O2 - BHO: (no name) - {C41FBDD4-100E-71FA-66E2-764CF4401DFD} - C:\WINDOWS\System32\pblxuocs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Kssezxb] C:\WINDOWS\System32\??xplore.exe
O4 - HKCU\..\Run: [Enrs] "C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe" -vt mt
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe "
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

CalamityJane
2006-05-21, 16:50
That's really a mess. Please go here:
http://forums.spybot.info/showthread.php?t=4015

Follow those steps, and then post back with the requested logs.

ichigo333
2006-05-22, 23:42
Thanks. I'll do that and then let you know :)

ichigo333
2006-05-23, 23:54
OK, so here are the logs from ...

1:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 18:11:57, 2006-05-23
+ Report-Checksum: D2E9E445

+ Scan result:

[280] C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll -> Proxy.Xorpix.u : Error during cleaning
:mozilla.5:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\j6a3scow.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\j6a3scow.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\j6a3scow.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\j6a3scow.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\j6a3scow.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\j6a3scow.default\cookies.txt -> TrackingCookie.Adocean : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Administrator\Dane aplikacji\Mozilla\Firefox\Profiles\j6a3scow.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\440B4DEC-54F1-4B55-B512-54F72F\224C4ADA-B004-4567-9875-3FEB0A -> Adware.IMAd : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\440B4DEC-54F1-4B55-B512-54F72F\424523B9-15EB-4F9F-83AC-519428 -> Adware.IMAd : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\440B4DEC-54F1-4B55-B512-54F72F\77093440-3CA6-4185-8E39-D33BBD -> Adware.Chiem : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\46DAC4FB-2AB0-43EC-8D8F-927DD7\26FAF3C7-99EE-494E-8A60-6E555C -> Adware.WinAD : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\734D315B-6590-49B0-A117-94C2CD\820C4B94-083F-4DC8-BA74-C29A39 -> Adware.Sahat : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\734D315B-6590-49B0-A117-94C2CD\9FDFA522-D349-475F-8F2F-BF6E74 -> Adware.Sahat : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\DE5E69DA-ACCC-42A8-B8EF-7D6C66\DCF74DF7-1994-4918-A558-EEFB35 -> Adware.180Solutions : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\DF9DAD99-AE0D-42E2-B963-07831B\41DC32F8-72E7-47E1-9A6E-1965E8 -> Adware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Sunbelt Software\CounterSpy\Quarantine\E01F4E7D-5442-4E71-BBED-0DA4A7\6B75E497-D6E7-4435-8EC1-BE7F77 -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Administrator\wind.exe -> Adware.WinAD : Cleaned with backup
C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
C:\WINDOWS\system32\oins.exe -> Downloader.PurityScan.au : Cleaned with backup
C:\WINDOWS\Temp\2003A94.tmp -> Trojan.Agent.oh : Cleaned with backup
C:\WINDOWS\Temp\2012055.tmp -> Proxy.Xorpix.u : Cleaned with backup
C:\WINDOWS\Temp\2025F86.tmp -> Proxy.Xorpix.u : Cleaned with backup
C:\WINDOWS\Temp\ASHeuristic\WINLOGON_EXE.vir -> Downloader.CWS.s : Cleaned with backup


::Report End


3:
Logfile of HijackThis v1.99.1
Scan saved at 18:27:19, on 2006-05-23
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\rpcc.exe
C:\WINDOWS\System32\??xplore.exe
C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\bz_temp_0\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
R3 - URLSearchHook: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)
O2 - BHO: (no name) - {062644BA-AC0D-8CFE-2CF1-D4F88D93CF9C} - C:\WINDOWS\System32\jbbn.dll (file missing)
O2 - BHO: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55270F8C-A658-9DA2-6371-9F02C0D180A2} - C:\WINDOWS\System32\zztszhod.dll (file missing)
O2 - BHO: (no name) - {6B60E31A-15CC-2269-A2AB-72FCDF53EAFD} - C:\WINDOWS\System32\thndcn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {85DCA3AA-0C27-6184-47F1-3788685B0FF7} - C:\WINDOWS\System32\kpiwel.dll (file missing)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {A91D4970-B1F5-8002-9CAB-D766F60275F3} - C:\WINDOWS\System32\osyacx.dll (file missing)
O2 - BHO: (no name) - {C41FBDD4-100E-71FA-66E2-764CF4401DFD} - C:\WINDOWS\System32\pblxuocs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - HKCU\..\Run: [Kssezxb] C:\WINDOWS\System32\??xplore.exe
O4 - HKCU\..\Run: [Enrs] "C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe" -vt mt
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

ichigo333
2006-05-23, 23:57
2:

--- Search result list ---
SexList: Ustawienia (Wartość rejestru, fixed)
HKEY_USERS\S-1-5-21-73586283-706699826-725345543-500\Software\Microsoft\Internet Explorer\URLSearchHooks\_{CFBFAE00-17A6-11D0-99CB-00C04FD64497}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-04-22 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-04-21 Includes\Cookies.sbi (*)
2006-04-21 Includes\Dialer.sbi (*)
2006-04-21 Includes\Hijackers.sbi (*)
2006-04-21 Includes\Keyloggers.sbi (*)
2006-04-21 Includes\Malware.sbi (*)
2006-04-21 Includes\PUPS.sbi (*)
2006-04-21 Includes\Revision.sbi (*)
2006-04-21 Includes\Security.sbi (*)
2006-04-21 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-04-21 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Dodatek Service Pack. 1
/ Windows XP / SP2: Poprawka systemu Windows XP - KB823980
/ Windows XP / SP2: Poprawka systemu Windows XP - KB835732


--- Startup entries list ---
Located: HK_LM:Run, ATIPTA
command: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
file: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
size: 339968
MD5: 1950a97fc1f5e84c7bf8a260af568e3f

Located: HK_LM:Run, avgnt
command: "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
file: C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
size: 233512
MD5: 3fc2d66353de1e28b12a4924410edd0a

Located: HK_LM:Run, DAEMON Tools
command: "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
file: C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
size: 128920
MD5: 624e632328cedd3ace8636d6430628b0

Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 278528
MD5: cb21e01c16631b5f625149a860672ce3

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 9216
MD5: a627cd56e7a66c2de4539dc26a3504bc

Located: HK_LM:Run, NeroFilterCheck
command: C:\WINDOWS\system32\NeroCheck.exe
file: C:\WINDOWS\system32\NeroCheck.exe
size: 155648
MD5: 3e4c03cefad8de135263236b61a49c90

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 155648
MD5: d772c357e47a6817ac3b73f2426b3c10

Located: HK_LM:Run, RemoteControl
command: "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
file: C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
size: 32768
MD5: 915a106a2fb87292cef0ad4f36adf313

Located: HK_LM:Run, rpcc
command: rpcc.exe
file: C:\WINDOWS\system32\rpcc.exe
size: 12273
MD5: 16fb3697db846f6b27a7492e9b0d5810

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
file: C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
size: 36975
MD5: 61a3a9d5d98bf0331df5b716144a8100

Located: HK_LM:Run, SunServer
command: C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
file: C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
size: 282624
MD5: ff22f3304e7482674b32dd65fa3bf1aa

Located: HK_LM:Run, TkBellExe
command: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
file: C:\Program Files\Common Files\Real\Update_OB\realsched.exe
size: 180269
MD5: f9b47f830dd55fedd6ef27d063c29a42

Located: HK_LM:Run, WOOTASKBARICON
command: C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
file: C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
size: 45056
MD5: 53306e36e8858ae6e2ccd63bf3d58d8c

Located: HK_LM:Run, WOOWATCH
command: C:\PROGRA~1\Wanadoo\Watch.exe
file: C:\PROGRA~1\Wanadoo\Watch.exe
size: 20480
MD5: d8cd60b358b63d6d8a01aa3999264a96

Located: HK_CU:Run, Enrs
command: "C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe" -vt mt
file: C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe
size: 71168
MD5: 3689821776990ca9371fd185e99829ef

Located: HK_CU:Run, Komunikator
command: C:\Program Files\Tlen.pl\tlen.exe
file:

Located: HK_CU:Run, Kssezxb
command: C:\WINDOWS\System32\??xplore.exe
file: C:\WINDOWS\System32\??xplore.exe
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: Startup (common), DSLMON.lnk
command: C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
file: C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
size: 946247
MD5: ccebfeb79d71af95080cff36829cdbf5

Located: WinLogon, 2006reg
command: C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
file: C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: WinLogon, 2014reg
command: C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
file: C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: WinLogon, 20242402reg
command: C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll
file: C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: WinLogon, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{062644BA-AC0D-8CFE-2CF1-D4F88D93CF9C} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: jbbn.dll

{2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: vhfrbik.dll

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\Program Files\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 2006-04-22 14:51:04
Date (last access): 2006-05-23 18:16:48
Date (last write): 2005-05-31 01:04:00
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{55270F8C-A658-9DA2-6371-9F02C0D180A2} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: zztszhod.dll

{6B60E31A-15CC-2269-A2AB-72FCDF53EAFD} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: thndcn.dll

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: ssv.dll
Short name:
Date (created): 2005-11-10 14:03:56
Date (last access): 2006-05-23 18:16:48
Date (last write): 2005-11-10 14:22:10
Filesize: 184423
Attributes: archive
MD5: F01726F7CA8538FDD4663C9DB8FEAEDC
CRC32: 0111B892
Version: 5.0.60.5

{85DCA3AA-0C27-6184-47F1-3788685B0FF7} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: kpiwel.dll

{A5366673-E8CA-11D3-9CD9-0090271D075B} (IeCatch2 Class)
BHO name:
CLSID name: IeCatch2 Class
description: FlashGet
classification: Open for discussion
known filename: Jccatch.dll
info link: http://www.amazesoft.com/
info source: TonyKlein
Path: C:\PROGRA~1\FlashGet\
Long name: Jccatch.dll
Short name:
Date (created): 2005-10-07 22:27:44
Date (last access): 2006-05-23 18:16:48
Date (last write): 2002-01-16 19:12:18
Filesize: 65536
Attributes: archive
MD5: F2FAFE3CB6412C89F43D88CCEBE308F3
CRC32: B1AEC78B
Version: 1.1.4.0

{A91D4970-B1F5-8002-9CAB-D766F60275F3} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: osyacx.dll

{C41FBDD4-100E-71FA-66E2-764CF4401DFD} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\System32\
Long name: pblxuocs.dll



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette)
DPF name:
CLSID name: GameDesire Roulette
Installer: C:\WINDOWS\Downloaded Program Files\Roulette.inf
Codebase: http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Roulette.dll
Short name:
Date (created): 2005-08-26 11:15:54
Date (last access): 2006-05-23 18:15:12
Date (last write): 2005-08-26 11:15:54
Filesize: 665368
Attributes: archive
MD5: 764020DF38057231CCC92F63DBEF5EA3
CRC32: AF0943BB
Version: 2.0.0.16

{1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games)
DPF name:
CLSID name: GameDesire Card Games
Installer: C:\WINDOWS\Downloaded Program Files\cardsV2.inf
Codebase: http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: cardsV2.dll
Short name:
Date (created): 2006-03-07 10:21:32
Date (last access): 2006-05-23 18:15:10
Date (last write): 2006-03-07 10:21:32
Filesize: 948000
Attributes: archive
MD5: 079275DBB8E61CA4D32AEDD63529B3A8
CRC32: 02413C94
Version: 2.0.0.68

{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control)
DPF name:
CLSID name: BDSCANONLINE Control
Installer: C:\WINDOWS\Downloaded Program Files\oscan8.inf
Codebase: http://download.bitdefender.com/resources/scan8/oscan8.cab
description:
classification: Legitimate
known filename: oscan8.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\DOWNLO~1\
Long name: oscan8.ocx
Short name:
Date (created): 2005-03-09 15:40:44
Date (last access): 2006-05-10 19:17:34
Date (last write): 2005-03-09 15:40:44
Filesize: 475136
Attributes: archive
MD5: 38F3695A3824342E29703D28404B121A
CRC32: AD9D0B16
Version: 1.0.0.1

{64311111-1111-1121-1111-111191113457} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\eied.inf
Codebase: file://c:\eied_s7.cab

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 2005-11-10 14:03:56
Date (last access): 2006-05-22 18:34:00
Date (last write): 2005-11-10 14:22:10
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class)
DPF name:
CLSID name: ActiveScan Installer Class
Installer: C:\WINDOWS\Downloaded Program Files\asinst.inf
Codebase: http://acs.pandasoftware.com/activescan/as5free/asinst.cab
description:
classification: Open for discussion
known filename: ASINST.DLL
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: asinst.dll
Short name:
Date (created): 2005-12-19 13:35:32
Date (last access): 2006-05-23 18:15:10
Date (last write): 2005-12-19 13:35:32
Filesize: 135168
Attributes: archive
MD5: 20C07B231040B49AFCE82397BFC35F9C
CRC32: 9301377D
Version: 58.4.0.0

{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class)
DPF name:
CLSID name: MsnMessengerSetupDownloadControl Class
Installer: C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf
Codebase: http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
description:
classification: Legitimate
known filename: MsnMessengerSetupDownloader.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MsnMessengerSetupDownloader.ocx
Short name: MSNMES~1.OCX
Date (created): 2005-03-17 14:48:34
Date (last access): 2006-05-10 19:17:34
Date (last write): 2005-03-17 14:48:34
Filesize: 113152
Attributes: archive
MD5: 92D24B6643919005213F60D5B537196A
CRC32: 31684779
Version: 1.0.0.2

{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.3.1_03)
DPF name: Java Runtime Environment 1.3.1_03
CLSID name: Java Plug-in 1.3.1_03
Installer: c:\winnt\Downloaded Program Files\jinstall_1_3_1_03.inf
Codebase: http://java.sun.com/products/plugin/1.3.1/jinstall-131_03-win.cab
description:
classification: Legitimate
known filename: NPJava131_03.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\JavaSoft\JRE\1.3.1_03\bin\
Long name: NPJava131_03.dll
Short name: NPJAVA~1.DLL
Date (created): 2005-08-17 15:44:40
Date (last access): 2006-04-22 14:03:30
Date (last write): 2002-02-21 09:19:06
Filesize: 53338
Attributes: archive
MD5: 644F73C19FFBDA3ABCAC6459B92F0F57
CRC32: 8A981348
Version: 1.3.1.3

{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.2)
DPF name: Java Runtime Environment 1.4.2
CLSID name: Java Plug-in 1.4.2_03
Installer:
Codebase: http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi142_03.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\j2re1.4.2_03\bin\
Long name: NPJPI142_03.dll
Short name: NPJPI1~1.DLL
Date (created): 2003-11-19 17:48:18
Date (last access): 2006-04-22 14:01:46
Date (last write): 2003-11-19 17:48:12
Filesize: 65650
Attributes: archive
MD5: 2AD31341BE41AC9B086128AD86A2B53F
CRC32: 081CFB35
Version: 1.4.2.30

{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 2005-11-10 14:03:56
Date (last access): 2006-05-23 18:23:44
Date (last write): 2005-11-10 14:22:10
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5
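Three patterns in the startup entries list above are what a log reader flags before anything else: files reported with size 0 and MD5 d41d8cd98f00b204e9800998ecf8427e (the MD5 of empty input, meaning the scanner read nothing from the path), a path containing "?" (a reserved character in Windows file names, so the real name holds characters the tool could not render), and Windows tool names such as msconfig.exe started from a user profile directory (DANEAP~1 is the short name of the user's Application Data folder on a Polish install) or Winlogon notify DLLs loaded by full path from outside the Windows directory, where the genuine packages (crypt32chain, cscdll, wlnotify and the rest) are bare DLL names resolved from System32. The Python script below is an added triage example, not part of this thread and not Spybot-S&D's own code: it parses a verbatim excerpt of the list and applies those checks. The SYSTEM_ROOT value and the SYSTEM_BINARIES set are assumptions chosen for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# MD5 of zero bytes; Spybot prints it for every entry whose file it could not read.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # d41d8cd98f00b204e9800998ecf8427e

# Assumption for this example: the system root from the log's "Platform" line.
SYSTEM_ROOT = r"C:\WINDOWS"
# Windows binaries that only ever start from under SYSTEM_ROOT (assumed list).
SYSTEM_BINARIES = {"msconfig.exe", "explorer.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "winlogon.exe", "csrss.exe"}

# Constructed sample input: verbatim entries copied from the startup list in
# this thread, trimmed to the lines the checks below need.
SAMPLE_LOG = r"""
Located: HK_LM:Run, avgnt
command: "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
file: C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
size: 233512
MD5: 3fc2d66353de1e28b12a4924410edd0a

Located: HK_CU:Run, Enrs
command: "C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe" -vt mt
file: C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe
size: 71168
MD5: 3689821776990ca9371fd185e99829ef

Located: HK_CU:Run, Kssezxb
command: C:\WINDOWS\System32\??xplore.exe
file: C:\WINDOWS\System32\??xplore.exe
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: WinLogon, 2006reg
command: C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
file: C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
size: 0
MD5: d41d8cd98f00b204e9800998ecf8427e ???

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
"""


@dataclass
class Entry:
    location: str           # e.g. HK_LM:Run, HK_CU:Run, WinLogon
    name: str               # registry value name or Winlogon notify key
    command: str = ""
    file: str = ""
    size: int = -1          # -1 when the tool printed no size line
    md5: str = ""
    flags: list = field(default_factory=list)


def parse_startup_list(text):
    """Split the Spybot 'Startup entries list' text into Entry records."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = None
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "located":
                location, _, name = value.partition(",")
                entry = Entry(location.strip(), name.strip())
            elif entry is None:
                continue
            elif key == "command":
                entry.command = value
            elif key == "file":
                entry.file = value
            elif key == "size" and value.isdigit():
                entry.size = int(value)
            elif key == "md5" and value:
                entry.md5 = value.split()[0].lower()   # drop the trailing "???"
        if entry is not None:
            entries.append(entry)
    return entries


def triage(entry):
    """Apply the checks a log reader does by eye; returns the entry's findings."""
    path = entry.file or entry.command
    lower = path.lower()
    base = lower.replace("/", "\\").rsplit("\\", 1)[-1].strip('"')
    under_root = lower.startswith(SYSTEM_ROOT.lower())
    if entry.size == 0 or entry.md5 == EMPTY_MD5:
        entry.flags.append("zero-length file: the MD5 is the hash of empty input, "
                           "so the scanner read nothing (hidden, locked or placeholder)")
    if "?" in path:
        entry.flags.append("'?' is reserved in Windows file names: the real name "
                           "contains characters the tool could not render")
    if base in SYSTEM_BINARIES and not under_root:
        entry.flags.append(f"{base} is a Windows binary name but runs from outside {SYSTEM_ROOT}")
    if entry.location.lower() == "winlogon" and "\\" in path and not under_root:
        entry.flags.append("Winlogon notify DLL loaded by full path from outside the "
                           "Windows directory (system packages are bare names from System32)")
    return entry.flags


def suspicious_entries(text):
    """Map entry name -> findings for every entry that raised at least one flag."""
    report = {}
    for entry in parse_startup_list(text):
        if triage(entry):
            report[entry.name] = entry.flags
    return report


if __name__ == "__main__":
    for name, findings in suspicious_entries(SAMPLE_LOG).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the excerpt it reports Enrs, Kssezxb and 2006reg and stays silent on avgnt and crypt32chain. The checks are deliberately about what the scanner could observe (size, hash, path shape, load location) rather than about names, because the names here (Enrs, Kssezxb, 2006reg) are random and change between infections while the placement does not.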

ichigo333
2006-05-23, 23:58
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_06
Installer:
Codebase: http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Path: C:\Program Files\Java\jre1.5.0_06\bin\
Long name: NPJPI150_06.dll
Short name: NPJPI1~1.DLL
Date (created): 2005-11-10 14:03:56
Date (last access): 2006-05-23 18:23:44
Date (last write): 2005-11-10 14:22:10
Filesize: 69746
Attributes: archive
MD5: D2CF6BB5E9020E6707B62575F8083954
CRC32: 7F39DC54
Version: 5.0.60.5

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\Macromed\Flash\
Long name: Flash8.ocx
Short name:
Date (created): 2005-08-27 14:38:56
Date (last access): 2006-05-23 15:34:20
Date (last write): 2005-08-27 14:38:56
Filesize: 1435272
Attributes: archive
MD5: 900373C059C2B51CA91BF110DBDECB33
CRC32: F19599BC
Version: 8.0.22.0

{E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong)
DPF name:
CLSID name: GameDesire Mahjong
Installer: C:\WINDOWS\Downloaded Program Files\Mahjong.inf
Codebase: http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: Mahjong.dll
Short name:
Date (created): 2006-04-23 18:28:50
Date (last access): 2006-05-23 18:15:10
Date (last write): 2006-04-23 18:28:50
Filesize: 522008
Attributes: archive
MD5: 36C73E0A77D21C4B85EC33564D4B2B7E
CRC32: F0D721F2
Version: 2.0.0.23

{F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5)
DPF name:
CLSID name: MSN Chat Control 4.5
Installer: C:\WINDOWS\Downloaded Program Files\MsnChat45.inf
Codebase: http://chat.msn.com/controls/msnchat45.cab
description:
classification: Open for discussion
known filename: MSNChat45.ocx
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MSNChat45.ocx
Short name: MSNCHA~1.OCX
Date (created): 2003-10-27 11:35:44
Date (last access): 2006-05-02 16:41:02
Date (last write): 2003-10-27 11:35:44
Filesize: 510552
Attributes: archive
MD5: 60FED272BDBAFA8214E40AD376C9987E
CRC32: 5EE901FC
Version: 9.2.310.2401



--- Process list ---
PID: 0 ( 0) [System]
PID: 204 ( 4) \SystemRoot\System32\smss.exe
PID: 256 ( 204) \??\C:\WINDOWS\system32\csrss.exe
PID: 280 ( 204) \??\C:\WINDOWS\system32\winlogon.exe
PID: 328 ( 280) C:\WINDOWS\system32\services.exe
size: 101888
MD5: BF4CBEFDCE42A699389791647CB95CA2
PID: 340 ( 280) C:\WINDOWS\system32\lsass.exe
size: 11776
MD5: FA2C871F57352339F0A1802BB9AEA6E7
PID: 500 ( 328) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: B3C95BFEEF6781A82A1C429F466A3A11
PID: 524 ( 328) C:\WINDOWS\system32\svchost.exe
size: 12800
MD5: B3C95BFEEF6781A82A1C429F466A3A11
PID: 1524 ( 500) C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
size: 1089584
MD5: 9A22EC8FD150E7897C67243635E36596
PID: 1824 ( 500) C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
size: 819252
MD5: 909A4171953A033C2842BC7E85BDDDB3
PID: 1192 (1940) C:\WINDOWS\explorer.exe
size: 1005568
MD5: F4AF85D918E83D71341FCE2AA5318181
PID: 908 (1192) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 620 ( 280) C:\Program Files\Internet Explorer\iexplore.exe
size: 91136
MD5: A2C6EDD746E1C284C6F94023B44A3B52
PID: 1252 ( 280) C:\Program Files\Internet Explorer\iexplore.exe
size: 91136
MD5: A2C6EDD746E1C284C6F94023B44A3B52
PID: 1356 ( 280) C:\Program Files\Internet Explorer\iexplore.exe
size: 91136
MD5: A2C6EDD746E1C284C6F94023B44A3B52
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 2006-05-23 18:23:44

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://home.microsoft.com/access/autosearch.asp?p=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

ichigo333
2006-05-23, 23:59
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D36B355D-870A-42E2-B2AE-E46B96AC4FBB}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D36B355D-870A-42E2-B2AE-E46B96AC4FBB}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{047B93EF-D23E-423F-A6A3-5747D55827DB}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{047B93EF-D23E-423F-A6A3-5747D55827DB}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E4CE9AE1-B5A7-4AB3-9BEE-6FB77B4D35B8}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E4CE9AE1-B5A7-4AB3-9BEE-6FB77B4D35B8}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D5D92527-7E3F-4F35-B064-32C52AD86C82}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{D5D92527-7E3F-4F35-B064-32C52AD86C82}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6394C0F1-9179-4B53-9D2F-0509BFF02A70}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{6394C0F1-9179-4B53-9D2F-0509BFF02A70}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: TCP/IP
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace



--- Uninstall list ---
"SubEdit-Player" ("SubEdit-Player")
uninstall cmd: C:\Program Files\SubEdit-Player\Odinstaluj.exe

Ad-Aware SE Personal (Ad-Aware SE Personal)
uninstall cmd: C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
publisher: Lavasoft
help link: http://www.lavasoft.de

(AddressBook)

Select CashBack (adtl5v3g)
uninstall cmd: C:\WINDOWS\adtl5v3g.exe

Avira AntiVir PersonalEdition Classic (AntiVir PersonalEdition Classic)
uninstall cmd: C:\Program Files\AntiVir PersonalEdition Classic\setup.exe /REMOVE
publisher: Avira GmbH
help link: http://www.free-av.com/support

ATI Display Driver 8.10-050119a-020581C-ATI (ATI Display Driver)
uninstall cmd: rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean

BitZipper 3.3 (BitZipper_is1)
uninstall cmd: "C:\Program Files\BitZipper\unins000.exe"
publisher: Bitberry Software

(Branding)

(Connection Manager)

Codec Pack - All In 1 6.0.0.0 (Cool's_Codec_pack_4.12)
uninstall cmd: C:\WINDOWS\iun6002.exe "C:\Program Files\Codec Pack - All In 1\irunin.ini"

DC++ 0.674 0.674 (DC++)
install location: C:\Program Files\DC++
uninstall cmd: "C:\Program Files\DC++\uninstall.exe"
publisher: Jacek Sieka
help link: http://dcplusplus.sourceforge.net/forum/

(DirectAnimation)

(DirectDrawEx)

DirectShow Pack (remove only) (DirectShowPack)
uninstall cmd: "C:\mp3\kodeki\DirectShow Pack\uninst-dshowpack.exe"

dsp2show (remove only) (dsp2dshow)
uninstall cmd: "C:\mp3\kodeki\dsp2dshow\uninstall.exe"

Neostrada Plus (EspaceWanadoo.exe)
uninstall cmd: C:\PROGRA~1\Wanadoo\Uninstall.exe

EVEREST Home Edition v2.01 2.01 (EVEREST Home Edition_is1)
install location: C:\Program Files\Lavalys\EVEREST Home Edition\
uninstall cmd: "C:\Program Files\Lavalys\EVEREST Home Edition\unins000.exe"
publisher: Lavalys Inc
help link: http://www.lavalys.com

ewido anti-malware (ewidoantimalware)
install location: C:\Program Files\ewido anti-malware
uninstall cmd: C:\Program Files\ewido anti-malware\Uninstall.exe
publisher: ewido networks
help link: http://www.ewido.net

ffdshow 20051201-gcc4.0.2-sse-x264.nl (ffdshow)
install location: C:\mp3\kodeki\ffdshow
uninstall cmd: "C:\mp3\kodeki\ffdshow\uninstall.exe"
publisher: Milan Cutka

FlashGet(JetCar) (FlashGet(JetCar))
uninstall cmd: C:\PROGRA~1\FlashGet\UNWISE.EXE C:\PROGRA~1\FlashGet\INSTALL.LOG

(Fontcore)

Gadu-Gadu 7.0 (Gadu-Gadu)
uninstall cmd: C:\Mateusz\Gadu-Gadu\Setup.exe

Heroes of Might and Magic® III The Shadow of Death(TM) (Heroes III The Shadow of Death)
uninstall cmd: C:\WINDOWS\IsUninst.exe -fE:\GRY\HEROES\Uninst.isu

Heroes of Might and Magic® IV (Heroes of Might and Magic IV)
uninstall cmd: C:\WINDOWS\IsUn0415.exe -f"e:\gry\heroes 4pl\Heroes of Might and Magic IV.isu" -c"C:\Program Files\Common Files\3DO Shared\3DOUnInst.dll

Heroes of Might and Magic(TM) III Armageddon's Blade (Heroes of Might and Magic(TM) III Armageddon's Blade)
uninstall cmd: C:\WINDOWS\IsUn0415.exe -fe:\gry\heroes\UnBlade.isu -c"e:\gry\heroes\unblade.dll

Heroes of Might and Magic® III (Heroes of Might and Magic® III)
uninstall cmd: C:\WINDOWS\IsUn0415.exe -fe:\gry\heroes\Uninst.isu -c"e:\gry\heroes\uninst.dll

HijackThis 1.99.1 1.99.1 (HijackThis)
uninstall cmd: C:\Antyspyware\HijackThis.exe /uninstall
publisher: Soeperman Enterprises Ltd.

(ICW)

(IE40)

(IE4Data)

(IE5BAKEX)

(IEData)

(InstallShield Uninstall Information)

QuickTime 7.0.3 (InstallShield_{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD})
version: 117440515
version (major): 7
estimated size: 63315
install date: 20051019
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_isEB\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{0B69DA57-BC7D-461D-B7D6-2AA9F08869CD} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Nokia Multimedia Player 6.00.001 (InstallShield_{0D09E359-0C98-4D93-B6F9-1FF68ED4B27C})
version: 100663297
version (major): 6
estimated size: 5050
install date: 20060303
install source: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_is1C\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0D09E359-0C98-4D93-B6F9-1FF68ED4B27C}
publisher: Nokia
comments: Your Comments
contact: Customer Service
help link: http://www.yourcompany.com/help
help telephone: 0
readme: Readme.txt

iTunes 6.0.0.18 (InstallShield_{13616DE2-9795-4910-8C93-80D45AF09658})
version: 100663296
version (major): 6
estimated size: 74308
install date: 20051019
install location: C:\Program Files\iTunes\
install source: C:\WINDOWS\Downloaded Installations\{13616DE2-9795-4910-8C93-80D45AF09658}\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{13616DE2-9795-4910-8C93-80D45AF09658} /l1033
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Obscure 1.00.0000 (InstallShield_{95633EBE-216B-48B5-B103-0C9919787F46})
version: 16777216
version (major): 1
estimated size: 2707312
install date: 20060504
install location: E:\GRY\obscure\
install source: H:\
uninstall cmd: C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{95633EBE-216B-48B5-B103-0C9919787F46}
publisher: MC2

IrfanView (remove only) (IrfanView)
uninstall cmd: C:\Program Files\IrfanView\iv_uninstall.exe

Java 2 Runtime Environment Standard Edition v1.3.1_03 (JRE 1.3.1_03)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_03\Uninst.isu"

Windows XP Hotfix - KB823980 20030705.121827 (KB823980)
uninstall cmd: C:\WINDOWS\$NtUninstallKB823980$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=823980

Windows XP Hotfix - KB835732 20040329.180104 (KB835732)
uninstall cmd: C:\WINDOWS\$NtUninstallKB835732$\spuninst\spuninst.exe
publisher: Microsoft Corporation
help link: http://support.microsoft.com?kbid=835732

K-Lite Codec Pack 2.20 Full 2.20 (KLiteCodecPack_is1)
uninstall cmd: C:\mp3\unins000.exe

Macromedia Shockwave Player 10.1.0.11 (Macromedia Shockwave Player)
uninstall cmd: C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
publisher: Macromedia, Inc.
help link: http://www.macromedia.com/support/shockwave

Micro DVD Player (Micro DVD Player)
uninstall cmd: C:\Program Files\Micro DVD Player\uninstall.exe

(Microsoft NetShow Player 2.0)

(MobileOptionPack)

Mozilla Firefox (1.5.0.1) 1.5.0.1 (pl) (Mozilla Firefox (1.5.0.1))
install location: C:\Program Files\Mozilla Firefox
uninstall cmd: C:\WINDOWS\UninstallFirefox.exe /ua "1.5.0.1 (pl)"
publisher: Mozilla

(MPlayer2)

(MsJavaVM)

(Nero - Burning Rom!UninstallKey)
uninstall cmd: C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL

Nero Suite (NeroMultiInstaller!UninstallKey)
uninstall cmd: C:\Program Files\Common Files\Ahead\Uninstall\setup.exe /uninstall

(NeroVision!UninstallKey)
uninstall cmd: C:\WINDOWS\UNNeroVision.exe /UNINSTALL

(NetMeeting)

Niezbędnik CD (Niezbędnik CD_is1)
uninstall cmd: C:\WINDOWS\unins000.exe
publisher: Axel Springer Polska
help link: http://www.komputerswiat.pl

(NMPUninstallKey)
uninstall cmd: C:\WINDOWS\UNNMP.exe /UNINSTALL

(OutlookExpress)

Oxford Advanced Genie (Oxford Advanced Genie)
uninstall cmd: C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Oxford\GAS001OU\Uninst.isu"

Panda ActiveScan (Panda ActiveScan)
uninstall cmd: C:\WINDOWS\System32\ASUninst.exe Panda ActiveScan
publisher: Panda Software S.L.

(PCHealth)
uninstall cmd: rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

PowerGG (PowerGG)
uninstall cmd: C:\Program Files\Gadu-Gadu\Usun-PGG.exe

(RealJukebox 1.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

RealPlayer (RealPlayer 6.0)
uninstall cmd: C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0

(SchedulingAgent)

(Shockwave)

Macromedia Flash Player 8 8 (ShockwaveFlash)
uninstall cmd: RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
publisher: Macromedia
help link: http://www.macromedia.com/go/flashplayer_support/

Silent Hunter II (Silent Hunter II)
uninstall cmd: C:\WINDOWS\Silent Hunter II remove.exe remove

SiS Audio Driver (SiS7012)
uninstall cmd: C:\Program Files\SiS7012\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7012

Skype 2.0 2.0 (Skype_is1)
install location: C:\Program Files\Skype\Phone\
uninstall cmd: "C:\Program Files\Skype\Phone\unins000.exe"
publisher: Skype Software S.A.
help link: http://ui.skype.com/ui/0/2.0.0.76/en/help

Spybot - Search & Destroy 1.4 1.4 (Spybot - Search & Destroy_is1)
install location: C:\Program Files\Spybot - Search & Destroy\
uninstall cmd: "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
publisher: Safer Networking Limited

System Process (Startup)

Total Commander (Remove or Repair) (Totalcmd)
uninstall cmd: C:\Program Files\totalcmd\tcuninst.exe

Windows Media Format Runtime (Windows Media Format Runtime)
uninstall cmd: "C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Player 10 (Windows Media Player)
uninstall cmd: "C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

XviD 1.1 final uninstall 1.1 (XviD_is1)
install location: C:\Program Files\XviD\
uninstall cmd: "C:\Program Files\XviD\unins000.exe"
publisher: XviD team (Koepi)
help link: http://forum.doom9.org/forumdisplay.php?f=52

SILENT HILL 4 1.00.000 ({00BD992A-D4C7-447D-8AA1-60B5759EA30D})
version: 16777216
install location: E:\GRY\H&D
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{00BD992A-D4C7-447D-8AA1-60B5759EA30D}\setup.exe" -l0x9

SendPhotos Gold 3.0.2.1 ({01053FC0-0D8E-4452-BAC3-A41E364D22EF})
version: 50331650
version (major): 3
estimated size: 13370
install date: 20060305
install source: C:\Program Files\Common Files\Wise Installation Wizard\
uninstall cmd: MsiExec.exe /X{01053FC0-0D8E-4452-BAC3-A41E364D22EF}
publisher: Novatix
help link: www.sendphotos.com/support

MSN Messenger 7.5 7.5.0322.0 ({04A56716-03EE-11DA-BFBD-00065BBDC0B5})
version: 117768514
version (major): 7
version (minor): 5
estimated size: 49645
install date: 20060123
install source: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\IXP000.TMP\
uninstall cmd: MsiExec.exe /I{04A56716-03EE-11DA-BFBD-00065BBDC0B5}
publisher: Microsoft Corporation

Sunbelt CounterSpy 1.5.77 ({0AD5AD99-6172-4385-8765-385FBE3A1013})
version: 17104973
version (major): 1
version (minor): 5
estimated size: 22800
install date: 20051116
install location: C:\Program Files\Sunbelt Software\CounterSpy\Consumer\
install source: C:\WINDOWS\Downloaded Installations\{947CE1EC-E178-4E36-B91A-D173F41B7AE2}\
uninstall cmd: MsiExec.exe /I{0AD5AD99-6172-4385-8765-385FBE3A1013}
publisher: Sunbelt Software, Inc.
contact: Sunbelt Software Customer Support
help link: http://support.sunbelt-software.com/scripts/rightnow.cfg/php.exe/enduser/std_alp.php
readme: C:\Program Files\Sunbelt Software\CounterSpy\Consumer\readme.txt

QuickTime 7.0.3 ({0B69DA57-BC7D-461D-B7D6-2AA9F08869CD})
version: 117440515
version (major): 7
estimated size: 63315
install date: 20051019
install location: C:\Program Files\QuickTime\
install source: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_isEB\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

ATI Control Panel 6.14.10.5140 ({0BEDBD4E-2D34-47B5-9973-57E62B29307C})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"

ichigo333
2006-05-24, 00:00
Nokia Multimedia Player 6.00.001 ({0D09E359-0C98-4D93-B6F9-1FF68ED4B27C})
version: 100663297
version (major): 6
estimated size: 5050
install date: 20060303
install source: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\_is1C\
publisher: Nokia
comments: Your Comments
contact: Dział obsługi klienta
help link: http://www.yourcompany.com/help
help telephone: 0
readme: Readme.txt

iTunes 6.0.0.18 ({13616DE2-9795-4910-8C93-80D45AF09658})
version: 100663296
version (major): 6
estimated size: 74308
install date: 20051019
install location: C:\Program Files\iTunes\
install source: C:\WINDOWS\Downloaded Installations\{13616DE2-9795-4910-8C93-80D45AF09658}\
publisher: Apple Computer, Inc.
contact: AppleCare Support
help link: http://www.info.apple.com/
help telephone: 1-800-275-2273

Oblivion - Construction Set 1.00.0000 ({23D683DD-93C6-48E6-B84E-78B57778F126})
version: 16777216
install date: 20060322
install location: C:\Program Files\Bethesda Softworks\Oblivion
install source: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\bye8A.tmp\Disk1\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23D683DD-93C6-48E6-B84E-78B57778F126}\setup.exe" -l0x9 -removeonly
publisher: Bethesda Softworks
help link: http://support.bethsoft.com

FEAR 1.00.0000 ({2B653229-9854-4989-B780-D978F5F13EAB})
version: 16777216
install date: 20060513
install location: E:\GRY\FEAR
install source: I:\
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2B653229-9854-4989-B780-D978F5F13EAB}\setup.exe" -l0x15 -removeonly
publisher: Vivendi Universal Games, Inc.
readme: E:\GRY\FEAR\readme.txt

J2SE Runtime Environment 5.0 Update 6 1.5.0.60 ({3248F0A8-6813-11D6-A77B-00B0D0150060})
version: 17104896
version (major): 1
version (minor): 5
estimated size: 122301
install date: 20051228
install source: http://jdl.sun.com/webapps/download/GetFile/1.5.0_06-b05/windows-i586//
uninstall cmd: MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
publisher: Sun Microsystems, Inc.
contact: http://java.com
help link: http://java.com
readme: C:\Program Files\Java\jre1.5.0_06\README.txt

WebFldrs XP 9.50.6513 ({350C9415-3D7C-4EE8-BAA9-00BCB3D54227})
version: 154278257
version (major): 9
version (minor): 50
estimated size: 1884
install date: 20050817
install source: C:\WINDOWS\System32\
publisher: Microsoft Corporation
help link: http://www.microsoft.com/windows

SAGEM F@st 800-840 ({4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4AE3A0CB-87B0-4F51-BECD-3D1F8DFDD62F}\setup.exe" -l0x9

Football Manager 2006 6.0.0 ({52A8B5F2-6DB5-4ECA-8367-3F42D8CAACA9})
version: 100663296
version (major): 6
estimated size: 544500
install date: 20051225
install location: E:\GRY\fm6\
install source: I:\
uninstall cmd: MsiExec.exe /X{52A8B5F2-6DB5-4ECA-8367-3F42D8CAACA9}
publisher: SEGA
help link: http://www.sega.co.uk/
help telephone: 08700108002
readme: readme_English.txt

PowerDVD ({6811CAA0-BF12-11D4-9EA1-0050BAE317E1})
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall

Java 2 Runtime Environment, SE v1.4.2_03 1.4.2_03 ({7148F0A8-6813-11D6-A77B-00B0D0142030})
version (major): 1
version (minor): 4
estimated size: 109952
install date: 20050819
install source: C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\{7148F0A6-6813-11D6-A77B-00B0D0142030}\
uninstall cmd: MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142030}
publisher: Sun Microsystems, Inc.
comments: http://www.java.com
contact: http://www.java.com
help link: http://www.java.com
help telephone: http://www.java.com
readme: Readme.txt

GameJack 5 5.0.4.2 ({7739C506-74AE-48CF-991B-AB5E35A927FC})
version: 83886084
version (major): 5
estimated size: 8319
install date: 20051125
install source: C:\Program Files\Common Files\Wise Installation Wizard\
uninstall cmd: MsiExec.exe /I{7739C506-74AE-48CF-991B-AB5E35A927FC}
publisher: Engelmann Media
help link: http://www.gamejack.org/

Microsoft Office XP Professional 10.0.4330.0 ({90110415-6000-11D3-8CFE-0050048383C9})
version: 167776490
version (major): 10
estimated size: 438900
install date: 20050817
install location: INSTALLLOCATION
install source: H:\
uninstall cmd: MsiExec.exe /I{90110415-6000-11D3-8CFE-0050048383C9}
publisher: Microsoft Corporation
help link: http://www.microsoft.com/poland/support
readme: C:\Program Files\Microsoft Office\Office10\1045\OFREAD10.HTM

TOCA 2 Touring Car 1.00.000 ({9DCC5BCD-E794-445E-90FA-438D3B04D67F})
version: 16777216
install location: C:\Program Files\TOCA 2 Touring Car
uninstall cmd: RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9DCC5BCD-E794-445E-90FA-438D3B04D67F}\setup.exe" -l0x15

Adobe Reader 6.0.2 CE 006.000.002 ({AC76BA86-7AD7-1038-7B44-CEA000000001})
version: 100663298
version (major): 6
estimated size: 57742
install date: 20060224
install location: C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\
install source: C:\WINDOWS\Cache\Adobe Reader 6.0.1\POLBIG\
uninstall cmd: MsiExec.exe /I{AC76BA86-7AD7-1038-7B44-CEA000000001}
publisher: Adobe Systems Incorporated
comments:
contact: Biuro obsługi klienta
help link: http://www.adobe.com/support/main.html
help telephone:
readme: C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\\Readme.htm

ArtRage 3 ({CF72DC2F-F292-4D2B-B4E8-7D2060F095DA})
version: 50331648
version (major): 3
version (minor): 3
estimated size: 2582
install date: 20050826
install source: I:\#Uzytki\ArtRage 1.1\
uninstall cmd: MsiExec.exe /I{CF72DC2F-F292-4D2B-B4E8-7D2060F095DA}
publisher: Ambient Design Ltd.
comments: ArtRage 1.1
contact: Ambient Design Ltd.
help link: www.ambientdesign.com/artrage.html

GameShadow 1.91.0000 ({D98C9637-93DA-44DB-B73A-B11A1192AB26})
version: 22740992
version (major): 1
version (minor): 91
estimated size: 18988
install date: 20050908
install location: C:\Program Files\GameShadow\
install source: C:\WINDOWS\Downloaded Installations\{97F709BD-5B08-4007-B4AE-08C6277EDCC5}\
uninstall cmd: MsiExec.exe /I{D98C9637-93DA-44DB-B73A-B11A1192AB26}
publisher: Aardwork Software Ltd

CalamityJane
2006-05-25, 03:52
Hi, I'm sorry about the late reply. I missed seeing the email notice that you had posted.

1. Please go to the Control Panel and look in Add/Remove programs.

Locate this version of Sun Java:
Java 2 Runtime Environment, SE v1.4.2_03 1.4.2_03

Highlight it and press *remove*

That's an old vulnerable version of Sun Java that is being used by malware to install
You already have the newer version which is fine, you can leave that one but do get this older one off of your PC.

2. Please download the Killbox by Option^Explicit.
http://www.geekstogo.com/modules.php?modid=5&action=download&id=4

We're not going to run it now, but you will need it for later.

3. Copy these instructions since the next steps will be done in SAFE MODE, with all browsers closed. You will not be able to see this page.

4. Reboot your PC into SAFE MODE

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam

5. Open HijackThis and choose to do a *scan only*
When it finishes, checkmark each of these items in the list. Then press the *fix checked* button

R3 - URLSearchHook: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)

O2 - BHO: (no name) - {062644BA-AC0D-8CFE-2CF1-D4F88D93CF9C} - C:\WINDOWS\System32\jbbn.dll (file missing)

O2 - BHO: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)

O2 - BHO: (no name) - {55270F8C-A658-9DA2-6371-9F02C0D180A2} - C:\WINDOWS\System32\zztszhod.dll (file missing)

O2 - BHO: (no name) - {6B60E31A-15CC-2269-A2AB-72FCDF53EAFD} - C:\WINDOWS\System32\thndcn.dll (file missing)

O2 - BHO: (no name) - {85DCA3AA-0C27-6184-47F1-3788685B0FF7} - C:\WINDOWS\System32\kpiwel.dll (file missing)

O2 - BHO: (no name) - {A91D4970-B1F5-8002-9CAB-D766F60275F3} - C:\WINDOWS\System32\osyacx.dll (file missing)

O2 - BHO: (no name) - {C41FBDD4-100E-71FA-66E2-764CF4401DFD} - C:\WINDOWS\System32\pblxuocs.dll (file missing)

O4 - HKLM\..\Run: [rpcc] rpcc.exe

O4 - HKCU\..\Run: [Kssezxb] C:\WINDOWS\System32\??xplore.exe

O4 - HKCU\..\Run: [Enrs] "C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe" -vt mt

O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab

O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll

O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll

O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll

After you have pressed the *fix checked* button, close HijackThis.

6.
* Open Killbox by clicking on Killbox.exe

* Select "Delete on Reboot" in the left column.

* Copy the text all in bold below to the clipboard by highlighting ALL of them then press CTRL + C

C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1
C:\WINDOWS\System32\rpcc.exe
C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually (you can reboot to normal mode).

7. Download this tool called Filefind:
http://www.atribune.org/downloads/FileFind.zip

Unzip it and doubleclick on Filefind.exe to run it

Copy and paste into the *Directory* searchbox the following line:

C:\WINDOWS\System32

Then copy and paste into the *file* find search box:
??xplore.exe

Then press the *find* button. Wait for it to scan. Copy and paste the results found back here please.

8. Also please scan and make a log with HijackThis. Post the fresh log back here please :)
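
The fix list above is built by eye from a few patterns that recur in HijackThis output: a URLSearchHook or BHO whose DLL is already gone, a Run entry that is a bare file name, that contains a character HijackThis could not render, or that starts a binary from a profile data folder, a DPF entry pulling a .cab from a local file:// URL, and Winlogon Notify DLLs outside System32. The following is an added example, not code from this thread or from HijackThis, that applies those same checks to a constructed handful of log lines modelled on the ones listed above. The folder short names DANEAP~1 and USTAWI~1 come from the logs in this thread (a Polish XP's "Dane aplikacji" and "Ustawienia lokalne", i.e. Application Data and Local Settings); treating them, Temp and their English equivalents as suspect auto-start locations is an assumption of the example.

```python
import re
from typing import Dict, List

# Constructed sample: HijackThis v1.99.1 lines modelled on the entries the helper
# asked to have fixed in this thread, plus three benign lines for contrast.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {2C44B94F-04FE-0D5C-8F77-5A27B797E8CD} - C:\WINDOWS\System32\vhfrbik.dll (file missing)
O2 - BHO: (no name) - {062644BA-AC0D-8CFE-2CF1-D4F88D93CF9C} - C:\WINDOWS\System32\jbbn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Kssezxb] C:\WINDOWS\System32\??xplore.exe
O4 - HKCU\..\Run: [Enrs] "C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1\msconfig.exe" -vt mt
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cab))"?', re.IGNORECASE)
EXE_RE = re.compile(r"(.*?\.(?:exe|dll|com|bat|cmd|scr))\b", re.IGNORECASE)

# Per-user data folders in which a logon auto-start has no business living.
# DANEAP~1 / USTAWI~1 are the 8.3 short names seen in this thread's logs
# (Polish XP: "Dane aplikacji" = Application Data, "Ustawienia lokalne" =
# Local Settings); treating these as suspect locations is an assumption.
PROFILE_DATA_DIRS = ("daneap~1", "ustawi~1", "application data",
                     "local settings", "\\temp\\")


def run_target(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def extract_path(body: str) -> str:
    """First drive-letter path ending in a binary extension, or ''."""
    m = PATH_RE.search(body)
    return m.group(1) if m else ""


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the HJT lines worth a second look, each with the reasons."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        low = body.lower()
        reasons: List[str] = []
        if section in ("R3", "O2") and "(file missing)" in low:
            reasons.append("hook/BHO registration whose DLL is gone (orphaned)")
        if section == "O4":
            o4 = O4_RE.search(body)
            if o4:
                target = run_target(o4.group("cmd"))
                tl = target.lower()
                if "\\" not in target:
                    reasons.append("bare file name, resolved via the search path at logon")
                if "?" in target:
                    # Windows forbids '?' in paths; HJT prints it for a character it
                    # could not render, i.e. a name that only looks like an ASCII one.
                    reasons.append("unrenderable character in the file name")
                if any(d in tl for d in PROFILE_DATA_DIRS):
                    reasons.append("auto-start binary inside a user-profile data folder")
        if section == "O16" and "file://" in low:
            reasons.append("ActiveX download source is a local file, not a web host")
        if section == "O20":
            path = extract_path(body)
            if path and "\\system32\\" not in path.lower():
                reasons.append("Winlogon Notify DLL outside System32")
        if reasons:
            findings.append({"section": section, "line": raw.strip(),
                             "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['section']:<4} {f['reasons']}\n     {f['line']}")
```

Run as-is it prints seven findings and stays silent on the Java BHO, the AntiVir Run entry and the BitDefender scanner control; the checks are heuristics for a second look, not a verdict, which is why each finding carries its reason rather than a score.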

ichigo333
2006-05-25, 18:10
Hi :)
Don't be sorry, I am the one who should be, because I'm wasting your time!
I'm really grateful for your kindness :)

Ok, here is what the *filefind* found:

C:\WINDOWS\System32\??xplore.exe - 409600 Bytes
C:\WINDOWS\System32\dllcache\iexplore.exe - 91136 Bytes

And here is the result from hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 17:07:24, on 2006-05-25
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Program Files\BitZipper\BITZIPPER.EXE
C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\bz_temp_0\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

CalamityJane
2006-05-25, 22:02
Hmmm, some files did not get deleted by killbox and that may be my fault as my instructions on that were incorrect or not clear. We'll need to do some more steps here, and on the killbox steps I included some screenshots to help :) You can do these steps in normal mode.

First: Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.


Delete manually this file:

C:\WINDOWS\System32\??xplore.exe - 409600 Bytes

(those first two spaces that have a question mark, I'm not sure what letters they may appear to be.
That means they are wildcard characters...but often appear to mimic the English alphabet)
But, you can ID it for sure by the file size that FileFind gave us :)

Do not delete the valid iexplore.exe which resides in a different folder.
..................................
Next, you are running HijackThis straight out of the zip file and that's not good. It won't make backups that way so you need to do the following first:

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine *other than your Desktop or the Temp folder*. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:
http://russelltexas.com/malware/createhjtfolder.htm
This is to ensure it makes the necessary backups for recovery if needed.
Unzip/decompress the HijackThis.zip file and save the contents (HijackThis.exe) to the new folder you made and make sure you run it from there. You can make a shortcut to the desktop for HJT if you find that easier.

Go to the new folder you made and open HijackThis.exe.

Do a *scan only* and checkmark these items in the list. Then press the *fix checked* button

O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll

O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll

O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll

After clicking on the *fix checked* button you can close HijackThis

1. Open Killbox by clicking on Killbox.exe

2. Select *Delete on Reboot* in the first column

http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/DeleteOnReboot.gif

3. Press the *All Files* button

http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/AllFilesButton.gif

4. Copy the following text shown in bold below to clipboard by highlighting the bold text and press Control + C

C:\WINDOWS\System32\rpcc.exe
C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll
C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll
C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll


5. Select the "File" tab at the top

http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/ClickonFileTabAtTop.gif

6. Choose "Paste from Clipboard" in the drop down menu

http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/Paste%20from%20clipboard.gif

7. Press the red button with the white x in it.

http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/RedButtonWhiteX.gif

8. You will receive a prompt stating that files will be deleted on next reboot. Do you want to reboot now?

http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/PromptAsking%20ToReboot.gif

(Choose yes, if ready to reboot or no, if you need to close some other open items first.)

9. You can close all programs and any open windows.

10. Reboot your computer.

Note: Backups will be stored in the following directory created on the Hard-drive (usually C):
C:\!KillBox

11. Navigate to the Killbox backup folder:
C:\!KillBox

a. Right-click the file or folder

b. Point to Send To

c. Then click Compressed (zipped) Folder

This will make a compressed folder, identified by a zipper icon, which displays the same name as the file you compressed.
C:\!KillBox.zip

12. Go here to upload the file as attachments
http://www.thespykiller.co.uk/forum/index.php?board=1.0
Just press new topic (Make the subject: For CalamityJane from ichigo333 at Spybot ),
fill in a short message & then scroll down to the section that says: Attach press the browse button and then navigate to & select this file on your computer. Press Post to upload the files

Files to upload:

C:\!KillBox.zip

You DO NOT need to be a member to upload, anybody can upload the files.

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect it from there.

Post back here with a fresh HijackThis log after the reboot please


.........................................
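
The advice above on ??xplore.exe, that the two unrenderable characters merely look like Latin letters and that the genuine iexplore.exe lives in a different folder, can be turned into a mechanical check over a running-process list. This is an added example, not code from the thread, from FileFind or from HijackThis: it folds every character that HijackThis printed as "?" or that falls outside printable ASCII into a wildcard, compares the folded name with a short table of well-known Windows binaries by edit distance, and separately reports copies of a known name sitting in a directory where it is not expected. The table of expected locations is an assumption based on a default XP layout (the System32\dllcache copy that FileFind listed is the file-protection backup, so it is allowed), and the Cyrillic sample line is a constructed guess at what the "??" might have been, not something the thread establishes.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed running-process list. The first three entries mirror paths shown in
# this thread's HijackThis logs; the Cyrillic line is an assumption about what the
# two "??" characters could have been (non-Latin letters that look like i and e),
# not something the thread establishes.
SAMPLE_PROCESSES = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\Explorer.EXE",
    r"C:\WINDOWS\System32\??xplore.exe",
    "C:\\WINDOWS\\System32\\\u0456\u0435xplore.exe",  # Cyrillic і and е (constructed)
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",
]

# Directory suffixes under which a genuine copy of each well-known binary is
# expected (assumption: default Windows XP layout). The System32\dllcache copy is
# the file-protection backup, as the FileFind output in this thread showed.
KNOWN_BINARIES: Dict[str, Tuple[str, ...]] = {
    "iexplore.exe": ("\\program files\\internet explorer",),
    "explorer.exe": ("\\windows",),
    "svchost.exe": ("\\windows\\system32",),
    "spoolsv.exe": ("\\windows\\system32",),
}
DLLCACHE = "\\windows\\system32\\dllcache"


def odd_chars(name: str) -> List[str]:
    """Characters outside printable ASCII, plus the '?' HijackThis prints for
    a character it could not render ('?' itself cannot appear in a path)."""
    return [c for c in name if c == "?" or not (32 <= ord(c) <= 126)]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a known name means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path: str) -> Tuple[str, str]:
    """Return (verdict, detail): 'ok', 'wrong-location', 'lookalike' or 'unknown'."""
    directory, name = ntpath.split(path)
    lname, ldir = name.lower(), directory.lower()
    if lname in KNOWN_BINARIES:
        allowed = KNOWN_BINARIES[lname] + (DLLCACHE,)
        if any(ldir.endswith(suffix) for suffix in allowed):
            return "ok", ""
        return "wrong-location", f"{name} found in {directory}, expected under {allowed[0]}"
    odd = odd_chars(lname)
    # Fold every odd character to '?' so the Cyrillic name and the name as
    # HijackThis rendered it compare the same way against the known list.
    folded = "".join("?" if c in odd else c for c in lname)
    best = min(KNOWN_BINARIES, key=lambda known: levenshtein(folded, known))
    dist = levenshtein(folded, best)
    if odd or dist <= 2:
        return "lookalike", f"{name} resembles {best} (edit distance {dist}, odd chars {odd})"
    return "unknown", ""


def scan(paths: List[str]) -> List[Dict[str, str]]:
    """Everything that is not a known binary sitting in its expected place."""
    out: List[Dict[str, str]] = []
    for p in paths:
        verdict, detail = classify(p)
        if verdict != "ok":
            out.append({"path": p, "verdict": verdict, "detail": detail})
    return out


if __name__ == "__main__":
    for hit in scan(SAMPLE_PROCESSES):
        print(f"{hit['verdict']:<15} {hit['path']}\n    {hit['detail']}")
```

The name comparison and the location check are deliberately separate: a look-alike name in System32 and a correctly spelled iexplore.exe copied into System32 are different findings, and the second would be missed by any check that only looks at spelling. File size, which the thread used to tell the two apart, is the natural third signal once the candidate is on disk in front of you.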

ichigo333
2006-05-28, 14:43
here's the log list, but as I can see those files are still there :S
Maybe my PC is f***ed up??

ichigo333
2006-05-28, 14:44
here's the log list, but as I can see those files are still there :S
Maybe my PC is f***ed up??

Logfile of HijackThis v1.99.1
Scan saved at 13:40:10, on 2006-05-28
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll (file missing)
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll (file missing)
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

CalamityJane
2006-05-28, 16:03
Hi ichigo333,

The one file I got from your upload (rpcc.exe) is a new trojan of some sort (it should have been deleted by killbox). The 3 files now showing as missing weren't in the folder (so I have no idea what that's about). These are all occurring in an odd-looking folder so I'd like to try to get that.

The other files are also something new and I'm trying to get samples so I can submit them for detection by the AV companies.

Let's try something else:

Please download this free tool called Suspicious File Packer
http://www.safer-networking.org/files/sfp.zip

Unzip the zip and save to your desktop
Doubleclick on sfp.exe
Copy then paste the list below into it and hit continue.

C:\Documents and Settings\All Users\Dokumenty

That will create an archive file named requested-files(date).cab on your desktop
Please upload that file as an attachment as you did before, reply with attachment at this topic:
http://www.thespykiller.co.uk/forum/index.php?topic=1672.0

Hopefully this will also capture the elusive files we have been trying to kill and I can get them examined.

CalamityJane
2006-05-28, 16:57
Based on the results of some info received on the file you submitted earlier (rpcc.exe), let's run this fix tool next

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.
.....................................
eTrust was one of the few to detect that file already, so please go get an online AV scan (free) from eTrust. Please save the report at the end and post the results back here.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

ichigo333
2006-05-30, 18:29
Logfile of HijackThis v1.99.1
Scan saved at 17:26:52, on 2006-05-30
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\GokaDCek\GokaDCek.exe
C:\Mateusz\Gadu-Gadu\gg.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6394C0F1-9179-4B53-9D2F-0509BFF02A70}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll (file missing)
O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll (file missing)
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 2006-05-28 23:36:19


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administratorzy - Succeeded

CalamityJane
2006-05-30, 19:02
Open HijackThis and choose to do a *scan only*
When done, place a checkmark next to these entries, then press the *fix checked* button

O4 - HKLM\..\Run: [rpcc] rpcc.exe

O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll (file missing)

O20 - Winlogon Notify: 2014reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll (file missing)

O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll (file missing)

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

After pressing the *fix checked* button you can close Hijackthis

Open Killbox, choose *Replace on Reboot*
Checkmark the box * Use Dummy*

http://home.earthlink.net/~calamityjanefl/images/ReplacewithDummy.gif

Copy and paste the following into the box for "Full Path of File to delete"

C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

Then press the red button with the white x to delete.

When asked if you want to reboot, answer *yes*

Allow the computer to reboot and after the reboot, please scan once more with HijackThis and post a fresh log please.
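
The two entry types being fixed in this post, a Run value that names a bare file (rpcc.exe) and Winlogon Notify DLLs living outside the system directory, are the ones worth automating a first look at. The following Python is an added example written for this page; it is not part of HijackThis or of the thread. It parses O4 and O20 lines (the sample is copied from the logs posted above) and flags the three patterns an analyst would pull out by hand: a Run value with no directory in it, a Notify DLL outside C:\WINDOWS\system32 (assumed as the system directory, as in these logs), and an orphaned "(file missing)" Notify entry.

```python
import re

# Constructed sample input: O4 (Run key) and O20 (Winlogon Notify) lines copied from the
# HijackThis logs posted in this thread. The parser is an added example, not part of HijackThis.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O20 - Winlogon Notify: 2006reg - C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

# Winlogon notification packages that ship with Windows live in the system directory
# (assumed to be C:\WINDOWS\system32 here, as in the logs in this thread).
SYSTEM_DIR = r"c:\windows\system32"


def image_path(cmd):
    """Return the executable part of a Run-key command line: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return the O4/O20 entries an analyst should look at first, each with the reason."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = image_path(m.group("cmd"))
            if "\\" not in exe:
                # A bare filename is resolved by PATH search at every logon; nothing in the
                # Run value pins it to a trusted directory (the rpcc.exe entry in this thread).
                findings.append({"type": "O4", "name": m.group("name"), "path": exe,
                                 "reason": "bare filename, resolved by PATH search at logon"})
            continue
        m = O20_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("missing"):
                findings.append({"type": "O20", "name": m.group("name"), "path": path,
                                 "reason": "orphaned Notify entry: DLL gone, registry key still present"})
            elif not path.lower().startswith(SYSTEM_DIR):
                # A Notify DLL is loaded into winlogon.exe (SYSTEM) at logon; outside the
                # system directory that is the Look2Me-style persistence this thread is chasing.
                findings.append({"type": "O20", "name": m.group("name"), "path": path,
                                 "reason": "Notify DLL outside the system directory"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']} [{f['name']}] {f['path']}: {f['reason']}")
```

Run against the sample it reports exactly the three entries CalamityJane asks to have fixed (rpcc, 2006reg, artm_newreg) and stays quiet on the vendor entries, including the unquoted %systemroot% one, because that value still carries a directory.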

CalamityJane
2006-05-30, 19:25
Also, please Open Ewido. Press the *Update* button

Press *start update*. If any new updates are found wait while it downloads and installs them. Go back to the scanner and choose *full system scan*

Save the log at the end and post the results back here, please.

CalamityJane
2006-05-30, 19:38
One more thing, I want to check for hidden files. Run these two free tools to produce a log from each please.

Download Blacklight (free trial) from F-Secure
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click on blbeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Download and run Blacklight: click Scan, then Next, Next again, then Exit.
There will be a new text file next to Blacklight. Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet


Next.
Please download Rootkit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
(link is at the very bottom of the page)

Unzip it to your desktop.

Open the rootkitrevealer folder and double-click rootkitrevealer.exe

Click the Scan button (bottom right)
It may take a while to scan (don't do anything while it's running - leave the PC idle while scanning)

When it's done, go up to File > Save. Choose to save it to your desktop.

Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

ichigo333
2006-05-31, 21:34
From blbeta.exe: the text file was named fsbl-20060530203651.log

05/30/06 22:36:51 [Info]: BlackLight Engine 1.0.37 initialized
05/30/06 22:36:51 [Info]: OS: 5.1 build 2600 (Dodatek Service Pack. 1)
05/30/06 22:36:51 [Note]: 7019 4
05/30/06 22:36:51 [Note]: 7005 0
05/30/06 22:37:18 [Note]: 7006 0
05/30/06 22:37:18 [Note]: 7011 1152
05/30/06 22:37:18 [Note]: 7026 0
05/30/06 22:37:18 [Note]: 7026 0
05/30/06 22:37:26 [Note]: FSRAW library version 1.7.1015
05/30/06 22:38:59 [Note]: 7007 0

From Rootkit...

HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s1 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s2 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\g0 2005-11-26 12:18 32 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\h0 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 2005-11-26 14:28 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\av_dtm02.gif.lnk 2006-05-04 23:23 549 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Recent\bez*tytu 2006-05-04 23:23 555 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Recent\Dysk lokalny (C).lnk 2006-05-31 20:23 293 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\Export.txt.lnk 2006-05-31 20:23 403 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\rapport1.txt.lnk 2006-05-31 20:23 415 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\Scan report_20060523.txt.txt.lnk 2006-05-23 22:50 582 bytes Visible in Windows API, but not in MFT or directory index.
C:\Export.txt 2006-05-25 17:04 106 bytes Visible in Windows API, but not in MFT or directory index.
C:\rapport.txt 2006-05-23 17:24 469 bytes Visible in Windows API, but not in MFT or directory index.
C:\rapport1.txt 2006-05-23 17:25 469 bytes Visible in Windows API, but not in MFT or directory index.
C:\RECYCLER\S-1-5-21-73586283-706699826-725345543-500\Dc1.txt 2006-05-31 20:23 469 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-73586283-706699826-725345543-500\Dc2.txt 2006-05-31 20:23 106 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-73586283-706699826-725345543-500\Dc3.txt 2006-05-31 20:23 469 bytes Hidden from Windows API.


And from HijackThis...


Logfile of HijackThis v1.99.1
Scan saved at 20:32:25, on 2006-05-31
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
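
The RootkitRevealer output in this post is left uninterpreted in the thread, and most of it is noise of two well-known kinds. The Python below is an added example written for this page, not part of the thread or of RootkitRevealer; it parses the `<path> <timestamp> <size> bytes <discrepancy>` lines (sample copied from the post, plus one invented example.sys line so the "investigate" branch has something to hit) and applies three heuristics that are assumptions, not anything the thread states: entries under Services\sptd\Cfg come from the SPTD driver that DAEMON Tools (present in these logs) installs and hides its own keys, a classic false positive; "Visible in Windows API, but not in MFT" is the reverse of hiding; and files stamped inside the scan window (assumed here as starting 2006-05-31 20:20, since several entries carry 20:23 and the HijackThis scan was saved at 20:32) changed between the API pass and the raw-disk pass.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the RootkitRevealer lines posted in this thread, plus one
# invented "hidden driver" line (example.sys) so that the "investigate" branch has something to hit.
SAMPLE = r"""
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\s0 2005-11-26 12:18 4 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 2005-11-26 14:28 0 bytes Hidden from Windows API.
C:\Documents and Settings\Administrator\Recent\av_dtm02.gif.lnk 2006-05-04 23:23 549 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\Administrator\Recent\Dysk lokalny (C).lnk 2006-05-31 20:23 293 bytes Hidden from Windows API.
C:\RECYCLER\S-1-5-21-73586283-706699826-725345543-500\Dc1.txt 2006-05-31 20:23 469 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\example.sys 2006-05-20 03:14 24576 bytes Hidden from Windows API.
"""

# <path> <YYYY-MM-DD HH:MM> <size> bytes <discrepancy>; the path may contain spaces, so it is
# matched lazily up to the timestamp.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+) bytes (?P<disc>.+)$")

# Assumed scan start: the log shows several entries stamped 2006-05-31 20:23 and the user's
# HijackThis scan was saved at 20:32, so the scan ran in that window.
SCAN_START = datetime(2006, 5, 31, 20, 20)
SCAN_WINDOW = timedelta(minutes=30)

# Allowlist (assumed, not from the thread): SPTD is the disc-emulation driver that DAEMON Tools
# installs; it hides its own Services\sptd\Cfg keys from the registry API, a well-known
# RootkitRevealer false positive.
KNOWN_BENIGN_KEY_FRAGMENTS = ("\\services\\sptd\\cfg",)


def parse(text):
    """Turn RootkitRevealer output into rows; lines that do not fit the format are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({
                "path": m.group("path"),
                "when": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M"),
                "size": int(m.group("size")),
                "disc": m.group("disc").rstrip("."),
            })
    return rows


def classify(row, scan_start=SCAN_START, window=SCAN_WINDOW):
    """Return (tag, explanation) for one discrepancy; 'investigate' is the only tag needing action."""
    p = row["path"].lower()
    if row["disc"].startswith("Visible in Windows API"):
        return ("api_visible", "visible to the API but not on raw disk: not a hiding technique, "
                               "usually a file that changed between the two passes")
    if p.startswith("hklm\\") and any(frag in p for frag in KNOWN_BENIGN_KEY_FRAGMENTS):
        return ("known_benign", "SPTD driver configuration hidden by the driver itself")
    if scan_start <= row["when"] <= scan_start + window:
        return ("scan_churn", "modified during the scan; API and raw-disk views were taken at "
                              "different moments")
    return ("investigate", "hidden from the Windows API and not explained by any benign heuristic")


def triage(text, scan_start=SCAN_START):
    """Map every parsed line to its tag, in input order."""
    return [(r["path"], classify(r, scan_start)[0]) for r in parse(text)]


if __name__ == "__main__":
    for path, tag in triage(SAMPLE):
        print(f"{tag:13} {path}")
```

On the sample only the invented driver line survives as "investigate"; everything actually posted in the thread falls into one of the benign buckets, which is the practical reading of this RootkitRevealer log. The allowlist and scan window are deliberately small and explicit so that a reviewer can see exactly which assumptions produced a "benign" verdict.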

CalamityJane
2006-05-31, 22:25
Were you able to successfully complete the steps in this post linked below?:
http://forums.spybot.info/showpost.php?p=27128&postcount=19

If not, please do that now. And then come back and follow these next steps following.
..........................................
Next step:
Make a new folder on your Hard-drive and name it BFU like so:
c:\BFU

Next, Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip).

Unzip/decompress and save the contents to the folder you made above: c:\BFU

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute field copy and paste c:\bfu\alcanshorty.bfu
Press execute and let it do its job.

Wait for the complete script execution box to pop up and press OK.

click "save"

In "filename" enter log.txt

click exit to exit the BFU program.

Please copy the contents of the log.txt back here in your next reply. The log.txt will be in the C:\BFU\ folder ...
............................................
Next, please open Killbox. click on *File* tab at the top and choose *Logs* from the drop down menu. Then choose *Actions History Log*. A notepad text file will popup. Please copy all of that text and post it back here with the log.txt from BFU in your next reply.

ichigo333
2006-05-31, 23:48
Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ czwartek, maj 25, 2006, 4:56 PM

# 1 [Delete on Reboot]
Path = C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1


I Rebooted @ 4:58:08 PM
Killbox Closed(Exit) @ 4:58:09 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ niedziela, maj 28, 2006, 1:27 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


# 2 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll


# 3 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll


# 4 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll


I Rebooted @ 1:28:49 PM
Killbox Closed(Exit) @ 1:28:50 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ niedziela, maj 28, 2006, 1:32 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


I Rebooted @ 1:33:12 PM
Killbox Closed(Exit) @ 1:33:14 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ wtorek, maj 30, 2006, 10:32 PM

# 1 [Replace on Delete]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
*Replaced with C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\kbdummy.0

I Rebooted @ 10:33:48 PM
Killbox Closed(Exit) @ 10:33:49 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ środa, maj 31, 2006, 10:42 PM

Killbox Closed(Exit) @ 10:42:56 PM
__________________________________________________

ichigo333
2006-05-31, 23:49
and here's the log from BFU

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ środa, maj 31, 2006, 10:45 PM


BFU v1.00.9
Windows XP Dodatek SP. 1 (WinNT 5.01.2600 Dodatek SP. 1)
Script started at 22:41:41, on 2006-05-31

Script completed.

CalamityJane
2006-06-01, 00:46
Ok, not sure if that worked or not...might be a language problem with the tools I am using being in English and your PC in Polish (I think?). I'll ask some of the others to take a look here to see what they think.

Could you please reboot the PC and scan with HijackThis and post a fresh log please?

ichigo333
2006-06-01, 17:25
Ok, here is the log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 16:22:35, on 2006-06-01
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
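
The two entries the helper singles out for removal in the next post, the path-less `[rpcc] rpcc.exe` Run value and the Winlogon Notify DLL sitting under All Users\Dokumenty, are exactly the shapes a log triage script should raise first. The following is an added example, not code from the thread or from HijackThis: it scans the O4/O9/O20 lines of a v1.99.1 log with three editor-chosen heuristics (a Run entry whose program is a bare file name, a Winlogon Notify DLL outside the Windows directory, and any entry marked "(file missing)"). The sample lines are copied from the log above; the system-directory list is an assumption for a default XP install.

```python
"""Triage a HijackThis v1.99 log for the entry shapes that mattered in this thread.

Added example, not part of the thread or of HijackThis. The heuristics are the
editor's assumptions, not HijackThis rules; SAMPLE_LOG is copied from the log above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: default-location Windows XP install. Winlogon Notify packages
# normally live under the Windows directory; a DLL anywhere else deserves a look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\winnt\\", "%systemroot%\\", "%windir%\\")

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4"
    reason: str   # short reason code
    line: str     # the log line, verbatim


# O4 body layout: "<hive>\..\Run: [<value name>] <command line>"
_O4_RUN = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _program(cmd: str) -> str:
    """Return the program part of a Run command line, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list[Finding]:
    """Return the entries a responder would look at first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue  # process list, blank lines, log header
        section, body = line.split(" - ", 1)
        if "(file missing)" in body:
            # Registered component whose file is gone: harmless, but dead weight.
            findings.append(Finding(section, "orphan-entry", line))
        elif section == "O4" and (m := _O4_RUN.match(body)):
            prog = _program(m.group("cmd"))
            # A bare file name is resolved through the loader's search path at
            # logon, so the log line alone does not tell you which file runs.
            if "\\" not in prog and "/" not in prog:
                findings.append(Finding(section, "bare-filename-autorun", line))
        elif section == "O20":
            # Layout is "Winlogon Notify: <name> - <dll path>"; the path is the last field.
            dll = body.rsplit(" - ", 1)[-1].strip().lower()
            if not dll.startswith(SYSTEM_DIRS):
                findings.append(Finding(section, "winlogon-notify-outside-system-dir", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<38} {f.line}")
```

On the sample it reports three lines: the rpcc autorun, the artm_new.dll notify package and the orphaned BitDefender uninstall button. The "Unknown owner" ATI Smart service is deliberately not flagged; a missing company string on its own says nothing, and a real review would check the file on disk rather than the log line.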

CalamityJane
2006-06-05, 03:08
ichigo333,

One of our researchers thinks there may be a super hidden file that accompanies this infection. So let's do this on his advice (Thanks, LonnyRJones!)

Open Killbox.

Choose *Delete on Reboot*

http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/DeleteOnReboot.gif

Copy and paste the following line into the white box that says "Full path of file to delete"

C:\WINDOWS\sysvx_.exe

Press the red button with the white X on it
http://home.earthlink.net/~calamityjanefl/KillboxUsingClipboard/RedButtonWhiteX.gif

Allow Killbox to reboot your computer.

After reboot, Scan with HijackThis and checkmark these two entries then press the *fix checked* button

O4 - HKLM\..\Run: [rpcc] rpcc.exe

O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

Delete these files (if found)

C:\WINDOWS\System32\rpcc.exe

C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll

Now please reboot your computer once more.

After reboot scan again with HijackThis to create a log and post the fresh log back here please.

I'd also like to see the Killbox log again. Open Killbox, and click on *File* tab at the top and choose *Logs* from the drop down menu. Then choose *Actions History Log*. A notepad text file will popup. Please copy all of that text and post it back here, along with the new Hijackthis log.

ichigo333
2006-06-05, 18:08
Logs from Hijack...

Logfile of HijackThis v1.99.1
Scan saved at 17:04:29, on 2006-06-05
Platform: Windows XP Dodatek SP. 1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Neostrada Plus wita Cie w Internecie
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Documents and Settings\Administrator\Moje dokumenty\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\tlen.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {18506D80-9B80-11D4-82C2-0080C8D7ED4A} (GameDesire Roulette) - http://67.15.101.3/g_bin/pl/roulette_2_0_0_16.cab
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/pl/cards_2_0_0_68.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {E23FABEE-12E3-33DA-DA12-195DAC123984} (GameDesire Mahjong) - http://67.15.101.3/g_bin/pl/mahjong_2_0_0_23.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6394C0F1-9179-4B53-9D2F-0509BFF02A70}: NameServer = 194.204.152.34 217.98.63.164
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe



and from Killbox!

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Thursday, May 25, 2006, 4:56 PM

# 1 [Delete on Reboot]
Path = C:\DOCUME~1\ADMINI~1\DANEAP~1\SCURIT~1


I Rebooted @ 4:58:08 PM
Killbox Closed(Exit) @ 4:58:09 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Sunday, May 28, 2006, 1:27 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


# 2 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2006.dll


# 3 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\2014.dll


# 4 [Delete on Reboot]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\20242402.dll


I Rebooted @ 1:28:49 PM
Killbox Closed(Exit) @ 1:28:50 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Sunday, May 28, 2006, 1:32 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\System32\rpcc.exe


I Rebooted @ 1:33:12 PM
Killbox Closed(Exit) @ 1:33:14 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Tuesday, May 30, 2006, 10:32 PM

# 1 [Replace on Delete]
Path = C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll
*Replaced with C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\kbdummy.0

I Rebooted @ 10:33:48 PM
Killbox Closed(Exit) @ 10:33:49 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Wednesday, May 31, 2006, 10:42 PM

Killbox Closed(Exit) @ 10:42:56 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Wednesday, May 31, 2006, 10:45 PM

Killbox Closed(Exit) @ 10:47:46 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Monday, June 05, 2006, 4:56 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\sysvx_.exe


Killbox Closed(Exit) @ 4:57:47 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Monday, June 05, 2006, 4:58 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\sysvx_.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:58:35 PM
# 2 [Delete on Reboot]
Path = C:\WINDOWS\sysvx_.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:59:17 PM
Pocket Killbox version 2.0.0.648
Running on Windows XP as Administrator(Administrator)
was started @ Monday, June 05, 2006, 5:05 PM
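
Killbox's "[Delete on Reboot]" and "[Replace on Delete]" entries work by queueing operations in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, the REG_MULTI_SZ value that MoveFileEx writes for MOVEFILE_DELAY_UNTIL_REBOOT and that Session Manager processes early in boot, before the files are in use. The "PendingFileRenameOperations Registry Data has been Removed by External Process!" lines in the log above mean something on the machine emptied that value between scheduling and reboot, which is why the earlier attempts did not stick. The following is an added example, not code from the thread or from Killbox: it encodes and decodes that value offline from constructed data and reports which scheduled operations have vanished. The paths are taken from the Killbox log; the exact strings Killbox writes are an assumption based on the MoveFileEx convention (`\??\` prefix on NT paths, empty target for delete, `!` prefix on the target for replace).

```python
"""Decode and diff the PendingFileRenameOperations value behind "Delete on Reboot".

Added example, not part of the thread or of Killbox. Works on constructed
REG_MULTI_SZ blobs in memory rather than the live registry, so it runs anywhere.
"""
from __future__ import annotations

# Sources and targets are NT-style paths; MoveFileEx prefixes Win32 paths with \??\.
NT_PREFIX = "\\??\\"


def encode_multi_sz(strings: list[str]) -> bytes:
    """REG_MULTI_SZ: each string NUL-terminated, UTF-16LE, plus one extra NUL ending the list."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"


def decode_multi_sz(blob: bytes) -> list[str]:
    """Inverse of encode_multi_sz; assumes a well-formed value (ends with the list terminator).

    Empty strings are preserved because an empty target is how a delete is recorded."""
    text = blob.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]          # drop the list terminator
    parts = text.split("\0")
    return parts[:-1]             # the tail after the final string's own NUL is not a string


def decode_pending_ops(blob: bytes) -> list[tuple[str, str, str]]:
    """Turn the raw value into (action, source, target) triples.

    Assumed convention (MoveFileEx): empty target = delete, target beginning
    with '!' = replace existing file, anything else = plain rename."""
    strings = decode_multi_sz(blob)
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops: list[tuple[str, str, str]] = []
    for src, dst in zip(strings[::2], strings[1::2]):
        src = src.removeprefix(NT_PREFIX)
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:].removeprefix(NT_PREFIX)))
        else:
            ops.append(("rename", src, dst.removeprefix(NT_PREFIX)))
    return ops


def missing_ops(scheduled: bytes, current: bytes | None) -> list[tuple[str, str, str]]:
    """Operations that were scheduled but are no longer in the value.

    A None `current` models the value having been deleted outright, which is the
    condition Killbox reports as "Removed by External Process"."""
    present = set(decode_pending_ops(current)) if current else set()
    return [op for op in decode_pending_ops(scheduled) if op not in present]


# Constructed sample: the two operations used in this thread, written the way
# MoveFileEx would record them (paths from the Killbox log above).
SCHEDULED = encode_multi_sz([
    NT_PREFIX + r"C:\WINDOWS\sysvx_.exe", "",                                   # Delete on Reboot
    NT_PREFIX + r"C:\Documents and Settings\Administrator\Ustawienia lokalne\Temp\kbdummy.0",
    "!" + NT_PREFIX + r"C:\Documents and Settings\All Users\Dokumenty\Settings\artm_new.dll",  # Replace
])

if __name__ == "__main__":
    for op in decode_pending_ops(SCHEDULED):
        print(op)
    print("lost after tampering:", missing_ops(SCHEDULED, None))
```

Reading the value back right before rebooting, and comparing it with what was scheduled, is the check the repeated Killbox runs in the log were doing by hand; an empty or missing value at that point means the malware (or another tool) is still active and clearing it, and the deletion has to be retried from an environment it cannot interfere with.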

CalamityJane
2006-06-05, 18:32
Very good! I think that finally got it :bigthumb:

How is your PC running now? Does everything look ok on your end?

ichigo333
2006-06-06, 00:03
Thank You !
Thank You!
Thank You!

I'd like to say Thank You :D
You've done more than you think... I guess it should work properly now... however, it works much much better... and the net... it doesn't disconnect any time it wants ;)
You deserve a big hug or anything you want :]
Cheers :)

Thanks again :]

CalamityJane
2006-06-06, 00:17
Bless your heart, ichigo333 :heart:

I'm so glad to hear that everything is working ok again. We're glad we could help :)

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore points in Windows XP... why?

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system, it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Put a Checkmark in the box next to "Turn off System Restore".
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
Go to Start and right-click on *My Computer*.
Click Properties.
Click the System Restore tab.
Remove the checkmark next to "Turn off System Restore".
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

"So, how did I get infected in the first place?" (by Tony Klein)
http://forums.spybot.info/showthread.php?t=279

You need to get Service Pack 2 for XP and all critical Windows Security Updates as it will address numerous security issues in your Operating System and IE :)
http://v5.windowsupdate.microsoft.com/en/default.asp

ichigo333
2006-06-06, 23:41
Yeah, the PC is working now just perfect... I'm telling you.
Really... a week ago the net connection was so slow... and it kept disconnecting a billion times a day :sick:
And now...
God bless You Guys and all the things you have done :heart:
I've just updated the WXP so I hope it won't get as bad as it was :blush:

Thanks:]