NoDriveTypeAutoRun spam @teatimer



Daethare
2011-02-14, 02:41
Recently I've been getting a lot of warnings from TeaTimer about this registry change. I've read somewhere that it may be a backdoor attack.

It's annoying, because it pops up every time I turn on my computer, no matter whether I allow or disallow the change to the registry. And if I disallow the change, it pops up again within a second or two. My computer has started to work a little bit slower, not really a huge difference, but it still annoys me a bit.
I've used ComboFix, Spybot and ESET NOD32 scans in both normal and safe Windows mode.
Edit
Please do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806)

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

TeaTimer logs ("Odmówiono" means "denied" in my language):


2011-02-13 23:48:30 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:48:32 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:48:36 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:48:38 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:49:29 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:49:32 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:49:33 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:55:36 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-14 00:01:46 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-14 00:01:51 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-14 00:01:53 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-14 00:01:55 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-14 00:02:00 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-14 00:02:01 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-14 00:03:58 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
And I'm terribly sorry for bumping the topic again, I forgot about the DDS logs, here they are:

DDS (Ver_10-12-12.02) - NTFS_AMD64
Run by Ja at 0:37:44,61 on 2011-02-14
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1250.48.1045.18.4094.2963 [GMT 1:00]

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Eset\nod32krn.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\WUDFHost.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\ESET\nod32kui.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Ja\Downloads\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_framework.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Pomocnik rejestracji usługi Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
mRun: [nod32kui] "C:\Program Files (x86)\Eset\nod32kui.exe" /WAITSERVICE
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 0 (0x0)
mPolicies-system: EnableInstallerDetection = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&ksport do programu Microsoft Excel - C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Pobierz plik wideo we Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlfvideo.htm
IE: Pobierz w Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dllink.htm
IE: Pobierz wszystkie pliki w Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlall.htm
IE: Pobierz zaznaczone w Free Download Manager - file://C:\Program Files (x86)\Free Download Manager\dlselected.htm
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - C:\Program Files (x86)\HP\Smart Web Printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
LSP: C:\Windows\system32\imon.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files%20(x86)/Plants%20vs.%20Zombies/Images/stg_drm.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files%20(x86)/Plants%20vs.%20Zombies/Images/armhelper.ocx
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)

================= FIREFOX ===================

FF - ProfilePath - C:\Users\Ja\AppData\Roaming\Mozilla\Firefox\Profiles\0moqeuay.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&q=
FF - component: C:\Users\Ja\AppData\Roaming\Mozilla\Firefox\Profiles\0moqeuay.default\extensions\{0ed38a68-9a97-450a-a349-62d04f4cc940}\components\FFExternalAlert.dll
FF - component: C:\Users\Ja\AppData\Roaming\Mozilla\Firefox\Profiles\0moqeuay.default\extensions\{0ed38a68-9a97-450a-a349-62d04f4cc940}\components\RadioWMPCore.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: C:\ProgramData\Gadu-Gadu 10\_userdata\npgg.4.dll
FF - plugin: C:\ProgramData\Gadu-Gadu 10\_userdata\nppl3260.dll
FF - plugin: C:\ProgramData\Gadu-Gadu 10\_userdata\nprpjplug.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: dollarsgroup Toolbar: {0ed38a68-9a97-450a-a349-62d04f4cc940} - %profile%\extensions\{0ed38a68-9a97-450a-a349-62d04f4cc940}
FF - Ext: OneManga Manager: {bbeee172-6a96-6f83-cf0c-a3bf46b77f94} - %profile%\extensions\{bbeee172-6a96-6f83-cf0c-a3bf46b77f94}

============= SERVICES / DRIVERS ===============

R2 NOD32krn;NOD32 Kernel Service;C:\Program Files (x86)\ESET\nod32krn.exe [2008-1-1 552064]
S3 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe [2008-1-21 93696]

=============== Created Last 30 ================

2011-02-13 22:57:30 -------- d-----w- C:\Users\Ja\AppData\Local\temp
2011-02-13 22:55:02 -------- d-----w- C:\$RECYCLE.BIN
2011-02-13 22:45:45 388096 ----a-r- C:\Users\Ja\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-13 22:45:44 -------- d-----w- C:\Program Files (x86)\HJTTTT
2011-02-13 22:36:56 98816 ----a-w- C:\Windows\sed.exe
2011-02-13 22:36:56 89088 ----a-w- C:\Windows\MBR.exe
2011-02-13 22:36:56 256512 ----a-w- C:\Windows\PEV.exe
2011-02-13 22:36:56 161792 ----a-w- C:\Windows\SWREG.exe
2011-02-13 22:34:44 318976 ----a-w- C:\Windows\SysWow64\CF30696.exe
2011-02-13 22:28:26 318976 ----a-w- C:\Windows\SysWow64\CF23942.exe
2011-02-13 22:28:22 8704 ----a-w- C:\Windows\System32\drivers\PROCEXP90.SYS
2011-02-13 22:27:52 318976 ----a-w- C:\Windows\SysWow64\cmd.execf
2011-02-13 22:12:02 318976 ----a-w- C:\Windows\SysWow64\CF29190.exe
2011-02-11 13:12:40 -------- d-----w- C:\Users\Ja\AppData\Roaming\codeblocks
2011-02-11 11:12:42 -------- d-----w- C:\Users\Ja\WapSter
2011-02-11 11:12:21 -------- d-----w- C:\Program Files (x86)\WapSter
2011-02-09 10:11:11 -------- d-----w- C:\Users\Ja\AppData\Roaming\.minecraft server
2011-01-30 13:01:48 -------- d-----w- C:\Users\Ja\AppData\Roaming\.minecraft

==================== Find3M ====================


============= FINISH: 0:37:59,36 ===============



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft® Windows Vista™ Ultimate
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-01-01 01:50:26
System Uptime: 2011-02-13 23:54:30 (1 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | P31-DS3L
Processor: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 2333/333mhz

==== Disk Partitions =========================

F: is CDROM ()
G: is CDROM ()
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

@BIOS Ver.2.03
18 Wheels of Steel Haulin
Adobe Flash Player 10 Plugin
Adobe Reader 8 - Polish
AIO_Scan
Archiwizator WinRAR
Ashampoo Burning Studio 9.20
Astroburn Lite
Asystent rejestracji usługi Windows Live
BEU Net 2006
Black and White
BufferChm
Carmageddon II Carpocalypse Now
CDBurnerXP
Copy
CustomerResearchQFolder
Destination Component
DeviceDiscovery
DeviceManagementQFolder
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
eSupportQFolder
EVEREST Ultimate Edition v5.02
F4100
F4100_doccd
F4100_Help
Fraps (remove only)
Free Download Manager 2.5
Free Mp3 Wma Converter V 1.91
Gadu-Gadu 10
Gadu-Gadu 7.7
GG Tools
GTAIII
Guitar Pro 5.2
HiJackThis
HijackThis 2.0.2
HP Photosmart Essential2.01
HP Smart Web Printing
HP Update
HPProductAssistant
HPSSupply
Java(TM) 6 Update 11
JDownloader
K-Lite Codec Pack 4.2.5 (Full)
Lineage II
MadOnion.com/3DMark2001 SE
Mafia II - Demo
MarketResearch
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Minecraft Beta 1.1_02
Mozilla Firefox (3.0.19)
Mozilla Firefox (3.5.16)
MP3 To Wave version 1.2
Nero 7 Premium
neroxml
NOD32 FiX
Nowe Gadu-Gadu
NVIDIA PhysX
Octoshape add-in for Adobe Flash Player
Outlive
Pando Media Booster
PhotoStage Slideshow Producer
PowerDVD
Pro Beach Soccer
PSSWCORE
Real Alternative 2.0.2
save2pc Light 3.56
Scan
Shaiya(POLAND)
Shockwave
Skoki Narciarskie 2002
Skype Toolbars
Skype™ 4.2
Smart MP3 Converter
Snikers4
Soldat 1.5.0
SolutionCenter
SpeedFan (remove only)
Spybot - Search & Destroy
Status
Steam
System Antywirusowy NOD32
t@b ZS4 Video Editor v0.958-686
The Movies(TM)
The Movies(TM) 1.1 Patch
The Sims
Tony Hawk's Pro Skater 3®
Toolbox
Total Commander (Remove or Repair)
TrayApp
UnloadSupport
VideoPad Video Editor
VideoToolkit01
WapSter AQQ
WebReg
Winamp (remove only)
Windows Live installer
Windows Live Messenger
Xvid 1.2.1 final uninstall
XviD MPEG-4 Codec

==== End Of File ===========================
Last edited by tashi; Feb 13th, 2011 at 07:54 PM. Reason: Merged 3 posts, removed HJT and CF logs. :-)
-----------------------------------------------------
Updating the topic, because now it has gotten worse :( Processor usage is 100% all the time and it's impossible to work on the computer. If you guys can, please help me resolve this problem, because a format is really the last thing I want :) You helped me with another issue a couple of years ago and it would be nice to get such professional help and assistance again :)
-------------------------------------------------------
The Waiting Room: Post here if waiting for help four days (http://forums.spybot.info/forumdisplay.php?f=37)
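As an added illustration, not part of this thread and not code from Spybot, TeaTimer or any other tool the posters used: a small Python script that parses TeaTimer log lines like the ones quoted above (a few are copied into the script as a constructed sample), converts the `hex:B1,00,00,` payload to an integer, decodes it against the documented NoDriveTypeAutoRun drive-type bits, compares it with the 0x91 default that Windows Vista ships with, and flags a value that is re-applied several times within a short window, which is the pattern the log shows. The line format, the window and count thresholds and all function names are my assumptions; the bit meanings and the Vista default come from Microsoft's NoDriveTypeAutoRun documentation.

```python
"""Triage helper for TeaTimer registry-change log lines (added example)."""
import re
from datetime import datetime, timedelta

# Documented NoDriveTypeAutoRun bits: a set bit disables AutoRun for that drive type.
NO_DRIVE_TYPE_AUTORUN_BITS = {
    0x01: "unknown (0x01)",
    0x04: "removable",
    0x08: "fixed",
    0x10: "remote",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown (0x80)",
}
VISTA_DEFAULT = 0x91  # documented default on Windows Vista

# Constructed sample: four lines in the exact format quoted in the thread.
SAMPLE_LOG = """\
2011-02-13 23:48:30 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:48:32 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:48:36 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
2011-02-13 23:55:36 Odmówiono (based on user decision) value "NoDriveTypeAutoRun" (new data: "hex:B1,00,00,") zmienione in System Startup user entry!
"""

# Assumed line shape: "<timestamp> <decision> ... value "<name>" (new data: "<data>") ..."
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<decision>\S+) .*?'
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>[^"]*)"\)'
)


def parse_line(line):
    """Return a dict for one TeaTimer line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "decision": m.group("decision"),
        "name": m.group("name"),
        "data": m.group("data"),
    }


def hex_data_to_int(data):
    """'hex:B1,00,00,' -> 0xB1. REG_BINARY bytes are listed little-endian."""
    if not data.startswith("hex:"):
        raise ValueError("not a hex value: " + data)
    parts = [p for p in data[4:].split(",") if p]
    return int.from_bytes(bytes(int(p, 16) for p in parts), "little")


def decode_no_drive_type_autorun(value):
    """Names of the drive types whose AutoRun the value disables, low bit first."""
    return [name for bit, name in sorted(NO_DRIVE_TYPE_AUTORUN_BITS.items()) if value & bit]


def diff_against_default(value, default=VISTA_DEFAULT):
    """(types newly disabled, types re-enabled) relative to the default mask."""
    added = decode_no_drive_type_autorun(value & ~default)
    removed = decode_no_drive_type_autorun(default & ~value)
    return added, removed


def find_bursts(events, window=timedelta(seconds=10), min_count=3):
    """(value name, first timestamp, count) for runs of >= min_count attempts on the
    same value inside `window`: a change that is re-applied right after the user
    denies it, which is what the thread's log shows."""
    by_name = {}
    for e in events:
        by_name.setdefault(e["name"], []).append(e["ts"])
    bursts = []
    for name, stamps in by_name.items():
        stamps.sort()
        i = 0
        while i < len(stamps):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            if j - i + 1 >= min_count:
                bursts.append((name, stamps[i], j - i + 1))
            i = j + 1
    return bursts


def analyze(log_text):
    """Summarise a TeaTimer log: event count, distinct proposed values, decoded bits, bursts."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    values = {hex_data_to_int(e["data"]) for e in events if e["name"] == "NoDriveTypeAutoRun"}
    return {
        "events": len(events),
        "values": sorted(values),
        "disabled": {v: decode_no_drive_type_autorun(v) for v in values},
        "bursts": find_bursts(events),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(report)
    for v in report["values"]:
        print(hex(v), "vs default", hex(VISTA_DEFAULT), "->", diff_against_default(v))
```

Decoding the proposed value tells you what the change would actually do (0xB1 is the 0x91 default with the CD-ROM bit added, so it disables AutoRun on CD-ROM drives as well), which is more useful for triage than the raw hex string, and the burst detector collapses a noisy log into one finding per value so the repeated re-application stands out from one-off prompts.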

Blade81
2011-02-16, 18:58
Hi,

Look for c:\ComboFix.txt file and post back its contents, please.

Daethare
2011-02-23, 10:41
Sorry for not responding, but I was away from this computer for a couple of days and couldn't post anything :)

Here it is:


ComboFix 11-02-12.02 - Ja 2011-02-13 23:51:08.2.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1250.48.1045.18.4094.3150 [GMT 1:00]
Uruchomiony z: c:\users\Ja\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Pliki utworzone od 2011-01-13 do 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-13 22:53 . 2011-02-13 22:55 -------- d-----w- c:\users\Ja\AppData\Local\temp
2011-02-13 22:53 . 2011-02-13 22:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-13 22:45 . 2011-02-13 22:45 388096 ----a-r- c:\users\Ja\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-13 22:45 . 2011-02-13 22:45 -------- d-----w- c:\program files (x86)\HJTTTT
2011-02-13 22:34 . 2011-02-13 22:34 318976 ----a-w- c:\windows\SysWow64\CF30696.exe
2011-02-13 22:28 . 2011-02-13 22:27 318976 ----a-w- c:\windows\SysWow64\CF23942.exe
2011-02-13 22:28 . 2011-02-13 22:34 8704 ----a-w- c:\windows\system32\drivers\PROCEXP90.SYS
2011-02-13 22:27 . 2011-02-13 22:34 318976 ----a-w- c:\windows\SysWow64\cmd.execf
2011-02-13 22:12 . 2011-02-13 22:10 318976 ----a-w- c:\windows\SysWow64\CF29190.exe
2011-02-11 13:12 . 2011-02-11 14:15 -------- d-----w- c:\users\Ja\AppData\Roaming\codeblocks
2011-02-11 11:12 . 2011-02-11 11:12 -------- d-----w- c:\users\Ja\WapSter
2011-02-11 11:12 . 2011-02-11 11:12 -------- d-----w- c:\program files (x86)\WapSter
2011-02-09 10:11 . 2011-02-09 10:11 -------- d-----w- c:\users\Ja\AppData\Roaming\.minecraft server
2011-01-30 13:01 . 2011-02-09 10:11 -------- d-----w- c:\users\Ja\AppData\Roaming\.minecraft

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------




[7] 2008-02-26 . C315E4CD537736E53D1F28A497FBE29B . 844288 . . [6.0.6000.20779] . . c:\windows\SoftwareDistribution\Download\6ceeb1728f18b8985878b55a3952e1e2\amd64_microsoft-windows-taskscheduler-service_31bf3856ad364e35_6.0.6000.20779_none_89806b606b87a06d\schedsvc.dll


c:\windows\system32\linkinfo.dll ... - brak elementu !!
c:\windows\system32\hnetcfg.dll ... - brak elementu !!
c:\windows\system32\regsvc.dll ... - brak elementu !!
c:\windows\system32\schedsvc.dll ... - brak elementu !!
c:\windows\SysWow64\linkinfo.dll ... - brak elementu !!
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files (x86)\Eset\nod32kui.exe" [2007-12-31 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R3 dump_wmimmc;dump_wmimmc;e:\filmy\L2OFF\system\GameGuard\dump_wmimmc.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-09 834544]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
AeLookupSvc
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
SENS
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
SessionEnv
winmgmt
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

--------- x86-64 -----------


NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
AeLookupSvc
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
SENS
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
MMCSS
hkmsvc
EapHost
winmgmt
SessionEnv
browser
ProfSvc
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
------- Skan uzupełniający -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Pobierz plik wideo we Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
IE: Pobierz w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
IE: Pobierz wszystkie pliki w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
IE: Pobierz zaznaczone w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\users\Ja\AppData\Roaming\Mozilla\Firefox\Profiles\0moqeuay.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: dollarsgroup Toolbar: {0ed38a68-9a97-450a-a349-62d04f4cc940} - %profile%\extensions\{0ed38a68-9a97-450a-a349-62d04f4cc940}
FF - Ext: OneManga Manager: {bbeee172-6a96-6f83-cf0c-a3bf46b77f94} - %profile%\extensions\{bbeee172-6a96-6f83-cf0c-a3bf46b77f94}
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil9b.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil9b.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files (x86)\Eset\nod32krn.exe
.
**************************************************************************
.
Czas ukończenia: 2011-02-13 23:57:29 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-02-13 22:57
ComboFix2.txt 2011-02-13 22:44

Przed: 116*268*978*176 bajtów wolnych
Po: 116*244*271*104 bajtów wolnych

- - End Of File - - F36CDCDFCA789F5181E43406C43A81A8

Blade81
2011-02-23, 18:14
Hi,

Look for ComboFix2.txt file in c:\qoobox or c:\combofix folder and post back its contents, please.

Is your NOD32 license a legit one?

Daethare
2011-02-23, 18:38
Thank you for your response :)

Afaik, my NOD32 license should be a legit one (not sure to be honest, but they installed it at the computer store when I was buying the computer). I've had it since the beginning and they told me at the store that it's a good, legit version.

Is something wrong with NOD32? Should I uninstall it and/or install another one? (I've got AVG Free Home Edition somewhere on a CD)

Here is the log from ComboFix2.txt:


ComboFix 11-02-12.02 - Ja 2011-02-13 23:37:45.1.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1250.48.1045.18.4094.3148 [GMT 1:00]
Uruchomiony z: c:\users\Ja\Downloads\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Ja\AppData\Roaming\Uninstall.exe
c:\users\Ja\DesktopPvs5Gt_save2pc.exe

.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_usnjsvc


((((((((((((((((((((((((( Pliki utworzone od 2011-01-13 do 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-13 22:45 . 2011-02-13 22:45 388096 ----a-r- c:\users\Ja\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-13 22:45 . 2011-02-13 22:45 -------- d-----w- c:\program files (x86)\HJTTTT
2011-02-13 22:34 . 2011-02-13 22:34 318976 ----a-w- c:\windows\SysWow64\CF30696.exe
2011-02-13 22:28 . 2011-02-13 22:27 318976 ----a-w- c:\windows\SysWow64\CF23942.exe
2011-02-13 22:28 . 2011-02-13 22:34 8704 ----a-w- c:\windows\system32\drivers\PROCEXP90.SYS
2011-02-13 22:27 . 2011-02-13 22:34 318976 ----a-w- c:\windows\SysWow64\cmd.execf
2011-02-13 22:12 . 2011-02-13 22:10 318976 ----a-w- c:\windows\SysWow64\CF29190.exe
2011-02-11 13:12 . 2011-02-11 14:15 -------- d-----w- c:\users\Ja\AppData\Roaming\codeblocks
2011-02-11 11:12 . 2011-02-11 11:12 -------- d-----w- c:\users\Ja\WapSter
2011-02-11 11:12 . 2011-02-11 11:12 -------- d-----w- c:\program files (x86)\WapSter
2011-02-09 10:11 . 2011-02-09 10:11 -------- d-----w- c:\users\Ja\AppData\Roaming\.minecraft server
2011-01-30 13:01 . 2011-02-09 10:11 -------- d-----w- c:\users\Ja\AppData\Roaming\.minecraft

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------




[7] 2008-02-26 . C315E4CD537736E53D1F28A497FBE29B . 844288 . . [6.0.6000.20779] . . c:\windows\SoftwareDistribution\Download\6ceeb1728f18b8985878b55a3952e1e2\amd64_microsoft-windows-taskscheduler-service_31bf3856ad364e35_6.0.6000.20779_none_89806b606b87a06d\schedsvc.dll


c:\windows\system32\linkinfo.dll ... - brak elementu !!
c:\windows\system32\hnetcfg.dll ... - brak elementu !!
c:\windows\system32\regsvc.dll ... - brak elementu !!
c:\windows\system32\schedsvc.dll ... - brak elementu !!
c:\windows\SysWow64\linkinfo.dll ... - brak elementu !!
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files (x86)\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="c:\program files (x86)\Eset\nod32kui.exe" [2007-12-31 949376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R3 dump_wmimmc;dump_wmimmc;e:\filmy\L2OFF\system\GameGuard\dump_wmimmc.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-09 834544]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
AeLookupSvc
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
SENS
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
SessionEnv
winmgmt
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

--------- x86-64 -----------


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"combofix"="c:\combofix\CF10200.cfxxe" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0

NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
AeLookupSvc
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
SENS
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
MMCSS
hkmsvc
EapHost
winmgmt
SessionEnv
browser
ProfSvc
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
------- Skan uzupełniający -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Pobierz plik wideo we Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
IE: Pobierz w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
IE: Pobierz wszystkie pliki w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
IE: Pobierz zaznaczone w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
LSP: c:\windows\system32\imon.dll
FF - ProfilePath - c:\users\Ja\AppData\Roaming\Mozilla\Firefox\Profiles\0moqeuay.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: dollarsgroup Toolbar: {0ed38a68-9a97-450a-a349-62d04f4cc940} - %profile%\extensions\{0ed38a68-9a97-450a-a349-62d04f4cc940}
FF - Ext: OneManga Manager: {bbeee172-6a96-6f83-cf0c-a3bf46b77f94} - %profile%\extensions\{bbeee172-6a96-6f83-cf0c-a3bf46b77f94}
.
- - - - USUNIĘTO PUSTE WPISY - - - -

AddRemove-BEUNet2006_SINS - e:\beunet2006\UnInst.exe
AddRemove-Minecraft Beta 1.1_02 - c:\users\Ja\AppData\Roaming\Uninstall.exe
AddRemove-Nowe Gadu-Gadu - c:\program files (x86)\Nowe Gadu-Gadu\Uninstall.exe
AddRemove-Shockwave - c:\windows\System32\Macromed\SHOCKW~1\UNWISE.EXE
AddRemove-The Sims - e:\sims\UNWISE.EXE


.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil9b.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil9b.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\program files (x86)\Eset\nod32krn.exe
.
**************************************************************************
.
Czas ukończenia: 2011-02-13 23:44:28 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-02-13 22:44

Przed: 116*464*369*664 bajtów wolnych
Po: 116*245*516*288 bajtów wolnych

- - End Of File - - D73D6083777018C9C8E1D869EBAD0CC9

Blade81
2011-02-23, 19:44
Hi,


Afaik, my NOD32 license should be a legit one (not sure to be honest, but they installed it in the computer store when I was buying the computer. I've had it since the beginning and they told me at the store that it's a good, legit version).

Is something wrong with NOD32? Should I uninstall it and/or install another one? (I've got AVG free home edition somewhere on CD)
Signs there indicate it's an illegal version. Please uninstall the following entries:
NOD32 FiX
System Antywirusowy NOD32

Don't install any other antivirus protection yet.


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode

On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer


Then re-run ComboFix and post back its log. Do you have your Vista Ultimate DVD handy?

Daethare
2011-02-23, 20:07
NOD32 uninstalled

I noticed that a couple of shortcut 'icons' on the desktop are missing. The *.exe files those shortcuts pointed to are also gone. This happened before using ComboFix.


Here is the Combofix Log:


ComboFix 11-02-23.01 - Ja 2011-02-23 18:58:19.3.2 - x64
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1250.48.1045.18.4094.3293 [GMT 1:00]
Uruchomiony z: c:\users\Ja\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Utworzono nowy punkt przywracania
.

((((((((((((((((((((((((( Pliki utworzone od 2011-01-23 do 2011-02-23 )))))))))))))))))))))))))))))))
.

2011-02-23 18:00 . 2011-02-23 18:02 -------- d-----w- c:\users\Ja\AppData\Local\temp
2011-02-23 18:00 . 2011-02-23 18:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-13 22:45 . 2011-02-13 22:45 388096 ----a-r- c:\users\Ja\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-02-13 22:45 . 2011-02-13 22:45 -------- d-----w- c:\program files (x86)\HJTTTT
2011-02-13 22:34 . 2011-02-13 22:34 318976 ----a-w- c:\windows\SysWow64\CF30696.exe
2011-02-13 22:28 . 2011-02-13 22:27 318976 ----a-w- c:\windows\SysWow64\CF23942.exe
2011-02-13 22:28 . 2011-02-13 22:34 8704 ----a-w- c:\windows\system32\drivers\PROCEXP90.SYS
2011-02-13 22:27 . 2011-02-13 22:34 318976 ----a-w- c:\windows\SysWow64\cmd.execf
2011-02-13 22:12 . 2011-02-13 22:10 318976 ----a-w- c:\windows\SysWow64\CF29190.exe
2011-02-11 13:12 . 2011-02-11 14:15 -------- d-----w- c:\users\Ja\AppData\Roaming\codeblocks
2011-02-11 11:12 . 2011-02-11 11:12 -------- d-----w- c:\users\Ja\WapSter
2011-02-11 11:12 . 2011-02-11 11:12 -------- d-----w- c:\program files (x86)\WapSter
2011-02-09 10:11 . 2011-02-09 10:11 -------- d-----w- c:\users\Ja\AppData\Roaming\.minecraft server
2011-01-30 13:01 . 2011-02-09 10:11 -------- d-----w- c:\users\Ja\AppData\Roaming\.minecraft

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------




[7] 2008-02-26 . C315E4CD537736E53D1F28A497FBE29B . 844288 . . [6.0.6000.20779] . . c:\windows\SoftwareDistribution\Download\6ceeb1728f18b8985878b55a3952e1e2\amd64_microsoft-windows-taskscheduler-service_31bf3856ad364e35_6.0.6000.20779_none_89806b606b87a06d\schedsvc.dll


c:\windows\system32\linkinfo.dll ... - brak elementu !!
c:\windows\system32\hnetcfg.dll ... - brak elementu !!
c:\windows\system32\regsvc.dll ... - brak elementu !!
c:\windows\system32\schedsvc.dll ... - brak elementu !!
c:\windows\SysWow64\linkinfo.dll ... - brak elementu !!
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files (x86)\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"DAEMON Tools Lite"="c:\program files (x86)\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 0 (0x0)
"EnableInstallerDetection"= 0 (0x0)
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R3 dump_wmimmc;dump_wmimmc;e:\filmy\L2OFF\system\GameGuard\dump_wmimmc.sys [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-08-09 834544]


[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
AeLookupSvc
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
SENS
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
SessionEnv
winmgmt
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.

--------- x86-64 -----------


NETSVCS WYMAGA NAPRAWY - pokazano aktualnie istniejące wpisy
AeLookupSvc
Themes
CertPropSvc
SCPolicySvc
lanmanserver
gpsvc
IKEEXT
AudioSrv
FastUserSwitchingCompatibility
Ias
Irmon
Nla
Ntmssvc
NWCWorkstation
Nwsapagent
SENS
SRService
Tapisrv
Wmi
WmdmPmSp
TermService
wuauserv
BITS
ShellHWDetection
LogonHours
PCAudit
helpsvc
uploadmgr
iphlpsvc
seclogon
AppInfo
MMCSS
hkmsvc
EapHost
winmgmt
SessionEnv
browser
ProfSvc
AppMgmt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
------- Skan uzupełniający -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = %SystemRoot%\system32\blank.htm
IE: E&ksport do programu Microsoft Excel - c:\progra~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
IE: Pobierz plik wideo we Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlfvideo.htm
IE: Pobierz w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dllink.htm
IE: Pobierz wszystkie pliki w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlall.htm
IE: Pobierz zaznaczone w Free Download Manager - file://c:\program files (x86)\Free Download Manager\dlselected.htm
FF - ProfilePath - c:\users\Ja\AppData\Roaming\Mozilla\Firefox\Profiles\0moqeuay.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&SearchSource=3&q={searchTerms}
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2672188&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: dollarsgroup Toolbar: {0ed38a68-9a97-450a-a349-62d04f4cc940} - %profile%\extensions\{0ed38a68-9a97-450a-a349-62d04f4cc940}
FF - Ext: OneManga Manager: {bbeee172-6a96-6f83-cf0c-a3bf46b77f94} - %profile%\extensions\{bbeee172-6a96-6f83-cf0c-a3bf46b77f94}
.
- - - - USUNIĘTO PUSTE WPISY - - - -

Wow6432Node-HKLM-Run-nod32kui - c:\program files (x86)\Eset\nod32kui.exe


.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.9"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash9b.ocx, 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil9b.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil9b.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}]
@Denied: (A 2) (Everyone)
@="IFlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
Czas ukończenia: 2011-02-23 19:04:37 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2011-02-23 18:04
ComboFix2.txt 2011-02-13 22:57
ComboFix3.txt 2011-02-13 22:44

Przed: 116*284*121*088 bajtów wolnych
Po: 116*261*048*320 bajtów wolnych

- - End Of File - - 3C58EB1086EA029104FA7557CEC70A75



Do you have your Vista Ultimate DVD handy?

I don't understand what you mean by "DVD handy"

Blade81
2011-02-23, 22:13
handy = available

We may need the Vista Ultimate installation DVD to restore some files.

Daethare
2011-02-24, 00:37
Well, in fact, I wanted to do a format/Windows reinstall before even writing here, but I lost the DVD somewhere in my house around January :S That's why I'm writing here, to resolve the infestation problem some other way than a reinstall :)

I've got an email that someone tried to hack my other forums' account

Keylogger + Rootkit possibility?

Blade81
2011-02-24, 07:47
Hi,


I've got an email that someone tried to hack my other forums' account

Keylogger + Rootkit possibility?
Hard to say for sure. If it was a keylogger, the hacker would likely have succeeded in accessing that other account instead of only trying, though.


Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
Please post contents of that file in your next reply.

Daethare
2011-02-24, 09:49
Malwarebytes found nothing. But somehow, the computer is still acting strangely.

Here is the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Wersja bazy: 5863

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

2011-02-24 08:46:55
mbam-log-2011-02-24 (08-46-55).txt

Typ skanowania: Pełne skanowanie (C:\|D:\|E:\|)
Przeskanowano obiektów: 317711
Upłynęło: 21 minut(y), 18 sekund(y)

Zainfekowanych procesów w pamięci: 0
Zainfekowanych modułów w pamięci: 0
Zainfekowanych kluczy rejestru: 0
Zainfekowanych wartości rejestru: 0
Zainfekowane informacje rejestru systemowego: 0
Zainfekowanych folderów: 0
Zainfekowanych plików: 0

Zainfekowanych procesów w pamięci:
(Nie znaleziono zagrożeń)

Zainfekowanych modułów w pamięci:
(Nie znaleziono zagrożeń)

Zainfekowanych kluczy rejestru:
(Nie znaleziono zagrożeń)

Zainfekowanych wartości rejestru:
(Nie znaleziono zagrożeń)

Zainfekowane informacje rejestru systemowego:
(Nie znaleziono zagrożeń)

Zainfekowanych folderów:
(Nie znaleziono zagrożeń)

Zainfekowanych plików:
(Nie znaleziono zagrożeń)

Blade81
2011-02-24, 17:43
Hi,

Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
linkinfo.dll
hnetcfg.dll
regsvc.dll
schedsvc.dll
linkinfo.dll


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Daethare
2011-02-27, 14:15
The problem is, I can't run it :| Some error appears

Blade81
2011-02-27, 14:34
Some error appears
What kind of error?

Daethare
2011-02-27, 14:41
http://img691.imageshack.us/img691/4249/errorrrp.jpg

In my translation, it says something like:

"You cannot run this application, because its simultaneous configuration is improper/wrong"

The second sentence says that I can find more details in the application registry/log/diary; I don't know how to translate it.

Anyway, something like this

Blade81
2011-02-27, 15:16
Hi,

Open Notepad and then copy and paste the lines below into it. Go to File > Save as, name the file fixes.bat, change the Save as type to All Files and save it to your desktop.
@echo off
Pev -filelook %windir%\linkinfo.dll or %windir%\hnetcfg.dll or %windir%\regsvc.dll or %windir%\schedsvc.dll >LogIt.txt
START LogIt.txt
del %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.

Daethare
2011-02-27, 15:29
Here it is:



---- C:\Windows\SoftwareDistribution\Download\6ceeb1728f18b8985878b55a3952e1e2\amd64_microsoft-windows-taskscheduler-service_31bf3856ad364e35_6.0.6000.20779_none_89806b606b87a06d\schedsvc.dll ----
Company: Microsoft Corporation
File Description: Task Scheduler Service
File Version: 6.0.6000.20779 (vista_ldr.080225-1533)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original file name: schedsvc.dll
File Size: 844288
Created Time: 2009-01-28 17:31:38
Modified Time: 2008-02-26 04:54:28
Accessed Time: 2009-01-28 17:31:38
MD5: C315E4CD537736E53D1F28A497FBE29B
SHA1: 81AC4685E05F3E6F98626B84695AE1D0939BABF8
SHA224: 0E9842EDAA39B1DE982906966FA61148DBB525E2077D775EE225B91C
SHA256: 80FC99B6208C836B5A913DC58143CB5CBA7C200F6F2A6204641023C5C9739EFB
SHA384: 929131821B8E5DC2B3C1313E57C7CE565DB174EBA8A22FBEC1515C919D362DFB34529741C1B4FB1D2ECA5BC416AA33AC
SHA512: B515AF3FF14361E22E153A630878B2A1A37CF10CADBE806E2D2BD6C75B7612DBB8481E7B24BBE67D6B92FBB71B97160284EA2D850613033CF0821921B0318101
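As an added example (not code from the thread, from ComboFix or from Pev), here is a Python script that does the defender-side part of what the fixes.bat above asks Pev -filelook for and what the output just posted shows: it takes a list of expected files, reports the absent ones explicitly (the "brak elementu !!" lines in the Sigcheck section of the ComboFix log are that case), and hashes the present ones in the same digest families Pev prints. The file names and the temporary directory inside demo() are constructed sample data so the script runs offline anywhere; on a real Windows machine you would point the list at paths under %SystemRoot%\system32 instead.

```python
"""Added example for this thread (not ComboFix or Pev code): check a list of
expected files, report the missing ones explicitly, and hash the present ones
with the same digest families that Pev -filelook printed above."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Digest families in the order Pev's filelook output lists them.
DIGESTS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def hash_file(path, chunk_size=1 << 16):
    """Stream the file once and return {digest_name: UPPERCASE hex} for every family."""
    hashers = {name: hashlib.new(name) for name in DIGESTS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def file_report(path):
    """Metadata plus digests for one file, or None when the file is absent."""
    if not os.path.isfile(path):
        return None
    st = os.stat(path)
    report = {
        "path": path,
        "size": st.st_size,
        "modified": datetime.fromtimestamp(st.st_mtime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }
    report.update(hash_file(path))
    return report


def filelook(paths):
    """Return (reports_for_present_files, missing_paths) for the expected paths."""
    present, missing = [], []
    for path in paths:
        report = file_report(path)
        if report is None:
            missing.append(path)
        else:
            present.append(report)
    return present, missing


def format_report(report):
    """Render one report in the layout of the Pev output quoted above."""
    lines = [f"---- {report['path']} ----",
             f"File Size: {report['size']}",
             f"Modified Time: {report['modified']}"]
    lines += [f"{name.upper()}: {report[name]}" for name in DIGESTS]
    return "\n".join(lines)


def demo():
    """Constructed sample: a temp dir holding one present file and three absent ones.
    The present file's content is the bytes b"abc" (a standard hash test vector),
    so its MD5 is 900150983CD24FB0D6963F7D28E17F72. The names only mirror the
    thread; none of these files is a real DLL."""
    with tempfile.TemporaryDirectory() as d:
        present_path = os.path.join(d, "schedsvc.dll")
        with open(present_path, "wb") as fh:
            fh.write(b"abc")
        expected = [present_path] + [os.path.join(d, n)
                                     for n in ("linkinfo.dll", "hnetcfg.dll", "regsvc.dll")]
        return filelook(expected)


if __name__ == "__main__":
    present, missing = demo()
    for rep in present:
        print(format_report(rep))
    for path in missing:
        # Same situation the ComboFix Sigcheck section reports as "brak elementu !!"
        print(f"{path} ... - missing !!")
```

A hash on its own only tells you a file is present and unchanged since you last hashed it; to say whether it is the genuine system file you need a known-good reference, such as the copy on the installation medium, which is why the helper keeps asking for the Vista DVD.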

Blade81
2011-02-27, 16:07
Hi,

The Vista Ultimate DVD is needed to replace a few missing files. Without it we can't make any progress in this case.

Daethare
2011-02-27, 18:22
I'll search for it and if I find it I'll post here :)

Blade81
2011-02-28, 07:33
:bigthumb:

Blade81
2011-03-09, 15:25
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.