Trojans in my PC-Win32/Rootkit.Agent.DP

M

Mateja

New member
Hi
Ja, i know i've got Trojans..My NOD32 told me that everytime when i run my PC. Cant't get rid of them.


-----------------------------------------------
Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:54:13, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A401403-500F-4C57-B6BE-FDA1D08079A2}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7697 bytes


Thanks for help
M.
 
Hi Mateja

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post
 
Hi
I did Kaspersky online scanner....

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 23, 2007 8:19:33 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/10/2007
Kaspersky Anti-Virus database records: 442787
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 90346
Number of viruses found: 23
Number of infected objects: 48
Number of suspicious objects: 0
Duration of the scan process: 03:49:02

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\IH18.tmp Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\IH4F.tmp Infected: Email-Worm.Win32.Zhelatin.gm skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DF72EF.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFCF57.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFCF8F.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\A3DVCPBA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\FZTOB3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\GXD1GLDA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\KBAKXPBA.NQF Infected: Rootkit.Win32.Agent.dw skipped
C:\Program Files\ESET\infected\M4WZBMAA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\SUCGN3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\WPUKKCDA.NQF Infected: Rootkit.Win32.Agent.dp skipped
C:\Program Files\ESET\infected\Z3NIXIBA.NQF Infected: Trojan-Downloader.Win32.Agent.djt skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0287460.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0289439.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290445.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290447.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319502.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319503.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319504.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319507.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319508.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319509.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319510.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319511.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319512.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319513.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319514.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319515.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319516.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319517.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319518.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319519.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319520.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319521.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319522.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319523.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319524.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319525.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319526.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319527.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319528.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319529.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0325591.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0328594.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336692.exe Infected: Trojan.Win32.Agent.bty skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336693.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0435834.sys Object is locked skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0438830.exe Infected: Trojan.Win32.Agent.afg skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0438841.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{210C52A2-8130-4602-876C-03DF84A43881}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\ip6fw.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\WINDOWS\system32\ntkrnlmp.exe Object is locked skipped
C:\WINDOWS\system32\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\system32\ntkrpamp.exe Object is locked skipped
C:\WINDOWS\system32\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\system32\oleauth32.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_148.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
I use PC for fun not for work.
We should try to clean it. I'll be a good student.:)
Although I would like to cry now. Is it really so bad with my PC?
 
Hi

Well there is at least one bot but we can continue cleaning , of course:

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
- sdfix report
 
Hi
Thanks for help
I did it everything you want, except Combofix. When it run, i've got "death" blue screen. i tried again and again the same. I did it three times then i stopped.
Here's SDFix log:

SDFix: Version 1.111

Run by mateja on tor 10/23/2007 at 19:32

Microsoft Windows XP [razliźica 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
runtime
runtime
runtime2

ImagePath:

runtime - Deleted
runtime - Deleted
runtime2 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service asc3550v - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\2_exception.nls - Deleted
C:\WINDOWS\system32\mstscex.dll - Deleted
C:\WINDOWS\system32\oleauth32.dll - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted

Could Not Remove C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE
Could Not Remove C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE
Could Not Remove C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE
Could Not Remove C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE


Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Oddaljena pomoź - Windows Messenger in Voice"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------
C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE Found
C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE Found
C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE Found
C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE Found

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 2 Jul 2002 16,208 A.SHR --- "C:\Program Files\IAS_3_0\rf32sa.dll"
Mon 30 Oct 2006 8 ..SHR --- "C:\WINDOWS\system32\FA6A3FAFCF.dll"
Thu 7 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 5 Nov 2006 3,584 A..H. --- "C:\Documents and Settings\mateja\Local Settings\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe"
Fri 11 Aug 2006 1,401,768 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa6a8b6ef758224c8bfe859aa426f0c7\BIT3.tmp"

Finished!

And HJT logfile

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:45, on 2007-10-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7628 bytes
 
Hi

Try to then run it in safe mode and let me know if it was successful there :)
 
Hi

Delete your copy of combofix and download new combofix from my link2, save it to desktop and try again, please :)
 
Hi
I tried, nothing new. It stopped again.
Blue screen and i noticed
STOP:0x0000008E (0xC0000008E, 0x80563CD6, 0xF9D30C20, 0x00000000)
if its useful information for you
 
Hi

Then we use this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
 
Hi
No blue screen..at last.

Deckard's System Scanner v20071014.68
Run by mateja on 2007-10-24 17:12:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
47: 2007-10-24 15:12:40 UTC - RP468 - Deckard's System Scanner Restore Point
46: 2007-10-23 18:16:58 UTC - RP467 - ComboFix created restore point
45: 2007-10-22 11:27:31 UTC - RP466 - Software Distribution Service 3.0
44: 2007-10-21 15:11:29 UTC - RP465 - Installed Windows Internet Explorer 7.
43: 2007-10-21 15:09:39 UTC - RP464 - Installed Windows IDNMitigationAPIs.


-- First Restore Point --
1: 2007-09-09 22:23:02 UTC - RP422 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as mateja.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14, on 2007-10-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Namizje\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mateja.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7535 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
R2 AMON - c:\windows\system32\drivers\amon.sys <Not Verified; Eset; NOD32 Antivirus System>
R2 athsgt - c:\windows\system32\drivers\athsgt.sys
R2 limsgt - c:\windows\system32\drivers\limsgt.sys
R3 HRCMPA (ISDN Wan driver (Ver. 1.20.0029)) - c:\windows\system32\drivers\hrcmpa.sys <Not Verified; SIEMENS AG; ISDN Data Adapter>
R3 NTSPPPOE (Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver) - c:\windows\system32\drivers\ntspppoe.sys <Not Verified; Efficient Networks, Inc.; tango>

S3 catchme - c:\docume~1\mateja~1.mat\lokaln~1\temp\catchme.sys (file missing)
S3 DectEnum - c:\windows\system32\drivers\dectenum.sys <Not Verified; Siemens AG; >
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 Gigusb (Dect USB Driver) - c:\windows\system32\drivers\gigusb.sys <Not Verified; Siemens AG; Gigaset>
S3 IUAPIWDM (ISDN USB Interface (Ver. 1.20.0029)) - c:\windows\system32\drivers\iuapiwdm.sys <Not Verified; SIEMENS AG; ISDN Data Adapter>
S3 RAWESR - c:\program files\siol\adsl\app\rawesr.sys <Not Verified; Efficient Networks, Inc.; tango>
S3 siellif - c:\windows\system32\drivers\siellif.sys <Not Verified; Siemens AG; >
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 VNICPKT5 (VNICPKT5 Protocol Driver) - c:\windows\system32\vnicpkt5.sys <Not Verified; ; NIC Diagnostic Tool>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PPPoEService (PPPoE Service) - c:\progra~1\siol\adsl\app\pppoeservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-24 15:39:00 262 --a------ C:\WINDOWS\Tasks\Disk Cleanup.job


-- Files created between 2007-09-24 and 2007-10-24 -----------------------------

2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrpamp.exe
2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrnlmp.exe
2007-10-23 19:14:31 0 d-------- C:\WINDOWS\ERUNT
2007-10-22 20:53:33 0 d-------- C:\91abc3f5e86774baf905
2007-10-22 18:04:31 0 d-------- C:\Program Files\Trend Micro
2007-10-22 16:57:02 0 d-------- C:\Program Files\RegistryFix
2007-10-21 16:47:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 16:36:37 0 d-------- C:\47999ed27b6b3619973bc500e450a97a
2007-10-21 16:32:18 0 d-------- C:\7262a8ee43e7f36fa7edf0
2007-10-20 18:23:09 0 d-------- C:\WINDOWS\system32\SYSTEM32
2007-10-20 18:22:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\WINDOWS
2007-10-20 18:22:48 0 d-------- C:\WINDOWS\system32\Cache
2007-10-20 18:22:39 0 d-------- C:\WINDOWS\system32\Logfiles
2007-10-20 16:02:09 0 d-------- C:\Program Files\Support Tools
2007-10-20 14:29:53 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Lavasoft
2007-10-20 14:29:35 0 d-------- C:\Program Files\Lavasoft
2007-10-20 10:43:44 61952 --a------ C:\WINDOWS\system32\nabapi32.dll <Not Verified; Netscape Communications Corporation; Netscape Communications Address Book API>
2007-10-20 10:43:27 633555 --a------ C:\WINDOWS\cd32.exe
2007-10-20 10:42:48 0 d-------- C:\Program Files\Netscape
2007-10-20 10:41:59 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-10-20 09:58:38 0 d-------- C:\Inetpub
2007-10-19 13:29:35 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-09-30 00:13:22 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Empire XP
2007-09-29 12:06:04 0 d-------- C:\Program Files\TVUPlayer
2007-09-28 12:46:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\AdobeUM


-- Find3M Report ---------------------------------------------------------------

2007-10-20 22:08:07 33914 --a------ C:\WINDOWS\nsreg.dat
2007-10-20 18:26:34 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Adobe
2007-10-20 18:23:03 0 d-------- C:\Program Files\Maxis
2007-10-20 18:23:03 0 d-------- C:\Program Files\JoWooD
2007-10-20 18:23:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-20 18:23:03 0 d-------- C:\Program Files\Infogrames
2007-09-30 00:08:28 0 d-------- C:\Program Files\Common Files
2007-09-29 23:45:33 0 d-------- C:\Program Files\Red Storm Entertainment
2007-09-28 12:45:27 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Real
2007-09-22 16:22:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\SopCast
2007-09-19 20:55:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\TVU Networks
2007-09-19 17:17:15 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Skype
2007-09-16 09:49:15 33600 --a------ C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\GDIPFONTCACHEV1.DAT
2007-09-15 19:31:21 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Help
2007-09-15 17:37:14 274432 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-09-14 23:48:23 0 d-------- C:\Program Files\Office10
2007-09-14 21:54:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\DivX
2007-09-14 20:53:42 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Macromedia
2007-09-14 20:53:33 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Google
2007-09-14 20:50:23 0 dr-h----- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\yahoo!
2007-09-14 18:22:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Identities
2007-09-12 19:00:48 244448 --a------ C:\WINDOWS\system32\eb51704c.sys
2007-09-12 18:41:10 244448 --a------ C:\WINDOWS\system32\2ba079ec.sys
2007-09-12 17:08:53 244448 --a------ C:\WINDOWS\system32\c4a674d2.sys
2007-09-12 16:11:26 244448 --a------ C:\WINDOWS\system32\b4e8ede8.sys
2007-09-12 13:19:11 244448 --a------ C:\WINDOWS\system32\7714b2d6.sys
2007-09-12 11:18:03 244448 --a------ C:\WINDOWS\system32\8ea95e8a.sys
2007-09-12 10:39:10 244448 --a------ C:\WINDOWS\system32\1f17d506.sys
2007-09-12 00:07:26 244448 --a------ C:\WINDOWS\system32\42617506.sys
2007-09-10 01:03:08 0 d-------- C:\Program Files\MSN Messenger
2007-09-09 14:22:12 0 d-------- C:\Program Files\Messenger
2007-09-08 16:00:36 0 d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-08 14:37:47 0 d-------- C:\Program Files\RogueRemover PRO
2007-09-08 13:31:10 0 d-------- C:\Program Files\Movie Maker
2007-09-08 13:22:06 0 d-------- C:\Program Files\Windows NT
2007-08-31 20:32:00 0 d-------- C:\Program Files\MSECache


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFG1400U"="Cfg1400U.exe" []
"mouseElf"="C:\PROGRA~1\TWINTO~1\MouseElf.EXE" [2004-08-26 02:45]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2006-10-22 12:22]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2006-10-22 12:22]
"Audio Device Manager"="winfp.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2006-09-05 18:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-03 13:57]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-09-15 17:37]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B778645D-B2A0-48E5-8E43-04B02CA3EA9D}"= C:\WINDOWS\Help\425D8586.DLL [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-10-24 17:15:19 ------------
 
extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Celeron(R) CPU 1.80GHz
Percentage of Memory in Use: 73%
Physical Memory (total/avail): 255.48 MiB / 67.35 MiB
Pagefile Memory (total/avail): 617.09 MiB / 344 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1937.19 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 29.3 GiB total, 14.58 GiB free.
D: is Fixed (FAT32) - 26.58 GiB total, 1.26 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD600BB-00CAA1 - 55.9 GiB - 2 partitions
\PARTITION0 (bootable) - Namestljiv datotečni sistem (IFS) - 29.3 GiB - C:
\PARTITION1 - Razširjeno z/razširjeno prekinitvijo 13 - 26.6 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: NOD32 protivirusni sistem 2.51 v2.51 (Eset)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Oddaljena pomoč – Windows Messenger in Voice"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MATEJA-KNV8BCJW
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\mateja.MATEJA-KNV8BCJW
LOGONSERVER=\\MATEJA-KNV8BCJW
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Ulead Systems\DVD;C:\Program Files\Support Tools;C:\BITWARE\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 1 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0103
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\MATEJA~1.MAT\LOKALN~1\Temp
TMP=C:\DOCUME~1\MATEJA~1.MAT\LOKALN~1\Temp
USERDOMAIN=MATEJA-KNV8BCJW
USERNAME=mateja
USERPROFILE=C:\Documents and Settings\mateja.MATEJA-KNV8BCJW
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

mateja.MATEJA-KNV8BCJW (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adaptec ASPI XP v4.71.1 --> C:\PROGRA~1\ADAPTE~1.1\UNWISE.EXE C:\PROGRA~1\ADAPTE~1.1\INSTALL.LOG
Adobe Acrobat 4.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
ADSL --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\SiOL\ADSL\Uninst.isu" -c"C:\Program Files\SiOL\ADSL\NTSUninstall.dll"
Ahead Nero - Burning Rom --> C:\WINDOWS\UNNERO.exe /UNINSTALL
Apple Software Update --> MsiExec.exe /I{55FA89BD-21D3-42F7-9249-C94C0094A83C}
BSPlayer (remove only) --> "C:\Program Files\BSPlayer\uninstall-bsplay.EXE"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Debugging Tools for Windows --> MsiExec.exe /I{D59967FF-4DCC-4695-BCD9-FA47B94047D6}
DivX 5.0.2 Pro Bundle --> C:\WINDOWS\unvise32.exe C:\Program Files\DivX\uninstal.log
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Empire XP 4.1 --> MsiExec.exe /I{7E361A7F-F272-472F-8EA3-55F4318C530A}
Futuremark Measurement Services Client --> RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msc3.inf,DefaultUninstall,5
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
IAS_3_0 --> C:\Program Files\IAS_3_0\UnInstal.exe
IL-2 Sturmovik --> C:\WINDOWS\UbiSoft\SetupUbi.exe -uninstall IL-2 Sturmovik
iTunes --> MsiExec.exe /I{885894A5-BA0A-460E-AB4C-96C5C9B2C5E2}
K-Lite Codec Pack 2.81 Basic --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Microsoft Office XP Professional --> MsiExec.exe /I{90110424-6000-11D3-8CFE-0050048383C9}
Microsoft Office XP Web Components --> MsiExec.exe /I{90260424-6000-11D3-8CFE-0050048383C9}
Microsoft PowerPoint Viewer 97 --> C:\Program Files\PowerPoint Viewer\setup\setup.exe
Microsoft Producer for Microsoft Office PowerPoint 2003 --> MsiExec.exe /I{155FBB0D-0EE9-42D1-9E41-E5E08F691033}
Mp3 To Wave Converter 1.19 --> C:\PROGRA~1\MP3TOW~1\UNWISE.EXE C:\PROGRA~1\MP3TOW~1\INSTALL.LOG
NOD32 FiX v1.9 --> "C:\Program Files\Eset\unins000.exe"
NOD32 protivirusni sistem --> C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
Popotnik --> MsiExec.exe /I{FAB5BF39-0F99-4A5C-8998-6BBFEECDCB43}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RegistryFix v6.2 --> "C:\Program Files\RegistryFix\unins000.exe"
SAGEM F@st 3344 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3FC77CBA-4DFA-4C98-8AD7-F412E9BD46F7}\setup.exe" -l0x24
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Skype 3.1 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype add-on for IE --> rundll32 "C:\Program Files\Skype\Phone\IEPlugin\SkypeIEPlugin.dll",FriendlyUnregisterServer 0
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SopCore 1.1.1 --> C:\Program Files\SopCast\uninst.exe
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Telefonski imenik Slovenije Jesen 2003 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\TIS Jesen 2003\Uninstall\tsetup.dat"
TVAnts 1.0 --> C:\PROGRA~1\TVAnts\UNWISE.EXE C:\PROGRA~1\TVAnts\INSTALL.LOG
TVUPlayer 2.3.2.52 --> C:\Program Files\TVUPlayer\uninst.exe
TwinTouch LuxeMate --> C:\Program Files\TwinTouch LuxeMate\Setup.exe /Uninstall
VIA NICSET --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\VIA\NICSET\Uninst_VNIC.isu" -c"C:\Program Files\VIA\NICSET\VNICu.dll"
VIA Vinyl Audio Codecs Driver Setup Program --> RunDll32.exe UnAudioNT.dll,UninstallAudio C:\WINDOWS\IsUninst.exe -y-f"C:\PROGRA~1\VIAudioi\SBASetup\Uninst.isu"
Windows Live Messenger --> MsiExec.exe /I{C8DA0188-480B-498D-BA6E-1C415B0458A3}
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Support Tools --> MsiExec.exe /I{8398B542-3CC4-44D9-83DF-696CCE70124B}
WinRAR arhiver --> C:\Program Files\WinRAR\uninstall.exe
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe
XviD Video Codec 04102002-1 (Koepi's build with EPSZ ME) --> "C:\Program Files\XviD\UninstXviD.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\System32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail --> C:\WINDOWS\System32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type283 / Warning
Event Submitted/Written: 10/24/2007 10:53:59 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
Parametra »TraceLevel« ni v registru;
Privzeta raven sledenja je 32.

Event Record #/Type282 / Warning
Event Submitted/Written: 10/24/2007 10:53:59 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
Parametra »TraceFileName« ni v registru;
Privzeta datoteka za sledenje je .

Event Record #/Type278 / Warning
Event Submitted/Written: 10/24/2007 10:37:46 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
Parametra »TraceLevel« ni v registru;
Privzeta raven sledenja je 32.

Event Record #/Type277 / Warning
Event Submitted/Written: 10/24/2007 10:37:46 AM
Event ID/Source: 1003 / EvntAgnt
Event Description:
Parametra »TraceFileName« ni v registru;
Privzeta datoteka za sledenje je .

Event Record #/Type273 / Warning
Event Submitted/Written: 10/24/2007 10:34:54 AM
Event ID/Source: 1015 / EvntAgnt
Event Description:
Parametra »TraceLevel« ni v registru;
Privzeta raven sledenja je 32.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2440 / Error
Event Submitted/Written: 10/23/2007 06:34:41 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
NVIDIA Display Driver Service storitev se je nepričakovano prekinila. To je storila 1 krat.

Event Record #/Type2439 / Error
Event Submitted/Written: 10/23/2007 06:34:41 PM
Event ID/Source: 7003 / Service Control Manager
Event Description:
Simple Mail Transfer Protocol (SMTP) storitev je odvisna od te neobstoječe storitve: IISADMIN

Event Record #/Type2437 / Warning
Event Submitted/Written: 10/23/2007 06:33:47 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Vaš računalnik je samodejno konfiguriral IP naslov za omrežno
kartico z omrežnim naslovom 444553547777. Uporabljen IP naslov je 169.254.47.253.

Event Record #/Type2430 / Warning
Event Submitted/Written: 10/23/2007 03:21:59 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP je dosegel varnostno omejitev za število poskusov vzpostavitve hkratne TCP povezave.

Event Record #/Type2429 / Warning
Event Submitted/Written: 10/23/2007 01:19:33 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP je dosegel varnostno omejitev za število poskusov vzpostavitve hkratne TCP povezave.



-- End of Deckard's System Scanner: finished at 2007-10-24 17:15:19 ------------
 
Hi

Press Start->Run, copy/paste the following command into the box and press OK:
Quote:
cmd /c dir C:\*.* /L /A /B /S|Find "C:\WINDOWS\system32\ntkrpamp.exe" >> "%userprofile%\desktop\look.txt"

After that:

Press Start->Run, copy/paste the following command into the box and press OK:
Quote:
cmd /c dir C:\*.* /L /A /B /S|Find "C:\WINDOWS\system32\ntkrnlmp.exe" >> "%userprofile%\desktop\look2.txt"

Files called look.txt and look2.txt should appear on your Desktop. Please post the contents of those files.
 
Hi

What is Desktop in your language?

Namizje?

If so, please replace Desktop with Namizje in my instructions and try again, please :)

I mean in here:

"%userprofile%\desktop\look.txt"

"%userprofile%\desktop\look2.txt"
 
Hi
Yes, desktop= namizje in Slovenian language:)

I tried with namizje but its still the same. Just black window.
 
Hi

Then do this:

Please do a search:
  • Go "Start">"Search">"All Files and Folders"
  • Enter ntkrpamp.exe in "All or part of file name"
  • Select "More advanced options"
  • Check-mark "Search System Folders", "Search hidden files and folders", and "Search subfolders".
  • Click "Search".
  • Repeat step for ntkrnlmp.exe

Post back results :)
 
You must log in or register to reply here.
Back
Top