Trojans in my PC - Win32/Rootkit.Agent.DP

Hi
=====================

"C:\WINDOWS\System32\ntoskrnl.exe" .... is present
"C:\WINDOWS\System32\ntoskrnl.exe" ... is patched

Files found ....
2007-09-12 10:41=2271722=C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 11:55=2182144=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2007-02-28 11:10=2180352=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2005-03-02 03:33=2040832=C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2005-03-02 03:04=2179456=C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2005-03-02 02:59=2179328=C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntoskrnl.exe
2005-03-02 02:59=2179328=C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2005-03-02 02:59=2179328=C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2004-08-04 08:19=2180992=C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe

0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows Publisher C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe

Število prekopiranih datotek: 0
=====================

"C:\WINDOWS\System32\ntkrnlpa.exe" .... is present
"C:\WINDOWS\System32\ntkrnlpa.exe" ... is patched

Files found ....
2007-09-12 10:41=2149226=C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 11:15=2059392=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntkrnlpa.exe
2007-02-28 10:38=2057600=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
2005-03-02 02:36=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2005-03-02 02:36=1955840=C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2005-03-02 02:34=2056832=C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
2005-03-02 02:34=2056832=C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2005-03-02 02:34=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2004-08-04 07:58=2056832=C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe

0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe

Število prekopiranih datotek: 0
0x00000000 Microsoft Windows Publisher C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe

Število prekopiranih datotek: 0
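The "Files found" block in the log above is what the helper reads before concluding that the live kernel is patched: the copy in System32 is larger than every backup copy Windows keeps (Driver Cache, ServicePackFiles, $hf_mig$, SoftwareDistribution) and is dated later than all of them. The script below is an added example, not the Ntoskrnl_check tool's own code. It parses lines of that date=size=path form, accepting both the ISO date style of this log and the dd.mm.yyyy style that appears later in the thread, separates the live copy under C:\WINDOWS\system32 from the backups, and reports a live copy whose size matches none of them. The sample lines embedded in it are the ntoskrnl.exe entries from the log above; treating C:\WINDOWS\system32 as the only live location is an assumption of the example.

```python
"""Triage a Ntoskrnl_check-style "Files found" listing (added example)."""
import re
from datetime import datetime

# Sample input: the ntoskrnl.exe "Files found" lines from the first log in this thread.
SAMPLE_LOG = r"""
Files found ....
2007-09-12 10:41=2271722=C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 11:55=2182144=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntoskrnl.exe
2007-02-28 11:10=2180352=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntoskrnl.exe
2005-03-02 03:33=2040832=C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2005-03-02 03:04=2179456=C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2005-03-02 02:59=2179328=C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 08:19=2180992=C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
"""

# date=size=path; the date part is "YYYY-MM-DD HH:MM" or "DD.MM.YYYY HH:MM" in this thread
LINE_RE = re.compile(r"^(?P<date>\S+ \d\d:\d\d)=(?P<size>\d+)=(?P<path>.+)$")
DATE_FORMATS = ("%Y-%m-%d %H:%M", "%d.%m.%Y %H:%M")

# Assumption of this example: the copy Windows boots from sits directly in System32.
LIVE_DIR = r"c:\windows\system32"


def parse_date(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {text!r}")


def parse_files_found(text):
    """Return one dict per date=size=path line; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"date": parse_date(m["date"]),
                            "size": int(m["size"]),
                            "path": m["path"]})
    return entries


def is_live_copy(path):
    parent = path.lower().rsplit("\\", 1)[0]
    return parent == LIVE_DIR


def triage(entries):
    """Flag each live copy whose size matches no backup copy at all."""
    live = [e for e in entries if is_live_copy(e["path"])]
    backups = [e for e in entries if not is_live_copy(e["path"])]
    if not live or not backups:
        return []
    backup_sizes = {b["size"] for b in backups}
    newest_backup = max(b["date"] for b in backups)
    findings = []
    for e in live:
        if e["size"] not in backup_sizes:
            findings.append({
                "path": e["path"],
                "size": e["size"],
                "size_matches_backup": False,
                "newer_than_backups": e["date"] > newest_backup,
                "largest_backup": max(backup_sizes),
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_files_found(SAMPLE_LOG)):
        print(f"{f['path']}: {f['size']} bytes, no backup of that size "
              f"(largest backup {f['largest_backup']}), newer than every backup: {f['newer_than_backups']}")
```

A size that matches no backup is a cue, not a verdict; the helper in this thread still relies on the tool's signature check ("is authentic") before and after the replacement, and this script only reproduces the first step of that reasoning.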
 
Hi

Yes, ntoskrnl.exe is patched too, as expected.

Copy text below to Notepad and save it as listfiles.bat (save it as all files, *.*)

@ECHO OFF
dir %WinDir%\system32\nt*.*, sno.* /a h /s > files2.txt
start notepad files2.txt

It should look like this -> (screenshot attachment: bat.JPG)


Double-click listfiles.bat; a black DOS window will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here with screenshots.)

Post the contents of the files2.txt file that opens.
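The batch file above is a recursive directory listing of nt* names under System32; what the helper looks for in the result is the kind of thing the reply later shows: zero-byte files with kernel-like names (ntkrnlmp.exe, ntkrpamp.exe) and the same file name appearing in more than one directory with different sizes (ntdll.dll under System32 and again under a nested System32\SYSTEM32). The script below is an added example, not the batch file or any tool from the thread. It walks a directory the way the listing does and applies those two checks. It builds a constructed stand-in tree in a temporary directory so it runs anywhere; the file sizes in that tree are invented, only the names and layout follow the listing in this thread.

```python
"""Recursive nt* listing with the two checks a helper reads off it (added example)."""
import os
import tempfile
from collections import defaultdict
from datetime import datetime

BINARY_EXT = {".exe", ".sys", ".dll"}


def list_nt_files(root):
    """Walk root like `dir nt*.* /s`: every file whose name starts with nt, in every
    subdirectory, with its size and modification time."""
    listing = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().startswith("nt"):
                full = os.path.join(dirpath, name)
                st = os.stat(full)
                listing.append((full, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return listing


def zero_byte_binaries(listing):
    """Zero-byte .exe/.sys/.dll entries: a kernel image is never empty, so an empty
    ntkrnlmp.exe or ntkrpamp.exe deserves a second look."""
    return sorted(p for p, size, _ in listing
                  if size == 0 and os.path.splitext(p)[1].lower() in BINARY_EXT)


def name_collisions(listing):
    """Same file name (case-insensitive) in more than one directory with differing
    sizes, e.g. ntdll.dll in System32 and NTDLL.DLL in a nested System32\\SYSTEM32."""
    by_name = defaultdict(list)
    for path, size, _ in listing:
        by_name[os.path.basename(path).lower()].append((path, size))
    return {name: hits for name, hits in by_name.items()
            if len(hits) > 1 and len({s for _, s in hits}) > 1}


def build_sample_tree():
    """Constructed stand-in for C:\\WINDOWS\\system32 so the example runs offline.
    Sizes are invented; names and layout follow the listing posted in the thread."""
    base = tempfile.mkdtemp(prefix="system32_")
    files = {
        "ntoskrnl.exe": b"K" * 2048,
        "ntdll.dll": b"D" * 1024,
        "ntkrnlmp.exe": b"",                                  # zero-byte, as in the listing
        "ntkrpamp.exe": b"",                                  # zero-byte, as in the listing
        "kernel32.dll": b"X" * 512,                           # not an nt* name: must not be listed
        os.path.join("dllcache", "ntfs.sys"): b"F" * 700,
        os.path.join("SYSTEM32", "NTDLL.DLL"): b"d" * 900,    # nested copy with a different size
    }
    for rel, data in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    listing = list_nt_files(root)
    for path, size, mtime in listing:
        print(f"{mtime:%d.%m.%Y %H:%M} {size:>10} {os.path.relpath(path, root)}")
    print("zero-byte binaries:", [os.path.relpath(p, root) for p in zero_byte_binaries(listing)])
    print("name collisions:", {n: [s for _, s in h] for n, h in name_collisions(listing).items()})
```

Point it at a real System32 by replacing build_sample_tree() with that path; the checks are the same. Neither finding is proof of anything on its own, but in this thread both turned out to matter: SDFix later deleted the two zero-byte files as trojan files.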
 
Hi

Nosilec v pogonu C nima oznake.
Serijska številka nosilca je DC7D-B29B

Imenik: C:\WINDOWS\system32

04.08.2004 09:56 1.200.128 ntbackup.exe
04.08.2004 09:56 708.096 ntdll.dll
23.08.2001 14:00 27.866 ntdos.sys
23.08.2001 14:00 29.146 ntdos404.sys
23.08.2001 14:00 29.370 ntdos411.sys
23.08.2001 14:00 29.274 ntdos412.sys
23.08.2001 14:00 29.146 ntdos804.sys
04.08.2004 09:56 67.072 ntdsapi.dll
23.08.2001 14:00 26.112 ntdsbcli.dll
21.07.2001 14:23 773 ntfsdrct.h
21.07.2001 14:23 1.037 ntfsdrct.ini
23.08.2001 14:00 48.794 ntimage.gif
04.08.2004 07:45 33.840 ntio.sys
04.08.2004 07:45 34.560 ntio404.sys
04.08.2004 07:45 35.648 ntio411.sys
04.08.2004 07:45 35.424 ntio412.sys
04.08.2004 07:45 34.560 ntio804.sys
23.10.2007 19:45 0 ntkrnlmp.exe
12.09.2007 10:41 2.149.226 ntkrnlpa.exe
23.10.2007 19:45 0 ntkrpamp.exe
04.08.2004 09:56 43.520 ntlanman.dll
23.08.2001 14:00 57.856 ntlanui.dll
23.08.2001 14:00 14.336 ntlanui2.dll
04.08.2004 09:56 8.192 ntlsapi.dll
04.08.2004 09:56 118.784 ntmarta.dll
04.08.2004 09:56 40.960 ntmsapi.dll
13.08.2007 11:55 <DIR> NtmsData
04.08.2004 09:56 179.712 ntmsdba.dll
23.08.2001 14:00 36.864 ntmsevt.dll
04.08.2004 09:56 488.448 ntmsmgr.dll
23.08.2001 14:00 26.209 ntmsmgr.msc
23.08.2001 14:00 32.968 ntmsoprq.msc
04.08.2004 09:56 435.200 ntmssvc.dll
12.09.2007 10:41 2.271.722 ntoskrnl.exe
04.08.2004 09:56 91.136 ntprint.dll
23.08.2001 14:00 31.744 ntsd.exe
23.08.2001 14:00 36.864 ntsdexts.dll
04.08.2004 09:56 143.872 ntshrui.dll
12.09.2002 17:29 6.016 ntsim.sys
04.08.2004 09:56 419.840 ntvdm.exe
23.08.2001 14:00 13.312 ntvdmd.dll
40 datotek 9.017.627 bajtov

Imenik: C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

04.08.2004 10:58 2.012.670 nt5.cat
23.08.2001 14:00 797.189 NT5IIS.CAT
04.08.2004 10:58 502.724 nt5inf.cat
04.08.2004 10:57 1.086.058 ntprint.cat
4 datotek 4.398.641 bajtov

Imenik: C:\WINDOWS\system32\config\systemprofile

23.07.2006 17:26 262.144 ntuser.dat
24.10.2007 10:49 1.024 ntuser.dat.LOG
2 datotek 263.168 bajtov

Imenik: C:\WINDOWS\system32\dllcache

23.08.2001 14:00 797.189 NT5IIS.CAT
23.08.2001 14:00 27.866 ntdos.sys
23.08.2001 14:00 29.146 ntdos404.sys
23.08.2001 14:00 29.370 ntdos411.sys
23.08.2001 14:00 29.274 ntdos412.sys
23.08.2001 14:00 29.146 ntdos804.sys
23.08.2001 14:00 26.112 ntdsbcli.dll
09.02.2007 13:10 574.464 ntfs.sys
23.08.2001 14:00 57.856 ntlanui.dll
23.08.2001 14:00 14.336 ntlanui2.dll
23.08.2001 14:00 36.864 ntmsevt.dll
23.08.2001 14:00 31.744 ntsd.exe
23.08.2001 14:00 36.864 ntsdexts.dll
23.08.2001 14:00 13.312 ntvdmd.dll
14 datotek 1.733.543 bajtov

Imenik: C:\WINDOWS\system32\drivers

09.02.2007 13:10 574.464 ntfs.sys
04.08.2004 07:41 180.360 ntmtlfax.sys
12.12.2001 16:28 161.512 ntspppoe.sys
3 datotek 916.336 bajtov

Imenik: C:\WINDOWS\system32\inetsrv

17.08.2001 22:36 38.912 ntfsdrv.dll
1 datotek 38.912 bajtov

Imenik: C:\WINDOWS\system32\NtmsData

13.08.2007 11:55 114.688 NTMSDATA
13.08.2007 11:55 114.688 NTMSDATA.BAK
13.08.2007 11:55 86.024 NTMSIDX
14.07.2006 21:55 816 NTMSREG
4 datotek 316.216 bajtov

Imenik: C:\WINDOWS\system32\Setup

04.08.2004 09:56 62.976 ntoc.dll
1 datotek 62.976 bajtov

Imenik: C:\WINDOWS\system32\spool\drivers\color

17.07.2002 02:15 556 NTSC1953.icc
1 datotek 556 bajtov

Imenik: C:\WINDOWS\system32\SYSTEM32

29.08.2002 05:40 668.672 NTDLL.DLL
1 datotek 668.672 bajtov

Imenik: C:\WINDOWS\system32\wbem

04.08.2004 09:56 212.992 ntevt.dll
23.08.2001 14:00 20.544 ntevt.mfl
23.08.2001 14:00 29.762 ntevt.mof
3 datotek 263.298 bajtov

Imenik: C:\WINDOWS\system32\wbem\Logs

22.07.2006 18:58 2 NTEVT.log
1 datotek 2 bajtov

Imenik: C:\WINDOWS\system32\wbem\MUI\0424

25.01.2002 17:26 20.232 ntevt.mfl
1 datotek 20.232 bajtov
 
Hi

Boot in safe mode

Go to Start > Run, and in the Open area, copy/paste the following:
C:\WINDOWS\SYSTEM32
Look for the file: ntoskrnl.exe
Right-click ntoskrnl.exe
Select: Rename
Rename the file to ntoskrnl.exe.nuk

Then, search for: C:\WINDOWS\Driver Cache\i386
Look for: ntoskrnl.exe, and right-click it
Select: Copy
Then paste the file to the following folder:
C:\WINDOWS\SYSTEM32

If you are able to do all of the above without any problems, then delete the following file:
C:\WINDOWS\SYSTEM32\ntoskrnl.exe.nuk

Reboot

Re-run Ntoskrnl_check.exe

Post Ntoskrnl_check.exe log here.
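The steps above are a careful manual restore: the live file is set aside under a .nuk name rather than deleted, a backup copy from Driver Cache is put in its place, and the .nuk copy is removed only once everything else went without problems. The script below is an added example, not the helper's tool and not something the thread ran; it performs the same sequence on two file paths and adds the check a practitioner would want in between: the new live file must hash identically to the backup it came from before the set-aside copy is deleted, and if it does not, the original is put back. Paths are constructed in a temporary directory so the example runs anywhere; the file contents are invented stand-ins for a patched and a clean image.

```python
"""Restore a file from a backup copy, verifying the result by hash (added example)."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_from_backup(live_path, backup_path, aside_suffix=".nuk"):
    """The thread's manual steps, in order: rename the live copy aside, copy the backup
    into its place, and delete the aside copy only when the new live file matches."""
    before = sha256_of(live_path)
    wanted = sha256_of(backup_path)
    if before == wanted:
        # already identical to the backup: nothing to replace
        return {"changed": False, "before": before, "after": before, "backup": wanted}
    aside = live_path + aside_suffix
    os.replace(live_path, aside)               # ntoskrnl.exe -> ntoskrnl.exe.nuk
    shutil.copy2(backup_path, live_path)       # paste the Driver Cache copy into System32
    after = sha256_of(live_path)
    if after != wanted:
        os.replace(aside, live_path)           # copy did not land intact: put the original back
        raise RuntimeError("restored file does not match the backup; original put back")
    os.remove(aside)                           # only now delete the .nuk copy
    return {"changed": True, "before": before, "after": after, "backup": wanted}


def aside_left_behind(live_path, aside_suffix=".nuk"):
    return os.path.exists(live_path + aside_suffix)


def make_sample_files():
    """Constructed stand-ins: a 'patched' live file and a 'clean' backup copy, laid out
    like System32 and Driver Cache\\i386 under a temporary directory."""
    base = tempfile.mkdtemp(prefix="kernelfix_")
    live = os.path.join(base, "system32", "ntoskrnl.exe")
    backup = os.path.join(base, "Driver Cache", "i386", "ntoskrnl.exe")
    for path, data in ((live, b"MZ" + b"\x90" * 64 + b"PATCHED"),
                       (backup, b"MZ" + b"\x90" * 64 + b"CLEAN")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return live, backup


if __name__ == "__main__":
    live, backup = make_sample_files()
    print(restore_from_backup(live, backup))
    print("aside copy left behind:", aside_left_behind(live))
```

On a real Windows XP machine the live kernel is in use and System32 is watched by Windows File Protection, which is why the thread does this in safe mode by hand. The hash equality only proves that the new live file is the backup you chose; whether that backup itself is clean is what the Ntoskrnl_check signature result ("is authentic") answers, and the helper asks for that log again after the reboot for exactly that reason.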
 
Hi
I did it without problems :)


=====================

"C:\WINDOWS\System32\ntoskrnl.exe" .... is present
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\System32\ntoskrnl.exe

"C:\WINDOWS\System32\ntoskrnl.exe" ... is authentic

=====================

"C:\WINDOWS\System32\ntkrnlpa.exe" .... is present
"C:\WINDOWS\System32\ntkrnlpa.exe" ... is patched

Files found ....
28.02.2007 11:15=2059392=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2qfe\ntkrnlpa.exe
28.02.2007 10:38=2057600=C:\WINDOWS\SoftwareDistribution\Download\10e16e65c532d077de7c89a212bd8df8\sp2gdr\ntkrnlpa.exe
12.09.2007 10:41=2149226=C:\WINDOWS\system32\ntkrnlpa.exe
04.08.2004 07:58=2056832=C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
02.03.2005 02:36=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
02.03.2005 02:36=1955840=C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
02.03.2005 02:34=2056832=C:\WINDOWS\SoftwareDistribution\Download\dc3b8fb011c281dea1cb7a45f880da78\sp2gdr\ntkrnlpa.exe
02.03.2005 02:34=2056832=C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
02.03.2005 02:34=2056832=C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe

0x00000000 Microsoft Windows Publisher C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe

Število prekopiranih datotek: 1
0x00000000 Microsoft Windows Publisher C:\WINDOWS\System32\ntkrnlpa.exe

Replacement is successful. File is authentic.
 
Oh, sorry, I found it. I have so many icons on my desktop that I'm a little confused :)

Deckard's System Scanner v20071014.68
Run by mateja on 2007-10-27 14:30:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as mateja.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:41, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\CTFMON.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Namizje\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\mateja.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ceedb9c32ffb05/netzip/RdxIE601.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A401403-500F-4C57-B6BE-FDA1D08079A2}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7793 bytes

-- Files created between 2007-09-27 and 2007-10-27 -----------------------------

2007-10-23 20:16:32 51200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrpamp.exe
2007-10-23 19:45:47 0 -----n--- C:\WINDOWS\system32\ntkrnlmp.exe
2007-10-23 19:14:31 0 d-------- C:\WINDOWS\ERUNT
2007-10-22 20:53:33 0 d-------- C:\91abc3f5e86774baf905
2007-10-22 18:04:31 0 d-------- C:\Program Files\Trend Micro
2007-10-22 16:57:02 0 d-------- C:\Program Files\RegistryFix
2007-10-21 16:47:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-21 16:36:37 0 d-------- C:\47999ed27b6b3619973bc500e450a97a
2007-10-21 16:32:18 0 d-------- C:\7262a8ee43e7f36fa7edf0
2007-10-20 18:23:09 0 d-------- C:\WINDOWS\system32\SYSTEM32
2007-10-20 18:22:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\WINDOWS
2007-10-20 18:22:48 0 d-------- C:\WINDOWS\system32\Cache
2007-10-20 18:22:39 0 d-------- C:\WINDOWS\system32\Logfiles
2007-10-20 16:02:09 0 d-------- C:\Program Files\Support Tools
2007-10-20 14:29:53 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Lavasoft
2007-10-20 14:29:35 0 d-------- C:\Program Files\Lavasoft
2007-10-20 10:43:44 61952 --a------ C:\WINDOWS\system32\nabapi32.dll <Not Verified; Netscape Communications Corporation; Netscape Communications Address Book API>
2007-10-20 10:43:27 633555 --a------ C:\WINDOWS\cd32.exe
2007-10-20 10:42:48 0 d-------- C:\Program Files\Netscape
2007-10-20 10:41:59 299520 --a------ C:\WINDOWS\uninst.exe <Not Verified; InstallShield Corporation, Inc.; InstallShield unInstaller>
2007-10-20 09:58:38 0 d-------- C:\Inetpub
2007-10-19 13:29:35 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-09-30 00:13:22 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Empire XP
2007-09-29 12:06:04 0 d-------- C:\Program Files\TVUPlayer
2007-09-28 12:46:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\AdobeUM


-- Find3M Report ---------------------------------------------------------------

2007-10-20 22:08:07 33914 --a------ C:\WINDOWS\nsreg.dat
2007-10-20 18:26:34 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Adobe
2007-10-20 18:23:03 0 d-------- C:\Program Files\Maxis
2007-10-20 18:23:03 0 d-------- C:\Program Files\JoWooD
2007-10-20 18:23:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-20 18:23:03 0 d-------- C:\Program Files\Infogrames
2007-09-30 00:08:28 0 d-------- C:\Program Files\Common Files
2007-09-29 23:45:33 0 d-------- C:\Program Files\Red Storm Entertainment
2007-09-28 12:45:27 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Real
2007-09-22 16:22:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\SopCast
2007-09-19 20:55:49 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\TVU Networks
2007-09-19 17:17:15 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Skype
2007-09-16 09:49:15 33600 --a------ C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\GDIPFONTCACHEV1.DAT
2007-09-15 19:31:21 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Help
2007-09-15 17:37:14 274432 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-09-14 23:48:23 0 d-------- C:\Program Files\Office10
2007-09-14 21:54:26 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\DivX
2007-09-14 20:53:42 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Macromedia
2007-09-14 20:53:33 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Google
2007-09-14 20:50:23 0 dr-h----- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\yahoo!
2007-09-14 18:22:31 0 d-------- C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Application Data\Identities
2007-09-12 19:00:48 244448 --a------ C:\WINDOWS\system32\eb51704c.sys
2007-09-12 18:41:10 244448 --a------ C:\WINDOWS\system32\2ba079ec.sys
2007-09-12 17:08:53 244448 --a------ C:\WINDOWS\system32\c4a674d2.sys
2007-09-12 16:11:26 244448 --a------ C:\WINDOWS\system32\b4e8ede8.sys
2007-09-12 13:19:11 244448 --a------ C:\WINDOWS\system32\7714b2d6.sys
2007-09-12 11:18:03 244448 --a------ C:\WINDOWS\system32\8ea95e8a.sys
2007-09-12 10:39:10 244448 --a------ C:\WINDOWS\system32\1f17d506.sys
2007-09-12 00:07:26 244448 --a------ C:\WINDOWS\system32\42617506.sys
2007-09-10 01:03:08 0 d-------- C:\Program Files\MSN Messenger
2007-09-09 14:22:12 0 d-------- C:\Program Files\Messenger
2007-09-08 16:00:36 0 d-------- C:\Program Files\Common Files\Ulead Systems
2007-09-08 14:37:47 0 d-------- C:\Program Files\RogueRemover PRO
2007-09-08 13:31:10 0 d-------- C:\Program Files\Movie Maker
2007-09-08 13:22:06 0 d-------- C:\Program Files\Windows NT
2007-08-31 20:32:00 0 d-------- C:\Program Files\MSECache


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFG1400U"="Cfg1400U.exe" []
"mouseElf"="C:\PROGRA~1\TWINTO~1\MouseElf.EXE" [26.08.2004 02:45]
"nwiz"="nwiz.exe" [22.10.2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [22.10.2006 12:22]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [22.10.2006 12:22]
"Audio Device Manager"="winfp.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12.09.2006 01:58]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [05.09.2006 18:28]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [03.01.2007 13:57]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [15.09.2007 17:37]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.08.2004 09:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [30.11.2006 22:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B778645D-B2A0-48E5-8E43-04B02CA3EA9D}"= C:\WINDOWS\Help\425D8586.DLL [ ]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-10-27 14:31:43 ------------
 
Hi

Open HijackThis, click "Do a system scan only" and checkmark these:

O4 - HKLM\..\Run: [Audio Device Manager] winfp.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/262623ce...p/RdxIE601.cab


Close all windows, including your browser, and press "Fix checked".

Reboot.

Re-run Ntoskrnl_check.exe

Post Ntoskrnl_check.exe log here with a fresh HijackThis log.
 
Hi

=====================

"C:\WINDOWS\System32\ntoskrnl.exe" .... is present
0x00000000 Microsoft Windows XP Publisher C:\WINDOWS\System32\ntoskrnl.exe

"C:\WINDOWS\System32\ntoskrnl.exe" ... is authentic

=====================

"C:\WINDOWS\System32\ntkrnlpa.exe" .... is present
0x00000000 Microsoft Windows Publisher C:\WINDOWS\System32\ntkrnlpa.exe

"C:\WINDOWS\System32\ntkrnlpa.exe" ... is authentic

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:59:45, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7317 bytes
 
Hi

SDFix: Version 1.111

Run by mateja on sob 27.10.2007 at 15:30

Microsoft Windows XP [različica 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\NTKRNLMP.EXE - Deleted
C:\WINDOWS\SYSTEM32\NTKRPAMP.EXE - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"="C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe:*:Enabled:Oddaljena pomoč - Windows Messenger in Voice"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\Program Files\\TVAnts\\Tvants.exe"="C:\\Program Files\\TVAnts\\Tvants.exe:*:Enabled:TVAnts"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 2 Jul 2002 16,208 A.SHR --- "C:\Program Files\IAS_3_0\rf32sa.dll"
Mon 30 Oct 2006 8 ..SHR --- "C:\WINDOWS\system32\FA6A3FAFCF.dll"
Thu 7 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sun 5 Nov 2006 3,584 A..H. --- "C:\Documents and Settings\mateja\Local Settings\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe"
Fri 11 Aug 2006 1,401,768 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa6a8b6ef758224c8bfe859aa426f0c7\BIT3.tmp"
Wed 24 Oct 2007 616,448 A.SH. --- "C:\Deckard\System Scanner\20071027143004\backup\WINDOWS\temp\i5u8c15r.TMP"

Finished!

And the HJT log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:50:41, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\TwinTouch LuxeMate\EMouse.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7350 bytes
 
Hi

Looks good :)

Please download ATF Cleaner by Atribune and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Re-scan with Kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
 
Hi Shaba
Here's a HJT logfile. The Kaspersky txt file will be in the next post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:02, on 27.10.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\clipsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TWINTO~1\MouseElf.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [CFG1400U] Cfg1400U.exe -USB -REINIT
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\TWINTO~1\MouseElf.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: http://www.rtvslo.si
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177001410476
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.ville.orange.fr/CO/activex/AxisCamControl.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.11) - http://advisor.futuremark.com/global/msc311.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A401403-500F-4C57-B6BE-FDA1D08079A2}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\PROGRA~1\SiOL\ADSL\app\pppoeservice.exe

--
End of file - 7396 bytes
 
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 9:30:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/10/2007
Kaspersky Anti-Virus database records: 447139
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 89930
Number of viruses found: 23
Number of infected objects: 52
Number of suspicious objects: 0
Duration of the scan process: 04:13:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\History\History.IE5\MSHist012007102720071028\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\Content.IE5\GPP9PRM8\1192696824[1].swf Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFB085.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFB99E.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\Lokalne nastavitve\Temp\~DFB9AB.tmp Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mateja.MATEJA-KNV8BCJW\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped
C:\Program Files\ESET\infected\A3DVCPBA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\FZTOB3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\GXD1GLDA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\KBAKXPBA.NQF Infected: Rootkit.Win32.Agent.dw skipped
C:\Program Files\ESET\infected\M4WZBMAA.NQF Infected: Trojan.Win32.Agent.afg skipped
C:\Program Files\ESET\infected\SUCGN3AA.NQF Infected: Rootkit.Win32.Agent.ey skipped
C:\Program Files\ESET\infected\WPUKKCDA.NQF Infected: Rootkit.Win32.Agent.dp skipped
C:\Program Files\ESET\infected\Z3NIXIBA.NQF Infected: Trojan-Downloader.Win32.Agent.djt skipped
C:\Program Files\ESET\logs\virlog.dat Object is locked skipped
C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped
C:\SDFix\SDFix\backups_old1\backups.zip/backups/mstscex.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\SDFix\SDFix\backups_old1\backups.zip/backups/oleauth32.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\SDFix\SDFix\backups_old1\backups.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0287460.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0289439.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290445.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP426\A0290447.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319502.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319503.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319504.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319507.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319508.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319509.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319510.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319511.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319512.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319513.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319514.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319515.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319516.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319517.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319518.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319519.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319520.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319521.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319522.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319523.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319524.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319525.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319526.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319527.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319528.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP428\A0319529.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0325591.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP429\A0328594.exe Infected: Trojan-Downloader.Win32.Searcher.c skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336692.exe Infected: Trojan.Win32.Agent.bty skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP430\A0336693.exe Infected: Trojan-Proxy.Win32.Wopla.ag skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0438841.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440916.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440917.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440922.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP466\A0440925.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\A0461039.exe Infected: Trojan.Win32.Patched.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\A0461049.exe Infected: Trojan.Win32.Patched.au skipped
C:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\sam Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\security Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5d0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{C529C588-7E28-435D-B08E-8BE64A56E856}\RP469\change.log Object is locked skipped

Scan process completed.
 
Hi

Empty these folders:

C:\Program Files\ESET\infected\
C:\SDFix\SDFix\backups_old1

Empty the Recycle Bin.

All other viruses are in System Restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
 
Hi Shaba
Thank you so much for your help.
Those folders are empty now.
What should I do now?
And what do I have to do in the future to avoid such problems?

And another question... I think it would be good to upgrade my PC from 256 to 512. What's your opinion?
Is it because of that (just 256) that I sometimes get a blue screen?

Although it's raining here in Ljubljana, I feel great, because of you and your help. Thank you again.
 