
cmd.exe process and blocked access to www

2K views 18 replies 2 participants last post by  sjpritch25 
#1 · (Edited)
Hi,

Hopefully I've done everything that I was supposed to do in the first place.

1. Antivirus temporarily disabled.
2. Daemon uninstalled
3. Torrent uninstalled

I've also run chkdsk (no errors) and sfc (no errors).
Additionally I've uninstalled all the programmes that I'm not using currently.

DDS:

DDS (Ver_10-11-01.01) - NTFSx86
Run by Jarekexe at 18:20:21,85 on 2010-11-02
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1033.18.3327.2779 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\ACSPMonitor\ASMonitor.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\AutoConnect\AutoConnect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\svchost77.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\Mozilla Firefox2\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
E:\Download\dds.scr

============== Pseudo HJT Report ===============

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [AutoConnect] c:\program files\autoconnect\AutoConnect.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{C5B77C71-210A-5AF5-F622-78F6E94C2A79}] "c:\documents and settings\jarekexe\application data\othu\abreo.exe"
uRun: [windows ftp3] c:\documents and settings\jarekexe\application data\ft3.exe
uRun: [WindowsUpdateFTP] C:\svchost77.exe
uRun: [Bcazatiyuw] rundll32.exe "c:\windows\nvcmshpt.dll",Startup
uRun: [{C52FEE07-CB99-87E0-BA6E-9EB9C537D538}] "c:\documents and settings\jarekexe\application data\ixyhin\rihu.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
mExplorerRun: [application] c:\program files\acspmonitor\ASMonitor.exe hs
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: {A561FE8E-79C3-45A8-B861-7D4DCF1C24D1} = 62.233.233.233 87.204.204.204
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jarekexe\applic~1\mozilla\firefox\profiles\di1ek9ts.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - google.pl
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\operations\program\plugins\npdsplay.dll
FF - plugin: c:\program files\operations\program\plugins\NPOFF12.DLL
FF - plugin: c:\program files\operations\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\operations\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\operations\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\operations\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\operations\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\operations\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\operations\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\operations\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-6-20 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-6-20 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-6-20 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-6-20 60936]
R2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-3-18 172328]
R4 nltdi;nltdi;\??\c:\windows\system32\drivers\nltdi.sys --> c:\windows\system32\drivers\nltdi.sys [?]
S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2010-10-16 50704]

=============== Created Last 30 ================

2010-11-01 15:00:36 1409 ----a-w- c:\windows\QTFont.for
2010-11-01 14:40:54 -------- d-----w- c:\docume~1\jarekexe\applic~1\Ihuvdo
2010-11-01 14:40:54 -------- d-----w- c:\docume~1\jarekexe\applic~1\Botei
2010-11-01 09:48:31 197120 ----a-w- c:\windows\patchw32.dll
2010-11-01 09:48:31 -------- d-----w- c:\program files\common files\PocketSoft
2010-11-01 09:45:00 -------- d-----w- c:\docume~1\jarekexe\applic~1\Atari
2010-11-01 02:27:58 431104 ----a-w- C:\svchost77.exe
2010-10-29 12:05:45 269824 --sha-r- c:\docume~1\jarekexe\applic~1\ft3.exe
2010-10-28 14:30:16 -------- d-----w- c:\docume~1\jarekexe\applic~1\Othu
2010-10-28 14:30:16 -------- d-----w- c:\docume~1\jarekexe\applic~1\Hais
2010-10-27 05:30:35 -------- d-----w- c:\program files\TeamViewer
2010-10-23 16:46:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Komputerowa Gratka
2010-10-23 16:45:37 -------- d-----w- c:\program files\Pluszaki Rozrabiaki
2010-10-21 12:39:53 -------- d-----w- c:\docume~1\jarekexe\applic~1\Bitrix Security
2010-10-17 22:49:50 -------- d-----w- c:\docume~1\jarekexe\locals~1\applic~1\SKIDROW
2010-10-17 15:54:54 -------- d-----w- c:\docume~1\jarekexe\locals~1\applic~1\OtstoiSoft
2010-10-16 21:17:09 -------- d-----w- c:\docume~1\jarekexe\applic~1\Octoshape
2010-10-16 07:57:36 -------- d-----w- c:\docume~1\jarekexe\locals~1\applic~1\GHISLER
2010-10-16 05:12:44 -------- d-----w- c:\docume~1\jarekexe\locals~1\applic~1\Focus Home Interactive
2010-10-16 05:09:54 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2010-10-16 05:09:54 281104 ----a-w- c:\windows\system32\wpcap.dll
2010-10-16 05:09:54 100880 ----a-w- c:\windows\system32\Packet.dll
2010-10-15 06:36:47 -------- d-----w- c:\docume~1\jarekexe\applic~1\Jumb-O-Fun Games
2010-10-14 05:12:51 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 04:35:19 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 04:35:19 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 04:35:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-11 10:14:37 -------- d-----w- c:\docume~1\jarekexe\applic~1\OpenOffice.org
2010-10-11 10:10:46 -------- d-----w- c:\program files\OpenOffice.org 3
2010-10-10 19:31:25 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys

==================== Find3M ====================

2010-09-24 22:33:22 3777 ----a-w- C:\a.bat
2010-09-18 10:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-16 13:21:23 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 22:39:14 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-15 06:42:26 217180 ----a-w- c:\windows\system32\nvdrsdb0.bin
2010-08-15 06:42:26 1 ----a-w- c:\windows\system32\nvdrssel.bin
2010-08-15 06:41:47 217180 ----a-w- c:\windows\system32\nvdrsdb1.bin
2010-08-08 06:28:46 2828 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2010-08-08 06:28:35 88 --sh--r- c:\docume~1\alluse~1\applic~1\49A916B900.sys

============= FINISH: 18:21:23,68 ===============
Attach.zip attached.

Problem? There's only one. From time to time, access to www gets blocked. Whenever I open an internet browser (I have 3 installed, checked all of them - same, or similar, result) I'm getting a blank page. When I type the address like www(.)google(.)com - ofc w/o brackets - and press enter, nothing happens. There's nothing loading, no errors, no popups, no nothing. No reaction at all (Mozilla). On IE, there's the same situation except that there's no blank page, but a 404 page.

I've noticed that at that time, in my task manager, there are like 10-30 processes running named cmd.exe

Also, there are some suspect processes like:

svchost77.exe
rundll32.exe (few instances)
reg.exe
mmc.exe

sometimes more, right now I can't recall any others.

Killing them doesn't help. I need to reboot. Which is problematic, because sometimes I can't. When I press the shutdown button, nothing happens. So I have to press the power button for 5-7 secs to turn the computer off. Sometimes it does turn off as it should.

Would that help if I attach printscreen of task manager?

That's it. Thanks in advance for any help.
 

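A defender's triage aid, added here as an example and not part of this thread, DDS or ComboFix: it parses DDS "uRun"/"mRun"/"dRun" autorun lines like the ones in the log above and flags the patterns a removal helper checks first (binaries launched from the user profile's data folders or a drive root, bare-GUID value names, names imitating a Windows system binary, a DLL that rundll32 loads from outside system32). The sample input is copied from this thread's DDS report; the heuristics, thresholds and function names are my own assumptions.

```python
"""Triage helper for DDS 'Pseudo HJT Report' autorun lines (uRun / mRun / dRun).

Added example for this thread, not part of DDS or ComboFix. The heuristics are
my own assumptions about what a malware-removal helper looks at first.
"""
import re

# Sample input: a subset of the uRun/mRun lines copied from the DDS log posted
# above (constructed test data for this example).
SAMPLE_LINES = r"""
uRun: [AutoConnect] c:\program files\autoconnect\AutoConnect.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [{C5B77C71-210A-5AF5-F622-78F6E94C2A79}] "c:\documents and settings\jarekexe\application data\othu\abreo.exe"
uRun: [windows ftp3] c:\documents and settings\jarekexe\application data\ft3.exe
uRun: [WindowsUpdateFTP] C:\svchost77.exe
uRun: [Bcazatiyuw] rundll32.exe "c:\windows\nvcmshpt.dll",Startup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"""

# DDS prefixes: uRun = HKCU\...\Run, mRun = HKLM\...\Run, dRun = HKU\.DEFAULT\...\Run
AUTORUN_RE = re.compile(r"^(?P<hive>[umd])Run(?P<once>Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension; on rundll32 lines
# this is the DLL being loaded, which is the part worth inspecting.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"\n,]*?\.(?:exe|dll|scr|bat|cmd|vbs|js)\b')
GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
HIVES = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
# System binaries whose names malware likes to imitate (assumed list).
SYSTEM_STEMS = ("svchost", "lsass", "csrss", "winlogon", "services", "explorer")
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def classify(name, cmd):
    """Return the list of reasons an autorun entry deserves a closer look."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("run value named with a bare GUID")
    m = PATH_RE.search(cmd)
    if not m:
        # Bare program name such as RTHDCPL.EXE, resolved via PATH; nothing to check here.
        return reasons
    path = m.group(0).lower()
    parts = path.partition(":\\")[2].split("\\")
    directory, filename = "\\".join(parts[:-1]), parts[-1]
    stem, _, ext = filename.rpartition(".")
    in_system32 = directory in ("windows\\system32", "windows\\syswow64")
    in_windows = in_system32 or directory == "windows"

    if len(parts) == 1:
        reasons.append("executable sitting in the drive root")
    if any(d in "\\" + directory + "\\" for d in PROFILE_DIRS):
        reasons.append("executable launched from a user profile data directory")
    for sys_stem in SYSTEM_STEMS:
        if ext == "exe" and stem.startswith(sys_stem) and (stem != sys_stem or not in_windows):
            reasons.append("name imitates the Windows binary %s.exe" % sys_stem)
            break
    if ext == "dll" and "rundll32" in cmd.lower() and not in_system32 and not directory.startswith("program files"):
        reasons.append("rundll32 loads a DLL from outside system32 / Program Files")
    return reasons


def triage(report):
    """Parse DDS autorun lines and return only the entries with at least one reason."""
    findings = []
    for line in report.splitlines():
        m = AUTORUN_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["name"], m["cmd"])
        if reasons:
            findings.append({
                "key": HIVES[m["hive"]] + "\\Run" + (m["once"] or ""),
                "name": m["name"],
                "command": m["cmd"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("%s [%s] %s" % (f["key"], f["name"], f["command"]))
        for r in f["reasons"]:
            print("    - " + r)
```

On the sample above it reports exactly the four entries ComboFix later removed (the GUID-named abreo.exe, ft3.exe, svchost77.exe and nvcmshpt.dll) and none of the vendor autoruns.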
#2 ·
Welcome to TSF :)

You will need to uninstall AVG because it will block certain aspects of ComboFix. Thanks

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
 
#3 ·
Hi. Thank you for the quick answer. Before I post, I'd like to mention that I had a visitor today, called "Thinking point". I had to take some actions as it did not allow me to use the computer. I've removed some of the registry, following instructions from one of the sites instructing how to get rid of it; unfortunately I cannot find that www anymore.

Additionally, after the combo fix run, an error is popping up from time to time:



Edit: Should I install back Avira?

And here's combofix.txt

ComboFix 10-11-02.06 - Jarekexe 2010-11-04 3:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1033.18.3327.2989 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Jarekexe\Desktop\ComboFix.exe
* Utworzono nowy punkt przywracania
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\a.bat
c:\documents and settings\Jarekexe\Application Data\Bitrix Security
c:\documents and settings\Jarekexe\Application Data\Bitrix Security\fnrd
c:\documents and settings\Jarekexe\Application Data\completescan
c:\documents and settings\Jarekexe\Application Data\ft3.exe
c:\documents and settings\Jarekexe\Application Data\Ihuvdo
c:\documents and settings\Jarekexe\Application Data\Ihuvdo\syho.exe
c:\documents and settings\Jarekexe\Application Data\Othu
c:\documents and settings\Jarekexe\Application Data\Othu\abreo.exe
c:\windows\nvcmshpt.dll
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Temp\_ex-08.exe

.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Legacy_SSHNAS
-------\Service_NPF
-------\Service_SSHNAS


((((((((((((((((((((((((( Pliki utworzone od 2010-10-04 do 2010-11-04 )))))))))))))))))))))))))))))))
.

2010-11-03 02:41 . 2010-11-03 02:41 -------- d-----w- c:\program files\PragmaDigm
2010-11-03 02:39 . 2010-11-03 02:40 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\GetRightToGo
2010-11-02 18:40 . 2001-08-17 21:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-11-02 18:39 . 2001-08-17 21:36 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-11-02 18:38 . 2001-08-17 11:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-11-02 18:37 . 2001-08-17 12:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-11-02 18:36 . 2001-08-17 11:50 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2010-11-02 18:35 . 2001-08-17 11:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2010-11-02 18:34 . 2001-08-17 21:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2010-11-02 18:33 . 2001-08-17 13:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2010-11-02 18:32 . 2001-08-17 11:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-11-02 18:31 . 2001-08-17 21:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-11-02 18:30 . 2008-04-13 10:40 5504 -c--a-w- c:\windows\system32\dllcache\intelide.sys
2010-11-02 18:29 . 2001-08-17 12:28 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-11-02 18:28 . 2001-08-17 11:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2010-11-02 18:27 . 2001-08-17 11:12 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2010-11-02 18:26 . 2001-08-17 12:51 6656 -c--a-w- c:\windows\system32\dllcache\cmdide.sys
2010-11-02 18:25 . 2001-08-17 13:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-11-01 15:00 . 2010-11-01 15:00 1409 ----a-w- c:\windows\QTFont.for
2010-11-01 14:40 . 2010-11-01 14:40 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Botei
2010-11-01 09:48 . 2010-11-01 09:48 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Leadertech
2010-11-01 09:48 . 2010-11-01 09:48 -------- d-----w- c:\program files\Common Files\PocketSoft
2010-11-01 09:48 . 2002-02-27 17:50 197120 ----a-w- c:\windows\patchw32.dll
2010-11-01 09:45 . 2010-11-01 09:45 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Atari
2010-11-01 02:27 . 2010-11-01 02:27 431104 ----a-w- C:\svchost77.exe
2010-10-28 14:30 . 2010-11-04 01:51 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Hais
2010-10-27 05:30 . 2010-10-27 05:30 -------- d-----w- c:\program files\TeamViewer
2010-10-23 16:46 . 2010-10-30 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Komputerowa Gratka
2010-10-23 16:45 . 2010-10-25 04:52 -------- d-----w- c:\program files\Pluszaki Rozrabiaki
2010-10-17 22:49 . 2010-10-17 22:49 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\SKIDROW
2010-10-17 15:54 . 2010-10-17 15:54 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\OtstoiSoft
2010-10-16 21:17 . 2010-10-16 21:17 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Octoshape
2010-10-16 07:57 . 2010-10-16 07:57 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\GHISLER
2010-10-16 05:12 . 2010-10-16 05:12 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\Focus Home Interactive
2010-10-15 06:36 . 2010-10-15 06:36 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Jumb-O-Fun Games
2010-10-14 05:12 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 10:27 . 2010-10-13 10:27 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Media Player Classic
2010-10-11 10:14 . 2010-10-11 10:14 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\OpenOffice.org
2010-10-11 10:10 . 2010-11-02 17:18 -------- d-----w- c:\program files\OpenOffice.org 3
2010-10-10 19:31 . 2010-03-30 21:38 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 05:38 . 2010-09-23 05:38 30111555 ----a-w- C:\Multiplayer.zip
2010-09-18 10:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-16 13:21 . 2010-09-16 13:21 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 22:39 . 2010-09-09 22:39 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-06-20 13:35 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-08 06:28 . 2010-06-23 02:46 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-08 06:28 . 2010-06-23 02:46 88 --sh--r- c:\documents and settings\All Users\Application Data\49A916B900.sys
.

((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect"="c:\program files\AutoConnect\AutoConnect.exe" [2004-08-28 295424]
"WindowsUpdateFTP"="C:\svchost77.exe" [2010-11-01 431104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-08 110696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 49152]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-03-21 16:23 1953792 ------r- c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 ----a-w- e:\programy\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 14:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-08-06 17:45 877568 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Tlen7\\tlen7.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Operations\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"e:\\Programy\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"e:\\Programy\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Gry\\StarCraft II\\StarCraft II.exe"=
"e:\\Gry\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"e:\\Gry\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"c:\\Documents and Settings\\Jarekexe\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"e:\\Gry\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-06-20 691696]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-03-18 172328]
.
Zawartość folderu 'Zaplanowane zadania'

2010-11-04 c:\windows\Tasks\New Task.job
- c:\windows\system32\wscript.exe [2004-08-04 11:24]
.
.
------- Skan uzupełniający -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {A561FE8E-79C3-45A8-B861-7D4DCF1C24D1} = 62.233.233.233 87.204.204.204
DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
FF - ProfilePath - c:\documents and settings\Jarekexe\Application Data\Mozilla\Firefox\Profiles\di1ek9ts.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - google.pl
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Operations\program\plugins\npdsplay.dll
FF - plugin: c:\program files\Operations\program\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Operations\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - USUNIĘTO PUSTE WPISY - - - -

HKCU-Run-windows ftp3 - c:\documents and settings\Jarekexe\Application Data\ft3.exe
HKCU-Run-Bcazatiyuw - c:\windows\nvcmshpt.dll
HKCU-Run-{C5B77C71-210A-5AF5-F622-78F6E94C2A79} - c:\documents and settings\Jarekexe\Application Data\Othu\abreo.exe
HKLM-Run-nwiz - c:\program files\NVIDIA Corporation\nView\nwiz.exe
HKLM-Explorer_Run-application - c:\program files\ACSPMonitor\ASMonitor.exe
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
MSConfigStartUp-Corel File Shell Monitor - e:\gry\Corel\CorelIOMonitor.exe
MSConfigStartUp-DAEMON Tools Lite - c:\program files\DAEMON Tools Lite\DTLite.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe
AddRemove-NVIDIA nView Desktop Manager - c:\program files\NVIDIA Corporation\nView\nViewSetup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-04 03:10
Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------

- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Pozostałe uruchomione procesy ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Czas ukończenia: 2010-11-04 03:11:43 - komputer został uruchomiony ponownie
ComboFix-quarantined-files.txt 2010-11-04 02:11

Przed: 11*086*110*720 bytes free
Po: 11*632*889*856 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PLK.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7F989504EA7ADEE8C84DEEC25EB34D83
 
#4 ·
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Code:

Collect::[70]
C:\svchost77.exe
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsUpdateFTP"=-

Save this as CFScript.txt, in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.



===========================================


Please download Malwarebytes' Anti-Malware from Here.



Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


============================================


Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.



  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply


In your next reply, please include the comboFix log, mbam log and kaspersky logs. Thanks
 
#5 ·
Hello. Below are the combofix log and mbam log. Unfortunately I failed to scan with Kaspersky. When the page loaded, it checked my system and informed me that the Java framework is not installed (or out of date). I followed their instructions and at the end of installation, errors started to pop up:



Logs:

ComboFix 10-11-02.06 - Jarekexe 2010-11-05 2:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1250.48.1033.18.3327.2780 [GMT 1:00]
Uruchomiony z: c:\documents and settings\Jarekexe\Desktop\ComboFix.exe
Użyto następujących komend :: c:\documents and settings\Jarekexe\Desktop\CFScript.txt

file zipped: C:\svchost77.exe
.

((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\svchost77.exe

.
((((((((((((((((((((((((( Pliki utworzone od 2010-10-05 do 2010-11-05 )))))))))))))))))))))))))))))))
.

2010-11-04 02:32 . 2010-11-04 02:32 -------- d-----w- c:\program files\Opera
2010-11-03 02:41 . 2010-11-03 02:41 -------- d-----w- c:\program files\PragmaDigm
2010-11-03 02:39 . 2010-11-03 02:40 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\GetRightToGo
2010-11-02 18:40 . 2001-08-17 21:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-11-02 18:39 . 2001-08-17 21:36 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2010-11-02 18:38 . 2001-08-17 11:51 138528 -c--a-w- c:\windows\system32\dllcache\tgiulnt5.sys
2010-11-02 18:37 . 2001-08-17 12:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2010-11-02 18:36 . 2001-08-17 11:50 104064 -c--a-w- c:\windows\system32\dllcache\sisgrp.sys
2010-11-02 18:35 . 2001-08-17 11:50 41216 -c--a-w- c:\windows\system32\dllcache\s3mt3d.sys
2010-11-02 18:34 . 2001-08-17 21:36 35328 -c--a-w- c:\windows\system32\dllcache\psisload.dll
2010-11-02 18:33 . 2001-08-17 13:05 31872 -c--a-w- c:\windows\system32\dllcache\ovce.sys
2010-11-02 18:32 . 2001-08-17 11:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2010-11-02 18:31 . 2001-08-17 21:36 58880 -c--a-w- c:\windows\system32\dllcache\m3092dc.dll
2010-11-02 18:30 . 2008-04-13 10:40 5504 -c--a-w- c:\windows\system32\dllcache\intelide.sys
2010-11-02 18:29 . 2001-08-17 12:28 542879 -c--a-w- c:\windows\system32\dllcache\hsf_msft.sys
2010-11-02 18:28 . 2001-08-17 11:15 442240 -c--a-w- c:\windows\system32\dllcache\fpnpbase.sys
2010-11-02 18:27 . 2001-08-17 11:12 19594 -c--a-w- c:\windows\system32\dllcache\e100isa4.sys
2010-11-02 18:26 . 2001-08-17 12:51 6656 -c--a-w- c:\windows\system32\dllcache\cmdide.sys
2010-11-02 18:25 . 2001-08-17 13:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-11-01 15:00 . 2010-11-01 15:00 1409 ----a-w- c:\windows\QTFont.for
2010-11-01 14:40 . 2010-11-01 14:40 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Botei
2010-11-01 09:48 . 2010-11-01 09:48 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Leadertech
2010-11-01 09:48 . 2010-11-01 09:48 -------- d-----w- c:\program files\Common Files\PocketSoft
2010-11-01 09:48 . 2002-02-27 17:50 197120 ----a-w- c:\windows\patchw32.dll
2010-11-01 09:45 . 2010-11-01 09:45 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Atari
2010-10-28 14:30 . 2010-11-04 01:51 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Hais
2010-10-27 05:30 . 2010-10-27 05:30 -------- d-----w- c:\program files\TeamViewer
2010-10-23 16:46 . 2010-10-30 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Komputerowa Gratka
2010-10-23 16:45 . 2010-10-25 04:52 -------- d-----w- c:\program files\Pluszaki Rozrabiaki
2010-10-17 22:49 . 2010-10-17 22:49 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\SKIDROW
2010-10-17 15:54 . 2010-10-17 15:54 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\OtstoiSoft
2010-10-16 21:17 . 2010-10-16 21:17 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Octoshape
2010-10-16 07:57 . 2010-10-16 07:57 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\GHISLER
2010-10-16 05:12 . 2010-10-16 05:12 -------- d-----w- c:\documents and settings\Jarekexe\Local Settings\Application Data\Focus Home Interactive
2010-10-15 06:36 . 2010-10-15 06:36 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Jumb-O-Fun Games
2010-10-14 05:12 . 2008-04-14 00:12 221184 ----a-w- c:\windows\system32\wmpns.dll
2010-10-13 10:27 . 2010-10-13 10:27 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\Media Player Classic
2010-10-11 10:14 . 2010-10-11 10:14 -------- d-----w- c:\documents and settings\Jarekexe\Application Data\OpenOffice.org
2010-10-11 10:10 . 2010-11-02 17:18 -------- d-----w- c:\program files\OpenOffice.org 3
2010-10-10 19:31 . 2010-03-30 21:38 20968 ----a-w- c:\windows\system32\drivers\cpuz133_x32.sys

.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 05:38 . 2010-09-23 05:38 30111555 ----a-w- C:\Multiplayer.zip
2010-09-18 10:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-16 13:21 . 2010-09-16 13:21 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 22:39 . 2010-09-09 22:39 2826240 ----a-w- c:\windows\system32\GPhotos.scr
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2010-06-20 13:35 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-08 06:28 . 2010-06-23 02:46 2828 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-08-08 06:28 . 2010-06-23 02:46 88 --sh--r- c:\documents and settings\All Users\Application Data\49A916B900.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-11-04_02.10.05 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-04 05:28 . 2010-11-04 05:28 16384 c:\windows\Temp\Perflib_Perfdata_518.dat
+ 2004-08-04 12:00 . 2010-11-04 05:33 67448 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2010-11-04 01:55 67448 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2010-11-04 05:33 432492 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2010-11-04 01:55 432492 c:\windows\system32\perfh009.dat
+ 2010-11-04 02:32 . 2010-11-04 02:32 2648064 c:\windows\Installer\129164.msi
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoConnect"="c:\program files\AutoConnect\AutoConnect.exe" [2004-08-28 295424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-03-21 16126464]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-06-08 13902440]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-06-08 110696]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 30208]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-09-29 49152]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\36X Raid Configurer]
2007-03-21 16:23 1953792 ------r- c:\windows\system32\xRaidSetup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 ----a-w- e:\programy\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JMB36X IDE Setup]
2007-03-20 14:36 36864 ------r- c:\windows\RaidTool\xInsIDE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
2004-08-06 17:45 877568 ----a-w- c:\program files\Thomson\SpeedTouch USB\dragdiag.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Tlen7\\tlen7.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"e:\\Programy\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"e:\\Programy\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"e:\\Programy\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"e:\\Gry\\StarCraft II\\StarCraft II.exe"=
"e:\\Gry\\StarCraft II\\Versions\\Base15405\\SC2.exe"=
"e:\\Gry\\StarCraft II\\Versions\\Base16561\\SC2.exe"=
"c:\\Documents and Settings\\Jarekexe\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
"e:\\Gry\\StarCraft II\\Versions\\Base16605\\SC2.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\Opera\\opera.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2010-06-20 691696]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-03-18 172328]
.
Zawartość folderu 'Zaplanowane zadania'

2010-11-05 c:\windows\Tasks\New Task.job
- c:\windows\system32\wscript.exe [2004-08-04 11:24]
.
.
------- Skan uzupełniający -------
.
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {A561FE8E-79C3-45A8-B861-7D4DCF1C24D1} = 62.233.233.233 87.204.204.204
DPF: {888078C6-70B2-4F88-8EE7-1F50DDEA6120} - hxxps://as.photoprintit.de/ips-opdata/activex/ImageUploader6.cab
FF - ProfilePath - c:\documents and settings\Jarekexe\Application Data\Mozilla\Firefox\Profiles\di1ek9ts.default\
FF - prefs.js: browser.search.selectedEngine - YouTube
FF - prefs.js: browser.startup.homepage - google.pl
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Operations\program\plugins\NPOFF12.DLL
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Operations\program\plugins\npqtplugin7.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX - SPOSÓB POSTĘPOWANIA ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox2\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox2\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-05 02:18
Windows 5.1.2600 Service Pack 3 NTFS

skanowanie ukrytych procesów ...

skanowanie ukrytych wpisów autostartu ...

skanowanie ukrytych plików ...

skanowanie pomyślnie ukończone
ukryte pliki: 0

**************************************************************************
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Czas ukończenia: 2010-11-05 02:19:36
ComboFix-quarantined-files.txt 2010-11-05 01:19
ComboFix2.txt 2010-11-04 02:11

Przed: 11*768*365*056 bytes free
Po: 11*752*910*848 bytes free

- - End Of File - - B658653DDEAB56C31C4764B45AD22578
Przesyłanie ukończono pomyślnie



MBAM-----------------------



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5047

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-11-05 02:35:20
mbam-log-2010-11-05 (02-35-20).txt

Scan type: Quick scan
Objects scanned: 138725
Time elapsed: 2 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\EBUNWVLUMV (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\QNB2EB90WX (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\RZDVL2F27W (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jarekexe\Application Data\log33.txt (Malware.Trace) -> Quarantined and deleted successfully.
 
#6 ·
Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.


Did you upload the file that ComboFix prompted you to?
 
#8 ·
I'm running Eset scanner now, for 5 hours :| ever since it reached 99%, it's going veeery slow. Each file takes about 5-15 minutes. No matter if it's 700mb avi or 1k txt :|

It has found 32 infected files though. Should I go on? It might take forever.
Never mind, suddenly it started scanning at normal speed and finished. Here's the log:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1e19793f9e2f384192dbea0f3856a1df
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-05 04:55:38
# local_time=2010-11-05 05:55:38 (+0100, Romance Standard Time)
# country="Poland"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 10944674 10944674 0 0
# compatibility_mode=8192 67108863 100 0 3778 3778 0 0
# scanned=183923
# found=32
# cleaned=0
# scan_time=19704
C:\Program Files\ACSPMonitor\hprog.dll a variant of Win32/HideProc.B application 00000000000000000000000000000000 I
C:\Program Files\iSafe AllInOne Keylogger\LogViewer.exe a variant of Win32/KeyLogger.iSafeKeylogger application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[70]-Submit_2010-11-05_02.15.55.zip Win32/Delf.NXC trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Jarekexe\Application Data\ft3.exe.vir a variant of Win32/Kryptik.HUA trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Jarekexe\Application Data\Ihuvdo\syho.exe.vir Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Jarekexe\Application Data\Othu\abreo.exe.vir a variant of Win32/Kryptik.HUA trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\nvcmshpt.dll.vir a variant of Win32/Cimag.DZ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP146\A0042359.exe Win32/Adware.SecurityTool.AD application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP163\A0058008.exe Win32/Spy.Zbot.ZR trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP167\A0059202.exe a variant of Win32/KeyLogger.ActualSpy.NAE application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP167\A0059206.dll a variant of Win32/KeyHook.B application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP167\A0059207.dll a variant of Win32/KeyHook.B application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP167\A0059209.exe probably a variant of Win32/KeyLogger.ActualSpy.NAD application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP168\A0061883.exe a variant of Win32/Kryptik.HUA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP168\A0061885.exe a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP168\A0061947.exe a variant of Win32/Kryptik.HUA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP168\A0061948.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP168\A0061949.exe a variant of Win32/Kryptik.HUA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP168\A0061950.dll a variant of Win32/Cimag.DZ trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP170\A0062214.exe a variant of Win32/Kryptik.YI trojan 00000000000000000000000000000000 I
D:\Instalki\actualspy.exe multiple threats 00000000000000000000000000000000 I
D:\Instalki\ventmixsetup11.msi probably a variant of Win32/Agent.DRJCFOS trojan 00000000000000000000000000000000 I
D:\Instalki\Nero\Nero 6.6.1.15 PL + seriale\Nero Burning Rom 6.6.1.15 d Eng Setup.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
D:\Instalki\*Gry\Anno.1404.Venice-RELOADED\Anno.1404.Venice-RELOADED.iso Win32/Packed.VMProtect.D trojan 00000000000000000000000000000000 I
D:\Instalki\*Gry\Settlers 7\rzr-set7.iso a variant of Win32/Packed.VMProtect.AAA trojan 00000000000000000000000000000000 I
D:\Instalki\*Gry\Sims 3\rzr-sim3.iso probably a variant of Win32/Hupigon.CJKIBCX trojan 00000000000000000000000000000000 I
D:\OLD_C\Documents and Settings\Jarekexe\Local Settings\Application Data\Mozilla\Firefox\Profiles\x2p338nk.default\Cache\27ACF3C4d01 a variant of Win32/KeyLogger.EliteKeylogger.46 application 00000000000000000000000000000000 I
E:\Aluś\Adibu w ogrodzie niespodzianek\setup.exe probably a variant of Win32/Agent.KJGTRDV trojan 00000000000000000000000000000000 I
E:\Download\keylogger.kopa probably a variant of Win32/Spy.Agent.ICBEWDC trojan 00000000000000000000000000000000 I
E:\Download\keylogger.zip probably a variant of Win32/Spy.Agent.ICBEWDC trojan 00000000000000000000000000000000 I
E:\Download\unlocker1.8.8(dobreprogramy.pl).exe Win32/Adware.ADON application 00000000000000000000000000000000 I
E:\Download\*Torrent\Norton Ghost 15.zip a variant of Win32/Keygen.AC application 00000000000000000000000000000000 I
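A triage script over the ESET log just posted, as an added example that is not part of this thread and not ESET's or ComboFix's own tooling: it parses the `# key=value` header and the detection lines (path, verdict, 32-hex hash, flag), checks that the number of detection lines agrees with the `found` header, confirms from `remove_checked` that nothing was cleaned, and separates findings that already sit in ComboFix's quarantine or in old System Restore points from files that are still live on disk (the live ones, such as the keylogger and the HideProc DLL under ACSPMonitor, are the ones that still need a decision). The sample log is an abridged copy of the posted one (8 of its 32 lines, with `found=` adjusted to match), so it is a constructed input; the line regex and the three location buckets are this example's own assumptions about the format, derived from the lines shown.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed ESET Online Scanner log layout, derived from the lines posted above:
#   "# key=value" header lines, then one detection per line:
#   <path> <verdict> <32-hex hash> <flag>
HEADER_RE = re.compile(r"^#\s*(?P<key>[^=]+)=(?P<value>.*)$")
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>(?:(?:probably )?a variant of )?\S+\s+(?:trojan|application)"
    r"|multiple threats)"
    r"\s+(?P<hash>[0-9a-fA-F]{32})\s+(?P<flag>\S)$"
)


@dataclass
class Detection:
    path: str
    verdict: str
    category: str   # "trojan", "application" or "multiple"
    location: str   # "quarantine", "restore_point" or "live"


def classify_location(path):
    """Bucket a finding by where it sits; the buckets are this example's own convention."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:                   # already neutralised by ComboFix
        return "quarantine"
    if "\\system volume information\\_restore" in p:   # copies inside old restore points
        return "restore_point"
    return "live"                                       # still reachable on disk


def parse_eset_log(text):
    """Return (headers, detections); headers map key -> list of values (some keys repeat)."""
    headers = {}
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            headers.setdefault(h.group("key").strip(), []).append(h.group("value"))
            continue
        d = DETECTION_RE.match(line)
        if d:
            verdict = d.group("verdict")
            category = "multiple" if verdict == "multiple threats" else verdict.rsplit(" ", 1)[1]
            detections.append(Detection(d.group("path"), verdict, category,
                                        classify_location(d.group("path"))))
        # anything else (installer chatter such as "OnlineScanner.ocx - registred OK") is ignored
    return headers, detections


def summarize(text):
    """Cross-check the header against the body and split findings by location."""
    headers, dets = parse_eset_log(text)
    reported = int(headers.get("found", ["0"])[0])
    return {
        "reported_found": reported,
        "parsed_found": len(dets),
        "count_matches": reported == len(dets),
        "by_location": dict(Counter(d.location for d in dets)),
        "by_category": dict(Counter(d.category for d in dets)),
        "live_paths": [d.path for d in dets if d.location == "live"],
        # remove_checked=false means the scanner only reported; nothing was cleaned
        "removal_enabled": headers.get("remove_checked", ["false"])[0] == "true",
    }


# Constructed sample: an abridged copy of the log posted above (8 of 32 lines),
# with found= adjusted so the header matches the lines kept.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# remove_checked=false
# archives_checked=true
# scanned=183923
# found=8
# cleaned=0
C:\Program Files\ACSPMonitor\hprog.dll a variant of Win32/HideProc.B application 00000000000000000000000000000000 I
C:\Program Files\iSafe AllInOne Keylogger\LogViewer.exe a variant of Win32/KeyLogger.iSafeKeylogger application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\[70]-Submit_2010-11-05_02.15.55.zip Win32/Delf.NXC trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\Jarekexe\Application Data\ft3.exe.vir a variant of Win32/Kryptik.HUA trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP146\A0042359.exe Win32/Adware.SecurityTool.AD application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{B094344B-F736-44A2-8A21-7A56201D4756}\RP168\A0061948.exe Win32/Spy.Zbot.YW trojan 00000000000000000000000000000000 I
D:\Instalki\actualspy.exe multiple threats 00000000000000000000000000000000 I
D:\Instalki\Nero\Nero 6.6.1.15 PL + seriale\Nero Burning Rom 6.6.1.15 d Eng Setup.exe Win32/Toolbar.AskSBar application 00000000000000000000000000000000 I
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The path/verdict split relies on every verdict ending in `trojan`, `application` or `threats`; a path containing spaces is handled because the path group is matched lazily and the verdict group is anchored to the hash that follows it. The `count_matches` field is the quick sanity check that a log was pasted whole, and `live_paths` is the list worth reading first, since quarantined and restore-point copies are removed wholesale by the ComboFix uninstall and new-restore-point steps the helper gives next.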
 
#9 ·
Just an FYI, you will continually get infected downloading and using keygens.

Read our rules here at TSF about such programs
http://www.techsupportforum.com/f50/cracked-illegal-software-248501.html

Go to Start ---> Run ---> Type ComboFix /uninstall and press Enter.

That removes everything that ESET detected from ComboFix's Quarantine list.

Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

======================================

Here is some useful information on keeping your computer clean:
  1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update
 
#15 ·
You have a file I would like you to get analyzed. Please go to VirusTotal. On the very top of the website, you will see a Browse button. Use that to search for this file c:\windows\system32\wscript.exe. Then click on Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, please highlight the results, copy them to Notepad and save it as "Scan.txt". Save the text file "Scan.txt" to your desktop. Please include the file in your next post.
 