[Closed] Request for help with continuous Trojan horse problem on Win7


mirekkazek

Posts: 17   +0
Hello. I have an urgent problem with my Windows 7. I know someone had a similar one, but it is not the only thing that goes wrong.
My AVG continuously finds Trojan Horse Crypt.AQLW on my computer.
Every few minutes it shows an alert about some .dll file in C:\windows\system32 (each time it is a different file; e.g. now it is comhost.dll).

The alert also says that it concerns the process \\.\globalroot\SyStemRoot\system32\svchost.exe

It seems that AVG finds and deletes/quarantines each of those files, but it is really disturbing as it pops up very often. Also, I'm afraid: is it something really serious, or not that bad?

Moreover, my Windows has just lost its wallpaper: it went black, and it cannot see picture files.

I am quite new to this stuff; could you please walk me through this log stuff? I haven't done it before.
Could you help me, please?
 
Welcome to TechSpot! I'll be glad to help with the malware.

You can go ahead and run this first:
Download Unhide.exe and save it to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note 1: This does not remove the malware, only the attribute causing the 'missing' problem. So it is important for you to continue.
Note 2: It is important that you do not delete any files from your Temp folder or use any temp file cleaners

The malware may cause other "cosmetic" problems- they can be fixed. But they may recur until we remove all of the malware:
Correct Display Changes if needed:
If the desktop background is black or if the theme has been removed:
For Windows XP: Click on Start> Control Panel> Display> change theme and/or background if needed.
For Windows Vista or Windows 7: Click on Start> Control Panel> Appearance & Personalization> Select Change Theme or Change Desktop Background
=================================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
===============================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
Threads are closed after 5 days if there is no reply.

Please leave the logs in your next reply: 2 from DDS, 1 from Malwarebytes and 1 from GMER, if there is one.
 
Unfortunately, as for the wallpaper, it is not a matter of the theme: the theme changed, but the background is still black. (Also, folders with graphic files and the graphic files themselves don't have any icon at all.)
As for logs, here is the first one, from Malwarebytes. It didn't find anything, but even during the scan AVG stopped some trojans.
Here is the log; the next one is coming as soon as it is ready:


Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.12.04

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
MIRO :: MIRO-KOMPUTER [administrator]

Protection: Enabled

2012-05-12 14:37:13
mbam-log-2012-05-12 (14-37-13).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 216275
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
1st DDS log:

.

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by MIRO at 14:50:59 on 2012-05-12
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.48.1045.18.3037.1389 [GMT 2:00]
.
AV: AVG Internet Security *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\nvvsvc.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\nvvsvc.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\Dwm.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Lenovo\Energy Management\utility.exe
C:\Program Files\Lenovo\Energy Management\Energy Management.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe
C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
C:\windows\system32\conhost.exe
C:\Program Files\Opera\opera.exe
C:\windows\system32\svchost.exe -k apphost
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgfws9.exe
C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k hpdevmgmt
C:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
C:\Program Files\AVG\AVG9\avgam.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\windows\system32\svchost.exe -k iissvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\windows\system32\svchost.exe -k HPService
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\windows\system32\conhost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgcfgex.exe
C:\windows\explorer.exe
C:\windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\windows\notepad.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = about:blank
mDefault_Page_URL = about:blank
mStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [EnergyUtility] c:\program files\lenovo\energy management\utility.exe
mRun: [Energy Management] c:\program files\lenovo\energy management\Energy Management.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\lenovo\bluetooth software\BTTray.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&ksport do programu Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105
IE: Wyślij obraz do urządzenia &Bluetooth... - c:\program files\lenovo\bluetooth software\btsendto_ie_ctx.htm
IE: Wyślij stronę do urządzenia &Bluetooth... - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\lenovo\bluetooth software\btsendto_ie.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
LSP: mswsock.dll
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://87.116.199.52/camclictrl.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {EF991872-9158-4570-A7FF-E7DBB6A4B8E9} - hxxp://217.96.52.154:82/iqweb.ocx
DPF: {F9F6A5CD-76C1-4BE7-8F49-5D4183F9FAC5} - hxxps://www.otineo.com/resources/com.otineo.survey.ui.personal.softphone.SoftphonePanel/OtineoSoftphone.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2D61E27A-22F2-42C0-8781-88B7B0FACBC4} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{2D61E27A-22F2-42C0-8781-88B7B0FACBC4}\4656661657C647 : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{2D61E27A-22F2-42C0-8781-88B7B0FACBC4}\A41425341425F537B6C65607F523231363336333 : DhcpNameServer = 82.168.1.1 192.168.0.1
TCP: Interfaces\{2D61E27A-22F2-42C0-8781-88B7B0FACBC4}\A41636B637022556374716572716E64702D202A51607271637A716D697 : DhcpNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSErHrw7x;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSwx.sys [2010-5-21 25168]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-5-21 52872]
R1 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwd6x.sys [2010-5-21 24856]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-5-21 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-5-21 29712]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-5-21 243152]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-7-19 218688]
R1 funfrm;funfrm;c:\windows\system32\drivers\funfrm.sys [2009-11-20 54800]
R1 VWiFiFlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-14 48128]
R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-6-22 921952]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-6-22 308136]
R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2010-6-22 2331544]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2010-6-22 5897808]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-12 654408]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\drivers\AcpiVpc.sys [2010-1-20 23136]
R3 AVGIDSDriverw7x;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSDriver.sys [2010-5-21 122448]
R3 AVGIDSFilterw7x;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSFilter.sys [2010-5-21 30288]
R3 AVGIDSShimw7x;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_win7\AVGIDSShim.sys [2010-5-21 20560]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-5-31 260648]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-12 22344]
R3 NETw5s32;Sterownik karty Intel(R) Wireless WiFi Link dla systemu Windows 7 32 Bit;c:\windows\system32\drivers\NETw5s32.sys [2009-9-15 6114816]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-11-20 66080]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-14 14336]
S2 AMService;AMService;c:\windows\temp\mjsvag\setup.exe run --> c:\windows\temp\mjsvag\setup.exe run [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\drivers\adildr.sys [2009-12-18 56088]
S2 KMService;KMService;c:\windows\system32\srvany.exe [2011-12-12 8192]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2009-11-20 29472]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-4-28 36640]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2009-7-14 229888]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\NETw5v32.sys [2009-11-20 4231680]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2009-9-15 171520]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-4-27 98432]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-4-27 14848]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-4-27 123648]
S3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\drivers\ss_bserd.sys [2011-4-27 100224]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-8 52224]
S3 WatAdminSvc;Usługa Technologie aktywacji systemu Windows;c:\windows\system32\wat\WatAdminSvc.exe [2010-5-24 1343400]
S3 wdmirror;wdmirror;c:\windows\system32\drivers\WDMirror.sys [2009-11-20 11792]
S3 wsvd;wsvd;c:\windows\system32\drivers\wsvd.sys [2009-7-21 81704]
.
=============== Created Last 30 ================
.
2012-05-12 12:36:16 -------- d-----w- c:\users\miro\appdata\roaming\Malwarebytes
2012-05-12 12:36:09 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-12 12:36:09 -------- d-----w- c:\programdata\Malwarebytes
2012-05-12 12:36:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-11 21:11:20 -------- d-s---w- C:\ComboFix
2012-05-10 05:03:32 -------- d-----w- C:\fbb5b84d456018be4690d2f6
2012-05-10 05:00:29 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-10 05:00:26 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-10 05:00:20 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-10 05:00:20 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 05:00:19 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-10 04:59:14 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-10 04:59:11 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-09 20:55:16 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-05-06 17:58:15 1772544 ----a-w- c:\windows\system32\dsetup32.dll
2012-05-06 17:57:26 47104 ----a-w- c:\windows\system32\KMVIDC32.DLL
2012-05-06 17:54:36 127488 ----a-w- c:\windows\system32\DSETUP.DLL
2012-05-06 17:50:34 -------- d-----w- c:\program files\Worms
2012-05-06 17:06:11 -------- d-----w- c:\program files\TryMedia
2012-05-04 20:44:12 -------- d-----w- c:\program files\Rockstar games
2012-04-27 10:06:24 -------- d-----w- c:\users\miro\appdata\local\{7C97460C-2299-41E5-AECF-C686D2347039}
2012-04-27 10:06:22 -------- d-----w- c:\users\miro\appdata\local\{4C0F6A9A-AC49-490B-BD56-E16D7891D0E0}
2012-04-27 10:03:31 -------- d-----w- c:\windows\pl
2012-04-27 10:00:25 89944 ----a-w- c:\program files\common files\windows live\.cache\91379c9e1cd245c02\DSETUP.dll
2012-04-27 10:00:25 537432 ----a-w- c:\program files\common files\windows live\.cache\91379c9e1cd245c02\DXSETUP.exe
2012-04-27 10:00:25 1801048 ----a-w- c:\program files\common files\windows live\.cache\91379c9e1cd245c02\dsetup32.dll
2012-04-27 09:54:44 -------- d-----w- c:\users\miro\appdata\local\{140818D8-FDB9-4B42-802F-FADAC818BBCB}
2012-04-12 19:50:41 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 19:50:41 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 19:50:41 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 19:50:41 159232 ----a-w- c:\windows\system32\imagehlp.dll
.
==================== Find3M ====================
.
2012-05-09 20:55:18 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-09 20:55:18 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-23 19:19:58 761152 ----a-w- c:\windows\system32\msvcr100.dll
2012-03-08 16:50:28 49016 ----a-w- c:\windows\system32\sirenacm.dll
2012-03-08 16:37:20 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 10:09:44 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2010-08-03 09:11:16 819200 --sha-w- c:\windows\system32\xvidcore.dll
2010-08-03 09:11:16 180224 --sha-w- c:\windows\system32\xvidvfw.dll
.
============= FINISH: 14:52:24,55 ===============
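The SERVICES / DRIVERS section of the DDS log above is where a reviewer looks for entries that deserve a question before anything is removed: a service whose image lives under a temp directory, or one whose file DDS could not even stat (the trailing `[?]`). The following Python is an added example, not a tool from this thread, from DDS or from AVG. It parses DDS service lines in the layout the log shows, applies a few review heuristics, and also folds the `\\.\globalroot\SystemRoot\...` alias from AVG's alert in the opening post onto the plain `c:\windows\...` path so entries can be compared. The line layout, the meaning of `R`/`S` and the start-type digit, the meaning of `[?]`, the flag names and the assumption that Windows sits at `C:\windows` are all mine; the four sample lines are copied from the log above.

```python
"""Review helper for the SERVICES / DRIVERS section of a DDS log.

Added example; not a tool from the thread, from DDS, or from AVG. It assumes
the DDS line layout
    <R|S><start type> <name>;<display name>;<image path> [<date> <size>]
(R = running, S = stopped; 0 boot, 1 system, 2 automatic, 3 manual, as I read
DDS's convention), that "[?]" means DDS could not read the file's date and
size, and that Windows is installed at C:\\windows, as in the log above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: four lines copied from the DDS log posted in this thread.
SAMPLE_SERVICES = (
    "R2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2012-5-12 654408]\n"
    "S2 AMService;AMService;c:\\windows\\temp\\mjsvag\\setup.exe run --> c:\\windows\\temp\\mjsvag\\setup.exe run [?]\n"
    "S2 KMService;KMService;c:\\windows\\system32\\srvany.exe [2011-12-12 8192]\n"
    "R3 MBAMProtector;MBAMProtector;c:\\windows\\system32\\drivers\\mbam.sys [2012-5-12 22344]\n"
)

SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
INFO_RE = re.compile(r"\s*\[(?P<info>[^\]]*)\]\s*$")   # trailing "[date size]" or "[?]"
IMAGE_RE = re.compile(r'^"?(?P<image>.*?\.(?:exe|sys|dll))"?(?:\s|$)', re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
EXPECTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ServiceEntry:
    state: str                 # "R" running or "S" stopped
    start_type: int            # 0 boot, 1 system, 2 automatic, 3 manual
    name: str
    display: str
    image_path: str            # normalized, lower-case
    file_info: Optional[str]   # text inside the trailing [...], None if absent
    flags: List[str] = field(default_factory=list)


def normalize_path(path: str) -> str:
    # \\.\globalroot\SystemRoot\... is an NT-namespace alias for C:\windows\...;
    # AVG reported the svchost.exe in the opening post with that alias, so fold
    # it onto the plain drive path before comparing entries.
    p = path.strip().strip('"').lower()
    if p.startswith("\\\\.\\globalroot"):
        p = p[len("\\\\.\\globalroot"):]
    for alias in ("\\systemroot", "%systemroot%"):
        if p.startswith(alias):
            p = "c:\\windows" + p[len(alias):]   # assumes Windows at C:\windows
    return p


def review_flags(entry: ServiceEntry) -> List[str]:
    # Heuristics that mark an entry for a closer look; a flag is not a verdict.
    flags = []
    if TEMP_DIR_RE.search(entry.image_path):
        flags.append("image path under a temp directory")
    if entry.file_info == "?":
        flags.append("file info unavailable ([?])")
    if not entry.image_path.startswith(EXPECTED_ROOTS):
        flags.append("image path outside Windows and Program Files")
    return flags


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    info = None
    im = INFO_RE.search(rest)
    if im:
        info = im.group("info")
        rest = rest[: im.start()]
    # DDS writes "<registry value> --> <resolved command>"; keep the registry side.
    command = rest.split(" --> ")[0].strip()
    img = IMAGE_RE.match(command)
    image = normalize_path(img.group("image") if img else command)
    entry = ServiceEntry(m.group("state"), int(m.group("start")), m.group("name"),
                         m.group("display"), image, info)
    entry.flags = review_flags(entry)
    return entry


def parse_services(text: str) -> List[ServiceEntry]:
    return [e for e in (parse_service_line(ln) for ln in text.splitlines()) if e]


def flagged_services(text: str) -> List[ServiceEntry]:
    return [e for e in parse_services(text) if e.flags]


if __name__ == "__main__":
    for e in parse_services(SAMPLE_SERVICES):
        print(f"{e.state}{e.start_type} {e.name:<14} {e.image_path}" + ("  <- review" if e.flags else ""))
        for f in e.flags:
            print(f"      - {f}")
```

Run on the sample, only the AMService line is flagged (temp-directory image plus `[?]`); the Malwarebytes entries and the srvany-hosted service pass every heuristic. A flag is a prompt to ask the poster what the entry is, the way the helper later asks about the Polish program names, not a reason to delete anything on its own.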
 
2nd DDS log:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows 7 Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 2009-12-18 10:52:59
System Uptime: 2012-05-12 13:22:51 (1 hours ago)
.
Motherboard: LENOVO | | NITU1
Processor: Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz | U2E1 | 2200/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 253 GiB total, 90,503 GiB free.
D: is FIXED (NTFS) - 30 GiB total, 1,193 GiB free.
E: is CDROM ()
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4d36e971-e325-11ce-bfc1-08002be10318}
Description: Deskjet F4500 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
Class GUID: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Description: Deskjet F4500 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: Deskjet F4500 series
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
Description: BCM2046 Bluetooth Module
Device ID: USB\VID_0A5C&PID_2150\0C6076B87F81
Manufacturer: Broadcom
Name: BCM2046 Bluetooth Module
PNP Device ID: USB\VID_0A5C&PID_2150\0C6076B87F81
Service: BTHUSB
.
==== System Restore Points ===================
.
RP540: 2012-04-23 15:22:20 - Zaplanowany punkt kontrolny
RP542: 2012-04-25 15:35:23 - Avg Update
RP544: 2012-04-27 12:00:34 - Windows Live Essentials
RP546: 2012-04-27 12:01:15 - Zainstalowany program DirectX
RP548: 2012-04-27 12:01:40 - Zainstalowany program DirectX
RP549: 2012-04-27 12:02:12 - WLSetup
RP551: 2012-05-06 19:43:30 - Revo Uninstaller's restore point - Worms 2
RP552: 2012-05-10 06:49:47 - Windows Update
RP553: 2012-05-10 06:58:12 - Windows Update
RP554: 2012-05-10 18:50:04 - Windows Update
.
==== Installed Programs ======================
.
1-abc.net Password Organizer (Remove only)
32 Bit HP CIO Components Installer
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 9.5.1 - Polish
Adobe Shockwave Player 11.5
ALPS Touch Pad Driver
Anki
Archiwizator WinRAR
Ashampoo Burning Studio 2010 Advanced
Audacity 1.2.6
AVG 9.0
Broadcom Gigabit Integrated Controller
BufferChm
Conexant HD Audio
Cool Edit Pro 2.1
Copy
D3DX10
DAEMON Tools Lite
Definition Update for Microsoft Office 2010 (KB982726) 32-Bit Edition
Destinations
DeviceDiscovery
DivX Setup
DJ_AIO_06_F4500_SW_MIN
Dropbox
EasyCapture
Energy Management
F4500
FileZilla Client 3.3.3
Gadu-Gadu 10
Galeria fotografii usługi Windows Live
GIMP 2.6.9
GOM Player
GPBaseService2
GSM 1.1.4.2
GST 2.3.8.4
Guitar Pro 5.2
Hiszpański - Mówisz I rozumiesz
Hotfix for Microsoft .NET Framework 4 Client Profile (KB2461678)
HP Deskjet F4500 All-in-One Driver Software 14.0 Rel. 6
HP Imaging Device Functions 14.0
HP Solution Center 14.0
HPPhotoGadget
HPProductAssistant
Intel® Matrix Storage Manager
InterVideo DeviceService
Java Auto Updater
Java(TM) 6 Update 29
LAME v3.98.2 for Audacity
Lenovo Bluetooth with Enhanced Data Rate Software
Lenovo EasyCamera
Lenovo OneKey Recovery
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Client Profile PLK Language Pack
Microsoft Application Error Reporting
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft Office 2010 Language Pack Service Pack 1 (SP1)
Microsoft Office 2010 Service Pack 1 (SP1)
Microsoft Office Access MUI (English) 2010
Microsoft Office Access MUI (Polish) 2010
Microsoft Office Access Setup Metadata MUI (English) 2010
Microsoft Office Excel MUI (English) 2010
Microsoft Office Excel MUI (Polish) 2010
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2010
Microsoft Office Groove MUI (Polish) 2010
Microsoft Office InfoPath MUI (English) 2010
Microsoft Office InfoPath MUI (Polish) 2010
Microsoft Office Language Pack 2010 - Polish/Polski
Microsoft Office O MUI (Polish) 2010
Microsoft Office OneNote MUI (English) 2010
Microsoft Office OneNote MUI (Polish) 2010
Microsoft Office Outlook MUI (English) 2010
Microsoft Office Outlook MUI (Polish) 2010
Microsoft Office PowerPoint MUI (English) 2010
Microsoft Office PowerPoint MUI (Polish) 2010
Microsoft Office Professional Plus 2010
Microsoft Office Proof (English) 2010
Microsoft Office Proof (French) 2010
Microsoft Office Proof (German) 2010
Microsoft Office Proof (Polish) 2010
Microsoft Office Proof (Spanish) 2010
Microsoft Office Proofing (English) 2010
Microsoft Office Proofing (Polish) 2010
Microsoft Office Publisher MUI (English) 2010
Microsoft Office Publisher MUI (Polish) 2010
Microsoft Office Shared MUI (English) 2010
Microsoft Office Shared MUI (Polish) 2010
Microsoft Office Shared Setup Metadata MUI (English) 2010
Microsoft Office SharePoint Designer MUI (Polish) 2010
Microsoft Office Visio 2010
Microsoft Office Visio MUI (Polish) 2010
Microsoft Office Word MUI (English) 2010
Microsoft Office Word MUI (Polish) 2010
Microsoft Office X MUI (Polish) 2010
Microsoft SharePoint Designer 2010 Service Pack 1 (SP1)
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visio 2010 Service Pack 1 (SP1)
Microsoft Visio Professional 2002 [English]
Microsoft Visio Professional 2010
Microsoft Visio Viewer 2002
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WSE 3.0 Runtime
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Network
NokiaFREE Unlock Codes Calculator
NVIDIA Drivers
Opera 11.62
Pajączek 5 NxG PRO - Deinstalacja
Podstawowe programy Windows Live
Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile
QT Lite 4.1.0
Real Alternative 2.0.2
Realtek USB 2.0 Card Reader
Revo Uninstaller 1.85
SAGEM F@st 800-840
Samsung Kies
Samsung Mobile phone USB driver Drive Software
SAMSUNG USB Driver for Mobile Phones
Scan
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft Excel 2010 (KB2597166) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2553091)
Security Update for Microsoft Office 2010 (KB2553096)
Security Update for Microsoft Office 2010 (KB2553371) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2589320) 32-Bit Edition
Security Update for Microsoft Office 2010 (KB2598039) 32-Bit Edition
Security Update for Microsoft PowerPoint 2010 (KB2553185) 32-Bit Edition
Security Update for Microsoft SharePoint Workspace 2010 (KB2566445)
Security Update for Microsoft Visio 2010 (KB2553374) 32-Bit Edition
Security Update for Microsoft Visio Viewer 2010 (KB2597981) 32-Bit Edition
Security Update for Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile (KB2518870)
Składniki łączności pakietu Microsoft Office Small Business
Skype™ 5.5
SolutionCenter
Status
Super Mario 3 : Mario Forever
SuperMemo UX - Hiszpański. No hay problema!+ 1
SuperMemo UX - Hiszpański. No hay problema!+ 2
SuperMemo UX - Hiszpański. No hay problema!+ 3
System Requirements Lab CYRI
Toolbox
Total Commander (Remove or Repair)
TrayApp
Ubuntu
Ulead VideoStudio 11
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft Office 2010 (KB2494150)
Update for Microsoft Office 2010 (KB2553065)
Update for Microsoft Office 2010 (KB2553092)
Update for Microsoft Office 2010 (KB2553181) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553267) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553270) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553310) 32-Bit Edition
Update for Microsoft Office 2010 (KB2553385) 32-Bit Edition
Update for Microsoft Office 2010 (KB2566458)
Update for Microsoft Office 2010 (KB2596964) 32-Bit Edition
Update for Microsoft Office 2010 (KB2597091) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2553290) 32-Bit Edition
Update for Microsoft OneNote 2010 (KB2589345) 32-Bit Edition
Update for Microsoft Outlook 2010 (KB2553248) 32-Bit Edition
Update for Microsoft Outlook Social Connector 2010 (KB2553406) 32-Bit Edition
VC80CRTRedist - 8.0.50727.4053
VideoStudio
Vividas Player Plugin v4.1
WebReg
Windows Live Communications Platform
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Common
Windows Live Photo Gallery
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Sync
Windows Live UX Platform
Windows Live UX Platform Language Pack
WorldUnlock Codes Calculator
Worms 2
.
==== End Of File ===========================
 
GMER log:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-05-12 15:09:55
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: gmer.exe; Driver: C:\Users\MIRO\AppData\Local\Temp\aftciaod.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\iaStor \Device\Ide\iaStor0 [8BCBA360] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8BCBA360] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8BCBA360] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device 85D611F8
Device Ntfs.sys (Sterownik systemu plików NT/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
 
Thanks a lot for your interest and willingness to help. It is starting to make me nervous, as the Resident Shield keeps telling me about new Trojans. I also need my computer as I am finishing my thesis - I have a backup on Dropbox, but I don't really have another machine to do it on.
Well, thanks again and I am waiting for some instructions. Have a nice day!
 
Once we find and remove the malware, hopefully we can get the setting back to normal.

Can you translate or tell me what these are, please:
Hiszpański - Mówisz I rozumiesz
Pajączek 5 NxG PRO - Deinstalacja
Podstawowe programy Windows Live
Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile
===============================================
I see you have Combofix on the system: 2012-05-11 21:11:20 -------- d-s---w- C:\ComboFix
IF you uninstalled AVG first, then ran a scan: update, run a new scan and leave the new log.
IF you did NOT uninstall AVG first and turn any other security off for the scan, please follow directions below:

To uninstall Combofix, then reinstall to run, do this:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.

You will need to temporarily uninstall AVG as Combofix will not run with it and we cannot disable AVG for the scan, please do as follows:

Download AppRemover and save to the desktop
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
  5. Click on Next after choice has been made
  6. Check the AVG program you want to uninstall
  7. After uninstall shows complete, follow online prompts to Exit the program.
Temporary AV: Use one:
Microsoft Security Essentials
Comodo AV
Avast! Free Antivirus


============================================

  • Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • If prompted for Recovery Console, please allow.
    • Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close any open browsers.
  • Before you run the Combofix scan, please disable any security software you have running.
    (If you need help with this, please see HERE)
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===============================================
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESET Online Scan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer:
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
======================================
Please leave both logs in your next reply.
 
Those phrases are:
Hiszpański - Mówisz I rozumiesz -> Spanish learning program
Pajączek 5 NxG PRO - Deinstalacja -> Uninstaller of a program for making web pages in HTML
Podstawowe programy Windows Live -> Basic Windows Live Programs
Polski pakiet językowy dla programu Microsoft .NET Framework 4 Client Profile -> Polish language package for Microsoft .NET Framework 4 Client Profile


About the AV - do I have to delete it and then install e.g. MS Security Essentials? Or delete AVG, run Combofix and then install MS SE? I have to be offline while doing it, right?
 
Also, Combofix /Uninstall in the Run box doesn't work - it says it cannot find it. I have a Combofix folder in C:, but when I attempt to enter it, it brings me back to My Computer.
Combofix also isn't in the Windows Uninstall list (I'm not sure if it should normally be there).
 
Okay, I'll delete the old Combofix directory from the Registry. You may have partly uninstalled it when you did so previously.

As for handling the AV.

Step 1: Download the AppRemover and save it to the desktop> don't run yet.
Step 2: Download whichever temporary AV you want to use while AVG is off the system> don't run yet
Step 3: Download Combofix and save to the desktop> don't run yet

Step 4: Go to File> Click on Work Offline> Double click to run the AppRemover and remove AVG
Step 5: Then double click on the new AV to run>>Note: it will not update since you are off line
Step 6: Go to File> Uncheck Work Offline

Step 7: Double click on Combofix to install. Before you run the scan itself, disable the AV.
 
Combofix finished its work. It took a very long time, but it repaired the wallpaper problem. This is the log:

ComboFix 12-05-12.01 - MIRO 2012-05-12 23:18:49.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1250.48.1045.18.3037.2294 [GMT 2:00]
Uruchomiony z: c:\users\MIRO\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Usunięto )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB36054$\3154194647\@
c:\windows\$NtUninstallKB36054$\3154194647\cfg.ini
c:\windows\$NtUninstallKB36054$\3154194647\Desktop.ini
c:\windows\$NtUninstallKB36054$\3154194647\L\xadqgnnk
c:\windows\$NtUninstallKB36054$\3154194647\twl.dll
c:\windows\$NtUninstallKB36054$\3154194647\U\00000001.@
c:\windows\$NtUninstallKB36054$\3154194647\U\00000002.@
c:\windows\$NtUninstallKB36054$\3154194647\U\00000004.@
c:\windows\$NtUninstallKB36054$\3154194647\U\80000000.@
c:\windows\$NtUninstallKB36054$\3154194647\U\80000004.@
c:\windows\$NtUninstallKB36054$\3154194647\U\80000032.@
c:\windows\$NtUninstallKB36054$\3154194647\version
c:\windows\$NtUninstallKB36054$\3363730420
c:\windows\IsUn0415.exe
c:\windows\pkunzip.pif
c:\windows\pkzip.pif
c:\windows\system32\6to4.dll
c:\windows\system32\aavmker4.dll
c:\windows\system32\anbmservice.dll
c:\windows\system32\appnnode.dll
c:\windows\system32\automate6.dll
c:\windows\system32\bdfsfltr.dll
c:\windows\system32\BlueSoleilCS.dll
c:\windows\system32\bthidenum.dll
c:\windows\system32\citrixwmiservice.dll
c:\windows\system32\comhost.dll
c:\windows\system32\ctxcpuusync.dll
c:\windows\system32\DC21x4.dll
c:\windows\system32\DCamUSBMke.dll
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\emu10k.dll
c:\windows\system32\hidusb.dll
c:\windows\system32\hkmsvc.dll
c:\windows\system32\httpfilter.dll
c:\windows\system32\https-nassry.dll
c:\windows\system32\iam.dll
c:\windows\system32\id2scaps.dll
c:\windows\system32\idechndr.dll
c:\windows\system32\inetaccs.dll
c:\windows\system32\ipassconnectengine.dll
c:\windows\system32\irbus.dll
c:\windows\system32\lxbt_device.dll
c:\windows\system32\MASPINT.dll
c:\windows\system32\mbmiodrvr.dll
c:\windows\system32\megamonitorsrv.dll
c:\windows\system32\msdtc.dll
c:\windows\system32\mssql$sony_mediamgr.dll
c:\windows\system32\mstdc.dll
c:\windows\system32\muzapp.exe
c:\windows\system32\ndiscm.dll
c:\windows\system32\Ndisipo.dll
c:\windows\system32\NETw3v32.dll
c:\windows\system32\NETw5x32.dll
c:\windows\system32\NVENET.dll
c:\windows\system32\osanbm.dll
c:\windows\system32\ossrv.dll
c:\windows\system32\ownershipprotocol.dll
c:\windows\system32\proxyhostmirrordisplay.dll
c:\windows\system32\qbreminderflash.dll
c:\windows\system32\roxupnprenderer.dll
c:\windows\system32\savscan.dll
c:\windows\system32\scarddrv.dll
c:\windows\system32\smtpd32.dll
c:\windows\system32\ssisvr32.dll
c:\windows\system32\sthda.dll
c:\windows\system32\StkAMini.dll
c:\windows\system32\symappcore.dll
c:\windows\system32\sympxsvc.dll
c:\windows\system32\tapeware.dll
c:\windows\system32\teefer2.dll
c:\windows\system32\toscosrv.dll
c:\windows\system32\trayman.dll
c:\windows\system32\tvalz.dll
c:\windows\system32\VC6SecS.dll
c:\windows\system32\vcsw.dll
c:\windows\system32\W55U01.dll
c:\windows\system32\WacomVKHid.dll
c:\windows\system32\windrvNT.dll
c:\windows\system32\wlancig.dll
c:\windows\system32\wmpnetworksvc.dll
c:\windows\system32\ZSMC211.dll
c:\windows\system32\ZuneWlanCfgSvc.dll
c:\windows\UA000088.DLL
.
Zainfekowana kopia c:\windows\system32\drivers\netbt.sys została znaleziona. Problem naprawiono
Plik odzyskano z - The cat found it :)
c:\windows\system32\drivers\tdx.sys - brakowało pliku
Plik odzyskano z - c:\windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys
.
.
((((((((((((((((((((((((((((((((((((((( Sterowniki/Usługi )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_aclient
-------\Service_admservice
-------\Service_ageresoftmodem
-------\Service_akshhl
-------\Service_AmeLanPc
-------\Service_AMService
-------\Service_ARPolicy
-------\Service_atitool
-------\Service_bt
-------\Service_btwmodem
-------\Service_cdudf_xp
-------\Service_cfosspeed
-------\Service_delldmi
-------\Service_dlaudf_m
-------\Service_EhttpSrv
-------\Service_elnkservice
-------\Service_Epiusb
-------\Service_epsonbidirectionalservice
-------\Service_F700imd
-------\Service_genregistrar
-------\Service_grmnusb
-------\Service_gv3
-------\Service_GVCplDrv
-------\Service_imagesrv
-------\Service_Intels51
-------\Service_iteatapi
-------\Service_ixiaendpoint
-------\Service_L8042Kbd
-------\Service_M3AD
-------\Service_modemcsa
-------\Service_mssql$sqlexpress
-------\Service_MXOFX
-------\Service_nbservice
-------\Service_nisvcloc
-------\Service_nsm1mdfl
-------\Service_OEM02Vfx
-------\Service_olregcap
-------\Service_oracleorahome811cman
-------\Service_osaio
-------\Service_ownershipprotocol
-------\Service_PAR1284
-------\Service_PCDCODEC
-------\Service_Pctspk
-------\Service_prevxdriver
-------\Service_psadd
-------\Service_regsrvc
-------\Service_rvsinst
-------\Service_sagefserver
-------\Service_SaiU040B
-------\Service_savrtpel
-------\Service_SE2Dmdm
-------\Service_se45obex
-------\Service_SNC
-------\Service_spsslm
-------\Service_steamdvr
-------\Service_tpkd
-------\Service_usbcm
-------\Service_wg5n
-------\Service_WLAN_USB
-------\Service_xusb21
-------\Service_yukonwlh
-------\Service_z800mdfl
-------\Service_ZSMC211
-------\Service_OVT511Plus
-------\Service_WINFLASH
.
.
((((((((((((((((((((((((( Pliki utworzone od 2012-04-12 do 2012-05-12 )))))))))))))))))))))))))))))))
.
.
.
.
.
(((((((((((((((((((((((((((((((((((((((( Sekcja Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-09 20:55 . 2012-04-01 20:49 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-09 20:55 . 2011-06-17 05:48 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 10:02 . 2010-06-24 10:33 19352 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-03-23 19:19 . 2012-04-11 19:17 761152 ----a-w- c:\windows\system32\msvcr100.dll
2012-03-08 16:50 . 2012-03-08 16:50 49016 ----a-w- c:\windows\system32\sirenacm.dll
2012-03-08 16:37 . 2012-03-08 16:37 302448 ----a-w- c:\windows\WLXPGSS.SCR
2012-03-01 05:46 . 2012-04-12 19:50 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37 . 2012-04-12 19:50 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33 . 2012-04-12 19:50 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 19:50 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18 . 2012-04-12 19:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 19:55 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 19:55 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 19:55 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-17 05:34 . 2012-03-13 18:53 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-13 18:53 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-13 18:53 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-14 10:09 . 2012-02-14 10:09 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
.
.
((((((((((((((((((((((((((((((((((((( Wpisy startowe rejestru ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Uwaga* puste wpisy oraz domyślne, prawidłowe wpisy nie są pokazane
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 123536 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MIRO\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MIRO\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\MIRO\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-06-04 186904]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2008-03-26 163840]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-27 13797920]
"EnergyUtility"="c:\program files\Lenovo\Energy Management\utility.exe" [2009-07-15 4081480]
"Energy Management"="c:\program files\Lenovo\Energy Management\Energy Management.exe" [2009-06-25 5064520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\Lenovo\Bluetooth Software\BTTray.exe [2009-7-1 795936]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer5"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^MIRO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Bitcoin.lnk]
path=c:\users\MIRO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bitcoin.lnk
backup=c:\windows\pss\Bitcoin.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^MIRO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\users\MIRO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^MIRO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2010 Screen Clipper and Launcher.lnk]
path=c:\users\MIRO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2010 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2010 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^MIRO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Pajączek NxG Updater.exe]
path=c:\users\MIRO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Pajączek NxG Updater.exe
backup=c:\windows\pss\Pajączek NxG Updater.exe.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeriFaceManager
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 09:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 13:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boxoft Tools]
2010-11-19 11:02 2590208 ----a-w- c:\programdata\Boxtools\Boxofttoolbox.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2010-06-03 00:50 1144104 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesHelper]
2011-01-29 21:11 888120 ----a-w- c:\program files\Samsung\Kies\KiesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesPDLR]
2011-04-27 13:02 13824 ----a-w- c:\program files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KiesTrayAgent]
2011-01-29 21:11 3372856 ----a-w- c:\program files\Samsung\Kies\KiesTrayAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-04-04 13:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2012-03-08 16:50 4280184 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfficeSyncProcess]
2011-07-21 22:07 718720 ----a-w- c:\program files\Microsoft Office\Office14\MSOSYNC.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 11:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
2007-09-12 11:17 340136 ----a-w- c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ELOADER;General Purpose USB Driver (adildr.sys);c:\windows\system32\Drivers\adildr.sys [2007-02-07 56088]
R2 KMService;KMService;c:\windows\system32\srvany.exe [2011-12-11 8192]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-04-07 29472]
R3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [x]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.SYS [2009-12-22 36640]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-07-13 229888]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2011-06-12 31125880]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-05-14 4231680]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-07-30 171520]
R3 RtsUIR;Realtek IR Driver;c:\windows\system32\DRIVERS\Rts516xIR.sys [x]
R3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\DRIVERS\ss_bbus.sys [2010-12-21 98432]
R3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\DRIVERS\ss_bmdfl.sys [2010-12-21 14848]
R3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\DRIVERS\ss_bmdm.sys [2010-12-21 123648]
R3 ss_bserd;SAMSUNG USB Mobile Logging Driver;c:\windows\system32\DRIVERS\ss_bserd.sys [2010-12-21 100224]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-12-26 691696]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2011-07-19 218688]
S1 funfrm;funfrm; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2012-03-06 57688]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2010-01-20 23136]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 NETw5s32;Sterownik karty Intel(R) Wireless WiFi Link dla systemu Windows 7 32 Bit;c:\windows\system32\DRIVERS\NETw5s32.sys [2009-09-15 6114816]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2009-06-26 66080]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ SSDPSRV upnphost SCardSvr TBS FontCache fdrespub AppIDSvc QWAVE wcncsvc SensrSvc Mcx2Svc
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
OVT511Plus
WINFLASH
.
.
------- Skan uzupełniający -------
.
uStart Page = about:blank
mStart Page = about:blank
IE: E&ksport do programu Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: E&ksportuj do programu Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: Wyślij obraz do urządzenia &Bluetooth... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Wyślij stronę do urządzenia &Bluetooth... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/games/hamsterball/en/raptisoftgameloader.cab
DPF: {721700FE-7F0E-49C5-BDED-CA92B7CB1245} - hxxp://87.116.199.52/camclictrl.cab
DPF: {EF991872-9158-4570-A7FF-E7DBB6A4B8E9} - hxxp://217.96.52.154:82/iqweb.ocx
DPF: {F9F6A5CD-76C1-4BE7-8F49-5D4183F9FAC5} - hxxps://www.otineo.com/resources/com.otineo.survey.ui.personal.softphone.SoftphonePanel/OtineoSoftphone.cab
.
- - - - USUNIĘTO PUSTE WPISY - - - -
.
Toolbar-Locked - (no file)
SafeBoot-MCODS
MSConfigStartUp-ALLUpdate - c:\program files\ALLPlayer\ALLUpdate.exe
MSConfigStartUp-cacaoweb - c:\users\MIRO\AppData\Roaming\cacaoweb\cacaoweb.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
AddRemove-SuperMemo UX - Hiszpański. No hay problema!+ 1 - c:\windows\IsUn0415.exe
AddRemove-SuperMemo UX - Hiszpański. No hay problema!+ 2 - c:\windows\IsUn0415.exe
AddRemove-SuperMemo UX - Hiszpański. No hay problema!+ 3 - c:\windows\IsUn0415.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\SAMSUNG\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\SAMSUNG\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\SAMSUNG\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\SAMSUNG\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\SAMSUNG\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\SAMSUNG\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\SAMSUNG\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-24_flashusbdriver - c:\program files\Samsung\USB Drivers\24_flashusbdriver\Uninstall.exe
AddRemove-25_escape - c:\program files\Samsung\USB Drivers\25_escape\Uninstall.exe
.
.
.
--------------------- ZABLOKOWANE KLUCZE REJESTRU ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- Pliki DLL ładowane pod uruchomionymi procesami ---------------------
.
- - - - - - - > 'Explorer.EXE'(3728)
c:\users\MIRO\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Czas ukończenia: 2012-05-13 00:59:02 - komputer został uruchomiony ponownie
.
Przed: 112 608 178 176 bajtów wolnych
Po: 112 514 482 176 bajtów wolnych
.
 
As for the online scan, I'm performing it now, but it's going to take some time and it is quite late, so I'll try to post it ASAP.
 
ESET ONLINE SCAN log is as follows:

C:\Qoobox\Quarantine\C\Windows\system32\anbmservice.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\system32\idechndr.dll.vir Win32/Sirefef.ER trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir Win32/Sirefef.DA trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir_ Win32/Sirefef.DA trojan
C:\Users\MIRO\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\50\2357adf2-4a6d6358 a variant of OSX/Exploit.Smid.D trojan
C:\Users\MIRO\Documents\instalki\Microsoft.Office.2010.ProfessionalPlus.Final.VL.Edition.x86-ZWTiSO\activator.rar a variant of Win32/HackKMS.A application
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.1.7601.17514_none_626c324d55864070\netbt.sys Win32/Sirefef.DA trojan
C:\Windows\winsxs\x86_microsoft-windows-tdi-over-tcpip_31bf3856ad364e35_6.1.7601.17514_none_ec4532373a57c1c2\tdx.sys a variant of Win32/Sirefef.DA trojan
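The ComboFix and ESET logs above show the pattern a ZeroAccess/Sirefef infection leaves on a Windows 7 driver set: a patched netbt.sys in System32\drivers and a missing tdx.sys, both replaced from the WinSxS component store, after which the scanner also flagged the store copies themselves. A defender who wants to check for that pattern directly can compare each live driver against its store copies and record its Authenticode status. The PowerShell script below is an added example, not from this thread and not part of ComboFix, ESET or any other tool mentioned here; it assumes the standard Windows paths (System32\drivers and winsxs under %SystemRoot%) and an elevated prompt, and it uses .NET for hashing so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from this thread or any tool it mentions): compare every
# kernel driver in System32\drivers with the copies Windows keeps in the WinSxS
# component store, and record each driver's Authenticode status.
# Assumes an elevated PowerShell prompt; both paths are the Windows defaults.
param(
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
    [string]$WinSxS    = (Join-Path $env:SystemRoot 'winsxs')
)

function Get-Sha256Hex {
    # SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Get-WinSxSIndex {
    # One pass over the component store: file name (lower case) -> list of full paths.
    # Enumerating winsxs is slow; doing it once here avoids one walk per driver.
    param([string]$Root)
    $index = @{}
    Get-ChildItem -Path $Root -Recurse -Filter '*.sys' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_.Name.ToLower()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $_.FullName
        }
    $index
}

function Get-DriverIntegrityReport {
    param([string]$DriverDir, [string]$WinSxS)
    $sxs = Get-WinSxSIndex -Root $WinSxS
    foreach ($drv in Get-ChildItem -Path $DriverDir -Filter '*.sys') {
        $key      = $drv.Name.ToLower()
        $liveHash = Get-Sha256Hex -Path $drv.FullName
        $sig      = Get-AuthenticodeSignature -FilePath $drv.FullName
        $signer   = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        # All store copies with the same file name; the live file should match one of them.
        $copies = @()
        if ($sxs.ContainsKey($key)) { $copies = @($sxs[$key]) }
        $copyHashes = @($copies | ForEach-Object { Get-Sha256Hex -Path $_ })

        New-Object PSObject -Property @{
            Driver       = $drv.Name
            LiveHash     = $liveHash
            SigStatus    = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer       = $signer
            StoreCopies  = $copies.Count
            MatchesStore = ($copyHashes -contains $liveHash)
        }
    }
}

$report = Get-DriverIntegrityReport -DriverDir $DriverDir -WinSxS $WinSxS

# Drivers worth a closer look: a store copy exists but none matches the live file,
# or the live file's embedded signature no longer matches its contents.
$suspect = $report | Where-Object {
    ($_.StoreCopies -gt 0 -and -not $_.MatchesStore) -or $_.SigStatus -eq 'HashMismatch'
}

$report  | Sort-Object Driver | Format-Table Driver, SigStatus, StoreCopies, MatchesStore -AutoSize
"--- drivers to review ({0}) ---" -f @($suspect).Count
$suspect | Sort-Object Driver | Format-Table Driver, SigStatus, LiveHash -AutoSize
```

Two caveats on reading the output. On older PowerShell versions, including the one on Windows 7, Get-AuthenticodeSignature does not consult security catalogs, so most Microsoft drivers (which are catalog-signed, not embedded-signed) report NotSigned; that status alone is therefore not a finding here, which is why the filter only acts on HashMismatch and on a store mismatch. And a match with the store is not proof that a file is clean: the ESET log above flagged the winsxs copies of netbt.sys and tdx.sys as well, so any driver the script lists, and any driver whose only reference copy sits in a store you cannot trust, belongs with a scanner and with the supported repair path (sfc /scannow), not with manual replacement.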
 
There are quite a few irregularities on this system in addition to the ZeroAccess Rootkit. Additionally, Microsoft Office 2010 ProfessionalPlus Final VL Edition has been pirated. There are entries for professional surveillance cameras.

Please run the following:
Download CKScanner and save to your desktop.
  • Double-click CKScanner.exe and click Search For Files.
  • When the cursor hourglass disappears, click Save List To File.
  • A message box will verify that the file is saved.
  • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.
=======================================================
Please download WVCheck from one of the following Links:
Latest EXE download
Latest ZIP Download
  • Double click WVCheck.exe. (If you downloaded the zipped version you will need to extract it.)
  • As indicated by the prompt, this program can take a while depending on your hard drive space.
  • Once the program is done, copy the contents of the notepad file as a reply.
=====================================================

Follow with
Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
 
CKScanner log:

CKScanner - Additional Security Risks - These are not necessarily bad
c:\program files\cream software\pajaczek 5 nxg\docs\php\function.crack-check.html
c:\program files\cream software\pajaczek 5 nxg\docs\php\function.crack-closedict.html
c:\program files\cream software\pajaczek 5 nxg\docs\php\function.crack-getlastmessage.html
c:\program files\cream software\pajaczek 5 nxg\docs\php\function.crack-opendict.html
c:\program files\cream software\pajaczek 5 nxg\docs\php\function.mhash-keygen-s2k.html
c:\program files\cream software\pajaczek 5 nxg\docs\php\ref.crack.html
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
c:\program files\rockstar games\gta sa\data\decision\craig\crack1.ped
c:\users\miro\appdata\local\opera\opera\icons\crackedscripts.com.idx
c:\users\miro\appdata\local\opera\opera\icons\http%3a%2f%2fwww.cracked.com%2ffavicon.ico
c:\users\miro\appdata\local\opera\opera\icons\www.cracked.com.idx
c:\users\miro\appdata\roaming\cream software\pajaczek-crack.exe
c:\users\miro\appdata\roaming\cream software\pajaczek 5 nxg\settings\pajaczek-crack.exe
c:\users\miro\appdata\roaming\cream software\pajaczek_pro_full\pajaczek-crack.exe
c:\users\miro\desktop\cool.edit.pro.v2.1.winall.with.user.manual.incl.crack-ror.zip
c:\users\miro\documents\instalki\pajaczek_pro_full\pajaczek-crack.exe
scanner sequence 3.HH.11.WIAPBT
----- EOF -----


WVCheck log


Windows Validation Check
Version: 1.9.12.5
Log Created On: 2251_15-05-2012
-----------------------

Windows Information
-----------------------
Windows Version: Windows 7 Service Pack 1
Windows Mode: Normal
Systemroot Path: C:\windows

WVCheck's Auto Update Check
-----------------------
Auto-Update Option: Download updates and install them automatically.
-----------------------
Last Success Time for Update Detection: 2012-05-14 19:38:58
Last Success Time for Update Download: 2012-05-10 05:01:49
Last Success Time for Update Installation: 2012-05-10 16:56:37


WVCheck's Registry Check Check
-----------------------
Antiwpa: Not Found
-----------------------
Chew7Hale: Not Found
-----------------------


WVCheck's File Dump
-----------------------
C:\Windows\System32\slwga.dll
Size: 14336 bytes
Creation; 8/7/2011 19:44:25
Modification; 20/11/2010 13:21:24
MD5; 19f75d71e4256f5113d64ce2bb66b838
Matched: slwga.dll
-----------------------
C:\Windows\winsxs\x86_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16385_none_ff27e02604a90885\slwga.dll
Size: 13824 bytes
Creation; 14/7/2009 1:36:22
Modification; 14/7/2009 3:16:15
MD5; 01fe4bdd0b47a7d8bf34d78d2bc23ddb
Matched: slwga.dll
-----------------------
C:\Windows\winsxs\x86_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.16723_none_ff66c6b2047a22cd\slwga.dll
Size: 14336 bytes
Creation; 9/2/2011 18:55:26
Modification; 21/12/2010 6:38:16
MD5; 2008845b41d561fb77b77bbe0045099e
Matched: slwga.dll
-----------------------
C:\Windows\winsxs\x86_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7600.20862_none_ffc423831db91904\slwga.dll
Size: 14336 bytes
Creation; 9/2/2011 18:55:26
Modification; 21/12/2010 6:29:6
MD5; 2332de32759ebcc691850e092b2564a6
Matched: slwga.dll
-----------------------
C:\Windows\winsxs\x86_microsoft-windows-security-spp-wga_31bf3856ad364e35_6.1.7601.17514_none_0158f3ee01978c1f\slwga.dll
Size: 14336 bytes
Creation; 8/7/2011 19:44:25
Modification; 20/11/2010 13:21:24
MD5; 19f75d71e4256f5113d64ce2bb66b838
Matched: slwga.dll
-----------------------


WVCheck's Dir Dump
-----------------------
WVCheck found no known bad directories.


WVCheck's Missing File Check
-----------------------
WVCheck found no missing Windows files.


WVCheck's MBAM Quarantine Check
-----------------------
There were no bad files quarantined by MBAM.


WVCheck's HOSTS File Check
-----------------------
WVCheck found no bad lines in the hosts file.


WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - f1dd3acaee5e6b4bbc69bc6df75cef66


-------- End of File, program close at 2253_15-05-2012 --------
 
MGA log


Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-JKHXW-D9W83-FJQKD
Windows Product Key Hash: AYaBykmfTHUVW5whGaYMeVJn0/U=
Windows Product ID: 00359-OEM-8992687-00249
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010300.1.0.003
ID: {6B12883C-82E8-4A63-B530-F729706C2593}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Home Premium
Architecture: 0x00000000
Build lab: 7601.win7sp1_gdr.120330-1504
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 100 Genuine
Microsoft Visio Professional 2002 [English] - 100 Genuine
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: B4D0AA8B-604-645_B4D0AA8B-604-645_B4D0AA8B-604-645_025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{6B12883C-82E8-4A63-B530-F729706C2593}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010300.1.0.003</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-FJQKD</PKey><PID>00359-OEM-8992687-00249</PID><PIDType>2</PIDType><SID>S-1-5-21-1180046307-1035285381-2495186085</SID><SYSTEM><Manufacturer>LENOVO</Manufacturer><Model>20023 </Model></SYSTEM><BIOS><Manufacturer>LENOVO</Manufacturer><Version>18CN37WW(V2.10) </Version><SMBIOSVersion major="2" minor="5"/><Date>20090918000000.000000+000</Date></BIOS><HWID>EB153507018400F8</HWID><UserLCID>0415</UserLCID><SystemLCID>0415</SystemLCID><TimeZone>Środkowoeuropejski czas stand.(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>LENOVO</OEMID><OEMTableID>CB-01 </OEMTableID></OEM><GANotification><File Name="OGAAddin.dll" Version="1.7.105.35"/></GANotification></MachineData><Software><Office><Result>100</Result><Products><Product GUID="{90510409-6D54-11D4-BEE3-00C04F990354}"><LegitResult>100</LegitResult><Name>Microsoft Visio Professional 2002 [English]</Name><Ver>10</Ver><Val>B07727A4C4B404C</Val><Hash>g7TU5cpk8XGUieJuay8QbOa4AXk=</Hash><Pid>54079-640-0000383-16445</Pid><PidType>14</PidType></Product></Products><Applications><App Id="51" Version="10" Result="100"/></Applications></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Wersja usługi licencjonowania oprogramowania: 6.1.7601.17514

Nazwa: Windows(R) 7, HomePremium edition
Opis: Windows Operating System - Windows(R) 7, OEM_SLP channel
Identyfikator aktywacji: d2c04e90-c3dd-4260-b0f3-f845f5d27d64
Identyfikator aplikacji: 55c92734-d682-4d71-983e-d6ec3f16059f
Rozszerzony identyfikator PID: 00359-00178-926-800249-02-1045-7600.0000-2582009
Identyfikator instalacji: 022193832035626185230643119294231852743854881741827090
Adres URL certyfikatu procesora: http://go.microsoft.com/fwlink/?LinkID=88338
Adres URL certyfikatu komputera: http://go.microsoft.com/fwlink/?LinkID=88339
Adres URL licencji użytkowania: http://go.microsoft.com/fwlink/?LinkID=88341
Adres URL certyfikatu klucza produktu: http://go.microsoft.com/fwlink/?LinkID=88340
Częściowy klucz produktu: FJQKD
Stan licencji: licencjonowano
Licznik pozostałych operacji przywrócenia pierwotnego stanu licencjonowania systemu Windows: 2
Godzina zaufana: 2012-05-15 22:56:28

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 4:1:2012 20:39
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: MgAAAAIAAQABAAEAAAACAAAAAwABAAEAeqi2H3cWNobmofaaoAz8aA7RjsHwOnT2Rso=

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC PTLTD APIC
FACP LENOVO CB-01
DBGP LENOVO CB-01
HPET LENOVO CB-01
BOOT PTLTD $SBFTBL$
MCFG LENOVO CB-01
SLIC LENOVO CB-01
SSDT PmRef CpuPm
SSDT PmRef CpuPm
SSDT PmRef CpuPm
 
One more thing - I took my laptop to univ and when I came back, it doesn't want to go online. The icon in the tray says it is connected, but that there is "Identifying in progress" (not sure how it is exactly in the English version of Win, that's a Polish translation).
Is it a matter of AVAST or sth else? I tried to de-activate Avast for a sec and it didn't help.
 
I found out that the DNS Client (and DHCP, if it is important) is turned off and I cannot turn it on (error 1068).
 
The Windows OS has not been validated.

All of the software in the CK Scanner log shows pirated software.

WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - f1dd3acaee5e6b4bbc69bc6df75cef66>>>
The Windows API, informally WinAPI, is Microsoft's core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems.

The use of the function.crack in the piracy is also experimental.
-------------------------------------------
I do not support piracy. To continue, you will have to remove all pirated content from the system.

-----------------------
 
I don't know exactly what this part means:
"WVCheck's MD5 Check
EXPERIMENTAL!!
-----------------------
user32.dll - f1dd3acaee5e6b4bbc69bc6df75cef66>>>
The Windows API, informally WinAPI, is Microsoft's core set of application programming interfaces (APIs) available in the Microsoft Windows operating systems.

The use of the function.crack in the piracy is also experimental."


I will delete the pirated software. Only I cannot do it with Office, as I'm in the middle of my final project and have to do it. Is it ok?
 
And do you think the internet problem is related to my problem or is it sth else? Luckily I have Linux as well (this is some version for which I didn't have to do a partition, but it installed as a program in Win) and on Linux the net works, but it is really disturbing, as I'm not used to it and I cannot write my project as it is in .docx and it isn't the same in free office.
 
I will delete the pirated software. Only I cannot do it with Office, as I'm in the middle of my final project and have to do it. Is it ok?

Let me know when all of the pirated software has been removed, if you want support.

I'm going to close the thread since you can't do it now and will reopen it after you have removed it.

I don't know the cause of the problem. When you pirate software with cracks and keygens, you open your system to malware.
 