
rambo8wTV

Members
  • Posts: 8
  • Joined
  • Last visit

  1. Hello! It detected some two trojans, but they were removed. Report: http://wklej.to/fSgN1 Thanks for the help.
  2. Hello!! Sorry, I didn't have time during the week to deal with this. I clicked "close" too quickly and the repair report from OTL didn't get saved. The post-repair scan is here: http://wklej.to/cSXc0 and the Ad-Remover one is here: http://wklej.to/8UFxA . Thanks.
  3. Hello! OTL log: http://wklej.to/oArbV Extras log: http://wklej.to/5Tu3H I hope this time all the logs are as they should be. Thanks a lot, Marcin
  4. Hello! I'll try to run the full test in the evening, but on the infected account in normal mode it isn't even possible to open a folder on the desktop, and clicking anywhere launches the "virus scanner". Regards, Marcin
  5. Hello. My wife's computer picked up Security Sphere 2012. No programs can be opened; whatever you click, a message pops up saying the object is infected and some scan starts that shows viruses everywhere. OTL scan: http://wklej.to/KGnso The infection most likely happened on Friday, 30 September. Please help! Thanks in advance. Marcin
  6. The removal report wasn't created because Windows decided OTL had hung and closed it. So there is no log in C:\OTL. Unfortunately I can't remove the older Firefox versions, because we use them to test whether our ads display correctly. I'll update Opera and the rest. There was also a problem with the internet connection, because an automatic proxy was set. But that's already sorted. Thanks a lot for the help. Marcin
  7. Thanks, and sorry. I uninstalled SpyDig. Zynga surprised me a bit, because that's for a Facebook game. While running the script OTL hung and Windows shut it down. But I did a reset and here are the new logs.

OTL

OTL logfile created on: 06/09/2010 11:24:11 - Run 3
OTL by OldTimer - Version 3.2.10.0     Folder = F:\!!!new
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 100.25 Gb Total Space | 48.64 Gb Free Space | 48.52% Space Free | Partition Type: NTFS
Drive D: | 11.54 Gb Total Space | 2.03 Gb Free Space | 17.57% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 3.76 Gb Total Space | 0.82 Gb Free Space | 21.82% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VISTALAPTOP
Current User Name: Swhelan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/06 10:54:42 | 000,293,376 | ---- | M] () -- F:\!!!new\yol46lcd.exe
PRC - [2010/09/06 09:25:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\!!!new\OTL_3.2.10(dobreprogramy.pl).exe
PRC - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/08/12 14:16:12 | 002,215,064 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010/03/31 16:53:02 | 000,968,024 | ---- | M] (Intuit UK) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2009/06/15 16:13:54 | 000,188,736 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/21 03:23:59 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

========== Modules (SafeList) ==========

MOD - [2010/09/06 09:25:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\!!!new\OTL_3.2.10(dobreprogramy.pl).exe
MOD - [2009/04/11 07:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/21 03:25:02 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/08/12 14:18:40 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010/03/27 14:39:04 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/06/15 16:13:54 | 000,188,736 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe -- (NitroDriverReadSpool)
SRV - [2009/06/15 16:11:44 | 000,061,760 | ---- | M] (Nalpeiron Ltd.) [Disabled | Stopped] -- C:\Windows\System32\ASTSRV.EXE -- (astcc)
SRV - [2008/01/21 03:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/11/10 00:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2010/07/29 13:31:26 | 000,136,632 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2010/07/29 13:31:26 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/07/29 13:31:26 | 000,096,920 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV - [2008/12/04 03:42:00 | 007,606,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/07/17 18:01:00 | 000,269,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA004Vid.sys -- (OA004Vid)
DRV - [2008/06/03 10:30:24 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA004Ufd.sys -- (OA004Ufd)
DRV - [2008/04/27 12:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/21 03:23:51 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 03:23:51 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 03:23:51 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 03:23:51 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 03:23:51 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 03:23:50 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 03:23:50 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 03:23:50 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 03:23:49 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 03:23:49 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/21 03:23:49 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 03:23:48 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 03:23:48 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 03:23:48 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 03:23:47 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 03:23:47 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 03:23:47 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 03:23:46 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 03:23:45 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 03:23:45 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 03:23:45 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 03:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 03:23:26 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 03:23:26 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 03:23:26 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/11/01 09:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/11/01 09:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/11/01 09:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/03/07 05:15:58 | 001,059,112 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/02/17 00:50:32 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/11/02 10:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 10:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 10:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 10:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 10:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 10:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 10:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 10:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 10:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 10:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 10:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 09:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 09:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 09:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 09:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 09:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 09:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 08:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/06/28 11:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1902652002-3130174624-821348704-1110\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
IE - HKU\S-1-5-21-1902652002-3130174624-821348704-1110\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1902652002-3130174624-821348704-1110\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-21-1902652002-3130174624-821348704-1110\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-21-1902652002-3130174624-821348704-1110\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "https://heliosiq.adtech.de/h2/index.do"
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.3
FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.2
FF - prefs.js..extensions.enabledItems: ""
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/04/29 11:18:50 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Components: C:\Program Files\Mozilla Firefox2.0\components [2010/07/06 12:27:30 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox2.0\plugins [2010/08/04 08:58:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Components: C:\Program Files\Mozilla Firefox3.5\components [2010/07/06 12:28:07 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox3.5\plugins [2010/08/04 08:58:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/28 08:55:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/04 08:58:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/09/02 16:41:44 | 000,000,000 | ---D | M]

[2009/10/06 11:45:49 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\mozilla\Extensions
[2010/09/06 10:41:13 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\mozilla\Firefox\Profiles\h5k1rvev.default\extensions
[2010/07/07 10:54:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\swhelan\AppData\Roaming\mozilla\Firefox\Profiles\h5k1rvev.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/05/18 15:59:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\swhelan\AppData\Roaming\mozilla\Firefox\Profiles\h5k1rvev.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1}
[2010/07/07 12:35:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/01/20 18:05:37 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/07/07 12:35:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2009/01/20 18:05:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\real-networks@partners.mozilla.com
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1902652002-3130174624-821348704-1110\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll (Google Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {3D29D4FC-1A26-4082-81B8-4F0746FCA4D2} http://qos.doubleclick.net/browsersettingscommon/Settings.cab (DartSettings Class)
O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab (MksSkanerOnline Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {EE17B34D-BB48-4927-974F-DC38FF7D2036} http://qos.doubleclick.net/ClientDiagnostics/clientdiag/DartRep.cab (DiagReport Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 84.203.254.34 84.203.255.34
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i-Believe.local
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Green Sea Turtle.jpg
O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Green Sea Turtle.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2010/09/03 09:39:02 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 16:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O32 - AutoRun File - [2010/09/03 09:39:02 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ]
O32 - AutoRun File - [2010/09/03 09:39:04 | 000,000,000 | RHSD | M] - F:\autorun.inf -- [ FAT ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 7 Days ==========

[2010/09/06 09:26:24 | 000,000,000 | ---D | C] -- C:\Users\swhelan\AppData\Roaming\Adobe
[2010/09/03 14:33:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES
[2010/09/03 14:33:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES
[2010/09/03 14:33:31 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN
[2010/09/03 14:13:17 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders
[2010/09/03 11:17:15 | 000,002,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\svchost.exe.mui
[2010/09/03 10:49:44 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro
[2010/09/03 10:49:43 | 000,000,000 | ---D | C] -- C:\rsit
[2010/09/03 09:39:02 | 000,000,000 | RHSD | C] -- C:\autorun.inf
[2010/09/02 16:58:39 | 000,000,000 | ---D | C] -- C:\Users\swhelan\AppData\Local\ESET
[2010/09/02 16:41:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/09/02 16:41:37 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET
[2010/09/02 15:51:46 | 000,000,000 | ---D | C] -- C:\Users\swhelan\AppData\Roaming\Malwarebytes
[2010/09/02 15:51:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/09/02 15:51:36 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/09/02 15:51:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/02 15:51:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/09/02 14:27:53 | 000,000,000 | ---D | C] -- C:\RECYCLER
[2010/09/02 14:27:19 | 000,000,000 | ---D | C] -- C:\ProgramData\EarMaster

========== Files - Modified Within 7 Days ==========

[2010/09/06 11:19:54 | 005,242,880 | -HS- | M] () -- C:\Users\swhelan\NTUSER.DAT
[2010/09/06 11:13:08 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1902652002-3130174624-821348704-1110UA.job
[2010/09/06 10:52:33 | 000,642,924 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/09/06 10:52:33 | 000,123,690 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/09/06 10:52:32 | 000,753,336 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/09/06 10:45:12 | 000,028,029 | ---- | M] () -- C:\ProgramData\nvModes.001
[2010/09/06 10:44:58 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2010/09/06 10:44:58 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2010/09/06 10:44:50 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/09/06 10:44:42 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/09/06 10:44:36 | 2079,154,176 | -HS- | M] () -- C:\hiberfil.sys
[2010/09/06 09:37:38 | 000,524,288 | -HS- | M] () -- C:\Users\swhelan\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms
[2010/09/06 09:37:38 | 000,065,536 | -HS- | M] () -- C:\Users\swhelan\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf
[2010/09/06 08:59:15 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{B818E11C-648F-4A86-AB5B-5776D3713BAB}.job
[2010/09/03 17:55:58 | 000,104,800 | ---- | M] () -- C:\Users\swhelan\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/09/03 17:38:35 | 000,000,022 | ---- | M] () -- C:\Windows\sd
[2010/09/03 17:21:43 | 000,028,029 | ---- | M] () -- C:\ProgramData\nvModes.dat
[2010/09/03 14:37:50 | 000,389,352 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/09/03 11:02:26 | 000,000,290 | ---- | M] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-1902652002-3130174624-821348704-1110.job
[2010/09/03 01:13:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1902652002-3130174624-821348704-1110Core.job
[2010/09/02 18:49:38 | 000,076,800 | ---- | M] () -- C:\Users\swhelan\Desktop\blastgui.com
[2010/09/02 15:51:40 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/01 10:21:29 | 000,016,291 | ---- | M] () -- C:\Users\swhelan\Desktop\NITB.xlsx
[2010/09/01 09:55:25 | 000,015,639 | ---- | M] () -- C:\Users\swhelan\Desktop\Blinkx report.xlsx
[2010/08/31 10:03:42 | 000,268,319 | ---- | M] () -- C:\Users\swhelan\Desktop\Aer Lingus - Booking Confirmation.pdf
[2010/08/30 11:34:31 | 000,016,014 | ---- | M] () -- C:\Users\swhelan\Desktop\polaczenie.pdf

========== Files Created - No Company Name ==========

[2010/09/06 09:38:16 | 2079,154,176 | -HS- | C] () -- C:\hiberfil.sys
[2010/09/03 17:38:35 | 000,000,022 | ---- | C] () -- C:\Windows\sd
[2010/09/02 18:50:33 | 000,076,800 | ---- | C] () -- C:\Users\swhelan\Desktop\blastgui.com
[2010/09/02 15:51:40 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/02 14:55:17 | 000,000,290 | ---- | C] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-1902652002-3130174624-821348704-1110.job
[2010/08/31 10:03:37 | 000,268,319 | ---- | C] () -- C:\Users\swhelan\Desktop\Aer Lingus - Booking Confirmation.pdf
[2010/08/30 11:34:31 | 000,016,014 | ---- | C] () -- C:\Users\swhelan\Desktop\polaczenie.pdf
[2010/02/17 14:30:07 | 000,004,096 | -H-- | C] () -- C:\Users\swhelan\AppData\Local\keyfile3.drm
[2009/10/21 09:52:10 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/07 12:00:31 | 000,086,016 | ---- | C] () -- C:\Windows\System32\custmon32.dll
[2009/04/23 12:30:43 | 000,005,632 | ---- | C] () -- C:\Users\swhelan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/04/21 14:52:04 | 000,000,019 | ---- | C] () -- C:\Users\swhelan\AppData\Local\update.dat
[2009/04/21 14:51:51 | 000,000,043 | ---- | C] () -- C:\Users\swhelan\AppData\Local\catchbar5.dat
[2009/04/01 11:58:25 | 000,000,095 | ---- | C] () -- C:\Users\swhelan\AppData\Local\fusioncache.dat
[2008/12/23 09:56:00 | 000,028,029 | ---- | C] () -- C:\ProgramData\nvModes.001
[2008/12/23 09:55:06 | 000,028,029 | ---- | C] () -- C:\ProgramData\nvModes.dat
[2008/12/02 19:12:51 | 000,002,412 | RHS- | C] () -- C:\ProgramData\ntuser.pol
[2008/04/29 14:42:24 | 000,503,808 | ---- | C] () -- C:\Windows\System32\ICCProfiles.dll
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/07/17 13:11:36 | 000,667,280 | ---- | C] () -- C:\Windows\System32\tx12.dll
[2006/02/09 04:20:00 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx12_ic.ini

========== LOP Check ==========

[2010/08/24 13:21:37 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\gtk-2.0
[2010/08/31 18:14:08 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\Nitro PDF
[2010/03/29 10:41:04 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\Opera
[2010/07/28 11:11:24 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\webex
[2010/09/06 09:06:15 | 000,032,624 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2010/09/06 08:59:15 | 000,000,422 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{B818E11C-648F-4A86-AB5B-5776D3713BAB}.job

========== Purity Check ==========


< End of report >

Extras

OTL Extras logfile created on: 06/09/2010 11:24:11 - Run 3
OTL by OldTimer - Version 3.2.10.0     Folder = F:\!!!new
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 55.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 79.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 100.25 Gb Total Space | 48.64 Gb Free Space | 48.52% Space Free | Partition Type: NTFS
Drive D: | 11.54 Gb Total Space | 2.03 Gb Free Space | 17.57% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 3.76 Gb Total Space | 0.82 Gb Free Space | 21.82% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VISTALAPTOP
Current User Name: Swhelan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox3.5\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-1902652002-3130174624-821348704-1110\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- C:\PROGRA~1\MOZILL~1.0\FIREFOX.EXE -url "%1" (Mozilla Corporation)
https [open] -- C:\PROGRA~1\MOZILL~1.0\FIREFOX.EXE -url "%1" (Mozilla Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"oobe_av" = 1
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{24144D1E-B83B-4DEC-913F-B5ED43B446D6}" = lport=139 | protocol=6 | dir=in | app=system |
"{2E89A640-6658-4FE7-8F11-7E193CAF23B6}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{448761FF-CC27-4159-AC57-6CC8402F6B37}" = rport=445 | protocol=6 | dir=out | app=system |
"{537D20A9-7B50-421B-B43E-E31E3CA721E0}" = lport=138 | protocol=17 | dir=in | app=system |
"{5AAAC132-6A3A-41D2-AD2A-B57061205279}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe | "{5C33D1C2-1730-4FBD-8E2D-3CE95C5A4166}" = rport=137 | protocol=17 | dir=out | app=system | "{6DE5C512-829A-4E87-8959-2818DF45DF47}" = rport=3702 | protocol=17 | dir=out | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{7AEAD843-3D6E-4BB2-867C-E30D30B02C38}" = lport=3702 | protocol=17 | dir=in | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{7BBA9D1C-A536-48DB-B493-5B0A369DE8E1}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe | "{A325BB3E-0A18-46A1-86E4-83759D7A3BEB}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe | "{A6B19752-C27F-4D71-88D2-A48D292193C7}" = lport=5355 | protocol=17 | dir=in | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{A921A949-EC14-49FA-A69C-BFF62DAE7E6E}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 | "{AB5B7D22-7FDF-45A0-9551-B694A2AB13E4}" = lport=3702 | protocol=17 | dir=in | svc=fdrespub | app=%systemroot%\system32\svchost.exe | "{B19DEAB0-39A6-49F8-9DA7-68B75533EA76}" = lport=137 | protocol=17 | dir=in | app=system | "{BAF22D87-1BB8-4437-A90E-BBA62443B46E}" = lport=445 | protocol=6 | dir=in | app=system | "{BE209652-FC85-4E87-92CF-90FE1F9CFB6A}" = rport=3702 | protocol=17 | dir=out | svc=fdphost | app=%systemroot%\system32\svchost.exe | "{D54EC207-EE42-463D-9EED-6BE8D87E415F}" = rport=138 | protocol=17 | dir=out | app=system | "{DFA135F0-5C57-40A0-AE51-7CB56AA047D4}" = rport=5355 | protocol=17 | dir=out | svc=dnscache | app=%systemroot%\system32\svchost.exe | "{FBE3D42B-5BD5-4A97-BF96-A9932C30DE37}" = rport=139 | protocol=6 | dir=out | app=system | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] 
"{0CFB8C3D-0C07-4E27-B084-0A54B3434534}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 | "{2F9ADF7D-A9AD-4E73-B341-7B7580024A48}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe | "{8DD8FFDF-8BF7-4197-8533-3A265ED65640}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 | "{D8580266-A28D-49EB-8D60-9632EFEFF155}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 | "{F328FB7F-0FF7-4AC6-A7DC-679D3A956A8F}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 | "TCP Query User{39C3C0AC-F76C-4A71-B9EF-2929F78AF559}C:\program files\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe | "TCP Query User{AA72F9B0-A5AF-49B2-BEEC-81D8722944FB}C:\users\swhelan\appdata\local\temp\966701.exe" = protocol=6 | dir=in | app=c:\users\swhelan\appdata\local\temp\966701.exe | "TCP Query User{AAA5EE5B-A1D0-4D90-AC1A-FE1EB29BABCA}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "TCP Query User{BC1D378E-54BA-4655-919D-890CCEBABE6F}C:\program files\gadu-gadu\gg.exe" = protocol=6 | dir=in | app=c:\program files\gadu-gadu\gg.exe | "TCP Query User{FCF984D7-2405-4EF0-A85C-E0CA58C204E6}C:\program files\gadu-gadu 10\gg.exe" = protocol=6 | dir=in | app=c:\program files\gadu-gadu 10\gg.exe | "UDP Query User{14436B0F-A4FA-4626-BCB5-7DF9E0CF9701}C:\program files\gadu-gadu\gg.exe" = protocol=17 | dir=in | app=c:\program files\gadu-gadu\gg.exe | "UDP Query User{19E9B2BE-D36A-4923-AAE0-D849D50C3C35}C:\users\swhelan\appdata\local\temp\966701.exe" = protocol=17 | dir=in | app=c:\users\swhelan\appdata\local\temp\966701.exe | "UDP Query User{3EDD427A-53AA-4301-A309-219B1143FF9A}C:\program files\gadu-gadu 10\gg.exe" = protocol=17 | dir=in | app=c:\program files\gadu-gadu 10\gg.exe | "UDP Query User{60CFCA3F-7683-4E2F-AD4C-2A2D9EC8FDB7}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | 
"UDP Query User{AAA499F6-3D6C-43F8-B92A-BB6A8B1FA0B5}C:\program files\opera\opera.exe" = protocol=17 | dir=in | app=c:\program files\opera\opera.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{1D2C96C3-A3F3-49E7-B839-95279DED837F}" = Opera 10.60 "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 20 "{26B9F375-BFB2-4E61-A1B6-D7612111503C}" = CatchBar "{28006915-2739-4EBE-B5E8-49B25D32EB33}" = Atheros Driver Installation Program "{29C00AEB-D97A-4C91-80A0-B2AA910CE32C}" = Functional Ear Trainer v1.1 "{415B2719-AD3A-4944-B404-C472DB6085B3}" = Cisco EAP-FAST Module "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater "{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service "{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update "{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin "{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com "{7E545666-F423-45FD-B3DF-C0B99A1A579F}" = QuickBooks Premier Edition 2008 "{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module "{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable "{8803FCD6-F5BA-475F-A71B-D83D8E31F251}" = Nitro PDF Professional "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight "{90120000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2007 "{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2) 
"{90120000-0011-0000-0000-0000000FF1CE}_PROPLUS_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581) "{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007 "{90120000-0015-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007 "{90120000-0016-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007 "{90120000-0018-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007 "{90120000-0019-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007 "{90120000-001A-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007 "{90120000-001B-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007 "{90120000-001F-0409-0000-0000000FF1CE}_PROPLUS_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007 "{90120000-001F-040C-0000-0000000FF1CE}_PROPLUS_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 
2007 "{90120000-001F-0C0A-0000-0000000FF1CE}_PROPLUS_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2) "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007 "{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007 "{90120000-0044-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007 "{90120000-006E-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-00B0-0409-0000-0000000FF1CE}" = Microsoft Save as PDF Add-in for 2007 Microsoft Office programs "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007 "{90120000-0115-0409-0000-0000000FF1CE}_PROPLUS_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007 "{90120000-0117-0409-0000-0000000FF1CE}_PROPLUS_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2) "{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1 "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9 "{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0 "{C3A32068-8AB1-4327-BB16-BED9C6219DC7}" = Atheros Driver Installation Program "{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1 "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{D02EDDE7-B5C5-40A2-AF57-73A3278F4EEB}" = ESET NOD32 Antivirus "{D9DC1139-C044-393F-39A4-2C5094602D14}" = TwitDoc "{ECDE3B5E-9B47-9C9E-EFB4-4E610234980E}" = delete #SharedObjects 
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0 "Adobe AIR" = Adobe AIR "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter "CNXT_MODEM_HDAUDIO_HERMOSA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP "com.adobe.example.deleteSharedObjects.AB634DF02EF3D98C53B8A63D9C184ADFAE863CA9.1" = delete #SharedObjects "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com "com.twitdoc.TwitDocDesktop.90D57B2A2F2B9729838713BDDA7F04FEB581672C.1" = TwitDoc "Creative OA004" = Integrated Webcam Driver (1.00.03.0720) "Excel Export Selected Cells To PDF Software_is1" = Excel Export Selected Cells To PDF Software 7.0 "Gadu-Gadu" = Gadu-Gadu 7.7 "IETester" = IETester v0.4.4 (remove only) "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Mozilla Firefox (2.0)" = Mozilla Firefox (2.0) "Mozilla Firefox (3.5)" = Mozilla Firefox (3.5) "Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8) "NVIDIA Drivers" = NVIDIA Drivers "PDF Writer" = PDF Writer "PROPLUS" = Microsoft Office Professional Plus 2007 "RealPlayer 12.0" = RealPlayer "screensaver_guinness" = screensaver_guinness "WinGimp-2.0_is1" = GIMP 2.6.10 "WinRAR archiver" = WinRAR archiver ========== HKEY_USERS Uninstall List ========== [HKEY_USERS\S-1-5-21-1902652002-3130174624-821348704-1110\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "ActiveTouchMeetingClient" = WebEx "Google Chrome" = Google Chrome ========== Last 10 Event Log Errors ========== [ Application Events ] Error - 06/09/2010 03:58:39 | Computer Name = vistalaptop.i-Believe.local | Source = WinMgmt | ID = 10 Description = Error - 06/09/2010 03:58:54 | Computer Name = vistalaptop.i-Believe.local | 
Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 06/09/2010 04:14:31 | Computer Name = vistalaptop.i-Believe.local | Source = EventSystem | ID = 4609 Description = Error - 06/09/2010 04:15:14 | Computer Name = vistalaptop.i-Believe.local | Source = WinMgmt | ID = 10 Description = Error - 06/09/2010 04:40:03 | Computer Name = vistalaptop.i-Believe.local | Source = WinMgmt | ID = 10 Description = Error - 06/09/2010 05:09:33 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft-Windows-CAPI2 | ID = 131083 Description = Error - 06/09/2010 05:13:08 | Computer Name = vistalaptop.i-Believe.local | Source = Google Update | ID = 20 Description = Error - 06/09/2010 05:42:59 | Computer Name = vistalaptop.i-Believe.local | Source = Application Error | ID = 1000 Description = Faulting application OTL_3.2.10(dobreprogramy.pl).exe, version 3.2.10.0, time stamp 0x2a425e19, faulting module RPCRT4.dll, version 6.0.6002.18024, time stamp 0x49f05bcc, exception code 0xc0000005, fault offset 0x000b0af5, process id 0xd68, application start time 0x01cb4da769130169. Error - 06/09/2010 05:46:21 | Computer Name = vistalaptop.i-Believe.local | Source = WinMgmt | ID = 10 Description = Error - 06/09/2010 05:58:46 | Computer Name = vistalaptop.i-Believe.local | Source = Perflib | ID = 1010 Description = [ OSession Events ] Error - 08/05/2009 05:21:13 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6300.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 2210 seconds with 1800 seconds of active time. This session ended with a crash. Error - 15/10/2009 12:43:54 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6215.1000. 
This session lasted 29 seconds with 0 seconds of active time. This session ended with a crash. Error - 18/12/2009 07:33:32 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6514.5000, Microsoft Office Version: 12.0.6215.1000. This session lasted 1475 seconds with 1020 seconds of active time. This session ended with a crash. Error - 15/02/2010 08:51:47 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 3, Application Name: Microsoft Office PowerPoint, Application Version: 12.0.6500.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 1132 seconds with 480 seconds of active time. This session ended with a crash. Error - 31/03/2010 22:16:53 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6524.5003, Microsoft Office Version: 12.0.6425.1000. This session lasted 55972 seconds with 840 seconds of active time. This session ended with a crash. Error - 20/08/2010 11:52:34 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft Office 12 Sessions | ID = 7001 Description = ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6535.5005, Microsoft Office Version: 12.0.6425.1000. This session lasted 27335 seconds with 2160 seconds of active time. This session ended with a crash. [ System Events ] Error - 06/09/2010 04:38:30 | Computer Name = vistalaptop.i-Believe.local | Source = NETLOGON | ID = 5719 Description = This computer was not able to set up a secure session with a domain controller in domain I-BELIEVE due to the following: %%1311 This may lead to authentication problems. Make sure that this computer is connected to the network. 
If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. Error - 06/09/2010 04:39:03 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft-Windows-GroupPolicy | ID = 1129 Description = The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator. Error - 06/09/2010 04:39:04 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft-Windows-GroupPolicy | ID = 1129 Description = The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator. Error - 06/09/2010 04:40:03 | Computer Name = vistalaptop.i-Believe.local | Source = Service Control Manager | ID = 7000 Description = Error - 06/09/2010 05:40:46 | Computer Name = vistalaptop.i-Believe.local | Source = Service Control Manager | ID = 7034 Description = Error - 06/09/2010 05:44:43 | Computer Name = vistalaptop.i-Believe.local | Source = EventLog | ID = 6008 Description = The previous system shutdown at 10:43:59 on 06/09/2010 was unexpected. 
Error - 06/09/2010 05:44:52 | Computer Name = vistalaptop.i-Believe.local | Source = NETLOGON | ID = 5719 Description = This computer was not able to set up a secure session with a domain controller in domain I-BELIEVE due to the following: %%1311 This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator. ADDITIONAL INFO If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the secure session to any domain controller in the specified domain. Error - 06/09/2010 05:45:23 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft-Windows-GroupPolicy | ID = 1129 Description = The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator. Error - 06/09/2010 05:45:24 | Computer Name = vistalaptop.i-Believe.local | Source = Microsoft-Windows-GroupPolicy | ID = 1129 Description = The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has succesfully processed. If you do not see a success message for several hours, then contact your administrator. 
Error - 06/09/2010 05:46:22 | Computer Name = vistalaptop.i-Believe.local | Source = Service Control Manager | ID = 7000
Description =

< End of report >

GMER

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-06 12:05:59
Windows 6.0.6002 Service Pack 2
Running: yol46lcd.exe; Driver: C:\Users\swhelan\AppData\Local\Temp\uwlyipow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BE07340, 0x3FA057, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2024] kernel32.dll!SetUnhandledExceptionFilter 7610A84F 4 Bytes [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Regards, Marcin
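Two things in the OTL Extras log above are worth pulling out mechanically rather than by eye: the "Vista Active Application Exception List" contains a pair of "Query User" firewall rules (the rules Vista creates when someone clicks Unblock in the firewall prompt) that allow inbound TCP and UDP to c:\users\swhelan\appdata\local\temp\966701.exe, and the "Files Created - No Company Name" section lists C:\Users\swhelan\Desktop\blastgui.com, an executable with no version resource created on 2 September. The script below is an added example, not code from the post, from OTL or from its author: it parses OTL-format lines and applies those two heuristics. The sample lines are copied from the logs above; the Temp-path test, the executable-extension list, the "user-writable location" pattern and the default cutoff date of 2010/09/01 are this example's own assumptions.

```python
"""Triage helpers for OTL log text (added example; heuristics are assumptions).

1. Flag Windows Firewall "Query User" rules whose allowed program sits under a
   Temp directory: legitimate software rarely needs an inbound allow from
   %TEMP%, a dropper that ran from there does.
2. Flag "Files Created" entries that look executable, carry no company name
   and live in a user-writable location, created on or after a cutoff date.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: lines copied from the OTL Extras and OTL logs posted above.
SAMPLE_FIREWALL_RULES = [
    r'"TCP Query User{39C3C0AC-F76C-4A71-B9EF-2929F78AF559}C:\program files\opera\opera.exe" = protocol=6 | dir=in | app=c:\program files\opera\opera.exe |',
    r'"TCP Query User{AA72F9B0-A5AF-49B2-BEEC-81D8722944FB}C:\users\swhelan\appdata\local\temp\966701.exe" = protocol=6 | dir=in | app=c:\users\swhelan\appdata\local\temp\966701.exe |',
    r'"UDP Query User{19E9B2BE-D36A-4923-AAE0-D849D50C3C35}C:\users\swhelan\appdata\local\temp\966701.exe" = protocol=17 | dir=in | app=c:\users\swhelan\appdata\local\temp\966701.exe |',
    r'"{BAF22D87-1BB8-4437-A90E-BBA62443B46E}" = lport=445 | protocol=6 | dir=in | app=system |',
]
SAMPLE_FILES_CREATED = [
    r'[2010/09/06 09:38:16 | 2079,154,176 | -HS- | C] () -- C:\hiberfil.sys',
    r'[2010/09/03 17:38:35 | 000,000,022 | ---- | C] () -- C:\Windows\sd',
    r'[2010/09/02 18:50:33 | 000,076,800 | ---- | C] () -- C:\Users\swhelan\Desktop\blastgui.com',
    r'[2010/08/30 11:34:31 | 000,016,014 | ---- | C] () -- C:\Users\swhelan\Desktop\polaczenie.pdf',
    r'[2009/10/21 09:52:10 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll',
]

# "<name>" = key=value | key=value | ...   (one FirewallRules registry value)
RULE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<body>.*)$')
# A \temp\ path component or the %TEMP%/%TMP% variables, any case (assumption).
TEMP_PATH_RE = re.compile(r'(\\temp\\|%temp%|%tmp%)', re.IGNORECASE)
# [date time | size | attrs | C/M] (company) -- path   (OTL file entry)
FILE_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| '
    r'(?P<size>[\d,]+) \| (?P<attrs>[\w-]{4}) \| (?P<kind>[MC])\] '
    r'\((?P<company>[^)]*)\) -- (?P<path>.+)$'
)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".dll", ".sys")
# Locations an ordinary user, or malware running as that user, can write to (assumption).
USER_WRITABLE_RE = re.compile(r'^[a-z]:\\(users|documents and settings|programdata)\\', re.IGNORECASE)


def parse_firewall_rule(line: str) -> Optional[Dict[str, str]]:
    """Parse one FirewallRules value into {'name', 'protocol', 'dir', 'app', ...}."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    fields = {"name": m.group("name")}
    for part in m.group("body").split("|"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def suspicious_firewall_rules(lines: List[str]) -> List[str]:
    """Sorted, de-duplicated program paths of user-approved rules for Temp-resident programs."""
    hits = set()
    for line in lines:
        rule = parse_firewall_rule(line)
        if rule is None:
            continue
        app = rule.get("app", "")
        if rule["name"].startswith(("TCP Query User", "UDP Query User")) and TEMP_PATH_RE.search(app):
            hits.add(app.lower())
    return sorted(hits)


def parse_file_entry(line: str) -> Optional[Dict[str, object]]:
    """Parse one OTL file entry; returns None for other shapes (e.g. LOP Check directories)."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    return {
        "created": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
        "size": int(m.group("size").replace(",", "")),
        "attrs": m.group("attrs"),
        "company": m.group("company"),
        "path": m.group("path"),
    }


def suspicious_new_files(lines: List[str], since: str = "2010/09/01") -> List[str]:
    """Paths of executable-looking files with no company name in user-writable
    locations, created on or after `since` (OTL date format, yyyy/mm/dd)."""
    cutoff = datetime.strptime(since, "%Y/%m/%d")
    hits = []
    for line in lines:
        entry = parse_file_entry(line)
        if entry is None or entry["created"] < cutoff:
            continue
        path = entry["path"]
        if path.lower().endswith(EXEC_EXT) and entry["company"] == "" and USER_WRITABLE_RE.match(path):
            hits.append(path)
    return hits


if __name__ == "__main__":
    for app in suspicious_firewall_rules(SAMPLE_FIREWALL_RULES):
        print("user-approved firewall rule for a Temp-resident program:", app)
    for path in suspicious_new_files(SAMPLE_FILES_CREATED):
        print("new executable in a user-writable location:", path)
```

Run against the sample lines it reports 966701.exe once (the TCP and UDP rules collapse to one path) and blastgui.com; C:\Windows\sd is not flagged because it has no extension, so a 22-byte file in the Windows root still needs a human look. The heuristics are deliberately narrow: they surface entries to investigate, not verdicts.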
  8. Hello. I have a problem: on 1 September I caught a virus. I ran a file without checking it and now I have it. The virus activates when the machine connects to the network. The symptoms are that a message pops up saying Windows has blocked a dangerous program and the computer will be shut down in a minute. After the restart a program called Security Suite Demo or Security Tool starts (it shows as 98621 in the taskbar) and nothing can be launched. I managed to remove it after restarting in safe mode, but something is still in the system, and when I start the computer in normal mode with the network connected it activates immediately and the whole game starts over. I would be very grateful for any advice. Malwarebytes finds nothing. TDSSKiller finds nothing. In Windows Defender one of the processes shown is the file ohydy.exe, which should be somewhere in Users/%AppData% and in the registry under SOFTWARE/MICROSOFT/WINDOWS NT/CURRENTVERSION/WINLOGON/TASKMAN. The entry cannot be removed (that is, once it is deleted and the view refreshed, it reappears). System: Windows Vista Business, SP2 (although the update was applied after the infection), 32-bit.
Here is the OTL log:

OTL logfile created on: 06/09/2010 09:54:52 - Run 2
OTL by OldTimer - Version 3.2.10.0 Folder = F:\!!!new
Windows Vista Business Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18943)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 64.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 100.25 Gb Total Space | 48.03 Gb Free Space | 47.91% Space Free | Partition Type: NTFS
Drive D: | 11.54 Gb Total Space | 2.03 Gb Free Space | 17.57% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 3.76 Gb Total Space | 0.83 Gb Free Space | 21.95% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: VISTALAPTOP
Current User Name: Swhelan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 7 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/09/06 09:25:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\!!!new\OTL_3.2.10(dobreprogramy.pl).exe
PRC - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
PRC - [2010/08/12 14:16:12 | 002,215,064 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
PRC - [2010/03/31 16:53:02 | 000,968,024 | ---- | M] (Intuit UK) -- C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
PRC - [2009/06/15 16:13:54 | 000,188,736 | ---- | M] (Nitro PDF Software) -- C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe
PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/21 03:23:59 | 001,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe

========== Modules (SafeList) ==========

MOD - [2010/09/06 09:25:54 | 000,575,488 | ---- | M] (OldTimer Tools) -- F:\!!!new\OTL_3.2.10(dobreprogramy.pl).exe
MOD - [2009/04/11 07:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2008/01/21 03:25:02 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx

========== Win32 Services (SafeList) ==========

SRV - [2010/08/12 14:18:40 | 000,033,584 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe -- (EhttpSrv)
SRV - [2010/08/12 14:16:26 | 000,810,144 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe -- (ekrn)
SRV - [2010/03/27 14:39:04 | 000,020,480 | ---- | M] (Intuit) [Disabled | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)
SRV - [2009/06/15 16:13:54 | 000,188,736 | ---- | M] (Nitro PDF Software) [Auto | Running] -- C:\Program Files\Nitro PDF\Professional\NitroPDFDriverService.exe -- (NitroDriverReadSpool)
SRV - [2009/06/15 16:11:44 | 000,061,760 | ---- | M] (Nalpeiron Ltd.) [Disabled | Stopped] -- C:\Windows\System32\ASTSRV.EXE -- (astcc)
SRV - [2008/01/21 03:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2006/11/10 00:30:14 | 000,065,536 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2010/07/29 13:31:26 | 000,136,632 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamonm.sys -- (eamonm)
DRV - [2010/07/29 13:31:26 | 000,115,008 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2010/07/29 13:31:26 | 000,096,920 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfpr.sys -- (epfwwfpr)
DRV - [2008/12/04 03:42:00 | 007,606,688 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/07/17 18:01:00 | 000,269,760 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA004Vid.sys -- (OA004Vid)
DRV - [2008/06/03 10:30:24 | 000,144,672 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OA004Ufd.sys -- (OA004Ufd)
DRV - [2008/04/27 12:07:44 | 000,909,824 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/21 03:23:51 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/21 03:23:51 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/21 03:23:51 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/21 03:23:51 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/21 03:23:51 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/21 03:23:50 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/21 03:23:50 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/21 03:23:50 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/21 03:23:49 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/21 03:23:49 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2008/01/21 03:23:49 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/21 03:23:48 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/21 03:23:48 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/21 03:23:48 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/21 03:23:47 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/21 03:23:47 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/21 03:23:47 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/21 03:23:46 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/21 03:23:45 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/21 03:23:45 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/21 03:23:45 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/21 03:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/21 03:23:26 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/21 03:23:26 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/21 03:23:26 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/11/01 09:51:26 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2007/11/01 09:47:54 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2007/11/01 09:47:08 | 000,661,504 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2007/10/18 07:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/03/07 05:15:58 | 001,059,112 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2007/02/17 00:50:32 | 000,012,032 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvsmu.sys -- (nvsmu)
DRV - [2006/11/02 10:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 10:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.)
[Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata) DRV - [2006/11/02 10:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960) DRV - [2006/11/02 10:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp) DRV - [2006/11/02 10:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx) DRV - [2006/11/02 10:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid) DRV - [2006/11/02 10:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi) DRV - [2006/11/02 10:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx) DRV - [2006/11/02 10:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3) DRV - [2006/11/02 10:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x) DRV - [2006/11/02 10:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi) DRV - [2006/11/02 09:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM) DRV - [2006/11/02 09:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer) DRV - [2006/11/02 09:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) 
[Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp) DRV - [2006/11/02 09:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo) DRV - [2006/11/02 09:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm) DRV - [2006/11/02 09:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm) DRV - [2006/11/02 08:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi) DRV - [2006/06/28 11:54:00 | 000,009,472 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/ IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1 IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local> IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6092 ========== FireFox ========== FF - prefs.js..browser.search.defaultenginename: "Google" FF - prefs.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=" FF - prefs.js..browser.search.selectedEngine: "Google" FF - prefs.js..browser.startup.homepage: "https://heliosiq.adtech.de/h2/index.do" FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.1.3 FF - prefs.js..extensions.enabledItems: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}:0.7.2 FF - 
prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3 FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20 FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/04/29 11:18:50 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Components: C:\Program Files\Mozilla Firefox2.0\components [2010/07/06 12:27:30 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 2.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox2.0\plugins [2010/08/04 08:58:27 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Components: C:\Program Files\Mozilla Firefox3.5\components [2010/07/06 12:28:07 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox3.5\plugins [2010/08/04 08:58:27 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/28 08:55:53 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/04 08:58:27 | 000,000,000 | ---D | M] FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET NOD32 Antivirus\Mozilla Thunderbird [2010/09/02 16:41:44 | 000,000,000 | ---D | M] [2009/10/06 11:45:49 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\mozilla\Extensions [2010/09/02 13:42:52 | 000,000,000 | ---D | M] -- C:\Users\swhelan\AppData\Roaming\mozilla\Firefox\Profiles\h5k1rvev.default\extensions [2010/07/07 10:54:55 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\swhelan\AppData\Roaming\mozilla\Firefox\Profiles\h5k1rvev.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010/07/23 12:52:26 | 000,000,000 | 
---D | M] (Zynga Toolbar) -- C:\Users\swhelan\AppData\Roaming\mozilla\Firefox\Profiles\h5k1rvev.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822} [2010/05/18 15:59:04 | 000,000,000 | ---D | M] (No name found) -- C:\Users\swhelan\AppData\Roaming\mozilla\Firefox\Profiles\h5k1rvev.default\extensions\{e968fc70-8f95-4ab9-9e79-304de2a71ee1} [2010/07/07 12:35:37 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions [2009/01/20 18:05:37 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2010/07/07 12:35:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2009/01/20 18:05:21 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\real-networks@partners.mozilla.com [2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll O1 HOSTS File: ([2006/09/18 22:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer) O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.) O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) 
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.) O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe (ESET) O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation) O4 - HKLM..\Run: [NvCplDaemon] C:\Windows\System32\NvCpl.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [NvMediaCenter] C:\Windows\System32\NvMcTray.DLL (NVIDIA Corporation) O4 - HKLM..\Run: [spydig.exe] C:\Program Files\SpyDig\Spydig.exe () O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_A54B7D6FB1DA63EA.dll (Google Inc.) 
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O13 - gopher Prefix: missing O16 - DPF: {3D29D4FC-1A26-4082-81B8-4F0746FCA4D2} http://qos.doubleclick.net/browsersettingscommon/Settings.cab (DartSettings Class) O16 - DPF: {68282C51-9459-467B-95BF-3C0E89627E55} http://www.mks.com.pl/skaner/SkanerOnline.cab (MksSkanerOnline Class) O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) 
O16 - DPF: {EE17B34D-BB48-4927-974F-DC38FF7D2036} http://qos.doubleclick.net/ClientDiagnostics/clientdiag/DartRep.cab (DiagReport Class) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 84.203.254.34 84.203.255.34 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = i-Believe.local O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: TaskMan - (C:\Users\swhelan\AppData\Roaming\ohydy.exe) - C:\Users\swhelan\AppData\Roaming\ohydy.exe (Bon Jovi) O20 - HKCU Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKCU Winlogon: Shell - (C:\Users\swhelan\AppData\Roaming\ohydy.exe) - C:\Users\swhelan\AppData\Roaming\ohydy.exe (Bon Jovi) O24 - Desktop WallPaper: C:\Users\Public\Pictures\Sample Pictures\Green Sea Turtle.jpg O24 - Desktop BackupWallPaper: C:\Users\Public\Pictures\Sample Pictures\Green Sea Turtle.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O32 - AutoRun File - [2010/09/03 09:39:02 | 000,000,000 | RHSD | M] - C:\autorun.inf -- [ NTFS ] O32 - AutoRun File - [2005/09/11 16:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ] O32 - AutoRun File - [2010/09/03 09:39:02 | 000,000,000 | RHSD | M] - D:\autorun.inf -- [ NTFS ] O32 - AutoRun File - [2010/09/03 09:39:04 | 000,000,000 | RHSD | M] - F:\autorun.inf -- [ FAT ] O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" 
%* ========== Files/Folders - Created Within 7 Days ========== [2010/09/06 09:26:24 | 000,000,000 | ---D | C] -- C:\Users\swhelan\AppData\Roaming\Adobe [2010/09/03 17:38:07 | 000,000,000 | ---D | C] -- C:\Program Files\SpyDig [2010/09/03 14:33:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\eu-ES [2010/09/03 14:33:32 | 000,000,000 | ---D | C] -- C:\Windows\System32\ca-ES [2010/09/03 14:33:31 | 000,000,000 | ---D | C] -- C:\Windows\System32\vi-VN [2010/09/03 14:13:17 | 000,000,000 | ---D | C] -- C:\Windows\System32\EventProviders [2010/09/03 11:17:15 | 000,002,560 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\svchost.exe.mui [2010/09/03 10:49:44 | 000,000,000 | ---D | C] -- C:\Program Files\trend micro [2010/09/03 10:49:43 | 000,000,000 | ---D | C] -- C:\rsit [2010/09/03 09:39:02 | 000,000,000 | RHSD | C] -- C:\autorun.inf [2010/09/02 16:58:39 | 000,000,000 | ---D | C] -- C:\Users\swhelan\AppData\Local\ESET [2010/09/02 16:41:38 | 000,000,000 | ---D | C] -- C:\Program Files\ESET [2010/09/02 16:41:37 | 000,000,000 | ---D | C] -- C:\ProgramData\ESET [2010/09/02 15:51:46 | 000,000,000 | ---D | C] -- C:\Users\swhelan\AppData\Roaming\Malwarebytes [2010/09/02 15:51:38 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010/09/02 15:51:36 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010/09/02 15:51:36 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware [2010/09/02 15:51:36 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010/09/02 14:31:13 | 000,190,976 | ---- | C] (OpenSC Project) -- C:\Windows\Phyleb.exe [2010/09/02 14:27:57 | 000,190,976 | ---- | C] (OpenSC Project) -- C:\Windows\Phylea.exe [2010/09/02 14:27:53 | 000,000,000 | ---D | C] -- C:\RECYCLER [2010/09/02 14:27:34 | 000,135,168 | RHS- | C] (Bon Jovi) -- C:\Users\swhelan\AppData\Roaming\ohydy.exe [2010/09/02 14:27:19 | 000,000,000 | ---D | C] -- 
C:\ProgramData\EarMaster [2008/01/21 03:24:47 | 000,074,752 | ---- | C] (MaresWEB) -- C:\Users\swhelan\AppData\Local\atST202.dll ========== Files - Modified Within 7 Days ========== [2010/09/06 09:54:34 | 005,242,880 | -HS- | M] () -- C:\Users\swhelan\NTUSER.DAT [2010/09/06 09:45:01 | 000,642,924 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010/09/06 09:45:01 | 000,123,690 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010/09/06 09:45:00 | 000,753,336 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010/09/06 09:39:02 | 000,028,029 | ---- | M] () -- C:\ProgramData\nvModes.001 [2010/09/06 09:38:45 | 000,000,294 | -H-- | M] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job [2010/09/06 09:38:34 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2010/09/06 09:38:34 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2010/09/06 09:38:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010/09/06 09:38:22 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010/09/06 09:38:16 | 2079,145,984 | -HS- | M] () -- C:\hiberfil.sys [2010/09/06 09:37:38 | 000,524,288 | -HS- | M] () -- C:\Users\swhelan\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms [2010/09/06 09:37:38 | 000,065,536 | -HS- | M] () -- C:\Users\swhelan\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf [2010/09/06 08:59:15 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{B818E11C-648F-4A86-AB5B-5776D3713BAB}.job [2010/09/03 18:13:13 | 000,000,916 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1902652002-3130174624-821348704-1110UA.job [2010/09/03 17:55:58 | 000,104,800 | ---- | M] () -- C:\Users\swhelan\AppData\Local\GDIPFONTCACHEV1.DAT [2010/09/03 17:38:35 | 000,000,022 | ---- | M] () -- C:\Windows\sd 
[2010/09/03 17:21:43 | 000,028,029 | ---- | M] () -- C:\ProgramData\nvModes.dat [2010/09/03 14:37:50 | 000,389,352 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010/09/03 11:02:26 | 000,000,290 | ---- | M] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-1902652002-3130174624-821348704-1110.job [2010/09/03 01:13:00 | 000,000,864 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1902652002-3130174624-821348704-1110Core.job [2010/09/02 18:49:38 | 000,076,800 | ---- | M] () -- C:\Users\swhelan\Desktop\blastgui.com [2010/09/02 15:51:40 | 000,000,818 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/09/02 14:29:15 | 000,190,976 | ---- | M] (OpenSC Project) -- C:\Windows\Phyleb.exe [2010/09/02 14:27:47 | 000,190,976 | ---- | M] (OpenSC Project) -- C:\Windows\Phylea.exe [2010/09/02 14:27:29 | 000,135,168 | RHS- | M] (Bon Jovi) -- C:\Users\swhelan\AppData\Roaming\ohydy.exe [2010/09/01 10:21:29 | 000,016,291 | ---- | M] () -- C:\Users\swhelan\Desktop\NITB.xlsx [2010/09/01 09:55:25 | 000,015,639 | ---- | M] () -- C:\Users\swhelan\Desktop\Blinkx report.xlsx [2010/08/31 10:03:42 | 000,268,319 | ---- | M] () -- C:\Users\swhelan\Desktop\Aer Lingus - Booking Confirmation.pdf [2010/08/30 11:34:31 | 000,016,014 | ---- | M] () -- C:\Users\swhelan\Desktop\polaczenie.pdf ========== Files Created - No Company Name ========== [2010/09/06 09:38:16 | 2079,145,984 | -HS- | C] () -- C:\hiberfil.sys [2010/09/03 17:38:35 | 000,000,022 | ---- | C] () -- C:\Windows\sd [2010/09/02 18:50:33 | 000,076,800 | ---- | C] () -- C:\Users\swhelan\Desktop\blastgui.com [2010/09/02 15:51:40 | 000,000,818 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010/09/02 14:55:17 | 000,000,290 | ---- | C] () -- C:\Windows\tasks\RealUpgradeScheduledTaskS-1-5-21-1902652002-3130174624-821348704-1110.job [2010/09/02 14:27:58 | 000,000,294 | -H-- | C] () -- C:\Windows\tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job [2010/08/31 10:03:37 | 
000,268,319 | ---- | C] () -- C:\Users\swhelan\Desktop\Aer Lingus - Booking Confirmation.pdf [2010/08/30 11:34:31 | 000,016,014 | ---- | C] () -- C:\Users\swhelan\Desktop\polaczenie.pdf [2010/02/17 14:30:07 | 000,004,096 | -H-- | C] () -- C:\Users\swhelan\AppData\Local\keyfile3.drm [2009/10/21 09:52:10 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll [2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll [2009/07/07 12:00:31 | 000,086,016 | ---- | C] () -- C:\Windows\System32\custmon32.dll [2009/04/23 12:30:43 | 000,005,632 | ---- | C] () -- C:\Users\swhelan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2009/04/21 14:52:04 | 000,000,019 | ---- | C] () -- C:\Users\swhelan\AppData\Local\update.dat [2009/04/21 14:51:51 | 000,000,043 | ---- | C] () -- C:\Users\swhelan\AppData\Local\catchbar5.dat [2009/04/01 11:58:25 | 000,000,095 | ---- | C] () -- C:\Users\swhelan\AppData\Local\fusioncache.dat [2008/12/23 09:56:00 | 000,028,029 | ---- | C] () -- C:\ProgramData\nvModes.001 [2008/12/23 09:55:06 | 000,028,029 | ---- | C] () -- C:\ProgramData\nvModes.dat [2008/12/02 19:12:51 | 000,002,412 | RHS- | C] () -- C:\ProgramData\ntuser.pol [2008/04/29 14:42:24 | 000,503,808 | ---- | C] () -- C:\Windows\System32\ICCProfiles.dll [2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2006/07/17 13:11:36 | 000,667,280 | ---- | C] () -- C:\Windows\System32\tx12.dll [2006/02/09 04:20:00 | 000,000,530 | ---- | C] () -- C:\Windows\System32\tx12_ic.ini < End of report > I jeszcze dodam ze NOD pokazuje to jako wirusa WIN32/Wigon.KQ, a po restarcie z wlaczonym dostpem do sieci pokazuje sie okno wlasciwosci pliku z nawza VSBNTLO. Pozdrawiam, Marcin