
Unwanted IE

Discussion in 'Malware and Virus Removal Archive' started by Corax, 2007/04/08.

  1. 2007/04/08
    Corax

    Corax Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    5
    Likes Received:
    0
    Hello,

    I have a very annoying problem: while working with Mozilla Firefox, suddenly, once in a while, for no reason, Internet Explorer opens and starts connecting to some website (broadcaster.com). My firewall then says that IE tries to connect to the internet and that a system32 file called svchost.exe is its parent application. Furthermore, there is also some kind of popup with some ads and a search bar after sites such as Google.

    Scanning for viruses, spyware, cookies and deleting the stuff I found didn't do the trick :(

    http://aycu17.webshots.com/image/13056/2005181705256698291_rs.jpg
    http://aycu38.webshots.com/image/14797/2005130504176697294_rs.jpg

    Thank you in advance for your help.
     
  2. 2007/04/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.


    If you have already run Ad-Aware SE and/or Spybot Search & Destroy with updated definitions and are still having problems, next we move on to HijackThis v1.99.1.

    Please download HijackThis! SetUp from here. Save the file to your desktop.

    Double-click the HijackThis! SetUp icon to begin the installation. Follow the prompts for the default install location of 'C:\Program Files\HijackThis'. Tick the 'Create a desktop' button when the option appears. Select Next, then allow HijackThis! to start.

    Then press the [Scan] button. You will notice the [Scan] button will turn into a [Save Log] button. Click the [Save Log] button and Notepad will open with the contents of the scan. Right-click in the saved log and select 'Copy'. Then proceed to your original thread, unless otherwise instructed, click the '[Reply]' button and paste the saved contents to be reviewed. Do not make any modifications to the log or perform any 'fixes' until told to do so.
     


  4. 2007/04/08
    Corax

    Corax Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    5
    Likes Received:
    0
    Yes, Ad-Aware and Spybot failed. Here is the log from HijackThis:



    Logfile of HijackThis v1.99.1
    Scan saved at 19:38:18, on 2007-04-08
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\Program Files\Miranda IM\miranda32.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll (file missing)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe "
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Pobierz stronę WEB z Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
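    A HijackThis log like the one above is reviewed line by line: each R/O entry names a registry or file launch point, a CLSID and the file it points at. As an added example (not a WindowsBBS tool or HijackThis code), the Python below parses that format into header, running processes and entries, extracts each entry's CLSID and launch target, and flags the items a reviewer checks first: "(file missing)" references, O23 services with an unknown owner, and O16 downloaded ActiveX controls. The flag rules are this example's own heuristics, and the sample log is constructed from lines in the format quoted in this thread.

```python
# Added example: a triage parser for HijackThis v1.99.1 logs (not a WindowsBBS or HijackThis tool).
# The flag rules are this example's own heuristics; SAMPLE_LOG is constructed from the format quoted above.
import re
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll (file missing)
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Entry:
    code: str                       # HJT section, e.g. "O4" or "O23"
    body: str                       # raw text after "Oxx - "
    clsid: Optional[str] = None     # first GUID on the line, if any
    target: Optional[str] = None    # file, URL or quoted command the entry points at
    flags: list = field(default_factory=list)

def _extract_target(code: str, body: str, clsid_match) -> Optional[str]:
    if code == "O23":
        # "Service: <display name> - <owner> - <path>"; maxsplit keeps any " - " inside the path
        parts = body.split(" - ", 2)
        return parts[2] if len(parts) == 3 else None
    if clsid_match:
        # O2/O3/O9/O16: the target follows the first " - " after the CLSID, so a
        # path such as "Spybot - Search & Destroy" is not cut in half
        rest = body[clsid_match.end():]
        idx = rest.find(" - ")
        return rest[idx + 3:] if idx >= 0 else None
    if code == "O4" and "] " in body:
        return body.partition("] ")[2]          # "[name] <command line>"
    if " = " in body:
        return body.partition(" = ")[2]         # R0/R1 and O4 Startup "x.lnk = path"
    return body.rsplit(" - ", 1)[-1] if " - " in body else None   # O8 "name - target"

def parse_entry(code: str, body: str) -> Entry:
    entry = Entry(code=code, body=body)
    clsid_match = GUID_RE.search(body)
    entry.clsid = clsid_match.group(0) if clsid_match else None
    target = (_extract_target(code, body, clsid_match) or "").replace("(file missing)", "").strip()
    if target.startswith('"') and target.find('"', 1) > 0:
        target = target[1:target.find('"', 1)]  # quoted path: keep the path, drop the arguments
    entry.target = target or None
    if "(file missing)" in body:
        entry.flags.append("file missing")          # orphaned reference or a hidden/deleted file
    if code == "O23" and "Unknown owner" in body:
        entry.flags.append("unknown owner")         # service binary without publisher data
    if code == "O16":
        entry.flags.append("downloaded ActiveX")    # DPF = Downloaded Program Files
    return entry

def parse_hjt_log(text: str):
    """Return (header dict, running-process list, parsed entries)."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False        # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(parse_entry(m.group("code"), m.group("body")))
        elif not entries and ": " in line:
            key, _, value = line.partition(": ")
            header[key] = value         # "Platform: ..." and "MSIE: ..."
    return header, processes, entries

def flagged_entries(entries: list) -> list:
    return [e for e in entries if e.flags]   # the entries a reviewer looks at first

if __name__ == "__main__":
    hdr, procs, ents = parse_hjt_log(SAMPLE_LOG)
    print(hdr.get("Platform"), "-", len(procs), "processes,", len(ents), "entries")
    for e in flagged_entries(ents):
        print(f"{e.code:4} {', '.join(e.flags):20} {e.target}")
```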

     
  5. 2007/04/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, that didn't show anything obvious, so let's look a little deeper into the system. I'd also like you to rename the HijackThis executable, hijackthis.exe, to <anything of your choice>.exe, as long as you change its name.

    Then please download Silent Runners from here.

    Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run.
    Silent Runners will ask if you want to skip the supplementary search.
    Please select 'No' to include them.
    Then select 'Yes' to confirm the search.
    When the scan is finished, a message will pop up and a logfile will have been created on the desktop.

    Please post the entire contents of this logfile created back into this thread for me to see along with the new HJT log file after renaming the HJT executable.
     
  6. 2007/04/08
    Corax

    Corax Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    5
    Likes Received:
    0
    Here is the new log from HijackThis after changing the name of the executable (whatever.exe :) )



    Logfile of HijackThis v1.99.1
    Scan saved at 23:27:33, on 2007-04-08
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Unable to get Internet Explorer version!

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe
    C:\PROGRA~1\Avast4\ashDisp.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\dvd43\dvd43_tray.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\Program Files\Miranda IM\miranda32.exe
    C:\Program Files\Avast4\aswUpdSv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Avast4\ashServ.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Avast4\ashMaiSv.exe
    C:\Program Files\Avast4\ashWebSv.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\whatever.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pl/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll (file missing)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe "
    O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
    O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - Startup: Miranda IM.lnk = C:\Program Files\Miranda IM\miranda32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&ksport do programu Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Pobierz stronę WEB z Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: Pobierz wszystko z Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Pobierz z Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Pobierz zaznaczenie z Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.modgik.lodz.pl/Mapa/mgaxctrl.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe



    And here are the results of Silent Runners:



    "Silent Runners.vbs ", revision R50, http://www.silentrunners.org/
    Operating System: Windows XP
    Output limited to non-default values, except where indicated by "{++} "


    Startup items buried in registry:
    ---------------------------------

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
    "Free Download Manager" = "C:\Program Files\Free Download Manager\fdm.exe -autorun" [null data]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [ "ATI Technologies, Inc."]
    "WheelMouse" = "C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe" [ "A4Tech Co.,Ltd."]
    "NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" [ "Ahead Software Gmbh"]
    "msnappau" = " "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe" " [MS]
    "MOD" = "C:\Program Files\Microangelo\muamgr.exe" [null data]
    "avast!" = "C:\PROGRA~1\Avast4\ashDisp.exe" [null data]
    "RemoteControl" = " "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" " [ "Cyberlink Corp."]
    "dvd43" = "C:\Program Files\dvd43\dvd43_tray.exe" [ "Captain Red"]
    "CloneCDTray" = " "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s" [ "SlySoft, Inc."]
    "SunJavaUpdateSched" = " "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" " [ "Sun Microsystems, Inc."]
    "Comodo Firewall" = " "C:\Program Files\Comodo\Firewall\CPF.exe" /background" [ "COMODO"]
    "ISUSPM Startup" = " "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup" [ "Macrovision Corporation"]
    "ISUSScheduler" = " "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" [ "Macrovision Corporation"]
    "nod32kui" = " "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE" [ "Eset "]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" [ "Safer Networking Limited"]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    {9394EDE7-C8B5-483E-8773-474BF36AF6E4}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "ST "
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll" [MS]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Rozszerzenie CPL kadrowania wyświetlania "
    -> {HKLM...CLSID} = "Rozszerzenie CPL kadrowania wyświetlania "
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Rozszerzenie ikony HyperTerminalu "
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext "
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" [ "Hilgraeve, Inc."]
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
    "{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx "
    -> {HKLM...CLSID} = "AlcoholShellEx "
    \InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXShlEx.dll" [ "Alcohol Soft Development Team"]
    "{616c1f06-bad8-11d2-b355-00104b642749}" = "Microangelo Context Menu Extension "
    -> {HKLM...CLSID} = "Microangelo Context Menu Extension "
    \InProcServer32\(Default) = "muangsys.dll" [null data]
    "{472083B0-C522-11CF-8763-00608CC02F24}" = "avast "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" [ "ALWIL Software"]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler "
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
    "{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "NOD32 Context Menu Shell Extension "
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" [ "ALWIL Software"]
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D} "
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24} "
    -> {HKLM...CLSID} = "avast "
    \InProcServer32\(Default) = "C:\Program Files\Avast4\ashShell.dll" [ "ALWIL Software"]
    NOD32 Context Menu Shell Extension\(Default) = "{B089FE88-FB52-11D3-BDF1-0050DA34150D} "
    -> {HKLM...CLSID} = "NOD32 Context Menu Shell Extension "
    \InProcServer32\(Default) = "C:\Program Files\Eset\nodshex.dll" [null data]
    WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA} "
    -> {HKLM...CLSID} = "WinRAR "
    \InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


    Group Policies {GPedit.msc branch and setting}:
    -----------------------------------------------

    Note: detected settings may not have any effect.

    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

    "shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Shutdown: Allow system to be shut down without having to log on}

    "undockwithoutlogon" = (REG_DWORD) hex:0x00000001
    {Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
    Devices: Allow undock without having to log on}


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop may be disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
    HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
    "Wallpaper" = "C:\WINDOWS\IrfanView_Wallpaper.bmp "

    Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\WINDOWS\IrfanView_Wallpaper.bmp "


    Startup items in "przemek" & "All Users" startup folders:
    ---------------------------------------------------------

    C:\Documents and Settings\przemek\Menu Start\Programy\Autostart
    "Miranda IM" -> shortcut to: "C:\Program Files\Miranda IM\miranda32.exe" [" "]

    C:\Documents and Settings\All Users\Menu Start\Programy\Autostart
    "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


    Enabled Scheduled Tasks:
    ------------------------

    "XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    C:\WINDOWS\System32\imon.dll [ "Eset "], 01 - 05, 26
    %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 11 - 25
    %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Toolbars

    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} "
    -> {HKLM...CLSID} = "MSN "
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll" [file not found]

    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "0 "
    -> {HKLM...CLSID} = "MSN "
    \InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll" [file not found]

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console "
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC} "
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_11 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll" [ "Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_11 "
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll" [ "Sun Microsystems, Inc."]

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "Messenger "
    "MenuText" = "Messenger "
    "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------

    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" [ "ATI Technologies Inc."]
    avast! Antivirus, avast! Antivirus, " "C:\Program Files\Avast4\ashServ.exe" " [null data]
    avast! iAVS4 Control Service, aswUpdSv, " "C:\Program Files\Avast4\aswUpdSv.exe" " [null data]
    avast! Mail Scanner, avast! Mail Scanner, " "C:\Program Files\Avast4\ashMaiSv.exe" /service" [ "ALWIL Software"]
    avast! Web Scanner, avast! Web Scanner, " "C:\Program Files\Avast4\ashWebSv.exe" /service" [ "ALWIL Software"]
    Comodo Application Agent, CmdAgent, "C:\Program Files\Comodo\Firewall\cmdagent.exe" [ "COMODO"]
    NOD32 Kernel Service, NOD32krn, " "C:\Program Files\Eset\nod32krn.exe" " [ "Eset "]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 582 seconds.
    ---------- (total run time: 1962 seconds)

     
  7. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, once again, nothing showing there.

    Can you tell me exactly what it was that Ad-Aware and Spybot found: files, registry entries or what? Also include file paths if you can.

    We can try another tool to search the system.

    Please download System Repair Engineer from here.
    • Extract it to Desktop & double-click SREng.exe to run it
    • Select 'Smart Scan' & tick 'Verify Digital Signatures'
    • If you have a custom hosts file installed, un-check the Hosts File box
    • Click on the Scan button
    • When finished, click on the Save Reports button & save the log to Desktop

    Post the log here for me to review.

    No need for a HJT log however.
     
  8. 2007/04/09
    aPod

    aPod Well-Known Member

    Joined:
    2006/06/23
    Messages:
    65
    Likes Received:
    0
    The link doesn't seem to be working. Click here and click on Local Download 2.
     
  9. 2007/04/09
    Corax

    Corax Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    5
    Likes Received:
    0
    This is the log from the Ad-Aware scan. I removed from it about 1000 MRU strings of recently opened files on my computer (checked them all: jpg, bmp, txt, doc, xls, mp3, the usual stuff I use). This is the rest:



    ArchiveData(auto-quarantine- 2007-04-08 18-55-21.bckp)
    Referencefile : SE1R164 02.04.2007
    ======================================================

    ADWARE.WEBBUYING
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[48]=Regkey : appid\{4886e1bd-560b-4d75-ad85-d66cce2ddf53}
    obj[49]=Regkey : interface\{15ceb2d5-4e8f-4b18-b335-34a5995db3e8}
    obj[50]=Regkey : interface\{839df29d-6993-475a-9411-b2da1b9819b6}
    obj[51]=Regkey : typelib\{20e65ac6-c457-484d-b386-ad2db3753865}
    obj[73]=Regkey : appid\popengine.dll
    obj[74]=Regkey : plugin.plugin
    obj[75]=Regkey : plugin.plugin.1

    ADWARE.YAZZLE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[52]=Regkey : interface\{665ac8e7-8b9b-40d9-a24d-c134052b6168}
    obj[53]=Regkey : interface\{907977fb-8835-483f-9979-ae3101dd3d17}

    ALEXA
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[54]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a} "
    obj[55]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a} "

    TRACKING COOKIE
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[56]=IECache Entry : Cookie:przemek@casalemedia.com/
    obj[57]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@ad.stat.4u[3].txt
    obj[58]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@ads.clickad.com[3].txt
    obj[59]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@hit.gemius[3].txt
    obj[60]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@please[3].txt
    obj[61]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@hit.gemius[6].txt
    obj[62]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@cs.sexcounter[2].txt
    obj[63]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@hit.gemius[4].txt
    obj[64]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@ads.clickad.com[4].txt
    obj[65]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@please[2].txt
    obj[66]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@ad.stat.4u[1].txt
    obj[67]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@hit.gemius[5].txt
    obj[68]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@hit.gemius[1].txt
    obj[69]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@ad.stat.4u[2].txt
    obj[70]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@hit.gemius[2].txt
    obj[71]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@ads.clickad.com[2].txt
    obj[72]=IECache Entry : C:\Documents and Settings\przemek\Cookies\przemek@please[1].txt

    POSSIBLE BROWSER HIJACK ATTEMPT
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[76]=File : C:\Documents and Settings\przemek\Ulubione\Onet.pl - Słowniki - Centrum Tłumaczeń.url



    These are the things found with Spybot - Search & Destroy:



    Alexa Related
    C:\WINDOWS\Web\related.htm

    Zlob.Downloader
    HKEY_CLASSES_ROOT\TypeLib\{95C2547B-0785-4278-9AEA-CE65D78D853D}
    HKEY_CLASSES_ROOT\CLSID\{8B7CD17E-428B-4EE7-BBCD-21875FA05D7F}

    AstaKiller
    HKEY_CLASSES_ROOT\MezziaCodec.Chl
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Cowabanga
    HKEY_LOCAL_MACHINE\SOFTWARE\Cowabanga

    MyWay.MyBar
    HKEY_CLASSES_ROOT\CLSID\{0494D0DE-F8E0-41ad-92A3-1415ECE70AC}
    HKEY_CLASSES_ROOT\CLSID\{0494D0D3-F8E0-41ad-92A3-1415ECE70AC}
    HKEY_CLASSES_ROOT\CLSID\{014DA6CD-189F-421a-88CD-07CFE51CFF10}
    HKEY_CLASSES_ROOT\Interface\{0494D0DC-F8E0-41ad-92A3-1415ECE70AC}
    HKEY_CLASSES_ROOT\Interface\{0494D0D6-F8E0-41ad-92A3-1415ECE70AC}
    HKEY_CLASSES_ROOT\Interface\{0494D0D4-F8E0-41ad-92A3-1415ECE70AC}
    HKEY_USERS\S-1-5-21-1957994488-651377827-839522115-1003\Software\Netscape\Netscape Navigator\Automation Startup\MyWayToolBar.NetscapeStartup.1
    HKEY_USERS\S-1-5-21-1957994488-651377827-839522115-1003\Software\Netscape\Netscape Navigator\Automation Shutdown\MyWayToolBar.NetscapeShutdown.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall|My Way Speedbar Uninstall
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWay
    HKEY_LOCAL_MACHINE\Software\MyWay\myBar

    RegistryOptimizer
    HKEY_LOCAL_MACHINE\SOFTWARE\AffiliateCreator

    Smitfraud-C.Toolbar888
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR

    WildTangent
    HKEY_CLASSES_ROOT\TypeLib\{4A165BD0-165F-474F-AF66-40CD5AC4613E}
    HKEY_CLASSES_ROOT\Interface\{25F53F41-0C37-40FA-AE9F-A260DB2D64CF}
    HKEY_CLASSES_ROOT\Interface\{1DE680D4-84B7-4239-A887-9482A29DBE14}



    This is the entire log from sreng2 (without the 'code' tag):



    2007-04-09,12:05:20

    System Repair Engineer 2.4.12.806
    Smallfrogs (http://www.KZTechs.com)

    Windows XP Professional (Build 2600) - Administrative User - Completed Functions Allowed

    Follow item(s) have been choosed:
    All Boot Items (Including Registry, Startup Folders, Services and so on)
    Browser Add-ons
    Runing Processes (Including process model information)
    File Associations
    Winsock Provider
    Autorun.Inf


    Boot Items
    Registry
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    <CTFMON.EXE><C:\WINDOWS\System32\ctfmon.exe> [(Verified)Microsoft Windows XP Publisher (Europe)]
    <Free Download Manager><C:\Program Files\Free Download Manager\fdm.exe -autorun> []
    [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <load><> [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    <ATIPTA><C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe> [ATI Technologies, Inc.]
    <WheelMouse><C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe> [A4Tech Co.,Ltd.]
    <NeroCheck><C:\WINDOWS\system32\NeroCheck.exe> [Ahead Software Gmbh]
    <msnappau><"C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe"> [Microsoft Corporation]
    <MOD><C:\Program Files\Microangelo\muamgr.exe> []
    <avast!><C:\PROGRA~1\Avast4\ashDisp.exe> [(Verified)ALWIL Software]
    <RemoteControl><"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"> [Cyberlink Corp.]
    <dvd43><C:\Program Files\dvd43\dvd43_tray.exe> [Captain Red]
    <CloneCDTray><"C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s> [SlySoft, Inc.]
    <SunJavaUpdateSched><"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"> [(Verified)"Sun Microsystems, Inc."]
    <Comodo Firewall><"C:\Program Files\Comodo\Firewall\CPF.exe" /background> [(Verified)Comodo CA Limited]
    <ISUSPM Startup><"C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup> [Macrovision Corporation]
    <ISUSScheduler><"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start> [Macrovision Corporation]
    <nod32kui><"C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE> [(Verified)"ESET, spol. s r.o."]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <shell><Explorer.exe> [(Verified)Microsoft Windows XP Publisher (Europe)]
    <Userinit><C:\WINDOWS\system32\userinit.exe,> [(Verified)Microsoft Windows XP Publisher (Europe)]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
    <AppInit_DLLs><> [N/A]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    <UIHost><logonui.exe> [(Verified)Microsoft Windows XP Publisher (Europe)]

    ==================================
    Startup Folders
    [Microsoft Office]
    <C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Microsoft Office.lnk --> C:\PROGRA~1\MICROS~2\Office10\OSA.EXE [Microsoft Corporation]><N>
    [Miranda IM]
    <C:\Documents and Settings\przemek\Menu Start\Programy\Autostart\Miranda IM.lnk --> C:\PROGRA~1\MIRAND~1\MIRAND~1.EXE [ ]><N>

    ==================================
    Services
    [ASP.NET State Service / aspnet_state][Stopped/Manual Start]
    <C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe><Microsoft Corporation>
    [avast! iAVS4 Control Service / aswUpdSv][Running/Auto Start]
    <"C:\Program Files\Avast4\aswUpdSv.exe"><N/A>
    [Ati HotKey Poller / Ati HotKey Poller][Running/Auto Start]
    <C:\WINDOWS\System32\Ati2evxx.exe><>
    [ATI Smart / ATI Smart][Stopped/Auto Start]
    <C:\WINDOWS\system32\ati2sgag.exe><>
    [avast! Antivirus / avast! Antivirus][Running/Auto Start]
    <"C:\Program Files\Avast4\ashServ.exe"><>
    [avast! Mail Scanner / avast! Mail Scanner][Running/Manual Start]
    <"C:\Program Files\Avast4\ashMaiSv.exe" /service><ALWIL Software>
    [avast! Web Scanner / avast! Web Scanner][Running/Manual Start]
    <"C:\Program Files\Avast4\ashWebSv.exe" /service><ALWIL Software>
    [Comodo Application Agent / CmdAgent][Running/Auto Start]
    <C:\Program Files\Comodo\Firewall\cmdagent.exe><COMODO>
    [Dostęp do urządzeń interfejsu HID / HidServ][Stopped/Disabled]
    <C:\WINDOWS\System32\svchost.exe -k netsvcs-->%SystemRoot%\System32\hidserv.dll><N/A>
    [InstallDriver Table Manager / IDriverT][Stopped/Manual Start]
    <C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe><Macrovision Corporation>
    [NOD32 Kernel Service / NOD32krn][Running/Auto Start]
    <"C:\Program Files\Eset\nod32krn.exe"><Eset>

    ==================================
    Drivers
    [AMON / AMON][Running/Auto Start]
    <\SystemRoot\system32\drivers\amon.sys><Eset>
    [A4Tech PS/2 Port Mouse Driver / Amps2prt][Running/Manual Start]
    <System32\DRIVERS\Amps2prt.sys><A4Tech Co.,Ltd.>
    [ati2mtag / ati2mtag][Running/Manual Start]
    <System32\DRIVERS\ati2mtag.sys><ATI Technologies Inc.>
    [Comodo Application Engine / CmdMon][Running/System Start]
    <System32\DRIVERS\cmdmon.sys><Comodo Research Lab., Inc.>
    [core / core][Running/System Start]
    <system32\drivers\core.sys><N/A>
    [d347bus / d347bus][Running/Boot Start]
    <\SystemRoot\System32\DRIVERS\d347bus.sys><>
    [d347prt / d347prt][Running/Boot Start]
    <\SystemRoot\System32\Drivers\d347prt.sys><>
    [dvd43llh / dvd43llh][Running/Manual Start]
    <System32\DRIVERS\dvd43llh.sys><RIF>
    [ElbyCDFL / ElbyCDFL][Running/Manual Start]
    <System32\Drivers\ElbyCDFL.sys><SlySoft, Inc.>
    [ElbyCDIO Driver / ElbyCDIO][Running/Auto Start]
    <System32\Drivers\ElbyCDIO.sys><Elaborate Bytes AG>
    [ElbyDelay / ElbyDelay][Running/Manual Start]
    <System32\Drivers\ElbyDelay.sys><Elaborate Bytes AG>
    [Sterownik NT karty VIA PCI 10/100Mb Fast Ethernet / FETNDIS][Stopped/Manual Start]
    <System32\DRIVERS\fetnd5.sys><VIA Technologies, Inc.>
    [VIA Rhine Family Fast Ethernet Adapter Driver Service / FETNDISB][Running/Manual Start]
    <System32\DRIVERS\fetnd5b.sys><VIA Technologies, Inc.>
    [Hamachi Network Interface / hamachi][Stopped/Manual Start]
    <System32\DRIVERS\hamachi.sys><LogMeIn, Inc.>
    [Comodo Network Engine / Inspect][Running/Boot Start]
    <\SystemRoot\System32\DRIVERS\inspect.sys><COMODO>
    [nod32drv / nod32drv][Running/System Start]
    <\SystemRoot\system32\drivers\nod32drv.sys><N/A>
    [npkcrypt / npkcrypt][Stopped/Manual Start]
    <\??\E:\Gry\RAGNAROK\npkcrypt.sys><N/A>
    [NTSIM / NTSIM][Stopped/Manual Start]
    <\??\C:\WINDOWS\System32\ntsim.sys><VIA Technologies, Inc.>
    [Sterownik bezpośredniego połączenia kablowego / Ptilink][Running/Manual Start]
    <System32\DRIVERS\ptilink.sys><Parallel Technologies, Inc.>
    [PxHelp20 / PxHelp20][Running/Boot Start]
    <\SystemRoot\System32\DRIVERS\PxHelp20.sys><Sonic Solutions>
    [Secdrv / Secdrv][Running/Auto Start]
    <System32\DRIVERS\secdrv.sys><Macrovision Europe Ltd>
    [sojubus / sojubus][Running/Boot Start]
    <\SystemRoot\System32\DRIVERS\sojubus.sys><>
    [sojuscsi / sojuscsi][Running/Boot Start]
    <\SystemRoot\System32\DRIVERS\sojuscsi.sys><>
    [tmcomm / tmcomm][Running/Auto Start]
    <\??\C:\WINDOWS\System32\drivers\tmcomm.sys><Trend Micro Inc.>
    [VIA AGP Filter / viaagp1][Running/Boot Start]
    <\SystemRoot\System32\DRIVERS\viaagp1.sys><VIA Technologies, Inc.>
    [ViaIde / ViaIde][Running/Boot Start]
    <\SystemRoot\System32\DRIVERS\viaidexp.sys><VIA Technologies, Inc.>
    [VIA AC'97 Audio Controller (WDM) / VIAudio][Running/Manual Start]
    <system32\drivers\viaudio.sys><VIA Technologies, Inc.>
    [WINFLASH / WINFLASH][Stopped/Manual Start]
    <\??\D:\Utility\WinFlash\WinFlash.sys><N/A>

    ==================================
    Browser Add-ons
    []
    {53707962-6F74-2D53-2644-206D7942484F} <C:\Program Files\Spybot - Search & Destroy\SDHelper.dll, Safer Networking Limited>
    [SSVHelper Class]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [ST]
    {9394EDE7-C8B5-483E-8773-474BF36AF6E4} <C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll, Microsoft Corporation>
    [Java Plug-in 1.5.0_11]
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [Messenger]
    {FB5F1910-F110-11d2-BB9E-00C04F795683} <C:\Program Files\Messenger\MSMSGS.EXE, Microsoft Corporation>
    [&Radio]
    {8E718888-423F-11D2-876E-00A0C9082467} <C:\WINDOWS\System32\msdxm.ocx, Microsoft Corporation>
    [MSN]
    {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} <C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\pl-pl\msntb.dll, N/A>
    [Autodesk MapGuide ActiveX Control]
    {62789780-B744-11D0-986B-00609731A21D} <C:\WINDOWS\Downloaded Program Files\MgAxCtrl.dll, Autodesk Inc.>
    [Java Plug-in 1.5.0_11]
    {8AD9C840-044E-11D1-B3E9-00805F499D93} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.4.1_07]
    {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.5.0_06]
    {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.5.0_09]
    {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.5.0_10]
    {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.5.0_11]
    {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll, Sun Microsystems, Inc.>
    [Java Plug-in 1.5.0_11]
    {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} <C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll, Sun Microsystems, Inc.>
    [Shockwave Flash Object]
    {D27CDB6E-AE6D-11CF-96B8-444553540000} <C:\WINDOWS\System32\Macromed\Flash\Flash8.ocx, Macromedia, Inc.>
    [Download with GetRight]
    <C:\Program Files\GetRight\GRdownload.htm, N/A>
    [E&ksport do programu Microsoft Excel]
    <res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000, N/A>
    [Open with GetRight Browser]
    <C:\Program Files\GetRight\GRbrowse.htm, N/A>
    [Pobierz stronę WEB z Free Download Manager ]
    <file://C:\Program Files\Free Download Manager\dlpage.htm, N/A>
    [Pobierz wszystko z Free Download Manager]
    <file://C:\Program Files\Free Download Manager\dlall.htm, N/A>
    [Pobierz z Free Download Manager ]
    <file://C:\Program Files\Free Download Manager\dllink.htm, N/A>
    [Pobierz zaznaczenie z Free Download Manager]
    <file://C:\Program Files\Free Download Manager\dlselected.htm, N/A>

    ==================================
    Running Processes
    [PID: 612][\SystemRoot\System32\smss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 668][\??\C:\WINDOWS\system32\csrss.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 1804][C:\WINDOWS\Explorer.EXE] [Microsoft Corporation, 6.00.2600.0000 (xpclient.010817-1148)]
    [C:\WINDOWS\System32\Amhooker.dll] [A4Tech Co.,Ltd., 7.42.0.0]
    [C:\WINDOWS\System32\imon.dll] [Eset , 2, 70, 32 ]
    [C:\WINDOWS\System32\muangsys.dll] [N/A, ]
    [C:\Program Files\WinRAR\rarext.dll] [N/A, ]
    [C:\Program Files\Eset\nodshex.dll] [N/A, ]
    [C:\Program Files\Avast4\ashShell.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\WINDOWS\System32\lhacm.acm] [Microsoft Corporation, 4.4.3385]
    [C:\Program Files\Spybot - Search & Destroy\SDHelper.dll] [Safer Networking Limited, 1, 4, 0, 0]
    [PID: 1960][C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe] [ATI Technologies, Inc., 6.14.10.5014]
    [C:\PROGRAM FILES\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATRPUIXX.PLK] [ATI Technologies, Inc., 6.14.10.5014]
    [C:\Program Files\ATI Technologies\ATI Control Panel\atipdsxx.dll] [ATI Technologies, Inc., 6.14.10.5014]
    [C:\Program Files\ATI Technologies\ATI Control Panel\atipdxxx.dll] [ATI Technologies, Inc., 6.14.10.5014]
    [PID: 1980][C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe] [A4Tech Co.,Ltd., 7.42.0.0]
    [C:\WINDOWS\System32\Amhooker.dll] [A4Tech Co.,Ltd., 7.42.0.0]
    [C:\WINDOWS\System32\Amoures.dll] [A4Tech Co.,Ltd., 7.42.0.0]
    [PID: 1996][C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\msnappau.exe] [Microsoft Corporation, 01.02.3000.1001]
    [C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\au_util.dll] [Microsoft Corporation, 01.02.3000.1001]
    [C:\Program Files\MSN Apps\Updater\01.02.3000.1001\pl-pl\TBDwnMgr.dll] [Microsoft Corporation, 01.02.3000.1001]
    [C:\PROGRA~1\A4Tech\Mouse\Setuphk.dll] [N/A, ]
    [PID: 2020][C:\PROGRA~1\Avast4\ashDisp.exe] [, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\aswCmnOS.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\WINDOWS\System32\MSVCP71.dll] [Microsoft Corporation, 7.10.3077.0]
    [C:\WINDOWS\System32\MSVCR71.dll] [Microsoft Corporation, 7.10.3052.4]
    [C:\PROGRA~1\Avast4\ashBase.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\aswCmnB.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\aswCmnS.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\ashTask.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\aswAux.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\Aavm4h.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\Program Files\Avast4\Polish\Base.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\Program Files\Avast4\Polish\Lang.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\WINDOWS\System32\MFC71.DLL] [Microsoft Corporation, 7.10.3077.0]
    [C:\PROGRA~1\Avast4\AavmRpch.dll] [ALWIL Software, 4, 7, 936, 0]
    [c:\program files\avast4\ahruimai.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\ashUInt.dll] [ALWIL Software, 4, 7, 936, 0]
    [C:\PROGRA~1\Avast4\XT1922.dll] [Codejock Software, 1, 9, 4, 0]
    [c:\program files\avast4\ahruimes.dll] [ALWIL Software, 4, 7, 936, 0]
    [c:\program files\avast4\ahruins.dll] [ALWIL Software, 4, 7, 936, 0]
    [c:\program files\avast4\ahruiout.dll] [ALWIL Software, 4, 7, 936, 0]
    [c:\program files\avast4\ahruip2p.dll] [ALWIL Software, 4, 7, 936, 0]
    [c:\program files\avast4\ahruistd.dll] [ALWIL Software, 4, 7, 936, 0]
    [c:\program files\avast4\ahruiws.dll] [ALWIL Software, 4, 7, 936, 0]
    [PID: 2032][C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe] [Cyberlink Corp., 5.00.0000]
    [C:\Program Files\CyberLink\Shared Files\CLRCEngine2.dll] [CyberLink Corp., 3.20.0000]
    [PID: 2040][C:\Program Files\dvd43\dvd43_tray.exe] [Captain Red, 3.5.3.113]
    [PID: 200][C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe] [Sun Microsystems, Inc., 5.0.110.3]
    [PID: 224][C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe] [Macrovision Corporation, 4, 60, 100, 37068]
    [PID: 256][C:\Program Files\Eset\nod32kui.exe] [Eset , 2, 70, 32 ]
    [C:\Program Files\Eset\pu_amon.dll] [Eset , 2, 70, 32 ]
    [C:\Program Files\Eset\pu_dmon.dll] [Eset , 2, 70, 32 ]
    [C:\Program Files\Eset\pu_emon.dll] [Eset , 2, 70, 32 ]
    [C:\Program Files\Eset\pu_imon.dll] [Eset , 2, 70, 32 ]
    [C:\Program Files\Eset\pu_nod32.dll] [Eset , 2, 70, 32 ]
    [C:\Program Files\Eset\pu_upd.dll] [Eset , 2, 70, 32 ]
    [PID: 268][C:\WINDOWS\System32\ctfmon.exe] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [PID: 280][C:\Program Files\Free Download Manager\fdm.exe] [N/A, ]
    [C:\Program Files\Free Download Manager\MSVCP60.dll] [Microsoft Corporation, 6.02.3104.0]
    [C:\WINDOWS\System32\Amhooker.dll] [A4Tech Co.,Ltd., 7.42.0.0]
    [PID: 416][C:\Program Files\Miranda IM\miranda32.exe] [ , 0.6.1]
    [C:\Program Files\Miranda IM\Plugins\dbx_3x.dll] [N/A, ]
    [C:\Program Files\Miranda IM\Plugins\png2dib.dll] [ , 0.1.3.1]
    [C:\Program Files\Miranda IM\Plugins\clist_classic.dll] [N/A, ]
    [C:\Program Files\Miranda IM\Plugins\chat.dll] [N/A, ]
    [C:\Program Files\Miranda IM\Plugins\gg.dll] [N/A, ]
    [C:\Program Files\Miranda IM\Plugins\import.dll] [ , 0.9.2]
    [C:\Program Files\Miranda IM\Plugins\irc.dll] [N/A, ]
    [C:\Program Files\Miranda IM\Plugins\msn.dll] [ , 0.6.0.2]
    [C:\Program Files\Miranda IM\Plugins\mucc.dll] [http://mtlen.berlios.de, 1.0.7.3]
    [C:\Program Files\Miranda IM\Plugins\srmm.dll] [N/A, ]
    [C:\Program Files\Miranda IM\Plugins\tlen.dll] [http://mtlen.berlios.de, 1.0.7.3]
    [C:\WINDOWS\System32\imon.dll] [Eset , 2, 70, 32 ]
    [PID: 4092][C:\Program Files\Mozilla Firefox\firefox.exe] [Mozilla Corporation, 1.8.1.3: 2007030919]
    [C:\Program Files\Mozilla Firefox\js3250.dll] [Netscape Communications Corporation, 4.0]
    [C:\Program Files\Mozilla Firefox\nspr4.dll] [Netscape Communications Corporation, 4.6.5]
    [C:\Program Files\Mozilla Firefox\xpcom_core.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Program Files\Mozilla Firefox\plc4.dll] [Netscape Communications Corporation, 4.6.5]
    [C:\Program Files\Mozilla Firefox\plds4.dll] [Netscape Communications Corporation, 4.6.5]
    [C:\Program Files\Mozilla Firefox\smime3.dll] [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\Program Files\Mozilla Firefox\nss3.dll] [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\Program Files\Mozilla Firefox\softokn3.dll] [Mozilla Foundation, 3.11.4 Basic ECC]
    [C:\Program Files\Mozilla Firefox\ssl3.dll] [Mozilla Foundation, 3.11.5 Basic ECC]
    [C:\Program Files\Mozilla Firefox\xpcom_compat.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Program Files\Mozilla Firefox\components\jar50.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Program Files\Mozilla Firefox\components\jsd3250.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Program Files\Mozilla Firefox\components\xpinstal.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Program Files\Mozilla Firefox\components\myspell.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Program Files\Mozilla Firefox\components\spellchk.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\WINDOWS\System32\imon.dll] [Eset , 2, 70, 32 ]
    [C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\eija997j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll] [N/A, ]
    [C:\Program Files\Mozilla Firefox\xpcom.dll] [Mozilla Foundation, 1.8.1.3: 2007030919]
    [C:\Documents and Settings\przemek\Dane aplikacji\Mozilla\Firefox\Profiles\eija997j.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll] [N/A, ]
    [C:\Program Files\Mozilla Firefox\freebl3.dll] [Mozilla Foundation, 3.11.4 Basic ECC]
    [C:\PROGRA~1\MOZILL~1\nssckbi.dll] [Mozilla Foundation, 1.62]
    [C:\WINDOWS\System32\Amhooker.dll] [A4Tech Co.,Ltd., 7.42.0.0]
    [C:\Program Files\Mozilla Firefox\plugins\npnul32.dll] [mozilla.org, 1, 0, 0, 15]
    [PID: 1328][C:\WINDOWS\system32\NOTEPAD.EXE] [Microsoft Corporation, 5.1.2600.0 (xpclient.010817-1148)]
    [C:\WINDOWS\System32\Amhooker.dll] [A4Tech Co.,Ltd., 7.42.0.0]
    [PID: 3160][C:\Documents and Settings\przemek\Pulpit\sreng2\SREng.EXE] [Smallfrogs Studio, 2.4.12.806]
    [C:\WINDOWS\System32\imon.dll] [Eset , 2, 70, 32 ]
    [C:\WINDOWS\System32\Amhooker.dll] [A4Tech Co.,Ltd., 7.42.0.0]

    ==================================
    File Associations
    .TXT OK. [%SystemRoot%\system32\NOTEPAD.EXE %1]
    .EXE OK. ["%1" %*]
    .COM OK. ["%1" %*]
    .PIF OK. ["%1" %*]
    .REG OK. [regedit.exe "%1"]
    .BAT OK. ["%1" %*]
    .SCR OK. ["%1" /S]
    .CHM OK. ["C:\WINDOWS\hh.exe" %1]
    .HLP OK. [%SystemRoot%\System32\winhlp32.exe %1]
    .INI OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .INF OK. [%SystemRoot%\System32\NOTEPAD.EXE %1]
    .VBS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
    .JS OK. [%SystemRoot%\System32\WScript.exe "%1" %*]
    .LNK OK. [{00021401-0000-0000-C000-000000000046}]

    ==================================
    Winsock Provider
    NOD32 protected [MSAFD Tcpip [TCP/IP]]
    C:\WINDOWS\System32\imon.dll(Eset , NOD32 IMON - Internet scanning support)
    NOD32 protected [MSAFD Tcpip [UDP/IP]]
    C:\WINDOWS\System32\imon.dll(Eset , NOD32 IMON - Internet scanning support)
    NOD32 protected [MSAFD Tcpip [RAW/IP]]
    C:\WINDOWS\System32\imon.dll(Eset , NOD32 IMON - Internet scanning support)
    NOD32 protected [RSVP UDP Service Provider]
    C:\WINDOWS\System32\imon.dll(Eset , NOD32 IMON - Internet scanning support)
    NOD32 protected [RSVP TCP Service Provider]
    C:\WINDOWS\System32\imon.dll(Eset , NOD32 IMON - Internet scanning support)
    NOD32
    C:\WINDOWS\System32\imon.dll(Eset , NOD32 IMON - Internet scanning support)

    ==================================
    Autorun.Inf
    N/A

    ==================================
    HOSTS File
    N/A

    ==================================
    API HOOK
    N/A

    ==================================
    Hidden Process
    N/A

    ==================================

     
  10. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, still not showing much there at all. Hiding nicely.

    Let's gather yet more information. :confused:

    1:Start Up List:
    • Open HJT, click the [None of the above, just start the program] button.
    • Then click the [Config] button in the lower right hand of the program.
    • Then select the [Misc Tools] button.
    • In the upper left hand side of the program tick the two boxes [List also minor sections (full)] and [List empty sections (complete)], then hit the [Generate StartupList log] button and select 'Yes' when prompted by the dialog box. The resultant scan will produce a Notepad log file; please paste that log file back here for me to review.

    2:Uninstall Manager List
    • Open HJT, click the [None of the above, just start the program] button.
    • Click on the [Config] button
    • Click on the [Misc Tools] button
    • Click on the [Open Uninstall Manager] button
    • Then click on the [Save list] button and specify where you would like to save this file.
    • When you press [Save list] button a notepad will open with the contents of that file.
    • Copy and paste the contents of that notepad back into this thread for me to view.
     
  11. 2007/04/09
    Corax

    Corax Inactive Thread Starter

    Joined:
    2007/04/08
    Messages:
    5
    Likes Received:
    0
    Great news, my problem seems to be solved. I was told to make a scan using a program called Autoruns. The log was quite big, yet one of the entries in it was a file called core.sys located in the system32\drivers folder. The person who was helping me said "This is only the second time I've come across this file and it appears to be some kind of unidentified trojan/worm".

    The file was deleted using the Avenger script. So far so good.

    Thank you for your help, dear TeMerc; maybe you can consider recommending the programs I mentioned for the inevitable future problems of other people. Sorry for the trouble, though.

    Best regards :)
     
    Last edited: 2007/04/09
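    The entry that settled this thread was a kernel driver, core.sys, whose vendor column in the SREng "Drivers" listing above reads N/A while most of its neighbours carry a publisher name. The PowerShell below is added here as an editor's example, not a tool anyone in the thread used, and it automates that triage on a modern Windows machine: it walks the driver services under HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath the way the loader does (the \SystemRoot\, \??\, %SystemRoot% and bare System32\DRIVERS forms all appear in the log above), and reports drivers whose file is missing, unsigned, carries no CompanyName, or lives outside System32\drivers. It assumes Windows Vista or later with PowerShell 3+ in an elevated session (the XP box in this thread had no PowerShell); Resolve-DriverPath and Get-SuspectDriver are names chosen for this example.

```powershell
# Added example (not a tool used in this thread): enumerate kernel-mode driver
# services and flag the ones a triage analyst looks at first, i.e. the entries
# that show up as "<N/A>" or "<>" in the publisher column of a listing like the
# SREng log above. Assumes Windows Vista or later, PowerShell 3+ and an elevated
# prompt; Resolve-DriverPath and Get-SuspectDriver are names chosen here.

function Resolve-DriverPath {
    param([string]$ServiceName, [string]$ImagePath)
    # A driver service with no ImagePath value is loaded from System32\drivers\<name>.sys
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath.Trim().Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\x.sys         -> C:\x.sys
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot        # \SystemRoot\System32  -> C:\WINDOWS\System32
    $p = [Environment]::ExpandEnvironmentVariables($p)      # %SystemRoot%\...
    if ($p -notmatch '^[A-Za-z]:\\') {                       # System32\DRIVERS\x.sys is relative to %SystemRoot%
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SuspectDriver {
    param([string]$Root = 'HKLM:\SYSTEM\CurrentControlSet\Services')
    $driversDir = Join-Path $env:SystemRoot 'System32\drivers'
    foreach ($svc in Get-ChildItem -Path $Root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file system driver; anything else is user mode
        if ($props.Type -notin @(1, 2)) { continue }

        $path    = Resolve-DriverPath -ServiceName $svc.PSChildName -ImagePath $props.ImagePath
        $reasons = @()
        $company = $null
        $status  = 'NoFile'

        if (Test-Path -LiteralPath $path) {
            $status  = (Get-AuthenticodeSignature -LiteralPath $path).Status
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            if ($status -ne 'Valid')                    { $reasons += "signature $status" }
            if ([string]::IsNullOrWhiteSpace($company)) { $reasons += 'no CompanyName' }
            if ($path -notlike "$driversDir\*")         { $reasons += 'outside System32\drivers' }
        } else {
            $reasons += 'image file missing'
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Service   = $svc.PSChildName
            Start     = $props.Start        # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $path
            Company   = $company
            Signature = $status
            Reasons   = ($reasons -join '; ')
        }
    }
}

# Boot- and system-start drivers with no signature and no vendor string sort to the top
Get-SuspectDriver | Sort-Object Start, Service | Format-Table -AutoSize
```

    Treat the output as a lead, not a verdict. In 2007 plenty of legitimate vendors shipped unsigned drivers, and the listing above has several entries with an empty vendor field that belong to ordinary installed software; what makes core.sys stand out is the combination of a generic name, no vendor, System start and no product on the box that explains it. Autoruns' Drivers tab performs the same check when Verify Code Signatures is enabled, and it is the right first stop. Deleting a driver file with a script such as Avenger is the last step, not the first: removing the wrong boot-start driver can stop the machine from booting.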
  12. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    So you have another thread elsewhere? Mind if you pass along the link?
     
  13. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Due to resolution or the lack of feedback this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     