
Infected with adultcameras


  • This topic is locked
17 replies to this topic

#1 nessto

nessto

  • Members
  • 8 posts

Posted 04 February 2015 - 08:08 AM

When opening sites on the internet, randomly a window with some porn pops up. It doesn't seem to do any harm (at least not yet) but is really annoying. I know that it can be dangerous; I've read that people have more serious problems with it, so I'd like to get rid of that thing ASAP. I was trying to do it myself but since my knowledge is not that big, I exhausted my ideas pretty fast. And I didn't find any solution on the internet other than installing a suspicious program which seems to be a virus removing a virus, and you have to pay for it ;) This is the only place that may provide any help, I hope. But it's individual so here I am.

It doesn't seem to be affecting the other PC connected to the router, so I believe it's just that one computer and I'd like it to stay that way, and since I can't disconnect either of them, the resolution becomes even more urgent.

One more thing: I don't have permanent access to that computer and I do most things remotely, so please bear with me as I may not be able to do things right away.


Time for logs:


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 01-02-2015
Ran by Marek (administrator) on CIESZYN-7B5J97K on 04-02-2015 13:06:52
Running from C:\Documents and Settings\Marek\Pulpit
Loaded Profiles: Marek (Available profiles: Marek)
Platform: Microsoft Windows XP Professional Dodatek Service Pack 3 (X86) OS Language: Polski
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(ABBYY (BIT Software)) C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(Creative Technology Ltd.) C:\WINDOWS\V0640Mon.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(VoipDiscount) C:\Program Files\VoipDiscount.com\VoipDiscount\voipdiscount.exe
(Foxit Software Inc.) C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Dropbox, Inc.) C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\Dropbox.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files\Mozilla Thunderbird\thunderbird.exe
(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jucheck.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\plugin-container.exe
(Adobe Systems Incorporated) C:\PM65\PM65.EXE
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\tv_w32.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Desktop.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [20053608 2011-05-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-01-13] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [ABBYY Community Agent] => C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe [241664 2001-01-31] (ABBYY (BIT Software))
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [959904 2013-11-21] (Adobe Systems Incorporated)
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2005-02-16] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-02-16] (InstallShield Software Corporation)
HKLM\...\Run: [V0640Mon.exe] => C:\WINDOWS\V0640Mon.exe [28672 2011-08-22] (Creative Technology Ltd.)
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [256896 2014-07-25] (Oracle Corporation)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Smart Security\egui.exe [5088456 2014-10-01] (ESET)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\Run: [VoipDiscount] => C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe [19578696 2013-07-10] (VoipDiscount)
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\MountPoints2: {1c61cf68-d5b3-11e3-af09-00241d118cfe} - H:\Startme.exe
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\MountPoints2: {660e99f9-c4dd-11e1-acc7-00241d118cfe} - H:\LaunchU3.exe -a
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\MountPoints2: {8911fa28-7262-11e1-ac78-00241d118cfe} - H:\LaunchU3.exe -a
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [434080 2011-07-27] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.exe.lnk
ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\KYESCAN.lnk
ShortcutTarget: KYESCAN.lnk -> C:\Program Files\ScannerU\Kyescan.exe (KYE SYSTEMS CORP.)
Startup: C:\Documents and Settings\Marek\Menu Start\Programy\Autostart\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
BootExecute: autocheck autochk * aswBoot.exe /M:54435b51b0b /dir:"C:\Program Files\AVAST Software\Avast"

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1957994488-162531612-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1957994488-162531612-839522115-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gazeta.pl/0,0.html?sc=1
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {D16527E9-6401-4122-A61B-C5DAB6842ECD} URL = http://szukaj.gazeta.pl/portalSearch.do?s.si(navigation).navigationEnabled=true&s.sm.query={searchTerms}
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 91.212.124.159 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Marek\Dane aplikacji\Mozilla\Firefox\Profiles\rofxqbxn.default
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2233703&SearchSource=3&q={searchTerms}
FF Homepage: hxxp://www.wp.pl/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_296.dll ()
FF Plugin: @java.com/DTPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=10.67.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: PDF Architect 2 -> C:\Program Files\PDF Architect 2\np-previewer.dll (pdfforge GmbH)
FF Extension: Adblock Plus - C:\Documents and Settings\Marek\Dane aplikacji\Mozilla\Firefox\Profiles\rofxqbxn.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011-08-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-08-26]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com"
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll ()
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll No File
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
CHR Plugin: (Java Deployment Toolkit 7.0.670.1) - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
CHR Plugin: (Java™ Platform SE 7 U67) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
CHR Plugin: (PDF Architect 2) - C:\Program Files\PDF Architect 2\np-previewer.dll (pdfforge GmbH)
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll No File
CHR Profile: C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default
CHR Extension: (Adblock Plus) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-11-28]
CHR Extension: (Google Wallet) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-07]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [602112 2010-01-14] (ATI Technologies Inc.) [File not signed]
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1349576 2014-10-01] (ESET)
R2 FoxitCloudUpdateService; C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [244448 2014-10-28] (Foxit Software Inc.)
R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-08-06] (Oracle Corporation)
S3 PDF Architect 2; C:\Program Files\PDF Architect 2\ws.exe [1771560 2014-06-26] (pdfforge GmbH)
S3 pdfforge CrashHandler; C:\Program Files\PDF Architect 2\crash-handler-ws.exe [861736 2014-06-26] (pdfforge GmbH)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [4584448 2010-01-14] (ATI Technologies Inc.) [File not signed]
S2 BulkUsb; C:\WINDOWS\System32\DRIVERS\usbscan.sys [14976 2013-07-03] (Microsoft Corporation)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R1 eamonm; C:\WINDOWS\System32\DRIVERS\eamonm.sys [191928 2014-10-10] (ESET)
R1 ehdrv; C:\WINDOWS\System32\DRIVERS\ehdrv.sys [135296 2014-10-10] (ESET)
R2 epfw; C:\WINDOWS\System32\DRIVERS\epfw.sys [176448 2014-10-10] (ESET)
R3 Epfwndis; C:\WINDOWS\System32\DRIVERS\Epfwndis.sys [39464 2014-10-10] (ESET)
R1 epfwtdi; C:\WINDOWS\System32\DRIVERS\epfwtdi.sys [63160 2014-10-10] (ESET)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [70912 2010-03-04] (NVIDIA Corporation)
R0 nvgts; C:\WINDOWS\System32\DRIVERS\nvgts.sys [168040 2010-04-08] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [13824 2010-03-04] (NVIDIA Corporation)
S3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [445696 2007-05-14] (Ralink Technology, Corp.)
R2 StarOpen; C:\WINDOWS\system32\Drivers\StarOpen.sys [13120 2013-08-25] ()
S3 V0010bVd; C:\WINDOWS\System32\DRIVERS\V0010bVd.sys [186551 2003-04-21] (Creative Technology Ltd.)
R3 V0640Vid; C:\WINDOWS\System32\DRIVERS\V0640Vid.sys [273856 2011-09-07] (Creative Technology Ltd.) [File not signed]
S1 wceusbsh; C:\WINDOWS\System32\DRIVERS\wceusbsh.sys [31872 2008-04-14] (Microsoft Corporation)
S4 IntelIde; No ImagePath
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-04 13:06 - 2015-02-04 13:07 - 00014951 _____ () C:\Documents and Settings\Marek\Pulpit\FRST.txt
2015-02-04 13:06 - 2015-02-04 13:06 - 01122304 _____ (Farbar) C:\Documents and Settings\Marek\Pulpit\FRST.exe
2015-02-04 13:06 - 2015-02-04 13:06 - 00000000 ____D () C:\FRST
2015-02-02 14:57 - 2015-02-02 14:59 - 00000730 _____ () C:\Documents and Settings\All Users\Menu Start\Programy\Mozilla Firefox.lnk
2015-02-02 14:57 - 2015-02-02 14:59 - 00000724 _____ () C:\Documents and Settings\All Users\Pulpit\Mozilla Firefox.lnk
2015-02-02 14:57 - 2015-02-02 14:59 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-24 12:13 - 2015-01-24 12:13 - 00000000 ____D () C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\ESET
2015-01-24 12:13 - 2015-01-24 12:13 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\ESET
2015-01-24 12:12 - 2015-01-24 12:12 - 00000000 ____D () C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\ESET
2015-01-24 12:11 - 2015-01-24 12:11 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\ESET
2015-01-24 12:11 - 2015-01-24 12:11 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\ESET
2015-01-24 12:01 - 2014-08-22 11:22 - 01595776 _____ (ESET) C:\Documents and Settings\Marek\Pulpit\eset_smart_security_live_installer_.exe
2015-01-14 11:51 - 2015-01-15 08:40 - 00000000 ____D () C:\Program Files\Mozilla Thunderbird
2015-01-13 12:56 - 2015-01-13 12:56 - 00000000 ____D () C:\Documents and Settings\LocalService\Pulpit
2015-01-13 12:56 - 2015-01-13 12:56 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\TeamViewer 8

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-04 13:07 - 2011-08-22 15:57 - 00000000 ____D () C:\Documents and Settings\Marek\Ustawienia lokalne\Temp
2015-02-04 13:06 - 2011-08-23 12:40 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\Skype
2015-02-04 13:06 - 2011-08-22 15:57 - 00000000 ____D () C:\Documents and Settings\Marek\Pulpit
2015-02-04 12:30 - 2013-03-19 14:51 - 00000930 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-04 12:10 - 2011-09-05 07:33 - 00001036 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-04 09:14 - 2011-08-23 11:07 - 00000235 _____ () C:\WINDOWS\QTW.INI
2015-02-04 08:50 - 2011-08-23 09:16 - 01878368 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-04 08:49 - 2011-08-23 13:47 - 00000462 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{F7200281-F0EF-4CA7-A547-6B1C776333BF}.job
2015-02-04 08:48 - 2011-11-09 08:23 - 00000000 ___RD () C:\Documents and Settings\Marek\Moje dokumenty\Dropbox
2015-02-04 08:48 - 2011-11-09 08:18 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\Dropbox
2015-02-04 08:47 - 2014-03-28 08:18 - 00000222 _____ () C:\WINDOWS\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — logowanie.job
2015-02-04 08:47 - 2011-09-05 07:33 - 00001032 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-04 08:47 - 2011-08-22 16:49 - 00000157 _____ () C:\WINDOWS\wiadebug.log
2015-02-04 08:47 - 2011-08-22 16:49 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2015-02-04 08:47 - 2011-08-22 15:54 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-04 08:47 - 2003-04-16 13:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-03 15:09 - 2011-08-23 10:16 - 00524288 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
2015-02-03 15:09 - 2011-08-22 15:57 - 00000188 ___SH () C:\Documents and Settings\Marek\ntuser.ini
2015-02-03 15:09 - 2011-08-22 15:56 - 00032558 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-03 11:20 - 2012-12-17 10:04 - 00000320 _____ () C:\WINDOWS\barcode.ini
2015-02-03 10:45 - 2012-09-26 14:36 - 00000404 _____ () C:\WINDOWS\BRWMARK.INI
2015-02-03 08:59 - 2011-08-23 10:45 - 00002513 _____ () C:\Documents and Settings\Marek\Pulpit\Microsoft Office Word 2007.lnk
2015-02-03 08:42 - 2012-04-27 11:32 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-02-02 14:57 - 2011-08-22 16:48 - 00000000 ___RD () C:\Documents and Settings\All Users\Menu Start\Programy
2015-02-02 14:57 - 2011-08-22 16:48 - 00000000 ____D () C:\Documents and Settings\All Users\Pulpit
2015-02-02 14:55 - 2011-08-22 15:57 - 00000000 ____D () C:\Documents and Settings\Marek
2015-02-02 13:48 - 2014-07-24 13:13 - 00110296 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-01-28 09:18 - 2011-08-23 11:44 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\FileZilla
2015-01-27 09:59 - 2011-08-22 16:48 - 00000000 ___RD () C:\Documents and Settings\All Users\Dokumenty
2015-01-26 09:30 - 2013-03-19 14:51 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-01-26 09:30 - 2011-08-23 10:33 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-01-26 08:40 - 2014-04-04 07:36 - 00000406 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2015-01-26 08:15 - 2014-04-17 07:52 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\AVAST Software
2015-01-26 08:15 - 2011-08-22 15:57 - 00000000 __RHD () C:\Documents and Settings\Marek\Dane aplikacji
2015-01-24 12:21 - 2011-08-23 16:00 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\CorelDRAW 9
2015-01-24 12:13 - 2011-08-22 15:57 - 00000000 ___HD () C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji
2015-01-24 12:12 - 2011-08-22 15:56 - 00000000 ___HD () C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji
2015-01-24 12:11 - 2012-12-13 12:15 - 00000000 ____D () C:\Program Files\ESET
2015-01-24 12:11 - 2011-08-22 16:48 - 00000000 __RHD () C:\Documents and Settings\All Users\Dane aplikacji
2015-01-15 08:30 - 2011-08-22 16:47 - 01650480 _____ () C:\WINDOWS\system32\FNTCACHE.DAT
2015-01-14 15:08 - 2013-08-16 16:45 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-01-14 15:03 - 2011-08-23 13:40 - 110348472 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-01-14 08:22 - 2011-08-22 15:57 - 00000000 ___RD () C:\Documents and Settings\Marek\Menu Start\Programy\Autostart
2015-01-13 12:56 - 2013-01-21 15:06 - 00000815 _____ () C:\Documents and Settings\All Users\Pulpit\TeamViewer 8.lnk
2015-01-13 12:56 - 2011-08-22 15:56 - 00000000 __SHD () C:\Documents and Settings\LocalService
2015-01-08 15:00 - 2014-03-28 08:18 - 00000216 _____ () C:\WINDOWS\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — co miesiąc.job

==================== Files in the root of some directories =======

2012-01-25 17:11 - 2014-08-11 13:29 - 0007680 _____ () C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some content of TEMP:
====================
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp58_tst.dll
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\InstHelper.exe


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================


PS. While you're at it, I have a problem with PDFs. Adobe stopped working, I installed Foxit but it's not working 100% properly either. Maybe you'll find something in the logs that may explain it. Sorry if this is totally out of the blue. I have no idea how logs work, but it seems to contain all the info about a system so I thought you may find a resolution there. Just a thought, no pressure or anything since it's the virus thread, not other things :)

#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 February 2015 - 09:09 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2233703&SearchSource=3&q={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll No File
CHR Extension: (Google Wallet) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-07]
S4 IntelIde; No ImagePath

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log, Fixlog.txt; please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

How is the computer running now?
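The fixlist above is built by hand from the FRST log in post #1. As an added illustration (not part of nasdaq's reply, and not FRST's own code), the script below does the same triage automatically over a constructed excerpt of that log: it flags entries whose target file no longer exists ("No File" / "No ImagePath") and search providers pointing at search.conduit.com, then emits them in the fixlist.txt shape the reply uses. The suspect-host list is an assumption for illustration; extend it for your own environment.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the FRST log posted in this thread (not the full log).
SAMPLE_LOG = r"""
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {D16527E9-6401-4122-A61B-C5DAB6842ECD} URL = http://szukaj.gazeta.pl/portalSearch.do?s.sm.query={searchTerms}
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
Toolbar: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2233703&SearchSource=3&q={searchTerms}
FF Homepage: hxxp://www.wp.pl/
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
S4 IntelIde; No ImagePath
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1349576 2014-10-01] (ESET)
"""

# Hosts that the thread treats as a search-provider hijack (conduit is the one the helper
# removed). Assumption for illustration: extend this tuple for your own environment.
SUSPECT_SEARCH_HOSTS = ("search.conduit.com",)

# FRST defangs URLs as hxxp://, so accept both spellings when extracting the host.
_URL_HOST = re.compile(r"(?:https?|hxxps?)://([^/\s?]+)", re.IGNORECASE)


def triage(log_text: str, suspect_hosts=SUSPECT_SEARCH_HOSTS) -> Dict[str, List[str]]:
    """Classify FRST log lines into the categories a helper would put in a fixlist."""
    findings: Dict[str, List[str]] = {"orphaned": [], "hijacked_search": []}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Registry/browser entries whose target file is gone, or services with no
        # ImagePath: harmless leftovers, but FRST can remove them cleanly.
        if line.endswith("No File") or line.endswith("No ImagePath"):
            findings["orphaned"].append(line)
            continue
        # Search scopes / default search URLs pointing at a known hijacker host.
        m = _URL_HOST.search(line)
        if m and m.group(1).lower() in suspect_hosts:
            findings["hijacked_search"].append(line)
    return findings


def build_fixlist(findings: Dict[str, List[str]]) -> str:
    """Emit the fixlist.txt shape used in the thread: start / CloseProcesses: / entries / End."""
    body = findings["hijacked_search"] + findings["orphaned"]
    return "\n".join(["start", "CloseProcesses:", *body, "End"]) + "\n"


if __name__ == "__main__":
    print(build_fixlist(triage(SAMPLE_LOG)))
```

Lines not matched by either rule (the gazeta.pl search scope, the wp.pl homepage, the ESET service) are left alone, which is the behaviour you want before handing a fixlist to FRST's Fix button.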

#3 nessto

nessto
  • Topic Starter

  • Members
  • 8 posts

Posted 09 February 2015 - 06:22 AM

Hi,

Thanks so much for your help :)

I did all that you've told me and it seems like the porn is gone. I've opened quite a few pages and it didn't pop up. Last time I tried opening anything, it appeared after trying 2 or 3 pages. So I think it might have worked, though I probably will know for sure after a few days since it pops up randomly. But if it did work, I'm really, really grateful!

Still posting the logs:

1. FRST

start

CloseProcesses:

ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  No File
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {afdbddaa-5d3f-42ee-b79c-185a7020515b} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
BHO: No Name -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} ->  No File
BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} ->  No File
Toolbar: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF DefaultSearchUrl: hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2233703&SearchSource=3&q={searchTerms}
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll No File
CHR Extension: (Google Wallet) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-10-07]
S4 IntelIde; No ImagePath

End

2. AdwCleaner:
# AdwCleaner v4.110 - Logfile created 09/02/2015 at 11:55:09
# Updated 05/02/2015 by Xplode
# Database : 2015-02-05.2 [Local]
# Operating system : Microsoft Windows XP Dodatek Service Pack 3 (x86)
# Username : Marek - CIESZYN-7B5J97K
# Running from : C:\Documents and Settings\Marek\Pulpit\adwcleaner_4.110.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Documents and Settings\All Users\Dane aplikacji\FileCure
Folder Deleted : C:\Program Files\Conduit
Folder Deleted : C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Conduit
Folder Deleted : C:\Documents and Settings\Marek\Dane aplikacji\pdfforge

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D2CE3E00-F94A-4740-988E-03DC2F38C34F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DCB7100-DF86-4384-8842-8FA844297B3F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Conduit
Key Deleted : HKLM\SOFTWARE\ParetoLogic
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1AE46C09-2AB8-4EE5-88FB-08CD0FF7F2DF}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>

***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v35.0.1 (x86 pl)

[rofxqbxn.default\prefs.js] - Line Deleted : user_pref("browser.search.defaultthis.engineName", "4shared.com Customized Web Search");

-\\ Google Chrome v40.0.2214.111


*************************

AdwCleaner[R0].txt - [2167 bytes] - [09/02/2015 11:43:04]
AdwCleaner[S0].txt - [2137 bytes] - [09/02/2015 11:55:09]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2196  bytes] ##########
Thanks for spending your precious time on helping me, I really appreciate it :)
 



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:53 PM

Posted 09 February 2015 - 09:41 AM

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

======

#5 nessto

nessto
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 10 February 2015 - 06:24 AM

Everything seems to be working as usual.

 

Here's what you've asked for:

 

 

 Results of screen317's Security Check version 0.99.96  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
Czekaj, aż zostanie zainstalowany program WMIC. (Polish: "Please wait while WMIC is installed.")
[The WMIC output that followed was printed one character per line by the Polish-locale console, with each word separated by "ECHO jest wyłączone." ("ECHO is off."). Reassembled, it reads:]
displayName
ESET
Smart
Security
8.0
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner     
 Java 7 Update 67  
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31  
 Adobe Flash Player     16.0.0.305  
 Adobe Reader XI  
 Mozilla Firefox (35.0.1)
 Mozilla Thunderbird (31.4.0)
 Google Chrome (40.0.2214.111)
 Google Chrome (40.0.2214.94)
````````Process Check: objlist.exe by Laurent````````  
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C::  
````````````````````End of Log``````````````````````
 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:53 PM

Posted 10 February 2015 - 09:29 AM

Using the Add/Remove Programs applet, remove this old version of Java: Java 7 Update 67.

===

If all is well:

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#7 nessto

nessto
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 11 February 2015 - 08:33 AM

Java removed.

 

Thank you so much for all your time and effort spent on helping with removing that thing. I really appreciate it :)



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:53 PM

Posted 11 February 2015 - 08:35 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:53 PM

Posted 18 February 2015 - 09:24 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:53 PM

Posted 18 February 2015 - 09:24 AM

This topic has been re-opened at the request of the person who originally posted.

#11 nessto

nessto
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:53 PM

Posted 19 February 2015 - 07:21 AM

Hello again :)

 

The problem seems to be the same, meaning a new window pops up randomly when opening any sites. Plus now something that looks like a regular ad appears (there should be no ads since there's Adblock Plus installed in the browser). It's all porn-related. And the address now says adultyum, not adultcameras.

What I did since this topic was closed... I fixed the Adobe Reader. I uninstalled the thing using the Adobe tool for that and downloaded a file from their site. I don't think there were any other changes done manually.

 

 

 

1. FRST:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 18-02-2015 01
Ran by Marek (administrator) on CIESZYN-7B5J97K on 19-02-2015 12:50:08
Running from C:\Documents and Settings\Marek\Pulpit
Loaded Profiles: Marek (Available profiles: Marek)
Platform: Microsoft Windows XP Professional Dodatek Service Pack 3 (X86) OS Language: Polski
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(ATI Technologies Inc.) C:\WINDOWS\system32\ati2evxx.exe
(Realtek Semiconductor Corp.) C:\WINDOWS\RTHDCPL.EXE
(ABBYY (BIT Software)) C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe
(Advanced Micro Devices Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(InstallShield Software Corporation) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
(Creative Technology Ltd.) C:\WINDOWS\V0640Mon.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\egui.exe
(ESET) C:\Program Files\ESET\ESET Smart Security\ekrn.exe
(Adobe Systems Incorporated) C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(VoipDiscount) C:\Program Files\VoipDiscount.com\VoipDiscount\voipdiscount.exe
(Foxit Software Inc.) C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe
(Skype Technologies S.A.) C:\Program Files\Skype\Phone\Skype.exe
(Dropbox, Inc.) C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\Dropbox.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Service.exe
(ATI Technologies Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Mozilla Corporation) C:\Program Files\Mozilla Thunderbird\thunderbird.exe
(Microsoft Corporation) C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
(Corel Corporation) C:\Program Files\Corel\Graphics9\Programs\coreldrw.exe
(Adobe Systems, Incorporated) C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe
(Adobe Systems, Incorporated) C:\Program Files\Common Files\Adobe\Web\AOM.exe
(Adobe Systems Incorporated) C:\PM65\PM65.EXE
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\tv_w32.exe
(Mozilla Corporation) C:\Program Files\Mozilla Firefox\firefox.exe
(TeamViewer GmbH) C:\Program Files\TeamViewer\Version8\TeamViewer_Desktop.exe


==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [RTHDCPL] => C:\WINDOWS\RTHDCPL.EXE [20053608 2011-05-12] (Realtek Semiconductor Corp.)
HKLM\...\Run: [StartCCC] => C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [98304 2010-01-13] (Advanced Micro Devices, Inc.)
HKLM\...\Run: [ABBYY Community Agent] => C:\Program Files\Sprint & FineReader 5.0 Office Try&Buy\Sprint\CAgent.exe [241664 2001-01-31] (ABBYY (BIT Software))
HKLM\...\Run: [ISUSPM Startup] => C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe [221184 2005-02-16] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] => C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [81920 2005-02-16] (InstallShield Software Corporation)
HKLM\...\Run: [V0640Mon.exe] => C:\WINDOWS\V0640Mon.exe [28672 2011-08-22] (Creative Technology Ltd.)
HKLM\...\Run: [egui] => C:\Program Files\ESET\ESET Smart Security\egui.exe [5088456 2014-10-01] (ESET)
HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [1022152 2014-12-19] (Adobe Systems Incorporated)
Winlogon\Notify\AtiExtEvent: C:\WINDOWS\system32\Ati2evxx.dll (ATI Technologies Inc.)
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\Run: [VoipDiscount] => C:\Program Files\VoipDiscount.com\VoipDiscount\VoipDiscount.exe [19578696 2013-07-10] (VoipDiscount)
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\Run: [Skype] => C:\Program Files\Skype\Phone\Skype.exe [22041192 2014-08-27] (Skype Technologies S.A.)
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\MountPoints2: {1c61cf68-d5b3-11e3-af09-00241d118cfe} - H:\Startme.exe
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\MountPoints2: {660e99f9-c4dd-11e1-acc7-00241d118cfe} - H:\LaunchU3.exe -a
HKU\S-1-5-21-1957994488-162531612-839522115-1003\...\MountPoints2: {8911fa28-7262-11e1-ac78-00241d118cfe} - H:\LaunchU3.exe -a
HKU\S-1-5-18\...\Run: [DWQueuedReporting] => C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE [434080 2011-07-27] (Microsoft Corporation)
Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\Adobe Gamma Loader.exe.lnk
ShortcutTarget: Adobe Gamma Loader.exe.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
Startup: C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\KYESCAN.lnk
ShortcutTarget: KYESCAN.lnk -> C:\Program Files\ScannerU\Kyescan.exe (KYE SYSTEMS CORP.)
Startup: C:\Documents and Settings\Marek\Menu Start\Programy\Autostart\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Documents and Settings\Marek\Dane aplikacji\Dropbox\bin\DropboxExt.25.dll (Dropbox, Inc.)
BootExecute: autocheck autochk * aswBoot.exe /M:54435b51b0b /dir:"C:\Program Files\AVAST Software\Avast"

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKU\S-1-5-21-1957994488-162531612-839522115-1003\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-1957994488-162531612-839522115-1003\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gazeta.pl/0,0.html?sc=1
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {D16527E9-6401-4122-A61B-C5DAB6842ECD} URL = http://szukaj.gazeta.pl/portalSearch.do?s.si(navigation).navigationEnabled=true&s.sm.query={searchTerms}
BHO: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Tcpip\Parameters: [DhcpNameServer] 195.238.181.164 8.8.8.8

FireFox:
========
FF ProfilePath: C:\Documents and Settings\Marek\Dane aplikacji\Mozilla\Firefox\Profiles\rofxqbxn.default
FF Homepage: hxxp://www.wp.pl/
FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_16_0_0_305.dll ()
FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.26.9\npGoogleUpdate3.dll (Google Inc.)
FF Plugin: Adobe Reader -> C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin: PDF Architect 2 -> C:\Program Files\PDF Architect 2\np-previewer.dll (pdfforge GmbH)
FF Extension: Adblock Plus - C:\Documents and Settings\Marek\Dane aplikacji\Mozilla\Firefox\Profiles\rofxqbxn.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2011-08-26]
FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2011-08-26]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR StartupUrls: Default -> "hxxp://www.google.com"
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.6.703\_platform_specific\win_x86\widevinecdmadapter.dll ()
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll No File
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npdrmv2.dll (Microsoft Corporation)
CHR Plugin: (Windows Media Player Plug-in Dynamic Link Library) - C:\Program Files\Windows Media Player\npdsplay.dll (Microsoft Corporation (written by Digital Renaissance Inc.))
CHR Plugin: (Microsoft® DRM) - C:\Program Files\Windows Media Player\npwmsdrm.dll (Microsoft Corporation)
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.670.1) - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 7 U67) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll No File
CHR Plugin: (PDF Architect 2) - C:\Program Files\PDF Architect 2\np-previewer.dll (pdfforge GmbH)
CHR Plugin: (Windows Presentation Foundation) - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll No File
CHR Profile: C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default
CHR Extension: (Adblock Plus) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-11-28]

========================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [602112 2010-01-14] (ATI Technologies Inc.) [File not signed]
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1349576 2014-10-01] (ESET)
R2 FoxitCloudUpdateService; C:\Program Files\Foxit Software\Foxit Reader\Foxit Cloud\FCUpdateService.exe [244448 2014-10-28] (Foxit Software Inc.)
S3 PDF Architect 2; C:\Program Files\PDF Architect 2\ws.exe [1771560 2014-06-26] (pdfforge GmbH)
S3 pdfforge CrashHandler; C:\Program Files\PDF Architect 2\crash-handler-ws.exe [861736 2014-06-26] (pdfforge GmbH)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

S3 Ambfilt; C:\WINDOWS\System32\drivers\Ambfilt.sys [1691480 2009-11-18] (Creative)
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [4584448 2010-01-14] (ATI Technologies Inc.) [File not signed]
S2 BulkUsb; C:\WINDOWS\System32\DRIVERS\usbscan.sys [14976 2013-07-03] (Microsoft Corporation)
S3 CCDECODE; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [17024 2008-04-13] (Microsoft Corporation)
R1 eamonm; C:\WINDOWS\System32\DRIVERS\eamonm.sys [191928 2014-10-10] (ESET)
R1 ehdrv; C:\WINDOWS\System32\DRIVERS\ehdrv.sys [135296 2014-10-10] (ESET)
R2 epfw; C:\WINDOWS\System32\DRIVERS\epfw.sys [176448 2014-10-10] (ESET)
R3 Epfwndis; C:\WINDOWS\System32\DRIVERS\Epfwndis.sys [39464 2014-10-10] (ESET)
R1 epfwtdi; C:\WINDOWS\System32\DRIVERS\epfwtdi.sys [63160 2014-10-10] (ESET)
S3 Monfilt; C:\WINDOWS\System32\drivers\Monfilt.sys [1395800 2009-11-18] (Creative Technology Ltd.)
S3 NdisIP; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [10880 2008-04-13] (Microsoft Corporation)
R3 NVENETFD; C:\WINDOWS\System32\DRIVERS\NVENETFD.sys [70912 2010-03-04] (NVIDIA Corporation)
R0 nvgts; C:\WINDOWS\System32\DRIVERS\nvgts.sys [168040 2010-04-08] (NVIDIA Corporation)
R3 nvnetbus; C:\WINDOWS\System32\DRIVERS\nvnetbus.sys [13824 2010-03-04] (NVIDIA Corporation)
S3 RT73; C:\WINDOWS\System32\DRIVERS\rt73.sys [445696 2007-05-14] (Ralink Technology, Corp.)
R2 StarOpen; C:\WINDOWS\system32\Drivers\StarOpen.sys [13120 2013-08-25] ()
S3 V0010bVd; C:\WINDOWS\System32\DRIVERS\V0010bVd.sys [186551 2003-04-21] (Creative Technology Ltd.)
R3 V0640Vid; C:\WINDOWS\System32\DRIVERS\V0640Vid.sys [273856 2011-09-07] (Creative Technology Ltd.) [File not signed]
S1 wceusbsh; C:\WINDOWS\System32\DRIVERS\wceusbsh.sys [31872 2008-04-14] (Microsoft Corporation)
U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 12:50 - 2015-02-19 12:50 - 00015485 _____ () C:\Documents and Settings\Marek\Pulpit\FRST.txt
2015-02-19 12:50 - 2015-02-19 12:50 - 00000000 ____D () C:\Documents and Settings\Marek\Pulpit\FRST-OlderVersion
2015-02-11 14:39 - 2015-02-11 14:39 - 00001804 _____ () C:\Documents and Settings\All Users\Menu Start\Programy\Adobe Reader XI.lnk
2015-02-11 14:39 - 2015-02-11 14:39 - 00001734 _____ () C:\Documents and Settings\All Users\Pulpit\Adobe Reader XI.lnk
2015-02-10 12:13 - 2015-02-10 12:13 - 00852594 _____ () C:\Documents and Settings\Marek\Pulpit\SecurityCheck.exe
2015-02-09 11:39 - 2015-02-09 11:55 - 00000000 ____D () C:\AdwCleaner
2015-02-09 11:39 - 2015-02-09 11:39 - 02112512 _____ () C:\Documents and Settings\Marek\Pulpit\adwcleaner_4.110.exe
2015-02-04 13:06 - 2015-02-19 12:50 - 01126400 _____ (Farbar) C:\Documents and Settings\Marek\Pulpit\FRST.exe
2015-02-04 13:06 - 2015-02-19 12:50 - 00000000 ____D () C:\FRST
2015-02-02 14:57 - 2015-02-02 14:59 - 00000730 _____ () C:\Documents and Settings\All Users\Menu Start\Programy\Mozilla Firefox.lnk
2015-02-02 14:57 - 2015-02-02 14:59 - 00000724 _____ () C:\Documents and Settings\All Users\Pulpit\Mozilla Firefox.lnk
2015-02-02 14:57 - 2015-02-02 14:59 - 00000000 ____D () C:\Program Files\Mozilla Firefox
2015-01-24 12:13 - 2015-01-24 12:13 - 00000000 ____D () C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\ESET
2015-01-24 12:13 - 2015-01-24 12:13 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\ESET
2015-01-24 12:12 - 2015-01-24 12:12 - 00000000 ____D () C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji\ESET
2015-01-24 12:11 - 2015-01-24 12:11 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\ESET
2015-01-24 12:11 - 2015-01-24 12:11 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\ESET

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-02-19 12:50 - 2011-08-23 12:40 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\Skype
2015-02-19 12:50 - 2011-08-22 15:57 - 00000000 ____D () C:\Documents and Settings\Marek\Ustawienia lokalne\Temp
2015-02-19 12:50 - 2011-08-22 15:57 - 00000000 ____D () C:\Documents and Settings\Marek\Pulpit
2015-02-19 12:32 - 2011-08-23 11:07 - 00000235 _____ () C:\WINDOWS\QTW.INI
2015-02-19 12:30 - 2013-03-19 14:51 - 00000930 _____ () C:\WINDOWS\Tasks\Adobe Flash Player Updater.job
2015-02-19 12:16 - 2011-09-05 07:33 - 00001036 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
2015-02-19 12:15 - 2011-08-22 16:49 - 00000254 _____ () C:\WINDOWS\wiadebug.log
2015-02-19 11:56 - 2011-08-23 13:47 - 00000462 ____H () C:\WINDOWS\Tasks\User_Feed_Synchronization-{F7200281-F0EF-4CA7-A547-6B1C776333BF}.job
2015-02-19 11:34 - 2011-08-22 15:56 - 00032500 _____ () C:\WINDOWS\SchedLgU.Txt
2015-02-19 11:20 - 2011-08-23 10:45 - 00002513 _____ () C:\Documents and Settings\Marek\Pulpit\Microsoft Office Word 2007.lnk
2015-02-19 09:35 - 2011-08-23 09:16 - 01292594 _____ () C:\WINDOWS\WindowsUpdate.log
2015-02-19 09:34 - 2011-11-09 08:23 - 00000000 ___RD () C:\Documents and Settings\Marek\Moje dokumenty\Dropbox
2015-02-19 09:33 - 2011-11-09 08:18 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\Dropbox
2015-02-19 09:33 - 2003-04-16 13:00 - 00013646 _____ () C:\WINDOWS\system32\wpa.dbl
2015-02-19 09:32 - 2014-03-28 08:18 - 00000222 _____ () C:\WINDOWS\Tasks\Powiadomienie o zakończeniu obsługi systemu Microsoft Windows XP — logowanie.job
2015-02-19 09:32 - 2011-09-05 07:33 - 00001032 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
2015-02-19 09:32 - 2011-08-22 16:49 - 00000050 _____ () C:\WINDOWS\wiaservc.log
2015-02-19 09:32 - 2011-08-22 15:54 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
2015-02-18 13:26 - 2011-08-23 10:16 - 00524288 _____ () C:\WINDOWS\system32\config\ACEEvent.evt
2015-02-18 13:26 - 2011-08-22 15:57 - 00000188 ___SH () C:\Documents and Settings\Marek\ntuser.ini
2015-02-18 13:12 - 2011-08-22 15:57 - 00000000 ____D () C:\Documents and Settings\Marek
2015-02-18 13:04 - 2003-04-16 13:00 - 00000608 _____ () C:\WINDOWS\win.ini
2015-02-18 12:58 - 2014-07-24 13:13 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
2015-02-18 12:57 - 2014-07-24 13:12 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
2015-02-18 12:57 - 2014-07-24 13:12 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\Malwarebytes Anti-Malware
2015-02-18 09:16 - 2011-08-22 15:57 - 00000000 ___HD () C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji
2015-02-16 15:03 - 2011-08-23 11:44 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\FileZilla
2015-02-16 08:37 - 2014-04-04 07:36 - 00000406 ____H () C:\WINDOWS\Tasks\Microsoft Antimalware Scheduled Scan.job
2015-02-13 08:56 - 2012-12-17 10:04 - 00000320 _____ () C:\WINDOWS\barcode.ini
2015-02-12 08:55 - 2011-08-22 15:57 - 00000000 ___RD () C:\Documents and Settings\Marek\Menu Start\Programy\Autostart
2015-02-12 08:54 - 2011-11-09 08:23 - 00000994 _____ () C:\Documents and Settings\Marek\Pulpit\Dropbox.lnk
2015-02-12 08:54 - 2011-11-09 08:19 - 00000000 ____D () C:\Documents and Settings\Marek\Menu Start\Programy\Dropbox
2015-02-11 15:04 - 2013-08-16 16:45 - 00000000 ____D () C:\WINDOWS\system32\MRT
2015-02-11 15:01 - 2011-08-23 13:40 - 113756392 _____ (Microsoft Corporation) C:\WINDOWS\system32\MRT.exe
2015-02-11 15:01 - 2011-08-23 10:28 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\Microsoft Help
2015-02-11 14:39 - 2011-08-23 11:25 - 00000000 ____D () C:\Program Files\Common Files\Adobe
2015-02-11 14:39 - 2011-08-22 16:48 - 00000000 ___RD () C:\Documents and Settings\All Users\Menu Start\Programy
2015-02-11 14:39 - 2011-08-22 16:48 - 00000000 ____D () C:\Documents and Settings\All Users\Pulpit
2015-02-11 09:19 - 2014-12-10 17:06 - 00000000 ____D () C:\Documents and Settings\Marek\Dane aplikacji\Foxit Software
2015-02-10 09:08 - 2012-09-26 14:36 - 00000404 _____ () C:\WINDOWS\BRWMARK.INI
2015-02-09 11:55 - 2011-08-22 16:48 - 00000000 __RHD () C:\Documents and Settings\All Users\Dane aplikacji
2015-02-05 13:30 - 2013-03-19 14:51 - 00701616 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerApp.exe
2015-02-05 13:30 - 2011-08-23 10:33 - 00071344 _____ (Adobe Systems Incorporated) C:\WINDOWS\system32\FlashPlayerCPLApp.cpl
2015-02-03 08:42 - 2012-04-27 11:32 - 00000000 ____D () C:\Program Files\Mozilla Maintenance Service
2015-01-27 09:59 - 2011-08-22 16:48 - 00000000 ___RD () C:\Documents and Settings\All Users\Dokumenty
2015-01-26 08:15 - 2014-04-17 07:52 - 00000000 ____D () C:\Documents and Settings\All Users\Dane aplikacji\AVAST Software
2015-01-26 08:15 - 2011-08-22 15:57 - 00000000 __RHD () C:\Documents and Settings\Marek\Dane aplikacji
2015-01-24 12:21 - 2011-08-23 16:00 - 00000000 ____D () C:\Documents and Settings\All Users\Menu Start\Programy\CorelDRAW 9
2015-01-24 12:12 - 2011-08-22 15:56 - 00000000 ___HD () C:\Documents and Settings\LocalService\Ustawienia lokalne\Dane aplikacji
2015-01-24 12:11 - 2012-12-13 12:15 - 00000000 ____D () C:\Program Files\ESET

==================== Files in the root of some directories =======

2012-01-25 17:11 - 2014-08-11 13:29 - 0007680 _____ () C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Some content of TEMP:
====================
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpubxoti.dll
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\InstHelper.exe
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\Quarantine.exe
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\sqlite3.dll


==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\WINDOWS\explorer.exe => File is digitally signed
C:\WINDOWS\system32\winlogon.exe => File is digitally signed
C:\WINDOWS\system32\svchost.exe => File is digitally signed
C:\WINDOWS\system32\services.exe => File is digitally signed
C:\WINDOWS\system32\User32.dll => File is digitally signed
C:\WINDOWS\system32\userinit.exe => File is digitally signed
C:\WINDOWS\system32\rpcss.dll => File is digitally signed
C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

==================== End Of Log ============================

2. AdwCleaner (I only ran it and didn't clean anything, though there doesn't seem to be anything to clean anyway):

 

# AdwCleaner v4.111 - Logfile created 19/02/2015 at 12:53:00
# Updated 18/02/2015 by Xplode
# Database : 2015-02-18.3 [Local]
# Operating system : Microsoft Windows XP Dodatek Service Pack 3 (x86)
# Username : Marek - CIESZYN-7B5J97K
# Running from : C:\Documents and Settings\Marek\Pulpit\adwcleaner_4.111.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v35.0.1 (x86 pl)


-\\ Google Chrome v40.0.2214.111

*************************

AdwCleaner[R0].txt - [2167 bytes] - [09/02/2015 11:43:04]
AdwCleaner[R1].txt - [742 bytes] - [19/02/2015 12:53:00]
AdwCleaner[S0].txt - [2276 bytes] - [09/02/2015 11:55:09]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [859 bytes] ##########

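As an added example (not code from this thread, from its posters, or from FRST itself), here is a small Python triage script for an FRST log like the one posted above. It pulls out the entries a reviewer looks at first: plugin/extension registrations FRST marks "No File", SearchScopes registered with an empty URL, services with no ImagePath, drivers or services that are unsigned or carry no publisher, and the DHCP-supplied DNS servers. The "No File" and empty-URL lines are also returned verbatim, because an FRST fixlist is built from the log's own lines (which is how the fix in this thread is written). The sample log is constructed from lines that appear in this thread; 8.8.8.8 and 8.8.4.4 are Google Public DNS, and the script passes no judgement on any other address, it only lists it for checking against the ISP or router.

```python
"""Triage helper for a Farbar Recovery Scan Tool (FRST) log (added example,
not FRST's own code). Parses the line formats seen in the posted log."""
import re

# Constructed sample: lines copied from the FRST logs in this thread.
SAMPLE_LOG = r"""
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1957994488-162531612-839522115-1003 -> {D16527E9-6401-4122-A61B-C5DAB6842ECD} URL = http://szukaj.gazeta.pl/portalSearch.do?s.si(navigation).navigationEnabled=true&s.sm.query={searchTerms}
Tcpip\Parameters: [DhcpNameServer] 195.238.181.164 8.8.8.8
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
R2 ekrn; C:\Program Files\ESET\ESET Smart Security\ekrn.exe [1349576 2014-10-01] (ESET)
R3 ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [4584448 2010-01-14] (ATI Technologies Inc.) [File not signed]
R2 StarOpen; C:\WINDOWS\system32\Drivers\StarOpen.sys [13120 2013-08-25] ()
S4 IntelIde; No ImagePath
"""

# Google Public DNS; any other resolver is left for the reader to verify.
KNOWN_PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4"}

RE_NOFILE = re.compile(
    r"^(?P<kind>(?:CHR|FF) (?:Plugin|Extension)): \((?P<name>[^)]*)\) - (?P<path>.+?) No File$")
RE_SCOPE = re.compile(r"^SearchScopes: (?P<hive>\S+) -> .*?\bURL =\s*(?P<url>.*)$")
RE_DNS = re.compile(r"^Tcpip\\Parameters: \[DhcpNameServer\]\s+(?P<servers>.+)$")
RE_NOIMAGE = re.compile(r"^(?P<state>[RSU]\d) (?P<name>[^;]+); No ImagePath$")
RE_DRIVER = re.compile(
    r"^(?P<state>[RSU]\d) (?P<name>[^;]+); (?P<path>.+?) "
    r"\[(?P<size>\d+) (?P<date>\d{4}-\d\d-\d\d)\] \((?P<publisher>[^)]*)\)(?P<flags>.*)$")


def triage(log_text):
    """Return a dict of findings; every value is a list kept in log order."""
    f = {
        "orphaned_entries": [],            # (kind, name, path) - registered file is gone
        "empty_search_scopes": [],         # hive of a SearchScopes entry with no URL
        "services_without_imagepath": [],  # service names with "No ImagePath"
        "unsigned_or_unattributed": [],    # (name, path, reason)
        "dns_servers": [],                 # (address, comment)
        "fixlist_candidates": [],          # verbatim log lines usable in an FRST fixlist
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_NOFILE.match(line)
        if m:
            f["orphaned_entries"].append((m["kind"], m["name"], m["path"]))
            f["fixlist_candidates"].append(line)
            continue
        m = RE_SCOPE.match(line)
        if m:
            if not m["url"]:
                f["empty_search_scopes"].append(m["hive"])
                f["fixlist_candidates"].append(line)
            continue
        m = RE_DNS.match(line)
        if m:
            for addr in m["servers"].split():
                note = ("Google Public DNS" if addr in KNOWN_PUBLIC_RESOLVERS
                        else "verify against the ISP/router configuration")
                f["dns_servers"].append((addr, note))
            continue
        m = RE_NOIMAGE.match(line)
        if m:
            f["services_without_imagepath"].append(m["name"])
            continue
        m = RE_DRIVER.match(line)
        if m:
            reasons = []
            if "[File not signed]" in m["flags"]:
                reasons.append("not signed")
            if not m["publisher"].strip():
                reasons.append("no publisher")
            if reasons:
                f["unsigned_or_unattributed"].append((m["name"], m["path"], ", ".join(reasons)))
    return f


def report(findings):
    """Render the findings as plain text, one section per category."""
    out = []
    for key, items in findings.items():
        out.append(f"== {key} ({len(items)}) ==")
        out.extend("  " + (" | ".join(i) if isinstance(i, tuple) else i) for i in items)
    return "\n".join(out)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run it as-is to see the sample triaged, or replace SAMPLE_LOG with the contents of a saved FRST.txt. An unsigned driver or an empty publisher is a prompt to look, not a verdict: in the sample, ati2mtag is an ATI display driver that simply predates signing, and the script only lists it.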
#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:53 PM

Posted 19 February 2015 - 09:37 AM


Nothing suspicious was found in your logs. This is just a cleanup of some empty items in the registry.

Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.670.1) - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 7 U67) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll No File
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpubxoti.dll
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\InstHelper.exe

End
Save the file as fixlist.txt into the same folder as FRST

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log Fixlog.txt please post it to your reply.
===

Click the Start button. In the Search box, type Command Prompt, and then, in the list of results, double-click Command Prompt.

At the cursor, type:
ipconfig /flushdns <-- (A space between g and / is needed)

ipconfig /release

repeat with
ipconfig /renew

Then hit Enter, type Exit, hit the Enter key.

You may need to run CMD - Command Prompt on Vista - Windows 7/8 with Elevated Privilege
http://www.bleepingcomputer.com/tutorials/windows-elevated-command-prompt/
<<<>>>

If the popups issue is the same continue.

Reset the browsers that have been compromised.

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.

Click "Settings" then "Show advanced settings" at the bottom of the screen.

Click the "Reset browser settings" button.

Restart Chrome.
====

Firefox:
Reset Default Browsing settings:
https://support.mozilla.org/en-US/kb/reset-firefox-easily-fix-problems?utm_expid=65912487-41.djHNRQY0RhaLvvtvcd0BQA.2&utm_referrer=https%3A%2F%2Fwww.google.ca%2F
===

Reset Internet Explorer:
Menu > Tools > Internet Options > Advanced Tab.
Click the Reset button on the bottom of the pane.
Click the Apply button.
Close IE.

===

Open Adblock Plus Options
Remove the check mark in the box near Allow some non-intrusive advertising

How is it now?

#13 nessto

nessto
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 20 February 2015 - 07:50 AM

I had to do all the steps, the command thing didn't help. Resetting the browser seemed to do the trick though. But I'm not fast to jump to any conclusions since it came back the first time. Well, for now it seems to be fixed.

And the logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-02-2015 01
Ran by Marek at 2015-02-20 12:47:33 Run:2
Running from C:\Documents and Settings\Marek\Pulpit
Loaded Profiles: Marek (Available profiles: Marek)
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Plugin: (Widevine Content Decryption Module) - C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll No File
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll No File
CHR Plugin: (Java Deployment Toolkit 7.0.670.1) - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 7 U67) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll No File
CHR Plugin: (Shockwave Flash) - C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll No File
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpubxoti.dll
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\InstHelper.exe

End
*****************

Processes closed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Documents and Settings\Marek\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll not found.
C:\Program Files\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll not found.
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File not found.
C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll not found.
C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll not found.
C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll not found.
C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll not found.
C:\WINDOWS\system32\Macromed\Flash\NPSWF32_15_0_0_239.dll not found.
"C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpubxoti.dll" => File/Directory not found.
C:\Documents and Settings\Marek\Ustawienia lokalne\Temp\InstHelper.exe => Moved successfully.


The system needed a reboot.

==== End of Fixlog 12:47:34 ====
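The Fixlog above is what the helper reads to confirm which fixlist entries were actually acted on. A small parser for that format, added here as an example and not part of the original post, of FRST or of BleepingComputer: FRST publishes no grammar for Fixlog, so the line patterns it recognises ("... => Moved successfully.", "... => value deleted successfully.", "... not found.") are assumptions drawn from the log quoted above, and the sample Fixlog embedded in the script is constructed with the user name and paths changed.

```python
"""Summarise the result section of an FRST Fixlog.txt.

Added example for this thread; it is not part of the original post, of FRST,
or of BleepingComputer. FRST publishes no grammar for Fixlog, so the line
patterns below are assumptions drawn from the log quoted in the thread.
"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the Fixlog quoted above (paths shortened,
# user name replaced). Raw string so the backslashes survive untouched.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 18-02-2015 01
Ran by User at 2015-02-20 12:47:33 Run:2
Boot Mode: Normal

==============================================

Content of fixlist:
*****************
start

CloseProcesses:

SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File
C:\Documents and Settings\User\Local Settings\Temp\InstHelper.exe

End
*****************

Processes closed successfully.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
C:\Program Files\Google\Chrome\Application\39.0.2171.95\pdf.dll not found.
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\39.0.2171.95\internal-nacl-plugin No File not found.
"C:\Documents and Settings\User\Local Settings\Temp\dropbox_sqlite_ext.tmp.dll" => File/Directory not found.
C:\Documents and Settings\User\Local Settings\Temp\InstHelper.exe => Moved successfully.


The system needed a reboot.

==== End of Fixlog 12:47:34 ====
"""

# Assumed result-line shapes (taken from the quoted log, not from FRST docs).
_MOVED = re.compile(r'^"?(?P<item>.+?)"? => Moved successfully\.$')
_VALUE_DELETED = re.compile(r'^(?P<item>.+?) => value deleted successfully\.$')
_NOT_FOUND = re.compile(r'^"?(?P<item>.+?)"?(?: =>)? (?:File/Directory )?not found\.$')


@dataclass
class FixSummary:
    processes_closed: bool = False
    reboot_required: bool = False
    registry_deleted: list = field(default_factory=list)
    moved: list = field(default_factory=list)       # quarantined by FRST
    not_found: list = field(default_factory=list)   # already absent on disk/registry
    unrecognised: list = field(default_factory=list)


def parse_fixlog(text: str) -> FixSummary:
    """Classify every result line that follows the echoed fixlist."""
    summary = FixSummary()
    lines = text.splitlines()
    # The echoed fixlist is framed by two rows of asterisks; results start after the second.
    rules = [i for i, line in enumerate(lines) if line.strip() == "*****************"]
    start = rules[1] + 1 if len(rules) >= 2 else 0
    for raw in lines[start:]:
        line = raw.strip()
        if not line or line.startswith("===="):
            continue  # blank line or the "==== End of Fixlog" trailer
        if line == "Processes closed successfully.":
            summary.processes_closed = True
        elif line == "The system needed a reboot.":
            summary.reboot_required = True
        elif (m := _MOVED.match(line)):
            summary.moved.append(m.group("item"))
        elif (m := _VALUE_DELETED.match(line)):
            summary.registry_deleted.append(m.group("item"))
        elif (m := _NOT_FOUND.match(line)):
            summary.not_found.append(m.group("item"))
        else:
            summary.unrecognised.append(line)  # surface anything the patterns miss
    return summary


def report(summary: FixSummary) -> str:
    """Short review text; moved items are the ones that were really present and quarantined."""
    out = [
        f"processes closed : {summary.processes_closed}",
        f"registry values deleted : {len(summary.registry_deleted)}",
        f"files moved (quarantined) : {len(summary.moved)}",
        f"items already absent : {len(summary.not_found)}",
        f"reboot required : {summary.reboot_required}",
    ]
    out += [f"  moved: {p}" for p in summary.moved]
    if summary.unrecognised:
        out.append("unrecognised result lines (check by hand):")
        out += [f"  {l}" for l in summary.unrecognised]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(parse_fixlog(SAMPLE_FIXLOG)))
```

Run against the thread's real Fixlog, the useful output is the "moved" list: those are the only entries that existed on the machine when the fix ran (here, InstHelper.exe from the Temp folder), while every "not found" entry was a stale registry or plugin reference that FRST merely tidied, which matches nasdaq's reading that the logs showed nothing suspicious.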



#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,228 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:53 PM

Posted 20 February 2015 - 08:41 AM

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?

#15 nessto

nessto
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:11:53 PM

Posted 23 February 2015 - 06:28 AM

There were no signs of the porn thing so far today. We'll see how it goes in the next few days, I guess.

Security Check:

Results of screen317's Security Check version 0.99.96  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
ESET Smart Security 8.0   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 CCleaner     
  Java 64-bit 8 Update 31  
 Adobe Flash Player     16.0.0.305  
 Adobe Reader XI  
 Mozilla Firefox (35.0.1)
 Mozilla Thunderbird (31.4.0)
 Google Chrome (40.0.2214.111)
 Google Chrome (40.0.2214.115)
````````Process Check: objlist.exe by Laurent````````  
 ESET NOD32 Antivirus egui.exe  
 ESET NOD32 Antivirus ekrn.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C::  
````````````````````End of Log``````````````````````