Posted: 23 Dec 2009 23:07
offline
- boksi
- Respected citizen
- Joined: 11 Jun 2008
- Posts: 474
I have Nod antivirus, but my computer keeps picking up viruses; lately it freezes and runs slowly.......?
DDS (Ver_09-12-01.01) - NTFSx86
Run by Administrator at 20:32:56,64 on ??? 23.12.2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1304 [GMT 1:00]
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Drive Space Indicator\DrvSpace.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Gigabyte\EasySaver\ESSVR.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\LieDetector.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Administrator\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.tattoodle.com?tid={582EF506-860F-4069-AB65-640578656A04}
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant =
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: FireShot: {6e6e744e-4d20-4ce3-9a7a-26dfffe22f68} - c:\users\administrator\application data\mozilla\firefox\profiles\24w5c27l.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.78.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe" -H
mRun: [DriveSpace] c:\program files\drive space indicator\DrvSpace.exe
mRun: [NodEnabler] c:\program files\eset\eset smart security\nodenabler\NodEnabler.exe /s
mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [BDRegion] c:\program files\cyberlink\shared files\brs.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [SystemTray] SysTray.Exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [NewUser] c:\windows\lastxp\NewUser.cmd
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-system: SynchronousMachineGroupPolicy = 0 (0x0)
mPolicies-system: SynchronousUserGroupPolicy = 0 (0x0)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\program files\dvd region+css free\DVDShell.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
IFEO: notepad.exe - "c:\program files\notepad2\Notepad2.exe" /z
================= FIREFOX ===================
FF - ProfilePath - c:\users\admini~1\applic~1\mozilla\firefox\profiles\24w5c27l.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tattoodle.com?tid={36FED752-AC84-6DA9-5DB4-DD7EB8A95923}
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\administrator\application data\mozilla\firefox\profiles\24w5c27l.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\administrator\application data\mozilla\firefox\profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\administrator\local settings\application data\yahoo!\browserplus\2.4.17\plugins\npybrowserplus_2.4.17.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-2-1 41456]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 ES lite Service;ES lite Service for program management.;c:\program files\gigabyte\easysaver\essvr.exe [2009-9-25 68136]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-17 54752]
S1 HWiNFO32;HWiNFO32 Kernel Driver;\??\c:\windows\temp\rar$ex00.187\hwinfo32.sys --> c:\windows\temp\rar$ex00.187\HWiNFO32.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-9-17 133104]
S3 cpuz130;cpuz130;\??\c:\windows\temp\cpuz130\cpuz_x32.sys --> c:\windows\temp\cpuz130\cpuz_x32.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 oflpydin;oflpydin;c:\windows\temp\oflpydin.sys [2009-1-17 15872]
============== File Associations ===============
inffile=c:\windows\system32\Notepad2.exe %1
inifile=c:\windows\system32\Notepad2.exe %1
txtfile=c:\windows\system32\Notepad2.exe %1
=============== Created Last 30 ================
2009-12-21 14:37:51 0 d-----w- c:\users\administrator\WINDOWS
2009-12-14 19:15:14 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 17:32:15 54156 ---ha-w- c:\windows\QTFont.qfn
2009-12-14 17:32:15 1409 ----a-w- c:\windows\QTFont.for
2009-12-14 16:04:30 0 d-----w- c:\program files\common files\xing shared
2009-12-14 15:44:58 0 d-----w- c:\users\admini~1\applic~1\DMCache
2009-12-12 20:06:07 45 ----a-w- c:\windows\system32\initdebug.nfo
2009-12-10 10:54:40 0 d-----w- c:\program files\Vidomi
2009-12-04 10:23:43 87 ----a-w- c:\windows\NeroDigital.ini
2009-11-24 14:21:59 0 d-----w- c:\program files\Emicsoft Studio
==================== Find3M ====================
2009-12-23 19:25:16 16608 ----a-w- c:\windows\gdrv.sys
2009-10-19 06:36:44 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-16 05:34:56 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-10-11 03:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 14:24:58 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-09-30 14:24:25 249856 ------w- c:\windows\Setup1.exe
2009-09-30 14:24:24 73216 ----a-w- c:\windows\ST6UNST.EXE
2008-03-09 05:25:10 236 ----a-w- c:\program files\common files\dx.reg
2008-03-03 09:00:00 480 ----a-r- c:\program files\SetupS.ini
2008-03-03 09:00:00 1341 ----a-r- c:\program files\CopyPath.png
2006-05-03 09:06:54 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30:52 216064 --sh--r- c:\windows\system32\nbDX.dll
2009-09-16 22:44:23 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-09-16 22:44:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-09-16 22:44:30 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009091720090918\index.dat
2009-09-16 22:44:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat
============= FINISH: 20:33:16,78 ===============
Posted: 24 Dec 2009 09:25
offline
- boksi
- Respected citizen
- Joined: 11 Jun 2008
- Posts: 474
ComboFix 09-12-23.02 - Administrator 24.12.2009 9:10.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1630 [GMT 1:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\users\Administrator\My Documents\cc_20090930_143701.reg
c:\windows\system32\d3d10core.dll
c:\windows\system32\kernel32new.dll
c:\windows\system32\msvcrtnew.dll
c:\windows\system32\Plugins
c:\windows\system32\Plugins\Hoster\aCallbackMethods.dll
c:\windows\system32\Plugins\Hoster\archivto.dll
c:\windows\system32\Plugins\Hoster\bluehostto.dll
c:\windows\system32\Plugins\Hoster\dataupde.dll
c:\windows\system32\Plugins\Hoster\fastloadnet.dll
c:\windows\system32\Plugins\Hoster\fastshareorg.dll
c:\windows\system32\Plugins\Hoster\fileuploadnet.dll
c:\windows\system32\Plugins\Hoster\megauploadcom.dll
c:\windows\system32\Plugins\Hoster\meinuploadcom.dll
c:\windows\system32\Plugins\Hoster\moosharede.dll
c:\windows\system32\Plugins\Hoster\myvideode.dll
c:\windows\system32\Plugins\Hoster\netloadin.dll
c:\windows\system32\Plugins\Hoster\PluginSettings.ini
c:\windows\system32\Plugins\Hoster\qsharecom.dll
c:\windows\system32\Plugins\Hoster\rapidsharecom.dll
c:\windows\system32\Plugins\Hoster\shareonlinebiz.dll
c:\windows\system32\Plugins\Hoster\shareplacecom.dll
c:\windows\system32\Plugins\Hoster\silofilescom.dll
c:\windows\system32\Plugins\Hoster\speedysharecom.dll
c:\windows\system32\Plugins\Hoster\uploadedto.dll
c:\windows\system32\Plugins\Hoster\yourfilesbiz.dll
c:\windows\system32\Plugins\Hoster\youtubecom.dll
c:\windows\system32\Plugins\YouCrypt\callbackmethods.dll
c:\windows\system32\Plugins\YouCrypt\captcha.dll
c:\windows\system32\Plugins\YouCrypt\cineto.dll
c:\windows\system32\Plugins\YouCrypt\datenbankorg.dll
c:\windows\system32\Plugins\YouCrypt\datenschleuder.dll
c:\windows\system32\Plugins\YouCrypt\ddlscene.dll
c:\windows\system32\Plugins\YouCrypt\ddl(zabranjeno).dll
c:\windows\system32\Plugins\YouCrypt\dreidl.dll
c:\windows\system32\Plugins\YouCrypt\dxpdivxvidorg.dll
c:\windows\system32\Plugins\YouCrypt\gameblog.dll
c:\windows\system32\Plugins\YouCrypt\gamezam.dll
c:\windows\system32\Plugins\YouCrypt\gapping.dll
c:\windows\system32\Plugins\YouCrypt\g(zabranjeno).dll
c:\windows\system32\Plugins\YouCrypt\linkbank.dll
c:\windows\system32\Plugins\YouCrypt\linksafe.dll
c:\windows\system32\Plugins\YouCrypt\LinkSave.dll
c:\windows\system32\Plugins\YouCrypt\lix.dll
c:\windows\system32\Plugins\YouCrypt\mirrorit.dll
c:\windows\system32\Plugins\YouCrypt\netfolderin.dll
c:\windows\system32\Plugins\YouCrypt\onekh.dll
c:\windows\system32\Plugins\YouCrypt\rapidfolder.dll
c:\windows\system32\Plugins\YouCrypt\rapidlayer.dll
c:\windows\system32\Plugins\YouCrypt\rapidsafede.dll
c:\windows\system32\Plugins\YouCrypt\rapidsafenet.dll
c:\windows\system32\Plugins\YouCrypt\relinkus.dll
c:\windows\system32\Plugins\YouCrypt\RScomLinkList.dll
c:\windows\system32\Plugins\YouCrypt\rslayer.dll
c:\windows\system32\Plugins\YouCrypt\saveraidrush.dll
c:\windows\system32\Plugins\YouCrypt\secured.dll
c:\windows\system32\Plugins\YouCrypt\securnet.dll
c:\windows\system32\Plugins\YouCrypt\serienjunkies.dll
c:\windows\system32\Plugins\YouCrypt\shareonall.dll
c:\windows\system32\Plugins\YouCrypt\shareprotect.dll
c:\windows\system32\Plugins\YouCrypt\stealth.dll
c:\windows\system32\Plugins\YouCrypt\tinyurl.dll
c:\windows\system32\Plugins\YouCrypt\UndergroundCMS.dll
c:\windows\system32\Plugins\YouCrypt\uppicoasis.dll
c:\windows\system32\Plugins\YouCrypt\urlcash.dll
c:\windows\system32\Plugins\YouCrypt\usercashcom.dll
c:\windows\system32\Plugins\YouCrypt\xlinkin.dll
c:\windows\system32\terminal.exe
c:\windows\system32\logonui.exe . . . is infected!!
.
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.
2009-12-22 11:51 . 2009-12-16 13:42 43008 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-22 11:51 . 2009-12-16 13:42 340480 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-22 11:51 . 2009-12-16 13:41 346624 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-22 11:51 . 2009-12-16 13:42 872960 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-21 14:37 . 2009-12-21 14:37 -------- d-----w- c:\users\Administrator\WINDOWS
2009-12-16 20:06 . 2009-10-08 09:31 3204096 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-12-16 20:06 . 2009-10-07 17:06 106496 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin.dll
2009-12-16 20:06 . 2009-09-23 20:29 28672 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-12-16 20:06 . 2009-03-19 22:57 40960 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fireshot-install.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 16:04 . 2009-12-14 16:04 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-14 15:44 . 2009-12-14 15:44 -------- d-----w- c:\users\Administrator\Application Data\DMCache
2009-12-10 10:54 . 2009-12-10 10:54 -------- d-----w- c:\program files\Vidomi
2009-12-10 10:34 . 2009-12-10 10:34 -------- d-----w- c:\users\Administrator\Application Data\dvdcss
2009-12-09 12:53 . 2009-12-09 12:53 868352 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\LieDetector.exe
2009-12-09 12:53 . 2009-12-09 12:53 640000 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\dbghelp.dll
2009-12-09 12:53 . 2009-12-09 12:53 53760 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\zlib.dll
2009-12-09 12:53 . 2009-12-09 12:53 1712128 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\GdiPlus.dll
2009-11-24 14:21 . 2009-11-24 14:21 -------- d-----w- c:\program files\Emicsoft Studio
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 07:59 . 2009-09-25 17:22 16608 ----a-w- c:\windows\gdrv.sys
2009-12-24 07:58 . 2009-09-16 23:30 -------- d-----w- c:\users\Administrator\Application Data\Skype
2009-12-24 07:57 . 2009-09-16 19:00 -------- d-----w- c:\users\Administrator\Application Data\skypePM
2009-12-21 14:52 . 2009-09-16 23:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-21 12:33 . 2009-09-17 14:19 -------- d-----w- c:\program files\Google
2009-12-14 16:04 . 2009-10-19 06:36 -------- d-----w- c:\program files\Common Files\Real
2009-12-14 16:04 . 2009-10-19 06:36 -------- d-----w- c:\program files\Real
2009-12-14 14:53 . 2009-09-16 22:58 -------- d-----w- c:\program files\Lavalys
2009-11-23 13:45 . 2009-11-23 13:45 -------- d-----w- c:\program files\Common Files\EasyInfo
2009-11-22 08:13 . 2009-11-15 11:40 -------- d-----w- c:\program files\BumpTop
2009-11-20 07:54 . 2009-09-16 21:55 -------- d-----w- c:\program files\SystemRequirementsLab
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-11-20 07:54 . 2009-09-16 21:55 -------- d-----w- c:\users\Administrator\Application Data\SystemRequirementsLab
2009-11-17 07:36 . 2009-11-17 07:34 14741600 ----a-w- c:\users\Administrator\Application Data\Bump Technologies, Inc\BumpTop\Updates\BumpTopInstaller.exe
2009-11-15 20:15 . 2009-11-15 20:15 -------- d-----w- c:\program files\Common Files\Skype
2009-11-15 20:15 . 2009-09-16 23:08 -------- d-----r- c:\program files\Skype
2009-11-15 20:15 . 2009-09-16 23:08 -------- d-----w- c:\users\All Users\Application Data\Skype
2009-11-15 13:10 . 2009-11-15 13:10 -------- d-----w- c:\users\Administrator\Application Data\Bump Technologies, Inc
2009-11-14 17:52 . 2009-11-14 17:52 -------- d-----w- c:\users\Administrator\Application Data\Media Player Classic
2009-11-04 08:08 . 2009-09-16 22:39 -------- d-----w- c:\program files\Java
2009-11-04 08:07 . 2009-11-04 08:07 152576 ----a-w- c:\users\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 09:20 . 2009-11-02 09:20 -------- d-----w- c:\program files\City Interactive
2009-11-02 07:43 . 2009-09-27 06:13 -------- d-----w- c:\program files\Call of Duty
2009-10-27 21:14 . 2009-09-16 23:08 -------- d-----w- c:\program files\URUSoft
2009-10-26 13:55 . 2009-10-25 09:12 -------- d-----w- c:\users\Administrator\Application Data\FrostWire
2009-10-25 09:32 . 2009-10-25 09:32 0 ----a-w- c:\users\Administrator\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-19 06:36 . 2009-09-16 22:51 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-16 05:34 . 2009-09-16 22:53 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-10-16 05:34 . 2009-09-16 22:53 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-10-11 03:17 . 2009-09-16 22:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 14:24 . 2009-09-16 22:51 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-09-30 14:24 . 2009-09-30 14:24 249856 ------w- c:\windows\Setup1.exe
2009-09-30 14:24 . 2009-09-30 14:24 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-09-25 18:06 . 2009-09-25 18:06 664 ----a-w- c:\windows\system32\d3d9caps.dat
2008-03-09 05:25 . 2009-09-22 16:25 236 ----a-w- c:\program files\Common Files\dx.reg
2008-03-03 09:00 . 2009-09-16 22:56 1341 ----a-r- c:\program files\CopyPath.png
2008-03-03 09:00 . 2009-09-16 22:56 480 ----a-r- c:\program files\SetupS.ini
2006-05-03 09:06 . 2009-09-18 16:29 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-18 16:29 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-18 16:29 216064 --sh--r- c:\windows\system32\nbDX.dll
.
------- Sigcheck -------
[-] 2009-03-08 . FF267FF1D773BEA5522295E3A79701E9 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-03-08 . 3D1ABDC3009D6B7CA7F9E66769C126CA . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-03-08 . EA032FC150B9C6276C98EB3DED3B75C6 . 652800 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-03-08 . 0797D8DAD6DD09CF7437C4F3132E82A6 . 3736576 . . [7.00.6000.20996] . . c:\windows\system32\mshtml.dll
[7] 2009-01-16 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2008-11-18 . CCF64982AD1B27461A5B85401657B29A . 2292224 . . [5.1.2600.5657] . . c:\windows\system32\ntoskrnl.exe
[-] 2009-03-08 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2009-03-08 . E7552D59A876B0E6919F05E500937993 . 884224 . . [7.00.6000.20978] . . c:\windows\system32\wininet.dll
[7] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 . A82935D32D0672E8FF4E91AE398E901C . 826368 . . [7.00.6000.16791] . . c:\windows\system32\dllcache\wininet.dll
[-] 2008-10-25 . E7EAF1CD2E46E6FFFD1A66983EE1936A . 1589248 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2009-03-08 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2009-03-08 . BEC5D7EF52E385F457E7C20EDBB1C5E7 . 2185216 . . [5.1.2600.5657] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-22 1271808]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2009-03-07 417455]
"NodEnabler"="c:\program files\ESET\ESET Smart Security\NodEnabler\NodEnabler.exe" [2009-04-08 357521]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-03-21 91432]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-24 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-24 141336]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-07-01 1447168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-14 198160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 124928]
"NewUser"="c:\windows\LastXP\NewUser.cmd" [2009-05-20 3563]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 49152]
[HKLM\~\startupfolder\C:^Users^Administrator^Start Menu^Programs^Startup^nero.bat.lnk]
path=c:\users\Administrator\Start Menu\Programs\Startup\nero.bat.lnk
backup=c:\windows\pss\nero.bat.lnkStartup
[HKLM\~\startupfolder\C:^Users^Administrator^Start Menu^Programs^Startup^Registration Call of Juarez.LNK]
path=c:\users\Administrator\Start Menu\Programs\Startup\Registration Call of Juarez.LNK
backup=c:\windows\pss\Registration Call of Juarez.LNKStartup
[HKLM\~\startupfolder\C:^Users^Administrator^Start Menu^Programs^Startup^winword.exe.lnk]
path=c:\users\Administrator\Start Menu\Programs\Startup\winword.exe.lnk
backup=c:\windows\pss\winword.exe.lnkStartup
[HKLM\~\startupfolder\C:^Users^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\users\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [1.2.2008 16:24 41456]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 8:21 468224]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [25.9.2009 18:23 68136]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [17.9.2009 15:24 54752]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16.9.2009 23:33 717296]
S1 HWiNFO32;HWiNFO32 Kernel Driver;\??\c:\windows\Temp\Rar$EX00.187\HWiNFO32.SYS --> c:\windows\Temp\Rar$EX00.187\HWiNFO32.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.9.2009 15:19 133104]
S3 cpuz130;cpuz130;\??\c:\windows\Temp\cpuz130\cpuz_x32.sys --> c:\windows\Temp\cpuz130\cpuz_x32.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [5.8.2009 21:48 704864]
S3 oflpydin;oflpydin;\??\c:\windows\Temp\oflpydin.sys --> c:\windows\Temp\oflpydin.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 09:03 124928 ----a-w- c:\windows\system32\advpack.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tattoodle.com?tid={582EF506-860F-4069-AB65-640578656A04}
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tattoodle.com?tid={36FED752-AC84-6DA9-5DB4-DD7EB8A95923}
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Administrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
.
.
------- File Associations -------
.
inifile=c:\windows\system32\Notepad2.exe %1
txtfile=c:\windows\system32\Notepad2.exe %1
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 09:15
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(820)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
- - - - - - - > 'lsass.exe'(876)
c:\windows\system32\setupapi.dll
.
Completion time: 2009-12-24 09:17:35
ComboFix-quarantined-files.txt 2009-12-24 08:17
Pre-Run: 2.309.099.520 bytes free
Post-Run: 5.828.222.976 bytes free
- - End Of File - - 2EE09862641DB5676166873D1C290876
Posted: 24 Dec 2009 19:25
- boksi
- Respected Citizen
- Joined: 11 Jun 2008
- Posts: 474
C:\pagefile.sys - error opening
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » PROCESS_LIBRARY.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HIRING_REQUISITION_CUSTOMIZED.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HARDWARE_TRACKER.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » HIRING_REQUISITION.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » CUSTOMER_SUPPORT.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » TRACK_ISSUES.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » STATUS_REPORT.FDT » MIME - is OK (internal scanning not performed)
C:\MSOCache\All Users\{90120000-0030-0000-0000-0000000FF1CE}-C\EnterWW.cab » CAB » POLICIES.FDT » MIME - is OK (internal scanning not performed)
C:\Program Files\7-Zip\Uninstall.exe » NSIS - incorrect CRC checksum, the file may be damaged
C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe » NSIS - bad archive
C:\Program Files\eRightSoft\SUPER\DXdump.exe » tElock v0.98 - unpack error
C:\Program Files\Free Download Manager\Firefox\extension\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\genius_maxfighter_f16u.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\logitech_attack3.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\logitech_extreme_3d.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\logitech_force_3d.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\logitech_freedom.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\saitek_cyborg_evo.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\saitek_x52.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\speed_link_black_hawk.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\speed_link_black_widow.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\speed_link_cougar_flightstick.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\speed_link_dark_tornado.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\client\res\flightsim\controller\xbox_360.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\genius_maxfighter_f16u.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\logitech_attack3.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\logitech_extreme_3d.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\logitech_force_3d.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\logitech_freedom.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\saitek_cyborg_evo.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\saitek_x52.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\speed_link_black_hawk.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\speed_link_black_widow.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\speed_link_cougar_flightstick.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\speed_link_dark_tornado.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Google Earth\plugin\res\flightsim\controller\xbox_360.ini » MIME - is OK (internal scanning not performed)
C:\Program Files\Google\Picasa3\Uninstall.exe » NSIS - incorrect CRC checksum, the file may be damaged
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/org/apache/xerces/internal/impl/msg/XIncludeMessages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » com/sun/xml/internal/fastinfoset/resources/ResourceBundle.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\resources.jar » ZIP » javax/xml/bind/Messages.properties » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\ffjcext.zip » ZIP » {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}/chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\LimeWire\lib\additional_resources.jar » ZIP » xulrunner-win32.zip » ZIP » xulrunner/chrome/comm.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\LimeWire\lib\additional_resources.jar » ZIP » xulrunner-win32.zip » ZIP » xulrunner/chrome/pippki.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\LimeWire\lib\additional_resources.jar » ZIP » xulrunner-win32.zip » ZIP » xulrunner/chrome/toolkit.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\LimeWire\lib\additional_resources.jar » ZIP » xulrunner-win32.zip » ZIP » xulrunner/chrome/limewire.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft CAPICOM 2.1.0.2\License\license.mht » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Customer Support.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hardware Tracker.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition - Customized.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\POLICIES.FDT » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Process Library.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Microsoft Office\Office12\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Track Issues.fdt » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\comm.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\pippki.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Mozilla Firefox\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Nero 9\Nero Burning ROM\CDI\CDI_VCD.CFG » MIME - is OK (internal scanning not performed)
C:\Program Files\Real\RealPlayer\browserrecord\firefox\ext\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Program Files\Total Video Converter\StarBurn_SuperVideoCD.iso » ISO » AVSEQ01.MPG - archive damaged
C:\Program Files\Total Video Converter\StarBurn_VideoCD.iso » ISO » AVSEQ01.DAT - archive damaged
C:\Program Files\Vidomi\uninst-Vidomi.exe » NSIS - bad archive
C:\Program Files\Winamp\UninstallWinampEssentials.exe » NSIS - archive damaged - the file could not be extracted.
C:\Program Files\Winamp\UninstWA.exe » NSIS - incorrect CRC checksum, the file may be damaged
C:\Users\Administrator\NTUSER.DAT - error opening
C:\Users\Administrator\ntuser.dat.LOG - error opening
C:\Users\Administrator\Application Data\Bump Technologies, Inc\BumpTop\Updates\BumpTopInstaller.exe » INNO » files.info - file is not an archive
C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\parent.lock - error opening
C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\ehtip@robertkatic\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\Users\Administrator\Application Data\Skype\bokiva\dc.db - error opening
C:\Users\Administrator\Application Data\Skype\bokiva\dc.db-journal - error opening
C:\Users\Administrator\Application Data\Skype\bokiva\dc.lock - error opening
C:\Users\Administrator\Application Data\Skype\bokiva\etilqs_D05DBHtbs4QPgeoQkBRG - error opening
C:\Users\Administrator\Application Data\Skype\bokiva\etilqs_U0Pj25hHx5AIebylwwfm - error opening
C:\Users\Administrator\Application Data\Skype\bokiva\main.db - error opening
C:\Users\Administrator\Application Data\Skype\bokiva\main.db-journal - error opening
C:\Users\Administrator\Application Data\Skype\bokiva\main.lock - error opening
C:\Users\Administrator\Local Settings\Application Data\Identities\{A93CEB86-6128-41CF-BF4B-CCE9AC77E15E}\Microsoft\Outlook Express\Deleted Items.dbx » DBX - is OK (internal scanning not performed)
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{46539f07-3e15-48e8-9a03-d9a4ab6c0d81}\DBStore\contacts.edb - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{46539f07-3e15-48e8-9a03-d9a4ab6c0d81}\DBStore\tempedb.edb - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{46539f07-3e15-48e8-9a03-d9a4ab6c0d81}\DBStore\LogFiles\edb.log - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{46539f07-3e15-48e8-9a03-d9a4ab6c0d81}\DBStore\LogFiles\edbtmp.log - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{ea5909e2-35a8-4395-9d54-4baedd2562ff}\DBStore\contacts.edb - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{ea5909e2-35a8-4395-9d54-4baedd2562ff}\DBStore\tempedb.edb - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{ea5909e2-35a8-4395-9d54-4baedd2562ff}\DBStore\LogFiles\edb.log - error opening
C:\Users\Administrator\Local Settings\Application Data\Microsoft\Windows Live Contacts\{ea5909e2-35a8-4395-9d54-4baedd2562ff}\DBStore\LogFiles\edbtmp.log - error opening
C:\Users\LocalService\ntuser.dat - error opening
C:\Users\LocalService\ntuser.dat.LOG - error opening
C:\Users\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening
C:\Users\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening
C:\Users\NetworkService\NTUSER.DAT - error opening
C:\Users\NetworkService\ntuser.dat.LOG - error opening
C:\Users\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening
C:\Users\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening
C:\WINDOWS\Installer\1de82.msi » MSI » ISSetupFile.SetupFile11 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\1de82.msi » MSI » ISSetupFile.SetupFile13 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Installer\1de8e.msi » MSI » Binary.Callultraedittbsetup » NSIS » chrome.manifest » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\vs_setup.cab » CAB » Chrome_manifest.3643236F_FC70_11D3_A536_0090278A1BB8 » MIME - is OK (internal scanning not performed)
C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\chrome.manifest » MIME - is OK (internal scanning not performed)
C:\WINDOWS\system32\config\default - error opening
C:\WINDOWS\system32\config\default.LOG - error opening
C:\WINDOWS\system32\config\SAM - error opening
C:\WINDOWS\system32\config\SAM.LOG - error opening
C:\WINDOWS\system32\config\SECURITY - error opening
C:\WINDOWS\system32\config\SECURITY.LOG - error opening
C:\WINDOWS\system32\config\software - error opening
C:\WINDOWS\system32\config\software.LOG - error opening
C:\WINDOWS\system32\config\system - error opening
C:\WINDOWS\system32\config\system.LOG - error opening
C:\WINDOWS\system32\drivers\sptd.sys - error opening
Posted: 24 Dec 2009 20:05
- helen1
- Anti Malware Fighter, Rank 2
- Joined: 27 Aug 2005
- Posts: 8617
- Location: Novi Beograd
Open Notepad and copy the following text into it:
File::
c:\windows\Temp\oflpydin.sys
Driver::
oflpydin
Save the file from Notepad to the Desktop as "CFScript".
Drag the saved script/text onto the ComboFix icon, as shown in the picture.
Post the log that is produced at the end of the cleaning/scanning in your next message.
Posted: 24 Dec 2009 20:47
- boksi
- Respected Citizen
- Joined: 11 Jun 2008
- Posts: 474
ComboFix 09-12-24.02 - Administrator 24.12.2009 20:32:17.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1609 [GMT 1:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
-- Previous Run --
c:\windows\system32\logonui.exe . . . is infected!!
--------
c:\windows\system32\logonui.exe . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_OFLPYDIN
-------\Service_oflpydin
((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.
2009-12-22 11:51 . 2009-12-16 13:42 43008 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-12-22 11:51 . 2009-12-16 13:42 340480 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-12-22 11:51 . 2009-12-16 13:41 346624 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-12-22 11:51 . 2009-12-16 13:42 872960 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2009-12-21 14:37 . 2009-12-21 14:37 -------- d-----w- c:\users\Administrator\WINDOWS
2009-12-16 20:06 . 2009-10-08 09:31 3204096 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-12-16 20:06 . 2009-10-07 17:06 106496 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\FSAddin.dll
2009-12-16 20:06 . 2009-09-23 20:29 28672 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-12-16 20:06 . 2009-03-19 22:57 40960 ----a-w- c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fireshot-install.exe
2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-12-14 16:04 . 2009-12-14 16:04 -------- d-----w- c:\program files\Common Files\xing shared
2009-12-14 15:44 . 2009-12-14 15:44 -------- d-----w- c:\users\Administrator\Application Data\DMCache
2009-12-10 10:54 . 2009-12-10 10:54 -------- d-----w- c:\program files\Vidomi
2009-12-10 10:34 . 2009-12-10 10:34 -------- d-----w- c:\users\Administrator\Application Data\dvdcss
2009-12-09 12:53 . 2009-12-09 12:53 868352 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\LieDetector.exe
2009-12-09 12:53 . 2009-12-09 12:53 640000 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\dbghelp.dll
2009-12-09 12:53 . 2009-12-09 12:53 53760 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\zlib.dll
2009-12-09 12:53 . 2009-12-09 12:53 1712128 ----a-w- c:\users\All Users\Application Data\Skype\Plugins\Plugins\E12C95FCBD1240FEAE314D89676CA6F8\GdiPlus.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-24 19:31 . 2009-09-25 17:22 16608 ----a-w- c:\windows\gdrv.sys
2009-12-24 19:29 . 2009-09-16 23:30 -------- d-----w- c:\users\Administrator\Application Data\Skype
2009-12-24 19:13 . 2009-09-16 19:00 -------- d-----w- c:\users\Administrator\Application Data\skypePM
2009-12-21 14:52 . 2009-09-16 23:06 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-21 12:33 . 2009-09-17 14:19 -------- d-----w- c:\program files\Google
2009-12-14 16:04 . 2009-10-19 06:36 -------- d-----w- c:\program files\Common Files\Real
2009-12-14 16:04 . 2009-10-19 06:36 -------- d-----w- c:\program files\Real
2009-12-14 14:53 . 2009-09-16 22:58 -------- d-----w- c:\program files\Lavalys
2009-11-24 14:21 . 2009-11-24 14:21 -------- d-----w- c:\program files\Emicsoft Studio
2009-11-23 13:45 . 2009-11-23 13:45 -------- d-----w- c:\program files\Common Files\EasyInfo
2009-11-22 08:13 . 2009-11-15 11:40 -------- d-----w- c:\program files\BumpTop
2009-11-20 07:54 . 2009-09-16 21:55 -------- d-----w- c:\program files\SystemRequirementsLab
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-11-20 07:54 . 2009-11-20 07:54 138240 ----a-w- c:\users\Administrator\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-11-20 07:54 . 2009-09-16 21:55 -------- d-----w- c:\users\Administrator\Application Data\SystemRequirementsLab
2009-11-17 07:36 . 2009-11-17 07:34 14741600 ----a-w- c:\users\Administrator\Application Data\Bump Technologies, Inc\BumpTop\Updates\BumpTopInstaller.exe
2009-11-15 20:15 . 2009-11-15 20:15 -------- d-----w- c:\program files\Common Files\Skype
2009-11-15 20:15 . 2009-09-16 23:08 -------- d-----r- c:\program files\Skype
2009-11-15 20:15 . 2009-09-16 23:08 -------- d-----w- c:\users\All Users\Application Data\Skype
2009-11-15 13:10 . 2009-11-15 13:10 -------- d-----w- c:\users\Administrator\Application Data\Bump Technologies, Inc
2009-11-14 17:52 . 2009-11-14 17:52 -------- d-----w- c:\users\Administrator\Application Data\Media Player Classic
2009-11-04 08:08 . 2009-09-16 22:39 -------- d-----w- c:\program files\Java
2009-11-04 08:07 . 2009-11-04 08:07 152576 ----a-w- c:\users\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-02 09:20 . 2009-11-02 09:20 -------- d-----w- c:\program files\City Interactive
2009-11-02 07:43 . 2009-09-27 06:13 -------- d-----w- c:\program files\Call of Duty
2009-10-27 21:14 . 2009-09-16 23:08 -------- d-----w- c:\program files\URUSoft
2009-10-26 13:55 . 2009-10-25 09:12 -------- d-----w- c:\users\Administrator\Application Data\FrostWire
2009-10-25 09:32 . 2009-10-25 09:32 0 ----a-w- c:\users\Administrator\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-19 06:36 . 2009-09-16 22:51 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-10-16 05:34 . 2009-09-16 22:53 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-10-16 05:34 . 2009-09-16 22:53 16512 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2009-10-11 03:17 . 2009-09-16 22:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-30 14:24 . 2009-09-16 22:51 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-09-30 14:24 . 2009-09-30 14:24 249856 ------w- c:\windows\Setup1.exe
2009-09-30 14:24 . 2009-09-30 14:24 73216 ----a-w- c:\windows\ST6UNST.EXE
2008-03-09 05:25 . 2009-09-22 16:25 236 ----a-w- c:\program files\Common Files\dx.reg
2008-03-03 09:00 . 2009-09-16 22:56 1341 ----a-r- c:\program files\CopyPath.png
2008-03-03 09:00 . 2009-09-16 22:56 480 ----a-r- c:\program files\SetupS.ini
2006-05-03 09:06 . 2009-09-18 16:29 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-09-18 16:29 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-09-18 16:29 216064 --sh--r- c:\windows\system32\nbDX.dll
.
------- Sigcheck -------
[-] 2009-03-08 . FF267FF1D773BEA5522295E3A79701E9 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[-] 2009-03-08 . 3D1ABDC3009D6B7CA7F9E66769C126CA . 568832 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2009-03-08 . EA032FC150B9C6276C98EB3DED3B75C6 . 652800 . . [5.82] . . c:\windows\system32\comctl32.dll
[-] 2009-03-08 . 0797D8DAD6DD09CF7437C4F3132E82A6 . 3736576 . . [7.00.6000.20996] . . c:\windows\system32\mshtml.dll
[7] 2009-01-16 . 3B413267DA8AE71C20E5EF3E54F74728 . 3594752 . . [7.00.6000.16809] . . c:\windows\system32\dllcache\mshtml.dll
[7] 2009-01-16 . CC9D001B7370B292C35B366CA05B12B4 . 3596288 . . [7.00.6000.20996] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\mshtml.dll
[-] 2008-11-18 . CCF64982AD1B27461A5B85401657B29A . 2292224 . . [5.1.2600.5657] . . c:\windows\system32\ntoskrnl.exe
[-] 2009-03-08 . 99C1ACB1B8F0F2CECC56515E502B5120 . 575488 . . [5.1.2600.5512] . . c:\windows\system32\user32.dll
[-] 2009-03-08 . E7552D59A876B0E6919F05E500937993 . 884224 . . [7.00.6000.20978] . . c:\windows\system32\wininet.dll
[7] 2008-12-20 . 044E0A4E9FE97C0FB9AFE9C89E2A82E6 . 827904 . . [7.00.6000.20978] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2008-12-20 . A82935D32D0672E8FF4E91AE398E901C . 826368 . . [7.00.6000.16791] . . c:\windows\system32\dllcache\wininet.dll
[-] 2008-10-25 . E7EAF1CD2E46E6FFFD1A66983EE1936A . 1589248 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2009-03-08 . CBF5945651C96E471B3A004BBDC36864 . 37376 . . [5.1.2600.5512] . . c:\windows\system32\ctfmon.exe
[-] 2009-03-08 . BEC5D7EF52E385F457E7C20EDBB1C5E7 . 2185216 . . [5.1.2600.5657] . . c:\windows\system32\ntkrnlpa.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-12-24_08.15.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-24 19:31 . 2009-12-24 19:31 16384 c:\windows\Temp\Perflib_Perfdata_4d8.dat
+ 2009-12-24 19:31 . 2009-12-24 19:31 16384 c:\windows\Temp\Perflib_Perfdata_438.dat
+ 2009-12-24 19:36 . 2009-12-24 19:36 53248 c:\windows\Temp\catchme.dll
- 2009-12-24 08:15 . 2009-12-24 08:15 53248 c:\windows\Temp\catchme.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 62976]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-22 1271808]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-10-09 25623336]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"DriveSpace"="c:\program files\Drive Space Indicator\DrvSpace.exe" [2009-03-07 417455]
"NodEnabler"="c:\program files\ESET\ESET Smart Security\NodEnabler\NodEnabler.exe" [2009-04-08 357521]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-20 83240]
"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-03-21 91432]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-11-24 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-11-24 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-11-24 141336]
"RTHDCPL"="RTHDCPL.EXE" [2009-01-13 18084864]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-07-01 1447168]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-14 198160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 124928]
"NewUser"="c:\windows\LastXP\NewUser.cmd" [2009-05-20 3563]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVD Region+CSS Free\DVDShell.dll" [2004-10-09 49152]
[HKLM\~\startupfolder\C:^Users^Administrator^Start Menu^Programs^Startup^nero.bat.lnk]
path=c:\users\Administrator\Start Menu\Programs\Startup\nero.bat.lnk
backup=c:\windows\pss\nero.bat.lnkStartup
[HKLM\~\startupfolder\C:^Users^Administrator^Start Menu^Programs^Startup^Registration Call of Juarez.LNK]
path=c:\users\Administrator\Start Menu\Programs\Startup\Registration Call of Juarez.LNK
backup=c:\windows\pss\Registration Call of Juarez.LNKStartup
[HKLM\~\startupfolder\C:^Users^Administrator^Start Menu^Programs^Startup^winword.exe.lnk]
path=c:\users\Administrator\Start Menu\Programs\Startup\winword.exe.lnk
backup=c:\windows\pss\winword.exe.lnkStartup
[HKLM\~\startupfolder\C:^Users^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
path=c:\users\All Users\Start Menu\Programs\Startup\BlueSoleil.lnk
backup=c:\windows\pss\BlueSoleil.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 14:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 12:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [1.2.2008 16:24 41456]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [21.12.2007 8:21 468224]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [25.9.2009 18:23 68136]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [17.9.2009 15:24 54752]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [16.9.2009 23:33 717296]
S1 HWiNFO32;HWiNFO32 Kernel Driver;\??\c:\windows\Temp\Rar$EX00.187\HWiNFO32.SYS --> c:\windows\Temp\Rar$EX00.187\HWiNFO32.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17.9.2009 15:19 133104]
S3 cpuz130;cpuz130;\??\c:\windows\Temp\cpuz130\cpuz_x32.sys --> c:\windows\Temp\cpuz130\cpuz_x32.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [5.8.2009 21:48 704864]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
2009-03-08 09:03 124928 ----a-w- c:\windows\system32\advpack.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tattoodle.com?tid={582EF506-860F-4069-AB65-640578656A04}
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.tattoodle.com?tid={36FED752-AC84-6DA9-5DB4-DD7EB8A95923}
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\users\Administrator\Application Data\Mozilla\Firefox\Profiles\24w5c27l.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Administrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll
.
.
------- File Associations -------
.
inifile=c:\windows\system32\Notepad2.exe %1
txtfile=c:\windows\system32\Notepad2.exe %1
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 20:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1116)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll
- - - - - - - > 'lsass.exe'(1172)
c:\windows\system32\setupapi.dll
.
Completion time: 2009-12-24 20:38:57
ComboFix-quarantined-files.txt 2009-12-24 19:38
ComboFix2.txt 2009-12-24 08:17
Pre-Run: 5.614.002.176 bytes free
Post-Run: 5.593.612.288 bytes free
- - End Of File - - A3884469A42F138946B589BEF7688B27